China: TC260 requests comments on draft standard on processing of important data
On August 25, 2023, the National Information Security Standardization Technical Committee (TC260) requested public comments on the draft standard Information Security Technology Important Data Processing Security Requirements. The draft standard states that it applies to the security requirements for processing important data. Specifically, 'important data' is considered to be data in a specific field or region, or data that reaches a certain level of precision and scale, that, once leaked, tampered with, or damaged, may directly endanger national security, economic operations, social stability, public health, and safety.
The draft standard outlines that data processors must, among other things:
- formulate procedures regarding the collection of personal data;
- establish a data classification management system;
- identify important data;
- formulate a data storage management system, including location, storage period, and backup and recovery systems; and
- formulate use and processing measures including access control measures.
More practically, the draft standard notes that data processors must implement a range of data security practices, including a data security risk assessment with particular criteria, emergency response measures, data protection training, and supply chain management criteria.
Overseas data transfers
Notably, the draft standard provides that when providing data overseas, data processors must:
- report to the national network information department and pass the data export security assessment;
- adopt technical and management measures to carry out cross-border data transfers, and provide such data overseas without exceeding the matters specified in the export security assessment;
- accept and handle user complaints related to data exports;
- retain relevant data export logs for more than three years;
- display, in a clear and reasonable manner, the type and scope of important data provided overseas following verification from the competent department or law enforcement department;
- cease the export of data and take effective measures to remedy the safety of exported data if the competent authority determines the data should not be exported; and
- not provide important data stored in China to foreign judicial or law enforcement agencies without the approval of the competent authority.
Further, the draft standard outlines measures to be taken when entrusting the processing of important data to third parties.
Public comments can be submitted to [email protected] until October 24, 2023.