www.ChineseStandard.us -- Field Test Asia Pte. Ltd.
GB/T 41479-2022 English PDF (GB/T41479-2022)
GB/T 41479-2022: Information security technology - Network data processing security requirements
GB/T 41479-2022
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Information security technology - Network data processing
security requirements
ISSUED ON: APRIL 15, 2022
IMPLEMENTED ON: NOVEMBER 01, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions... 4
4 General requirements for data processing security ... 7
4.1 Data identification ... 7
4.2 Classification and gradation ... 7
4.3 Risk prevention and control ... 7
4.4 Auditing and traceability ... 7
5 Data processing security technical requirements ... 8
5.1 General ... 8
5.2 Collection ... 8
5.3 Storage ... 9
5.4 Use ... 9
5.5 Processing ... 10
5.6 Transmission ... 10
5.7 Provision ... 11
5.8 Disclosure ... 11
5.9 Treatment of private and forwardable information ... 12
5.10 Personal information access, correction, deletion and user account cancellation ... 12
5.11 Handling of complaints and reports ... 12
5.12 Access control and auditing ... 12
5.13 Data deletion and anonymization ... 13
6 Data processing security management requirements ... 13
6.1 Responsible person for data security ... 13
6.2 Human resource assurance and assessment ... 13
6.3 Incident emergency response ... 14
Appendix A (Normative) Personal information protection requirements for public
health emergencies ... 15
References ... 18
Information security technology - Network data processing
security requirements
1 Scope
This document specifies the security technology and management requirements for
network operators to collect, store, use, process, transmit, provide, and disclose network
data.
This document applies to the regulation of network data processing by network
operators, as well as the supervision, management and evaluation of network data
processing by regulatory authorities and third-party evaluation agencies.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this
document and are indispensable for its application. For dated references, only the
version corresponding to that date is applicable to this document; for undated references,
the latest version (including all amendments) is applicable to this document.
GB/T 25069, Information security technology - Glossary
GB/T 35273-2020, Information security technology - Personal information security
specification
3 Terms and definitions
Terms and definitions determined by GB/T 25069 and GB/T 35273-2020, as well as the
following ones, are applicable to this document.
3.1
Data
Any recording of information electronically or otherwise.
3.2
Network data
All kinds of data collected, stored, used, processed, transmitted, provided and disclosed
through the network.
Examples: personal information, important data, etc.
3.3
Data processing
Data collection, storage, use, processing, transmission, provision, disclosure, etc.
3.4
Data security
The state in which, through the adoption of necessary measures, data is effectively
protected and lawfully used, together with the capability to keep it in that secure state continuously.
3.5
Network operator
Network owner, manager and network service provider.
Note: The network in this document refers to the open and public network.
3.6
Personal Information
Various information recorded electronically or otherwise relating to an identified or
identifiable natural person.
Note 1: Personal information includes name, date of birth, citizenship number, personal
biometric information, address, communication contact information,
communication records and content, account password, property information,
credit information, whereabouts, accommodation information, health and
physiology information, transaction information, etc.
Note 2: It does not include anonymized information.
[Source: GB/T 35273-2020, 3.1, modified]
3.7
Sensitive personal information
The personal information which, once leaked or illegally used, is likely to cause damage
to the personal dignity of a natural person or endanger personal and property safety.
Note: Sensitive personal information includes biometrics, religious beliefs, specific
identities, medical treatment and health, financial accounts, whereabouts and
Anonymization
The process of processing personal information to a state where it does not identify a
specific natural person and cannot be recovered.
4 General requirements for data processing security
4.1 Data identification
Network operators shall identify the data involved in data processing, including
personal information, important data and other data, form a data protection catalog, and
update it in a timely manner.
4.2 Classification and gradation
Network operators shall classify and grade the identified data in accordance with relevant
national standards and in light of contract provisions and business operation needs.
4.3 Risk prevention and control
Network operators shall perform data security protection obligations in accordance with
the contract when carrying out data processing, and strengthen risk monitoring when
carrying out data processing activities. In case of data security flaws, loopholes and
other risks, technologies such as encryption, desensitization, backup, access control,
auditing, or other necessary measures shall be adopted to strengthen data security
protection and protect data from leakage, theft, tampering, damage, and improper use.
When providing key protection for important data and sensitive personal information,
regular risk assessments of the data processing activities shall be carried out in
accordance with regulations, and risk assessment reports shall be submitted to the
relevant competent authorities. The risk assessment report shall include the type and
quantity of important data processed, the situation of data processing activities, the data
security risks faced and countermeasures, etc.
Data security management responsibility and evaluation and assessment systems shall
be established, data security protection plans shall be formulated, security risk
assessments shall be carried out, security incidents shall be dealt with in a timely
manner, and education and training shall be organized.
4.4 Auditing and traceability
Network operators shall record the entire life cycle of data processing to ensure that
data processing is auditable and traceable.
