Data security technology - Rules for data classification and grading
1 Scope
This document specifies the principles, framework, methods, and processes for data classification and grading, and provides guidelines for identifying important data.
This document applies to competent (regulatory) departments formulating standards and specifications for data classification and grading in this field and to regions and departments carrying out data classification and grading work, and provides a reference for data processors carrying out data classification and grading.
This document is not applicable to data involving state secrets and military data.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2022 Information security technology - Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2022 and the following apply.
3.1
data
recording of any information by electronic or other means
3.2
key data
data in specific fields, groups, regions, or reaching a certain accuracy and scale that may directly endanger national security, economic operation, social stability, public health and safety once it is leaked, tampered with, or damaged
Note: Data that only affect the organization itself or individual citizens are generally not regarded as key data.
3.3
core data
key data with high coverage or high accuracy, large scale and certain depth for fields, groups and regions, which may directly affect political security once illegally used or shared
Note: Core data mainly include data related to key fields of national security, data related to the lifeline of the national economy, important people's livelihood and major public interests, and other data assessed and determined by the relevant departments of the state.
3.4
general data
other data beyond core data and key data
3.5
personal information
all kinds of information related to an identified or identifiable natural person, recorded by electronic or other means
3.6
sensitive personal information
personal information that, once leaked or illegally used, may lead to harm to the personal dignity of a natural person or to personal and property safety
4 General principles
Data classification and grading shall follow the national requirements for classified and graded data protection, be carried out according to the industry and field to which the data belongs, and observe the following principles.
a) Scientific and practical principles: From the perspective of facilitating data management and usage, scientifically select common and stable attributes or features as the basis for data classification, and refine the classification of data according to actual needs.
b) Principle of clear boundary: The boundaries of data grading at all grades are clear, and corresponding protection measures shall be taken for different grades of data.
c) Strict principle of higher priority: The data grade shall be determined according to the principle of higher priority. When multiple factors may affect the data grading, the data grade shall be determined according to the highest influence degree of each affected object.
5 Data classification rules
6 Data grading rules
7 Data classification and grading process
Annex A (Informative) Reference for data classification based on description object and data subject
Annex B (Informative) Examples of personal information classification
Annex C (Informative) Common considerations in identifying data classification elements
Annex D (Informative) Common considerations of safety risks
Annex E (Informative) Considerations of influence object
Annex F (Informative) Reference example of influence degree
Annex G (Normative) Guidelines for identifying key data
Annex H (Informative) Reference for general data grading
Annex I (Informative) Reference for derived data grading
Annex J (Informative) Reference for dynamic update situation
Bibliography
Contents of GB/T 43697-2024
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 General principles
5 Data classification rules
6 Data grading rules
7 Data classification and grading process
Annex A (Informative) Reference for data classification based on description object and data subject
Annex B (Informative) Examples of personal information classification
Annex C (Informative) Common considerations in identifying data classification elements
Annex D (Informative) Common considerations of safety risks
Annex E (Informative) Considerations of influence object
Annex F (Informative) Reference example of influence degree
Annex G (Normative) Guidelines for identifying key data
Annex H (Informative) Reference for general data grading
Annex I (Informative) Reference for derived data grading
Annex J (Informative) Reference for dynamic update situation
Bibliography