Foreword
This document is drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
Attention is drawn to the possibility that some of the contents of this document may be the subject of patent rights. The issuing body of this document is not responsible for identifying any such patent rights. This document was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC 260).
1 Scope
This document specifies security requirements for data processing activities in online ride-hailing services, including the collection, storage, use, processing, provision, disclosure and cross-border transfer of data.
This document applies to online ride-hailing service providers in regulating their data processing activities, and may also serve as a reference for regulatory authorities and third-party assessment bodies in the supervision, administration and assessment of data processing activities in online ride-hailing services.
2 Normative reference documents
The following documents contain provisions which, through normative reference in this text, constitute provisions of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including all amendments) applies.
GB/T 25069 Information security technology - Terminology
GB/T 35273-2020 Information security technology - Personal information security specification
GB/T 37988 Information security technology - Data security capability maturity model
GB/T 39335 Information security technology - Guidance for personal information security impact assessment
GB/T 41391-2022 Information security technology - Basic requirements for collecting personal information in mobile internet applications (apps)
GB/T 41479 Information security technology - Security requirements for network data processing
3 Terms and definitions
The terms and definitions given in GB/T 25069 and GB/T 35273-2020, as well as the following, apply to this document.
3.1
Online ride-hailing service (network reservation taxi service)
The business activity of building a service platform on Internet technology, integrating travel supply and demand information, and providing users with online ride-hailing service.
Note: In this document, online ride-hailing service refers to the online booking of passenger vehicles ("ride-hailing") and excludes private car pooling (commonly known as "hitchhiking"), online freight booking and online bus booking.
3.2
Online ride-hailing service platform
An information system that provides online ride-hailing service by integrating travel supply and demand information through network information technology and using qualified vehicles and drivers.
4 Abbreviations
The following abbreviations are applicable to this document.
GPS: Global Positioning System
5 Overview
5.1 Service composition of online ride-hailing service
The main functions of an online ride-hailing service include user registration and login, driver background checks by the online ride-hailing service provider, order initiation by passengers, order matching, order acceptance by drivers, the trip itself, trip safety assurance by the online ride-hailing service provider, payment and settlement, and user evaluation. A typical online ride-hailing service process is shown in Figure A.1 in Appendix A.
The parties involved in an online ride-hailing service are the online ride-hailing service provider, the third-party service platform operator, the passenger and the driver. Passengers initiate orders through the online ride-hailing service platform or through a third-party service platform; a third-party service platform connects to multiple online ride-hailing service platforms; the online ride-hailing service provider has a management or cooperation relationship with the driver; and the driver provides the travel service to the passenger. The relationships among these parties are shown in Figure 1.
6 Basic requirements
7 Data collection
8 Data storage
9 Data use and processing
10 Data provision and disclosure
11 Cross-border data transfer
12 Personal information rights of passengers and drivers
13 Security requirements for trip audio and video data
Appendix A (informative) Data processing activities and data security risks of online ride-hailing services
Appendix B (informative) Reference rules for identifying important data and examples of data classification for online ride-hailing services
Appendix C (informative) Scope and use requirements for personal information collected from drivers and by common extended business functions
Appendix D (informative) Scope of application and use requirements for system permissions related to online ride-hailing apps
Appendix E (informative) Example template of a trip recording collection agreement
Appendix F (informative) Data security protection requirements for complaint handling scenarios
Appendix G (informative) Example data desensitization rules for online ride-hailing services
Appendix H (informative) Example template for trip recording data security management
Bibliography