GB/T 35273-2017 English PDF (GBT35273-2017)
Regular price $170.00 USD

GB/T 35273-2017: Information security technology -- Personal information security specification

This standard specifies the principles and security requirements for the processing activities of collection, preservation, use, sharing, transfer and public disclosure of personal information. It is applicable to regulating the personal information processing activities of various organizations, and it is also applicable to the supervision, management and evaluation of personal information processing activities by the competent regulatory authorities and third-party evaluation agencies.
GB/T 35273-2017
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology -
Personal information security specification
ISSUED ON: DECEMBER 29, 2017
IMPLEMENTED ON: MAY 01, 2018
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of PRC; Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Collection of personal information
5.1 Legal requirements for collection of personal information
5.2 Requirements for minimizing the collection of personal information
5.3 Authorized consent when collecting personal information
5.4 Exceptions for authorization of consent
5.5 Explicit consent for the collection of personal sensitive information
5.6 Content and release of privacy policy
6 Preservation of personal information
6.1 Minimizing the retention time of personal information
6.2 De-identification processing
6.3 Transmission and storage of personal sensitive information
6.4 Business suspension of personal data controller
7 Use of personal information
7.1 Control measures for access of personal information
7.2 Display restrictions on personal information
7.3 Restrictions on the use of personal information
7.4 Access to personal information
7.5 Correction of personal information
7.6 Deletion of personal information
7.7 Personal data subject withdraws consent
7.8 Personal data subject cancels account
7.9 Personal data subject obtains a copy of personal information
7.10 Constraint of information system's automatic decision-making
7.11 Responding to requests of personal data subject
7.12 Management of appeal
8 Entrusted processing, sharing, transfer of control, public disclosure of personal information
8.1 Entrusted processing
8.2 Sharing and transfer of control of personal information
8.3 Transfer of control of personal information during acquisition, merger and restructuring
8.4 Public disclosure of personal information
8.5 Exceptions to prior authorization of consent, sharing, transfer of control, public disclosure of personal information
8.6 Common personal data controller
8.7 Cross-border transmission requirements for personal information
9 Handling of personal information security incident
9.1 Emergency response and reporting of security incidents
9.2 Notification of safety incidents
10 Management requirements of organization
10.1 Identify responsible departments and personnel
10.2 Conducting impact assessment of personal information security
10.3 Data security capabilities
10.4 Personnel management and training
10.5 Security audit
Appendix A (Informative) Example of personal information
Appendix B (Informative) Judgement of personal sensitive information
Appendix C (Informative) Method for guaranteeing the right of personal data subject to choose consent
Appendix D (Informative) Template of privacy policy
References
Information security technology -
Personal information security specification
1 Scope
This standard specifies the principles and security requirements for the processing activities of collection, preservation, use, sharing, transfer and public disclosure of personal information.
This standard is applicable to regulating the personal information processing activities of various organizations; it is also applicable to the supervision, management and evaluation of personal information processing activities by the competent regulatory authorities and third-party evaluation agencies.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition with the date indicated applies to this document; for undated references, the latest edition (including all amendments) applies to this standard.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
The terms and definitions as defined in GB/T 25069-2010 as well as the following terms and definitions apply to this document.
3.1
Personal information
Various information recorded electronically or otherwise that can identify a particular natural person or reflect the activity of a particular natural person, either alone or in combination with other information.
Note 1: Personal information includes name, date of birth, ID number, personal biometric information, address, communication contact, communication record and content, account password, property information, credit information, whereabouts, accommodation information, health information, transaction information, etc.
software provider, it does not belong to the personal information collection behavior.
3.6
Explicit consent
The act of the personal data subject to make a definitive authorization for the specific processing of its personal information through a written statement or by actively taking an affirmative action.
Note: Affirmative actions include the initiative of the personal data subject to make a statement (electronic or paper form), active check, active click on "agree", "register", "send", "dial" and so on.
3.7
User profiling
The process of collecting, gathering, analyzing personal information to make analysis and prediction of the personal characteristics of a particular natural person, such as occupation, economy, health, education, personal preferences, credit, behavior, etc., to form a personal feature model.
Note: The process of the direct use of personal information of a specific natural person to form a feature model of the natural person is called a direct user profiling. The use of personal information derived from other sources than a specific natural person, such as the data of the group in which it is located, to form a feature model of the natural person, is called an indirect user profiling.
