On August 9, 2023, the National Information Security Standardization Technical Committee (TC260) released a draft cybersecurity national standard, the Information Security Technology - Security Requirements for Processing of Sensitive Personal Information, and is requesting public comments on the same. The draft standard clarifies how to identify sensitive personal information, common categories of sensitive personal information, and general security requirements for the processing of such data. Specifically, the draft standard details that the processing of sensitive personal information should have a specific purpose, and individual consent should be obtained.

On the basis of meeting the requirements of Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification, the collection, storage, use, processing, transmission, provision, disclosure, and protection measures must be taken in all aspects of processing, such as deletion. Furthermore, the draft standard looks at consent requirements, safety management requirements, and specific types of sensitive personal information, including biometric data, financial data, and health information, among others.

Public comments can be submitted via email to [email protected] until October 8, 2023.

You can read the announcement here and the draft standard here, both only available in Chinese.