On 30 September 2021, the National Information Security Standardisation Technical Committee (SAC/TC 260) published the Practical Guideline for Cybersecurity Standard-Guideline on Data Classification and Grading, collecting public comments from 30 September 2021 to 13 October 2021. The key highlights of the document are:

Important Data & Core Data

While the Data Security Law (DSL) only introduced the concepts of “important data” and “national core data”, the Practical Guideline provides clear definitions. Specifically, important data refers to data that, once tampered with, damaged or leaked, or illegally obtained or used, may endanger national security or public interests. Important data does not include national secrets, personal information or enterprise internal management information; however, personal information of a certain scale may be categorised as important data if it affects national security or public interest. National core data refers to data involving national security, the national economy, important people’s livelihood and major public interests.

Personal Information

The Practical Guideline provides more detailed conditions for defining personal information, and further divides personal information into three categories: (i) general personal information, (ii) sensitive personal information, and (iii) private personal information. It also provides concrete examples for the classification of personal information, giving enterprises a reference for processing personal information and thus helping them to implement personal information protection in accordance with the Personal Information Protection Law (PIPL).

Classification and Grading

To meet the requirements in the DSL on data classification, the Practical Guideline classifies all data into three categories and five levels, as shown below:

In general, the Practical Guideline incorporates the principles, framework and rules of data classification and grading, which can serve as a reference for the competent regulatory authorities and data processors in carrying out data classification and multi-level protection.

The Practical Guidelines are standard-related technical documents, formulated and issued by the TC260 Secretariat. They aim to provide standardisation guidance concerning network security laws, regulations, policies and standards. The final version of the Guideline is expected to be released about three months after the closure of the call for comments. SESEC will compare the final document with this draft, and analyse any significant changes.