Personal Insurance New Standard | "Information Security Technology Sensitive Personal Information Processing Security Requirements" (Draft for Comment) Released

On August 9, the National Information Security Standardization Technical Committee publicly released a notice on the national standard "Information Security Technology Security Requirements for Sensitive Personal Information Processing" (Draft for Comment) (hereinafter referred to as the "Standard") to solicit opinions from the public.


The "Standard" was formulated to support the implementation of the processing rules for sensitive personal information in Section 2 of the "Personal Information Protection Law". It sets security requirements for collection, storage, use, processing, transmission, provision, disclosure, deletion, and other processing activities, focusing on requirements for collection necessity, security protection, desensitization rules, and informed consent.

In recent years, there have been countless typical cases involving the illegal collection and use of sensitive personal information such as medical health, whereabouts, and financial accounts. Various applications (Apps) that rely on the Internet, such as mobile payment, online car-hailing, online consultation and registration, and online lending, need to rely on users' sensitive personal information to operate. First, the data lake warehouses and business systems that support these businesses inevitably involve a large amount of sensitive personal information processing. Second, whether in data development and exploration on the lake warehouse or in the data operation and maintenance of data platforms and business systems, natural persons must directly access sensitive personal information. Third, where ecological cooperation and data entrustment are used to accelerate business, sensitive personal information must be supplied or shared across organizations and regions.

Origin security technology experts believe that, as regulatory requirements tighten and regulatory granularity deepens, the contradiction between protecting sensitive personal information and using and circulating it has become increasingly prominent. At the same time, a personal information processor can take sensitive personal information as the core and entry point: on the basis of clarifying how sensitive personal information is collected and stored, it can, in scenario-based data applications, comprehensively use and seamlessly link access control, desensitization, encryption, control, behavior analysis, and other technical means based on sensitive data tags, and build an overall solution from an integrated business and security perspective. This makes personal information protection clearer and more specific, finds a suitable balance between data protection and utilization, improves enterprise data utilization capabilities, and releases data capacity.

What is the relationship between the "Standard" and relevant laws, administrative regulations and relevant standards?

The "Standard" complies with the requirements of existing laws and regulations.

Section 2 of Chapter II of the Personal Information Protection Law stipulates the processing rules for sensitive personal information. Article 28 stipulates that sensitive personal information refers to personal information that, once leaked or illegally used, is likely to infringe on the personal dignity of natural persons or endanger personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and other information, as well as personal information of minors under the age of fourteen. Personal information processors may process sensitive personal information only when there is a specific purpose and sufficient necessity, and strict protection measures are taken.

The "Information Security Technology Personal Information Security Specification" stipulates the principles and security requirements that should be followed in the collection, storage, use, sharing, transfer, public disclosure, deletion and other personal information processing activities; it also covers the transmission and storage of personal sensitive information, among other content.

How to define and identify sensitive personal information and personal information processors?

01 Definition

Sensitive personal information

Definition: Personal information that, once leaked or illegally used, is likely to cause the personal dignity of a natural person to be violated or personal and property safety to be endangered, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and other information, as well as personal information of minors under the age of fourteen.

Personal information processor

Definition: Organizations and individuals that independently determine the purpose and method of processing.

02 Identification method

Personal information processors should identify sensitive personal information according to the following methods before processing personal information. Personal information that meets any of the following attributes should be identified as sensitive personal information:

  1. Personal information whose leakage or illegal use may easily cause the personal dignity of natural persons to be violated;

    Example 1: Personal information subjects may be subject to discriminatory treatment due to the disclosure of information such as specific identity, criminal record, religious belief, sexual orientation, specific diseases, and health status.

  2. Personal information whose leakage or illegal use may easily endanger the personal safety of natural persons;

  3. Personal information whose leakage or illegal use may easily endanger the property safety of natural persons;

    Example 2: Leakage and illegal use of financial account information and related identification information (such as payment passwords) may cause property damage to the personal information subject.

What security measures should be taken when handling sensitive personal information?

According to the "Personal Information Protection Law", strict protection measures should be taken when handling sensitive personal information. From the perspective of security protection requirements and security management requirements, the "Standard" makes detailed provisions on the protection measures to be taken throughout the processing of sensitive personal information, which to a certain extent fills the gap left by the "Personal Information Protection Law" regarding security protection measures for sensitive personal information.

The basic requirements for handling sensitive personal information in the Standard:

The processing of sensitive personal information should have a specific purpose and sufficient necessity, individual consent should be obtained, and strict protection measures should be taken in all aspects of collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.

Specifically, the following points should be carried out:

1. In the process of collecting sensitive personal information, personal information processors should not collect sensitive personal information if collecting non-sensitive personal information can achieve the purpose of processing; they should collect only the sensitive personal information required by a business function, and only while the personal information subject is using that business function; sensitive personal information should be collected item by item according to the business function or service scenario.

2. In the process of using sensitive personal information, personal information processors should carry out sensitive personal information processing activities in accordance with the agreed processing purpose and processing method, and record the processing status; Transfer of sensitive personal information under the conditions of the personal information processor;

3. In the transmission of sensitive personal information, when transmitting sensitive personal information over the Internet, at least channel encryption should be used, and it is advisable to combine channel encryption with content encryption. The channel encryption and content encryption algorithms should comply with relevant industry technical standards and the relevant regulations of industry authorities; the security status of the methods used to transmit sensitive personal information should be regularly assessed or verified, and security policies should be adjusted in a timely manner when major changes occur in the network environment; application and API asset lists should be sorted out regularly, and the transmission of sensitive personal information by applications and APIs should be audited regularly;

4. In the storage of sensitive personal information, personal information processors should store encrypted and de-identified sensitive personal information separately from decryption keys and other personal information; security protection measures should be set according to the principle of strictness, and abnormal monitoring and analysis capabilities should be established to respond to abnormal situations in a timely manner and dynamically adjust security protection measures.

5. In the access link of sensitive personal information, on the basis of role authority control, operation authorization should be triggered according to the needs of business processes, and log audits should be conducted regularly for operations such as access, modification, deletion, and export of sensitive personal information; an abnormal-operation monitoring, early warning, and response mechanism should be established to alert on abnormal operations that exceed normal business needs (such as frequent or large-volume browsing, downloading, or printing of sensitive personal information, operations outside working hours, etc.), carry out analysis and investigation, and eliminate hidden dangers in advance;

6. In terms of deletion of sensitive personal information, personal information processors should regularly evaluate the effect of deletion or anonymization of sensitive personal information to ensure that the deleted or anonymized sensitive personal information cannot be restored; an automatic deletion mechanism for sensitive personal information should be established, and where laws and administrative regulations stipulate that sensitive personal information needs to be retained, it should be deleted in a timely manner after the retention period expires.

7. In terms of security management requirements, sensitive personal information processors are required to implement classified management of sensitive personal information. According to relevant regulations, sensitive personal information that reaches a certain level should be protected with reference to important data. A sensitive personal information security management strategy should be established to identify, approve, record, and audit the processing of sensitive personal information; personal information protection impact assessments should be conducted and the processing recorded; data security capabilities should meet GB/T 37988—2019 "Information Security Technology Data Security Capability Maturity Model". When planning and construction involve products and services that process sensitive personal information, it is advisable to refer to GB/T 41817-2022 "Information Security Technology Personal Information Security Engineering Guidelines" to carry out personal information security engineering practice, and to plan, build, deploy, and use personal information security measures synchronously. Those handling more than 10,000 pieces of sensitive personal information involving cross-border transmission of personal information shall conduct a self-assessment of data export risk, and report to the national network information department through the local provincial network information department for a data export security assessment.
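
As an added example (not part of the Standard or of the original article), the abnormal-operation monitoring required in item 5 can be expressed as rules over an access audit log for sensitive personal information. The event fields, working hours, and thresholds below are assumptions; the Standard gives no numeric values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values; tune them to each business function's normal baseline.
WORK_START, WORK_END = 8, 19          # working hours, local time
WINDOW = timedelta(minutes=10)        # sliding window per user
MAX_OPS, MAX_RECORDS = 20, 500        # operations / records allowed per window
BULK_ACTIONS = {"view", "download", "print", "export"}

def detect_abnormal(events):
    """Return (user, rule, timestamp) alerts for a list of audit events."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e["user"], e["ts"]
        # Rule 1: any operation on sensitive data outside working hours or at weekends.
        if ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END:
            alerts.append((user, "off_hours", ts))
        if e["action"] not in BULK_ACTIONS:
            continue
        # Rules 2 and 3: operation count and record volume inside the sliding window.
        q = recent[user]
        q.append((ts, e["records"]))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        ops, total = len(q), sum(n for _, n in q)
        for rule, hit in (("high_frequency", ops > MAX_OPS), ("bulk_volume", total > MAX_RECORDS)):
            if hit and (user, rule) not in flagged:   # alert once per burst
                alerts.append((user, rule, ts))
                flagged.add((user, rule))
            elif not hit:
                flagged.discard((user, rule))
    return alerts

def ev(user, action, records, ts):
    return {"user": user, "action": action, "records": records, "ts": datetime.fromisoformat(ts)}

# Constructed sample audit log (not real data).
SAMPLE = [
    ev("alice", "view", 1, "2023-08-09T10:00:00"),
    ev("alice", "modify", 1, "2023-08-09T10:05:00"),
    ev("bob", "download", 300, "2023-08-09T14:00:00"),
    ev("bob", "download", 300, "2023-08-09T14:04:00"),
    ev("bob", "print", 50, "2023-08-09T14:30:00"),
    ev("carol", "export", 10, "2023-08-09T23:15:00"),
]

if __name__ == "__main__":
    print(*detect_abnormal(SAMPLE), sep="\n")
```

Alerts produced this way feed the analysis and investigation step; the periodic log audit in the same item still covers operations that stay under the thresholds.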

What are the special security requirements for the handling of sensitive personal information?

Previously, the Cyberspace Administration of China issued a special draft of security management regulations for face recognition information to regulate the processing of face recognition information. The Standard also sets out special security requirements for different types of common sensitive personal information categories:

[Figure: Common Sensitive Personal Information Categories]

[Figure: Special security requirements for common sensitive personal information]

Related Documents Referenced in the Standard

[1] GB/T 35274-2017 Information Security Technology Big Data Service Security Capability Requirements

[2] GB/T 37973-2019 Information Security Technology Big Data Security Management Guidelines

[3] GB/T 41391-2022 Information Security Technology Basic Requirements for Collection of Personal Information by Mobile Internet Applications (App)

[4] GB/T 42574-2023 Information Security Technology Implementation Guidelines for Notification and Consent in Personal Information Processing

The integrated data security platform can discover sensitive data and perform data classification and grading within the organization, forming a directory of sensitive data assets; on top of this, it provides integrated sensitive data access control, data authority control, dynamic data desensitization, sensitive data access auditing, and other functions to meet data security control, personal information protection, and data export security compliance requirements, making enterprise data more secure and compliance more efficient.

The data security platform can cover common means and management methods of enterprise data security management, including data asset inventory management, sensitive data identification, and data classification and grading; database firewall, data audit, database security audit, cloud database audit, and API audit; sensitive data desensitization, data desensitization, dynamic data desensitization, real-time desensitization, and sensitive data access supervision; and database security protection, database operation and maintenance control, cloud database security operation and maintenance, database authority management settings, access authority settings, and data access governance. Together these achieve fine-grained authority control and data security operations, prevent sensitive data leakage, and meet data compliance and business compliance requirements.


Origin blog.csdn.net/oripoint/article/details/132237477