5 Data processing security technical requirements
5.1 General
Network operators shall conduct impact analysis and risk assessment when carrying out
data processing, and take necessary measures to control the identified risks to ensure
data security. In the event of a public health emergency, data processing shall also
comply with the requirements of Appendix A. Data processing activities that affect or
may affect national security shall be subject to national security review.
5.2 Collection
Where the network operator needs to process personal information in order to provide
services, it shall follow the principles of legality, legitimacy and necessity, and shall not
collect personal information that is not directly or reasonably related to the services it
provides, or that exceeds the period of express consent of the personal information
subject, and shall comply with the following requirements:
a) A personal information protection policy shall be formulated and disclosed and
strictly followed; the personal information protection policy shall meet the
requirements of 5.5 in GB/T 35273-2020;
b) Before collecting personal information, the personal information protection policy
shall be clearly stated and the consent of the personal information subject shall be
obtained;
Note: Except for the situations specified in 5.6 of GB/T 35273-2020.
c) Where the purpose, type, scope, and use of processed personal information are
changed, the personal information subject shall be informed in time, the personal
information protection policy shall be revised, and the consent of the personal
information subject shall be re-obtained. Where it involves changes in the
personal information protection policy, the personal information protection policy
shall be revised;
d) The type of product or service provided, and the personal information necessary for
that product or service, shall be stated clearly; the network operator shall not refuse to
provide the product or service because the user does not agree, or withdraws consent, to
provide information other than the personal information necessary for the product or
service;
e) It shall not force or mislead users to agree to the collection of personal information
only for the purpose of improving service quality, enhancing user experience,
pushing information in a targeted manner, developing new products, etc.;
b) In the process of providing news and blog information services to personal
information subjects, if network operators use algorithms to automatically
synthesize text, pictures, audio, video or other information, they shall
clearly inform users.
5.4.2 Third party application management
Network operators shall strengthen data security management for third-party
applications that access or embed their products or services, including:
a) The data security protection responsibilities and obligations of both parties shall
be clearly defined through contracts and other forms;
b) Third party application operators shall be supervised to strengthen data security
management; if third party applications are found to have not fulfilled the security
management responsibilities, they shall promptly urge rectification and stop
access when necessary;
c) If the network operator knows or should know that a third-party application uses
its platform to infringe the civil rights and interests of users, and fails to take
necessary measures, it shall bear joint and several liability with the third-party
application operator;
d) It is advisable to carry out technical testing on accessing or embedded third-party
applications to ensure that their data processing behaviors meet the requirements
agreed upon by both parties, and to stop access in a timely manner if the audit finds
that the behavior exceeds the agreement between the two parties.
5.5 Processing
In the course of data processing activities such as conversion, aggregation, and analysis,
network operators who know or should know that the processing may endanger national
security, public security, economic security or social stability shall immediately stop the
processing activities.
5.6 Transmission
Network operators shall take security measures for data transmission activities,
including:
a) When transmitting important data and sensitive personal information, security
measures such as encryption and desensitization shall be adopted;
b) When transmitting data to the data receiver, security measures shall be taken as
required and agreed upon in the contract.
5.7 Provision
5.7.1 Providing to others
Before providing data to others, network operators shall conduct security impact
analysis and risk assessment. Those that may endanger national security, public security,
economic security and social stability shall not be provided to others. Requirements are
as follows:
a) When providing personal information to others, the personal information subject
shall be informed of the receiver's name, contact information, processing purpose,
processing method, type of personal information, and storage period, and the
consent of the personal information subject shall be obtained;
b) When sharing or transferring important data, the data security protection
responsibilities and obligations of both parties shall be clarified with the data
receiver through contracts and other forms, and measures such as encryption and
desensitization shall be adopted to ensure the security of important data;
c) If a third party is entrusted to carry out data processing activities, the purpose,
duration, processing method, type of data, protection measures, rights and
obligations of both parties, and the method of returning or deleting data by the
third party shall be clearly stipulated in the form of a contract, etc. The third party
is required to return and delete received and generated data in the form agreed in
the contract, and the data processing activities shall be supervised;
d) In the event of acquisition, merger, reorganization or bankruptcy, the data receiver
shall continue to perform relevant data security protection obligations; if there is
no data receiver, the data shall be deleted.
5.7.2 Data export
When network operators provide personal information or important data overseas, they
shall follow the requirements of relevant national regulations and standards.
If domestic users access domestic networks within China, their traffic shall not be routed
overseas.
5.8 Disclosure
Network operators shall not endanger national security, public security, economic
security and social stability when using the data resources at their disposal to disclose
market forecasts, statistics and other information.
b) For key operations of important data and personal information (such as batch
modification, copying, deletion, downloading, etc.), set up internal approval and
audit processes, and strictly implement them.
5.13 Data deletion and anonymization
When meeting the requirements of 8.3 in GB/T 35273-2020 or meeting the following
circumstances, network operators shall delete or anonymize personal information in a
timely manner:
a) When personal information exceeds the storage period agreed by both parties;
b) When network products and services cease to operate;
c) When the personal information subject cancels the account, or when the user
withdraws consent.
When the media storing important data and personal information is scrapped...