Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 35273-2017 Information security technology - Personal information security specification. In addition to a number of editorial changes, the following technical changes have been made with respect to GB/T 35273-2017:
——The Subcaluse - "Independent selection in case of multiple business functions" is added (see 5.3);
——The Subcaluse - "Exceptions for consent obtaining" is modified (see 5.6 of this standard; 5.4 of Edition 2017);
——The Subcaluse - "Restrictions on use of user profiling” is added (see 7.4);
——The Subcaluse - "Use of personalized display" is added (see 7.5);
——The Subcaluse - "Convergence and fusion of personal information collected for different business purposes" is added (see 7.6);
——The Subcaluse - "Account cancellation of personal information subject” is modified (see 8.5 of this standard; 7.8 of Edition 2017);
——The Subcaluse - "Third party access management" is added (see 9.7);
——The Subcaluse - “Specifying responsible departments and personnel” is modified (see 11.1 of this standard; 10.1 of Edition 2017);
——The Subcaluse - "Personal information security project" is added (see 11.2);
——The Subcaluse - "Records of personal information processing activities" is added (see 11.3);
——"Method for realizing free will of personal information subject" is modified (see Annex C to this standard; Annex C to Edition 2017).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Technical Committee 260 on Information Security of Standardization Administration of China (SAC/TC 260).
The previous edition of this standard is as follows:
——GB/T 35273-2017.
Introduction
In recent years, with the rapid development of information technology and the popularity of Internet applications, more and more organizations collect and use personal information in large quantities, which has brought convenience to people's lives while, at the same time, has also resulted in illegal collection, abuse and disclosure of personal information. Personal information security is facing a serious threat.
This standard addresses the security issues faced by personal information and regulates the relevant behaviors of personal information controllers in the information processing links such as collection, preservation, use, sharing, transfer of control and public disclosure in accordance with the Cybersecurity Law of the People's Republic of China, aiming at restraining the illegal collection, abuse, disclosure, etc. of personal information so as to guarantee individual legitimate rights and interests of individuals and the public interest to the maximum extent.
The specific issues in this standard, if specified in laws and regulations, shall comply with such laws and regulations.
Information security technology - Personal information security specification
1 Scope
This standard regulates the principles and relevant security requirements which shall be followed by personal information processing activities like collection, preservation, use, sharing, transfer of control, public disclosure, deletion, etc.
This standard is applicable to the regulation of personal information processing activities of various organizations and also applicable to the supervision, management and evaluation of personal information processing activities by organizations such as competent supervision departments and third-party evaluation agencies.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
Note 1: Personal information includes name, date of birth, ID number, personal biometric identifying information, address, communication and contact information, communication record and content, account and password, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information.
Note 2: See Annex A for the judgment method and type of personal information.
Note 3: The information formed by the personal information controller by processing personal information or other information, such as user profiling or features, labels, is regarded as personal information if it can be used to, either alone or in combination with other information, identify a particular natural person or reflect the activities of such a person.
3.2
personal sensitive information
personal information which, once disclosed, illegally provided or abused, will possibly endanger the personal and property safety and easily result in damages to personal reputation and physical and mental health or result in discriminatory treatment
Note 1: Personal sensitive information includes ID number, personal biometric identifying information, bank account, communication record and content, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information and personal information of children less than or equal to14 years old.
Note 2: See Annex B for the judgment method and type of personal sensitive information.
Note 3: The information formed by the personal information controller by processing personal information or other information is regarded as personal sensitive information if it, once disclosed, illegally provided or abused, will possibly endanger the personal and property safety and easily result in damage to personal reputation as well as physical and mental health damage or discriminatory treatment.
3.3
personal information subject
natural person identified by or connected to personal information
3.4
personal information controller
organization or individual that has the power to determine the purpose, manner, etc. of the processing of the personal information
3.5
collect
behavior of obtaining the right of control over personal information
Note 1: Such behavior includes positive collection through initiative provision by, interaction with, or recording behaviors of personal information subject as well as indirect acquisition through sharing, transfer of control and collection of public information.
Note 2: If the product or service provider, who provides tools for use by the personal information subject, does not access personal information, it is not a collection behavior specified in this standard. For example, the offline navigation software, after obtaining the location information of the personal information subject from the terminal, does not return such information to the software provider, it is not a personal information collection behavior.
