Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization—Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This document was proposed by and is under the jurisdiction of National Information Security Standardization Technical Committee (SAC/TC 260).
Information security technology—
General requirements of biometric information protection
1 Scope
This document specifies the basic principles and relevant security requirements which shall be followed during biometric information processing activities like collection, storage, use, entrusted processing, sharing, transfer, public disclosure and deletion carried out by the biometric information controller.
This document is applicable to standardizing all kinds of biometric information controllers to carry out biometric information processing activities, and is also applicable to third-party organizations to evaluate biometric information processing activities.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security technology glossary
GB/T 35273-2020 Information security technology—Personal information security specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069, GB/T 35273-2020 and the following apply.
3.1
biometric original information
analog or digital representation of physical, biological or behavioral features of natural persons obtained by means of collecting and preprocessing
Note: Like samples, images, etc.
3.2
biometric comparison information
information obtained by technical processing of the biometric original information and used for comparison
3.3
biometric information
personal information obtained by technical processing of physical, biological or behavioral features of a natural person, which can identify the information of the natural person alone or in combination with other information
Note 1: The biometric information includes personal facial recognition features, iris, fingerprint, gene, voiceprint, gait, palmprint, auricle, eyeprint, etc.
Note 2: The biometric information covers biometric original information and biometric comparison information.
3.4
biometric information subject
natural person identified by or connected to biometric information
3.5
biometric information controller
organization or individual that has the power to determine the purpose, manner, etc. of the processing of biometric information
3.6
revoke
behavior preventing a specific biometric comparison information and corresponding identity-related information from passing verification.
Note: A biometric information subject may be rejected because it has been added to the revoke list.
3.7
irreversibility
property impossible to infer the biometric original information from the biometric comparison information
3.8
unlinkability
property of two or more pieces of biometric comparison information that cannot be linked to each other
Note: With unlinkability, one user can use different programs, resources and services for multiple times, while others cannot associate these uses through biometric comparison information.
4 Basic principles for protection of biometric information
The basic principles for protection of biometric information are as follows:
a) All requirements for personal information controllers in GB/T 35273-2020 shall be met.
b) The basic principles of personal information security in Clause 4 of GB/T 35273-2020 as well as the following principles shall be followed:
1) Independently selecting——ensure that individuals have the right to select whether to use biometric information or not, that individuals provide biometric information through direct means voluntarily, and that individuals have continuous right of control over their biometric information in the scene where activities related to identification are conducted;
2) Diversity and updatability—use biometric comparison information with characteristics of irreversibility, unlinkability, diversity and updatability;
3) Fully informed——ensure that the biometric information subject has the right to be informed for biometric information processing and security incidents.
5 Collection of biometric information
The requirements for biometric information controllers are as follows.
a) The collection of biometric information shall not be limited as the only way to achieve business objectives, except for the scenarios stipulated by laws and regulations and the scenarios of protecting public interests and important personal interests.
b) Before collecting biometric information, the following information shall be informed to the biometric information subject and the explicit consent of the biometric information subject shall be obtained:
1) Purpose, method and scope of collecting and using biometric information, as well as the authorized storage time, etc.;
2) Description of the processing method of the collected biometric information;
3) Contact details of the biometric information controller, including organization information, contact information, etc.;
4) Methods used by the biometric information subject to view, modify and withdraw its consent.
c) It shall be avoided to collect biometric information that does not belong to the biometric information subject, including biometric original information.
d) It shall be avoided to obtain the information from the non biometric information subject in an indirect way.
e) When the biometric information subject is unable to complete the information collection, the subsequent available alternative processing flow shall be informed.
f) When biometric information is collected according to relevant national laws and regulations, the biometric information subject shall be informed of relevant requirements and the type of biometric information collected.
g) The risk of interference and attack shall be fully considered. The factors to be considered include but are not limited to different attack forms such as physical and virtual forms, different attack materials such as paper and plastic, and different attack environments such as presentation angles and light conditions.
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles for protection of biometric information
5 Collection of biometric information
6 Storage of biometric information
7 Use of biometric information
8 Rights of biometric information subject
9 Entrusted processing, sharing, transfer and public disclosure of biometric information
10 Processing of biometric information security incidents
11 Requirements for biometric information security management
Bibliography
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization—Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This document was proposed by and is under the jurisdiction of National Information Security Standardization Technical Committee (SAC/TC 260).
