Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

China: TC260 requests comments on requirements for data classification

The National Institute of Standards and Technology ('TC260') requested, on 14 September 2022, public comments on the draft Requirements for Classification and Grading of Information Security Technology Network Data. In particular, the TC260 highlighted that the draft requirements provide the principles and methods of data classification. More specifically, the draft requirements classify data types, including:

  • important data - data of a specific field, group, area, or certain precision and scale that, once leaked, may directly endanger national security, economic operation, social stability, public health, and safety;
  • core data - important with high coverage or high precision, large scale, and certain depths for fields, groups, and regions, and , once collected, illegal use or sharing may directly affect political security; and
  • personal information - all kinds of information related to identified or identifiable natural persons recorded electronically or otherwise, excluding anonymised information.

Further, the draft requirements clarify that data which only affects the organisation itself or individual citizens is generally not considered important data. In addition, the draft requirements establish basic principles for data classification, including that, when classifying data, organisations should select common and stable attributes, and adopt the principle of 'higher rather than lower' when multiple factors may affect data classification.

Notably, the draft requirements also set out that data classification should be based on industry field and then business attribute application. Likewise, the draft requirements detail the classification process for data processors, with special note in the classification process given to data categories, such as personal information and sensitive personal information.

Finally, the draft requirements extensively define the data grading elements that affect data classification, including domain, group, area, accuracy, scale, and depth of the data. Equally, the draft requirements provide a set of reference rules for data classification, according to the degree of impact that may be caused once data is leaked, tampered with, destroyed, illegally used, obtained, or shared.

Public comments may be submitted to [email protected] until 13 November 2022.

You can read the announcement here and the draft requirements here, both only available in Chinese.