YD/T 3746-2020: Specification of internet of vehicle information service - User personal information protection
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.020
L 70
Specification of Internet of vehicle information service
- User personal information protection
ISSUED ON: AUGUST 31, 2020
IMPLEMENTED ON: OCTOBER 01, 2020
Issued by: Ministry of Industry and Information Technology of the
People's Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Basic rules for subscriber personal information protection
5 Overview of subscriber personal information protection
5.1 Object of subscriber personal information protection
5.2 Processing links of subscriber personal information
5.3 Basic idea of subscriber personal information protection
6 Classification requirements for subscriber personal information
6.1 Classification methods for subscriber personal information
6.2 Classification examples for subscriber personal information
7 Grading requirements for subscriber personal information sensitivity
7.1 Grading methods for subscriber personal information sensitivity
7.2 Grading examples for subscriber personal information sensitivity
8 Protection requirements for subscriber personal information security
8.1 Protection requirements for personal general information security
8.2 Protection requirements for personal important information security
8.3 Protection requirements for personal sensitive information security
Bibliography
1 Scope
This Standard specifies information content classification, sensitivity classification and classification protection requirements for subscriber personal information protection of Internet of vehicle information service.
This Standard is applicable to subscriber personal information protection of automakers, parts and components suppliers, software providers, data content providers and service providers related to Internet of vehicle during the service providing process.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 35273-2020, Information security technology - Personal information security specification
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 subscriber personal information of Internet of vehicle information service
the information - which is collected by automakers, parts and components providers, software providers, data and content providers, and service providers related to the Internet of vehicle industry during the service providing process - that can identify subscribers individually or in combination with other information and involve subscribers' personal privacy
NOTE: After the subscriber's personal information is processed to remove the subscriber's identity and personal privacy attributes, it is not included in the scope of protection of the personal information of the Internet of vehicle information service subscribers specified in this Standard. For example, the scale statistics of the subscription business of the Internet of vehicle information service, etc.
4 Basic rules for subscriber personal information protection
The subscriber personal information protection of Internet of vehicle information service usually shall follow the requirements in GB/T 35273-2020, follow the principles of consistency of rights and responsibilities, clear purpose, selection under consent, enough for use, openness and transparency, safety ensuring, and subject participation, so as to use personal information reasonably.
- Principle of consistency of rights and responsibilities: Take technical and other necessary measures to protect the security of personal information. It shall be liable for the damage caused by its personal information processing activities to the legitimate rights and interests of personal information subjects.
- Principle of clear purpose: It has a legal, legitimate, necessary and clear purpose of personal information processing.
- Principle of selection under consent: Clearly state the purpose, method, scope, rules, etc. of personal information processing to personal information subjects, and seek their authorization and consent.
- Principle of enough for use: Only process the minimum type and amount of personal information necessary to satisfy the purposes for which the personal information subject has authorized and consented to it. After the purpose is achieved, personal information shall be deleted in a timely manner.
- Principle of openness and transparency: Disclose the scope, purpose and rules of processing personal information in a clear, understandable and reasonable manner. Receive external oversight.
- Principle of safety ensuring: It has security capabilities commensurate with the security risks faced. Take adequate management measures and technical means to protect the confidentiality, integrity and availability of personal information.
- Principle of subject participation: Provide personal information subjects with methods to inquire, correct, delete their personal information, as well as withdraw, unify, cancel accounts, and lodge complaints.
processing refers to entrusting the personal information controller of the Internet of vehicle subscribers to a third party to process the personal information of subscribers. Sharing refers to the process in which a subscriber's personal information controller provides personal information to other controllers, and both parties have independent control over the personal information. Transfer is the process of transferring control of personal information from one controller to another. Public disclosure refers to the act of releasing subscriber personal information to the society or unspecified groups of people.
5.3 Basic idea of subscriber personal information protection
This Standard focuses on the classification and grading of subscriber personal information, which is the object of protection. It also puts forward corresponding security requirements for each processing link across the entire life cycle of subscriber personal information, so as to reduce the related security risks in Internet of vehicle information services. Internet of vehicle information service providers shall standardize the collection, storage, use, entrusted processing, sharing, transfer and disclosure of subscriber personal information involved in providing services, in accordance with the management requirements and technical requirements of the corresponding level.
6 Classification requirements for subscriber personal information
6.1 Classification methods for subscriber personal information
Subscriber personal information refers to the data information closely related to subscribers in the process of Internet of vehicle information service such as data collection and transmission, use and destruction. These data information can identify the personal identity of the Internet of vehicle subscriber to a certain extent or reflect the personal activities of the subscriber. The subscriber personal information of Internet of vehicle information service is subdivided into three categories: subscriber identification information, subscriber data and service content information of Internet of vehicle information service, and subscriber service-related information.
Subscriber identification information: Refers to the subscriber personal information that is closely related to the subscriber's natural person identity and identification information, the subscriber's virtual identity and authentication information in the process of the Internet of vehicle information service activities.
8 Protection requirements for subscriber personal information security
8.1 Protection requirements for personal general information security
Basic protection requirements for personal general information security: Basic technical and management measures shall be implemented to ensure the security of access control to the personal information of Internet of vehicle subscribers. For example, necessary access control measures shall be implemented for subscribers' personal information.
8.2 Protection requirements for personal important information security
Basic protection requirements for personal important information security: Necessary technical and management measures shall be implemented to protect subscribers' right to know and choose. Protect the confidentiality and integrity of subscribers' personal information. Ensure the security of access control to subscribers' personal information. Establish subscriber personal information security management specifications. For example, subscribers' consent shall be obtained when collecting and transferring personal information of subscribers. Necessary encryption measures shall be taken during the transmission process of information collection and transfer to ensure the confidentiality and integrity of data. Strict access control measures shall be implemented for information. Strict safety management specifications for each life cycle of subscribers' personal information (including information collection, storage, use, entrusted processing, sharing, transfer, and disclosure) shall be defined. An internal data approval process and system shall be set up.
8.3 Protection requirements for personal sensitive information security
Basic protection requirements for personal sensitive information security: Strict technical and management measures shall be implemented to protect subscribers' right to know and to choose. Protect the confidentiality and integrity of subscribers' personal information. Ensure the security of access control of Internet of vehicle subscribers' personal information. Establish strict subscriber personal information security management specifications and data real-time monitoring mechanism. For example, subscriber consent shall be obtained when collecting, transferring and using subscriber personal information. High-strength encryption shall be used during the storage and transmission of information for collection and transfer. Guarantee data confidentiality and integrity. Strict access control measures shall be implemented for information. Strict safety management specifications for each life cycle of subscribers' personal information (including information collection, storage, use, entrusted processing, sharing, transfer and public disclosure) shall be defined. Internal
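
One way to turn the graded requirements of clauses 8.1 to 8.3 into an automated gap check over a data-flow inventory, as an added example that is not part of the standard. The `Flow` record, the grade labels, the operation names and the sample inventory are assumptions of this example; only the controls visible in the text above are encoded, and an unknown grade is treated as sensitive.

```python
from dataclasses import dataclass

# Consent: 8.2 names collecting and transferring; 8.3 adds using.
CONSENT_OPS = {"general": set(),
               "important": {"collect", "transfer"},
               "sensitive": {"collect", "transfer", "use"}}
# Encryption: 8.2 names transmission during collection and transfer;
# 8.3 adds storage. Mapping these to operations is this example's reading.
ENCRYPT_OPS = {"general": set(),
               "important": {"collect", "transfer"},
               "sensitive": {"collect", "transfer", "store"}}

@dataclass
class Flow:                      # hypothetical inventory record
    item: str
    grade: str
    op: str                      # collect, store, use, transfer, ...
    consent: bool = False
    access_controlled: bool = False
    encrypted: bool = False
    monitored: bool = False

def gaps(flow):
    # Unknown grades fail closed to the strictest tier (this example's choice).
    grade = flow.grade if flow.grade in CONSENT_OPS else "sensitive"
    missing = []
    if not flow.access_controlled:          # named in 8.1, 8.2 and 8.3
        missing.append("access control")
    if flow.op in CONSENT_OPS[grade] and not flow.consent:
        missing.append("consent")
    if flow.op in ENCRYPT_OPS[grade] and not flow.encrypted:
        missing.append("encryption")
    if grade == "sensitive" and not flow.monitored:   # 8.3 only
        missing.append("real-time monitoring")
    return missing

def audit(flows):
    """Return {(item, op): [missing controls]} for non-compliant flows."""
    return {(f.item, f.op): gaps(f) for f in flows if gaps(f)}

# Constructed inventory; item names and grades are illustrative only.
SAMPLE = [
    Flow("nickname", "general", "use", access_controlled=True),
    Flow("contact_number", "important", "transfer", consent=True, access_controlled=True),
    Flow("contact_number", "important", "use", access_controlled=True),
    Flow("trip_history", "sensitive", "use", access_controlled=True, monitored=True),
    Flow("trip_history", "sensitive", "store", access_controlled=True, encrypted=True),
    Flow("cabin_audio", "ungraded", "collect", consent=True, encrypted=True),
]
```

Running `audit(SAMPLE)` shows where the tiers differ: using important-grade data without consent passes, while the same operation on sensitive-grade data is flagged.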