On August 31, the National Information Security Standardization Technical Committee issued the Draft of Information Security Technology-Security Specification for Network Data Processing (《信息安全技术 网络数据处理安全规范》 ) for public comments. Comments are due by October 27, 2020.

The Draft applies to network operators’ data processing activities, data security management and personal information protection, government agencies’ supervision and management of network operators’ data processing activities, and third-party agencies’ evaluations.

In particular, the Draft provides definitions for data, network operator, personal information, personal sensitive information, and key data.

  • Data in this Draft include digital data generated or processed through the internet, including personal information and key data.
  • Personal information means any information can be used independently or combined to identify individuals, including names, birthdays, IP numbers, biometrics, addresses and health information.
  • Personal sensitive information includes any personal information that once leaked or disclosed could lead to threats to safety, loss of property, damage of physical and mental health, or discriminatory treatment.
  • Key data means data for which the leakage may directly impair national security, public safety, economic safety, and social stability. It includes undisclosed government information and information on genetic, geographic and mineral resources at a certain scale. In principle, it does not include personal data or company information.

The Draft also puts forward the overall requirements for data grading and classification, risk prevention and control, and audit traceability.

In addition, it sets forth overall principles and specific requirements for data processing, including data collection, transmission, storage, exports, processing, and disclosure; personal information’s access/correction/deletion and user account’s cancellation, processing methods for private information and forwardable information, access control and auditing, data deletion and anonymization, and handling of complaints and reports. It requires that domestic users’ access to a domestic website shall not to routed abroad. It does not preclude other data exportation except that it shall comply with other legislation.

When individuals’ personal information is used to provide location tracing in the situation of public emergency, government agencies at the central and provincial level shall protect personal information and take responsibility in accordance with any service contact that government agencies signed. If the government agencies need to use personal information previously collected by key information infrastructure operators, they shall obtain approval from the relevant central agencies and refine the scope and procedure of personal information collection. In addition, after collecting such information, the government agencies shall not publish it, or provide for a third party to do so, or change the use of purpose, without the consent of individual and the approval of relevant central agencies.