Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

China: TC260 requests comments on draft Standard on Automated Decision-Making

On August 16, 2023, the National Information Security Standardization Technical Committee (TC260) requested public comments on the draft National Standard Information Security Technology Security Requirements for Automated Decision-Making Based on Personal Information (the draft Standard).

Definitions

In particular, the draft Standard uses the definition of automated decision-making from Article 73(2) of the Personal Information Protection Law (PIPL). Likewise, 'decision with significant impact on individual's rights and interests' under the draft Standard means decisions that have a legal impact on the realization of an individual's statutory rights and similar significant impacts on other rights of an individual.

Automated decision-making

The draft Standard divides automated decision-making into two parts. Feature generation is provided as the selection and collection of specific personal information to achieve specific business purposes and their subsequent automatic analyses. Secondly, decision-making is provided as specific actions taken on individuals with the participation of personal characteristic information provided by the feature generation.

Principles and strategy

Notably, the draft Standard outlines security risks for automated decision-making and corresponding security principles for personal information processors carrying out automated decision-making, including openness and transparency, and data quality. More specifically, the draft Standard details that an algorithmic impact assessment must be conducted prior to the development of automated decision-making algorithms. Equally, the draft Standard notes circumstances where personal information processors or algorithm developers should ensure human intervention and test and train the data used for algorithm training.

In addition, the draft Standard establishes requirements for feature generation, including personal information collection requirements, elaborating on the necessity for authentic and accurate personal information, alongside a valid legal basis.

Similarly, on decision-making, the draft Standard notes the need to take into account security requirements and the rights and interests of data subjects.

Public comments can be submitted to [email protected] until October 15, 2023.

You can read the press release here and download the draft Standard here, both only available in Chinese.