China: Releases New Guidelines on Sensitive Personal Information

China’s National Information Security Standardization Technical Committee (TC260) introduced new guidelines for identifying sensitive personal information, aimed at enhancing cybersecurity practices. The guidelines were announced on 14 September 2024. Titled "Cybersecurity Standard Practice Guidelines - Sensitive Personal Information Identification," they define the types of personal data that require special protection.

Key Highlights:

The guidelines classify personal information as sensitive if its exposure or misuse could:

  • Harm a person’s dignity, for instance, by causing discrimination.

  • Threaten an individual’s safety, such as revealing their location.

  • Put a person’s financial assets at risk, like the illegal use of financial details.

The guidelines also emphasize the importance of considering both single and combined pieces of data when assessing the potential risks of a data breach.

Common Types of Sensitive Information:

Appendix A of the guidelines lists examples of sensitive personal information, including:

  • Biometric data (e.g., fingerprints, facial recognition).

  • Religious beliefs.

  • Specific identity details.

  • Health and medical records.

  • Financial account information.

  • Information about a person’s whereabouts.

  • Data related to minors.

Additionally, the guidelines note that other laws and regulations may further classify information as sensitive.

Both the press release and guidelines are available here in Chinese only.