3.6
explicit consent
behavior, of a personal information subject, of explicit authorization in terms of the specific processing of his or her personal information through a written or oral statement, in either electronic or paper form, or making affirmative actions in an initiative manner
Note: Affirmative actions include selection of or click on "Agree", "Register", "Send", "Dial", filling in or provision of personal information, etc. made by personal information subject in an initiative manner.
3.7
consent
behavior, of a personal information subject, of explicit authorization in terms of the specific processing of his or her personal information
Note: It includes the authorization through positive behavior (i.e. explicit consent), or negative act (e.g. the personal information subject in the information acquisition area did not left such area after being informed of the information acquisition behavior).
3.8
user profiling
process of personal characteristic model formation through analyzing or predicting the personal characteristics of a particular natural person, such as occupation, economy, health, education, personal preference, credit and behavior, on the basis of collecting, gathering, and analyzing personal information
Note: The characteristic model of certain natural person which is formed by directly using the personal information of such natural person is called direct user profiling. The characteristic model of certain natural person which is formed by using the personal information from other than such natural person, such as the data of the group in which such natural person is, is called indirect user profiling.
3.9
personal information security impact assessment
process of inspecting the extent to which the personal information processing activities are lawful and compliant, of determining the various risks of such activities that cause damage to legitimate rights and interests of personal information subject and of assessing the effectiveness of various measures used to protect personal information subject
3.10
delete
behavior of removing personal information in a system which is involved in realization of daily business functions so that such personal information is kept in a status making it cannot be retrieved or accessed
3.11
public disclosure
behavior of publishing information to society or an unspecified group of people
3.12
transfer of control
process of transferring the control right over personal information from one controller to another
3.13
sharing
process of providing personal information by a personal information controller to other controller, with the parties having independent control right over the personal information
3.14
anonymization
process of processing personal information in technical terms so that the personal information subject cannot be identified or connected, with the processed information unable to be restored
Note: The information obtained after anonymization processing of personal information is not categorized as personal information.
3.15
de-identification
process of processing personal information in technical terms so that the personal information subject cannot be identified or connected without additional information
Note: De-identification is based on the individual, retaining the individual granularity, and replacing the identification of personal information by adopting technical means like pseudonym, encryption, hash function, etc.
3.16
personalized display
activities such as displaying information contents and providing search results of goods or services to specific personal information subject based on his or her personal information such as web browsing history, interests, hobbies, consumption records and habits
3.17
business function
service types that meet the specific use needs of personal information subjects
Note: For example, map navigation, online car booking, instant messaging, online community, online payment, news information, online shopping, express distribution, transportation and ticketing.
4 Basic principles of personal information security
The personal information controller, when conducting personal information processing activities, shall follow the principles of lawfulness, justification and necessity as follows:
a) Right and responsibility consistence——taking technical and other necessary measures to ensure the personal information security, and undertaking the responsibilities for the damage caused to the legitimate rights and interests of personal information subject by the personal information processing activities.
b) Explicit purpose——having definite, explicit and specific personal information processing purpose.
c) Consent based on selection——expressing the purpose, means, scope and other rules of personal information processing to the personal information subject to ask for consent.
d) Minimum necessary——only processing the minimum types and amount of personal information necessary for satisfying the purpose authorized and agreed by the personal information subject. After the purpose is achieved, the personal information shall be deleted in time.
e) Openness and transparency——publicizing the scope, purpose, rules, etc. of personal information processing in a clear, understandable and reasonable manner, and accepting external supervision.
f) Security——possessing the security capabilities that match the security risks confronted with, and taking adequate management measures and technical means to protect the confidentiality, integrity, and availability of the personal information.
g) Subject participation——providing personal information subject with methods whereby he or she can access to, correct or delete his/her personal information, as well as withdraw the consent, close the account or make complaints.
5 Personal information collection
5.1 Legality requirements for collecting personal information
The personal information controller shall:
a) Not defraud, deceive, or mislead personal information subject to provide his/her personal information;
b) Not conceal the personal information collection function of product or service;
c) Not obtain personal information through illegal channels.
5.2 Minimum necessary requirements for collecting personal information
Requirements for the personal information controller include:
a) The type of personal information collected shall have direct connection with the product or service business function to be realized. Direct connection means that without the participation of the information the product or service function cannot be realized.
b) The frequency of positively collecting personal information shall be the minimum one necessary to realize the business function of the product or service.
c) The amount of personal information indirectly acquired shall be the minimum amount necessary to realize the business function of the product or service.