3.8
Personal information security impact assessment
For the personal information processing activities, the process of examining the legal compliance level, determining the various risks that cause damage to the legitimate rights and interests of the personal data subject, evaluating the effectiveness of various measures used to protect the personal data subject.
3.9
Delete
The act of removing personal information from a system involved in implementing daily business functions, so that it remains in a state in which it cannot be retrieved or accessed.
a) The principle of integration of powers and responsibilities - Undertake the responsibility for the damage caused by the personal information processing activities to the legitimate rights and interests of the personal data subject.
b) The principle of clear purpose - Have the legal, legitimate, necessary, clear personal information processing purposes.
c) The principle of selective consent - Express the purpose, method, scope, rules, etc. of personal information processing to the personal data subject, to solicit authorization and consent.
d) The principle of least sufficiency - Unless otherwise agreed with the personal data subject, process only the minimum type and amount of personal information required to satisfy the purpose consented to by the personal data subject. After the purpose is achieved, it shall delete the personal information in time according to the agreement.
e) The principle of openness and transparency - The scope, purpose, rules, etc. of processing the personal information in a clear, understandable, reasonable manner and accepting external supervision.
f) The principle of ensuring security - Have the security capabilities that match the security risks faced and take adequate management measures and techniques, to protect the confidentiality, integrity, availability of personal information.
g) The principle of subject participation - Provide personal data subjects with access to, corrections, deletion of their personal information, as well as withdrawal of consent and cancellation of accounts.
5 Collection of personal information
5.1 Legal requirements for collection of personal information
Requirements for personal data controllers include:
a) It shall not defraud, deceive, or force the personal data subjects to provide their personal information;
b) It shall not conceal the functionality of the product or service to collect personal information;
c) It shall not obtain personal information from illegal sources;
d) It shall not collect the personal information that is clearly prohibited by laws, etc.
If the personal information processing activities required by the organization to conduct its business exceed the scope of the authorization, it shall obtain the explicit consent of the personal data subject within a reasonable period after obtaining the personal information or before processing the personal information.
5.4 Exceptions for authorization of consent
In the following cases, the personal data controller may collect and use personal information without the authorization of the personal data subject:
a) Directly related to national security and national defense security;
b) Directly related to public safety, public health, major public interest;
c) Directly related to criminal investigation, prosecution, trial, execution of judgments;
d) For the purpose of maintaining the material and legal rights, such as the life and property, of the personal data subject or other individuals, but it is difficult to obtain consent;
e) The personal information collected is proactively disclosed by the personal data subject to the public;
f) Collect personal information from legally publicly disclosed information, such as legitimate news reports, government information disclosure, etc.;
g) Where it is necessary to sign and fulfill the contract in accordance with the requirements of the personal data subject;
h) Where it is necessary to maintain the safe and stable operation of the products or services provided, such as the discovery, disposal of the faults of products or services;
i) The personal data controller is a news unit and where it is necessary for legal news reporting;
j) The personal data controller is an academic research institution that de-identifies the personal information contained in the results when conducting statistical or academic research for public interest and providing academic research or description results;
k) Other circumstances as specified by laws and regulations.
include but is not limited to:
1) The basic situation of the personal data controller, including the registration name, registered address, common business location, contact information of the relevant person in charge;
2) The purpose of collecting and using personal information, as well as the various business functions covered by the purpose, such as the use of personal information for pushing commercial advertisements, the use of personal information for the formation of direct user profiling and their uses;
3) Personal information collected by each business function, as well as personal information processing rules such as collection method and frequency, storage area, storage period, range of actually collected personal information;
4) The purpose of external sharing, transfer of control, and public disclosure of personal information, the type of personal information involved, the type of third party receiving personal information, the corresponding legal liabilities assumed;
5) Basic principles of personal information security followed, data security capabilities, personal information security measures taken;
6) The rights and implementation mechanisms of the personal data subject, such as access methods, correction methods, deletion methods, methods for canceling accounts, methods for withdrawing consent, methods for obtaining copies of personal information, methods of restraining automatic decision-making of information systems, etc.;
7) Security risks that may exist after the provision of personal information, as well as the possible impact of not providing personal information;
8) Channels and mechanisms for handling the inquiry and complaint from the personal data subject, as well as external dispute resolution agencies and contact methods.
b) The information notified by the privacy policy shall be true, accurate, complete;
c) The content of the privacy policy shall be clear and understandable, in line with common language habits, use standardized figures, diagrams, etc., avoid using ambiguous language, provide abstracts at the beginning, briefly describe the focus of the content;
d) The privacy policy shall be publicly available and easy to access, for
6.4 Business suspension of personal data controller
When a personal data controller ceases to operate its products or services, it shall:
a) Stop the continued collection of personal information in time;
b) Notify the personal data subject in the form of one-by-one delivery or announcement;
c) Delete or anonymize the personal information held by it.