Information security technology—
General requirements of biometric information protection
1 Scope
This document specifies the basic principles and relevant security requirements which shall be followed during biometric information processing activities like collection, storage, use, entrusted processing, sharing, transfer, public disclosure and deletion carried out by the biometric information controller.
This document is applicable to standardizing all kinds of biometric information controllers to carry out biometric information processing activities, and is also applicable to third-party organizations to evaluate biometric information processing activities.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security technology glossary
GB/T 35273-2020 Information security technology—Personal information security specification
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069, GB/T 35273-2020 and the following apply.
3.1
biometric original information
analog or digital representation of physical, biological or behavioral features of natural persons obtained by means of collecting and preprocessing
Note: Like samples, images, etc.
3.2
biometric comparison information
information obtained by technical processing of the biometric original information and used for comparison
3.3
biometric information
personal information obtained by technical processing of physical, biological or behavioral features of a natural person, which can identify the information of the natural person alone or in combination with other information
Note 1: The biometric information includes personal facial recognition features, iris, fingerprint, gene, voiceprint, gait, palmprint, auricle, eyeprint, etc.
Note 2: The biometric information covers biometric original information and biometric comparison information.
3.4
biometric information subject
natural person identified by or connected to biometric information
3.5
biometric information controller
organization or individual that has the power to determine the purpose, manner, etc. of the processing of biometric information
3.6
revoke
behavior preventing a specific biometric comparison information and corresponding identity-related information from passing verification.
Note: A biometric information subject may be rejected because it has been added to the revoke list.
3.7
irreversibility
property impossible to infer the biometric original information from the biometric comparison information
3.8
unlinkability
property of two or more pieces of biometric comparison information that cannot be linked to each other
Note: With unlinkability, one user can use different programs, resources and services for multiple times, while others cannot associate these uses through biometric comparison information.
4 Basic principles for protection of biometric information
The basic principles for protection of biometric information are as follows:
a) All requirements for personal information controllers in GB/T 35273-2020 shall be met.
b) The basic principles of personal information security in Clause 4 of GB/T 35273-2020 as well as the following principles shall be followed:
1) Independently selecting——ensure that individuals have the right to select whether to use biometric information or not, that individuals provide biometric information through direct means voluntarily, and that individuals have continuous right of control over their biometric information in the scene where activities related to identification are conducted;
2) Diversity and updatability—use biometric comparison information with characteristics of irreversibility, unlinkability, diversity and updatability;
3) Fully informed——ensure that the biometric information subject has the right to be informed for biometric information processing and security incidents.
5 Collection of biometric information
The requirements for biometric information controllers are as follows.
a) The collection of biometric information shall not be limited as the only way to achieve business objectives, except for the scenarios stipulated by laws and regulations and the scenarios of protecting public interests and important personal interests.
b) Before collecting biometric information, the following information shall be informed to the biometric information subject and the explicit consent of the biometric information subject shall be obtained:
1) Purpose, method and scope of collecting and using biometric information, as well as the authorized storage time, etc.;
2) Description of the processing method of the collected biometric information;
3) Contact details of the biometric information controller, including organization information, contact information, etc.;
4) Methods used by the biometric information subject to view, modify and withdraw its consent.
c) It shall be avoided to collect biometric information that does not belong to the biometric information subject, including biometric original information.
d) It shall be avoided to obtain the information from the non biometric information subject in an indirect way.
e) When the biometric information subject is unable to complete the information collection, the subsequent available alternative processing flow shall be informed.
f) When biometric information is collected according to relevant national laws and regulations, the biometric information subject shall be informed of relevant requirements and the type of biometric information collected.
g) The risk of interference and attack shall be fully considered. The factors to be considered include but are not limited to different attack forms such as physical and virtual forms, different attack materials such as paper and plastic, and different attack environments such as presentation angles and light conditions.
Contents of GB/T 40660-2021
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles for protection of biometric information
5 Collection of biometric information
6 Storage of biometric information
7 Use of biometric information
8 Rights of biometric information subject
9 Entrusted processing, sharing, transfer and public disclosure of biometric information
10 Processing of biometric information security incidents
11 Requirements for biometric information security management
Bibliography