Foreword i
Introduction iii
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Personal information collection
5.1 Legality requirements for collecting personal information
5.2 Minimum necessary requirements for collecting personal information
5.3 Independent selection in case of multiple business functions
5.4 Consent for personal information collection
5.5 Personal information protection policy
5.6 Exceptions for consent obtaining
6 Storage of personal information
6.1 Minimizing the storage period of personal information
6.2 De-identification processing
6.3 Transmission and storage of personal sensitive information
6.4 Stopping of product/service operation by personal information controller
7 Use of personal information
7.1 Personal information access control measures
7.2 Restrictions on display of personal information
7.3 Restrictions on use purpose of personal information
7.4 Restrictions on use of user profiling
7.5 Use of personalized display
7.6 Convergence and fusion of personal information collected for different business purposes
7.7 Use of the automatic decision-making mechanism of information system
8 Rights of personal information subject
8.1 Query of personal information
8.2 Correction of personal information
8.3 Deletion of personal information
8.4 Consent withdrawal by personal information subject
8.5 Account closure of personal information subject
8.6 Means for personal information subjects to obtain a copy of their personal information
8.7 Responding the requests of personal information subject
8.8 Complaint management
9 Entrusted processing, sharing, transfer of control, and public disclosure of personal information
9.1 Entrusted processing
9.2 Sharing and transfer of control of personal information
9.3 Personal information transfer of control during acquisition, merger, restructuring and bankruptcy
9.4 Public disclosure of personal information
9.5 Situations exempted from the acquisition of prior consent for the sharing, transfer of control, and public disclosure of personal information
9.6 Joint personal information controller
9.7 Third party access management
9.8 Cross-border transmission of personal information
10 Handling of personal information security incident
10.1 Emergency responses and report for information security incident
10.2 Notification on safety incidents
11 Personal information security management requirements for the organization
11.1 Specifying responsible department and personnel
11.2 Personal information security project
11.3 Records of personal information processing activities
11.4 Conducting personal information security impact assessment
11.5 Data security capacity
11.6 Personnel management and training
11.7 Security audit
Annex A (Informative) Examples of personal information
Annex B (Informative) Determination of personal sensitive information
Annex C (Informative) Methods for fulfilling free will of personal information subject
Annex D (Informative) Personal information protection policy template
Bibliography
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 35273-2017 Information security technology - Personal information security specification. In addition to a number of editorial changes, the following technical changes have been made with respect to GB/T 35273-2017:
——The Subcaluse - "Independent selection in case of multiple business functions" is added (see 5.3);
——The Subcaluse - "Exceptions for consent obtaining" is modified (see 5.6 of this standard; 5.4 of Edition 2017);
——The Subcaluse - "Restrictions on use of user profiling” is added (see 7.4);
——The Subcaluse - "Use of personalized display" is added (see 7.5);
——The Subcaluse - "Convergence and fusion of personal information collected for different business purposes" is added (see 7.6);
——The Subcaluse - "Account cancellation of personal information subject” is modified (see 8.5 of this standard; 7.8 of Edition 2017);
——The Subcaluse - "Third party access management" is added (see 9.7);
——The Subcaluse - “Specifying responsible departments and personnel” is modified (see 11.1 of this standard; 10.1 of Edition 2017);
——The Subcaluse - "Personal information security project" is added (see 11.2);
——The Subcaluse - "Records of personal information processing activities" is added (see 11.3);
——"Method for realizing free will of personal information subject" is modified (see Annex C to this standard; Annex C to Edition 2017).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Technical Committee 260 on Information Security of Standardization Administration of China (SAC/TC 260).
The previous edition of this standard is as follows:
——GB/T 35273-2017.
Introduction
In recent years, with the rapid development of information technology and the popularity of Internet applications, more and more organizations collect and use personal information in large quantities, which has brought convenience to people's lives while, at the same time, has also resulted in illegal collection, abuse and disclosure of personal information. Personal information security is facing a serious threat.
This standard addresses the security issues faced by personal information and regulates the relevant behaviors of personal information controllers in the information processing links such as collection, preservation, use, sharing, transfer of control and public disclosure in accordance with the Cybersecurity Law of the People's Republic of China, aiming at restraining the illegal collection, abuse, disclosure, etc. of personal information so as to guarantee individual legitimate rights and interests of individuals and the public interest to the maximum extent.
The specific issues in this standard, if specified in laws and regulations, shall comply with such laws and regulations.
Information security technology - Personal information security specification
1 Scope
This standard regulates the principles and relevant security requirements which shall be followed by personal information processing activities like collection, preservation, use, sharing, transfer of control, public disclosure, deletion, etc.