7 Use of personal information
7.1 Control measures for access of personal information
Requirements for personal data controllers include:
a) Internal data operators who are authorized to access personal information shall be able to access only the minimum amount of personal information required for their duties, and only have the minimum data manipulation permissions required to perform their duties, in accordance with the principle of minimum sufficiency;
b) It should set up an internal approval process for important operations of personal information, such as batch modification, copying, downloading, etc.;
c) It shall make separate settings for the roles of security administrators, data operators, and auditors;
d) If it is necessary to authorize a specific person to handle personal information beyond their authority because of the needs of work, it shall be examined and approved by the person responsible for personal information protection or the personal information protection agency, and recorded;
Note: For the determination of the person responsible for personal information protection or the organization of personal information protection, see 10.1.
e) For the access, modification and other behaviors of personal sensitive information, it should trigger the operation authorization according to the requirements of the business process on the basis of the authority control of the role. For example, a complaint handler can access information
copy of the following types of personal information, or directly transmit a copy of the following personal information to a third party if technically feasible:
a) Personal basic information, personal ID information;
b) Personal health and physiological information, personal education work information.
7.10 Constraint of information system's automatic decision-making
When making decisions that significantly affect the subject matter of a personal data subject based solely on the automatic decision-making of the information system (e.g., determining personal credit and loan quota based on the user profiling, or using the user profiling for interview screening), the personal data controller shall provide a method of appeal to the personal data subject.
7.11 Responding to requests of personal data subject
Requirements for personal data controllers include:
a) After verifying the identity of the personal data subject, it shall respond promptly to the request of the personal data subject as made based on 7.4 ~ 7.10, reply and make reasonable explanation within 30 days or within the time limit prescribed by laws and regulations, and inform the personal data subject of the route to propose externally the dispute resolution;
b) In principle, it does not charge for the reasonable request. But for a number of repeated requests within a certain period of time, it may charge a certain cost as appropriate;
c) If the direct fulfillment of request from the personal data subject requires high costs or has other significant difficulties, the personal data controller shall provide other alternative methods to the personal data subject, to protect the legitimate rights and interests of the personal data subject;
d) Under the following conditions it may not respond to requests from the personal data subject as made based on 7.4 ~ 7.10, including but not limited to:
1) Directly related to national security and national defense security;
2) Directly related to public safety, public health, and major public interests;
3) Directly related to criminal investigation, prosecution, trial and execution of judgments;
personal data subject is based on 7.4 ~ 7.10;
4) If the entrusted person is unable to provide a sufficient level of security protection or has a security incident in the process of processing personal information, it shall promptly feed back to the personal data controller;
5) Personal information is no longer saved when the entrustment relationship is lifted.
d) The personal data controller shall supervise the entrusted person by means of, but not limited to:
1) Specify the responsibilities and obligations of the entrusted person by means of contracts;
2) Audit the entrusted person.
e) The personal data controller shall accurately record and maintain the circumstances of the entrusted processing of personal information.
8.2 Sharing and transfer of control of personal information
Personal information may not be shared or transferred of control in principle. When personal data controllers need to share and transfer of control, they shall pay full attention to risks. Sharing or transferring of control of personal information, other than due to acquisition, merger, or restructuring, shall comply with the following requirements:
a) Conduct impact assessment of personal information security in advance and take effective measures to protect the personal data subject based on the assessment results;
b) Inform the personal data subject of the purpose of sharing, transferring of control of the personal information, the type of the data recipient, and obtain the prior authorization from the personal data subject. The exception is the sharing and transferring of control of the de-identified personal information, meanwhile ensuring that the data recipient cannot re-identify the personal data subject;
c) Before sharing and transferring of control of personal sensitive information, in addition to the content notified in 8.2b), it shall also inform the personal data subject of the type of personal sensitive information involved, the identity of the data recipient, the data security capabilities, meanwhile obtain the explicit consent from the personal data subject in advance;
the content of the personal sens...