This standard is applicable to the regulation of personal information processing activities of various organizations and also applicable to the supervision, management and evaluation of personal information processing activities by organizations such as competent supervision departments and third-party evaluation agencies.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
Note 1: Personal information includes name, date of birth, ID number, personal biometric identifying information, address, communication and contact information, communication record and content, account and password, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information.
Note 2: See Annex A for the judgment method and type of personal information.
Note 3: The information formed by the personal information controller by processing personal information or other information, such as user profiling or features, labels, is regarded as personal information if it can be used to, either alone or in combination with other information, identify a particular natural person or reflect the activities of such a person.
3.2
personal sensitive information
personal information which, once disclosed, illegally provided or abused, will possibly endanger the personal and property safety and easily result in damages to personal reputation and physical and mental health or result in discriminatory treatment
Note 1: Personal sensitive information includes ID number, personal biometric identifying information, bank account, communication record and content, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information and personal information of children less than or equal to14 years old.
Note 2: See Annex B for the judgment method and type of personal sensitive information.
Note 3: The information formed by the personal information controller by processing personal information or other information is regarded as personal sensitive information if it, once disclosed, illegally provided or abused, will possibly endanger the personal and property safety and easily result in damage to personal reputation as well as physical and mental health damage or discriminatory treatment.
3.3
personal information subject
natural person identified by or connected to personal information
3.4
personal information controller
organization or individual that has the power to determine the purpose, manner, etc. of the processing of the personal information
3.5
collect
behavior of obtaining the right of control over personal information
Note 1: Such behavior includes positive collection through initiative provision by, interaction with, or recording behaviors of personal information subject as well as indirect acquisition through sharing, transfer of control and collection of public information.
Note 2: If the product or service provider, who provides tools for use by the personal information subject, does not access personal information, it is not a collection behavior specified in this standard. For example, the offline navigation software, after obtaining the location information of the personal information subject from the terminal, does not return such information to the software provider, it is not a personal information collection behavior.
3.6
explicit consent
behavior, of a personal information subject, of explicit authorization in terms of the specific processing of his or her personal information through a written or oral statement, in either electronic or paper form, or making affirmative actions in an initiative manner
Note: Affirmative actions include selection of or click on "Agree", "Register", "Send", "Dial", filling in or provision of personal information, etc. made by personal information subject in an initiative manner.
3.7
consent
behavior, of a personal information subject, of explicit authorization in terms of the specific processing of his or her personal information
Note: It includes the authorization through positive behavior (i.e. explicit consent), or negative act (e.g. the personal information subject in the information acquisition area did not left such area after being informed of the information acquisition behavior).
3.8
user profiling
process of personal characteristic model formation through analyzing or predicting the personal characteristics of a particular natural person, such as occupation, economy, health, education, personal preference, credit and behavior, on the basis of collecting, gathering, and analyzing personal information
Note: The characteristic model of certain natural person which is formed by directly using the personal information of such natural person is called direct user profiling. The characteristic model of certain natural person which is formed by using the personal information from other than such natural person, such as the data of the group in which such natural person is, is called indirect user profiling.
3.9
personal information security impact assessment
process of inspecting the extent to which the personal information processing activities are lawful and compliant, of determining the various risks of such activities that cause damage to legitimate rights and interests of personal information subject and of assessing the effectiveness of various measures used to protect personal information subject
3.10
delete
behavior of removing personal information in a system which is involved in realization of daily business functions so that such personal information is kept in a status making it cannot be retrieved or accessed
3.11
public disclosure
behavior of publishing information to society or an unspecified group of people
3.12
transfer of control
process of transferring the control right over personal information from one controller to another
3.13
sharing
process of providing personal information by a personal information controller to other controller, with the parties having independent control right over the personal information
3.14
anonymization
process of processing personal information in technical terms so that the personal information subject cannot be identified or connected, with the processed information unable to be restored
Note: The information obtained after anonymization processing of personal information is not categorized as personal information.
3.15
de-identification
process of processing personal information in technical terms so that the personal information subject cannot be identified or connected without additional information
Note: De-identification is based on the individual, retaining the individual granularity, and replacing the identification of personal information by adopting technical means like pseudonym, encryption, hash function, etc.
3.16
personalized display
activities such as displaying information contents and providing search results of goods or services to specific personal information subject based on his or her personal information such as web browsing history, interests, hobbies, consumption records and habits
3.17
business function
service types that meet the specific use needs of personal information subjects
Note: For example, map navigation, online car booking, instant messaging, online community, online payment, news information, online shopping, express distribution, transportation and ticketing.
4 Basic principles of personal information security
The personal information controller, when conducting personal information processing activities, shall follow the principles of lawfulness, justification and necessity as follows:
a) Right and responsibility consistence——taking technical and other necessary measures to ensure the personal information security, and undertaking the responsibilities for the damage caused to the legitimate rights and interests of personal information subject by the personal information processing activities.
b) Explicit purpose——having definite, explicit and specific personal information processing purpose.
c) Consent based on selection——expressing the purpose, means, scope and other rules of personal information processing to the personal information subject to ask for consent.
d) Minimum necessary——only processing the minimum types and amount of personal information necessary for satisfying the purpose authorized and agreed by the personal information subject. After the purpose is achieved, the personal information shall be deleted in time.
e) Openness and transparency——publicizing the scope, purpose, rules, etc. of personal information processing in a clear, understandable and reasonable manner, and accepting external supervision.
f) Security——possessing the security capabilities that match the security risks confronted with, and taking adequate management measures and technical means to protect the confidentiality, integrity, and availability of the personal information.
g) Subject participation——providing personal information subject with methods whereby he or she can access to, correct or delete his/her personal information, as well as withdraw the consent, close the account or make complaints.
5 Personal information collection
5.1 Legality requirements for collecting personal information
The personal information controller shall:
a) Not defraud, deceive, or mislead personal information subject to provide his/her personal information;
b) Not conceal the personal information collection function of product or service;
c) Not obtain personal information through illegal channels.
5.2 Minimum necessary requirements for collecting personal information
Requirements for the personal information controller include:
a) The type of personal information collected shall have direct connection with the product or service business function to be realized. Direct connection means that without the participation of the information the product or service function cannot be realized.
b) The frequency of positively collecting personal information shall be the minimum one necessary to realize the business function of the product or service.
c) The amount of personal information indirectly acquired shall be the minimum amount necessary to realize the business function of the product or service.
Contents of GB/T 35273-2020
Foreword i
Introduction iii
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Personal information collection
5.1 Legality requirements for collecting personal information
5.2 Minimum necessary requirements for collecting personal information
5.3 Independent selection in case of multiple business functions
5.4 Consent for personal information collection
5.5 Personal information protection policy
5.6 Exceptions for consent obtaining
6 Storage of personal information
6.1 Minimizing the storage period of personal information
6.2 De-identification processing
6.3 Transmission and storage of personal sensitive information
6.4 Stopping of product/service operation by personal information controller
7 Use of personal information
7.1 Personal information access control measures
7.2 Restrictions on display of personal information
7.3 Restrictions on use purpose of personal information
7.4 Restrictions on use of user profiling
7.5 Use of personalized display
7.6 Convergence and fusion of personal information collected for different business purposes
7.7 Use of the automatic decision-making mechanism of information system
8 Rights of personal information subject
8.1 Query of personal information
8.2 Correction of personal information
8.3 Deletion of personal information
8.4 Consent withdrawal by personal information subject
8.5 Account closure of personal information subject
8.6 Means for personal information subjects to obtain a copy of their personal information
8.7 Responding the requests of personal information subject
8.8 Complaint management
9 Entrusted processing, sharing, transfer of control, and public disclosure of personal information
9.1 Entrusted processing
9.2 Sharing and transfer of control of personal information
9.3 Personal information transfer of control during acquisition, merger, restructuring and bankruptcy
9.4 Public disclosure of personal information
9.5 Situations exempted from the acquisition of prior consent for the sharing, transfer of control, and public disclosure of personal information
9.6 Joint personal information controller
9.7 Third party access management
9.8 Cross-border transmission of personal information
10 Handling of personal information security incident
10.1 Emergency responses and report for information security incident
10.2 Notification on safety incidents
11 Personal information security management requirements for the organization
11.1 Specifying responsible department and personnel
11.2 Personal information security project
11.3 Records of personal information processing activities
11.4 Conducting personal information security impact assessment
11.5 Data security capacity
11.6 Personnel management and training
11.7 Security audit
Annex A (Informative) Examples of personal information
Annex B (Informative) Determination of personal sensitive information
Annex C (Informative) Methods for fulfilling free will of personal information subject
Annex D (Informative) Personal information protection policy template
Bibliography