On 13 January 2022, SAC/TC260 issued a call for comments on a new standard: Information security technology – guideline for identification of critical data (draft for comments). The standard will provide basic principles and criteria for the identification of “important data”, as well as a format for describing it.
The protection of “important data” has been repeatedly highlighted in China’s policies and regulations. However, what constitutes “important data” – and how to identify it – has never been clearly determined. On 14 November 2021, CAC released a draft regulation: Administrative rules on the security of network data (draft for comments), indicating that China’s push to shape the regulatory system for “important data” is speeding up. In this context, developing a standard that defines the scope of “important data” and provides approaches for identifying it has become an urgent task.
Information security technology – guideline for identification of critical data (draft for comments) is developed exactly for this purpose.
According to the explanation of the draft standard, its development adheres to the following principles:
- Focus on national security and avoid over-extension of the scope of “important data”. Specifically, “important data” shall be defined from the perspectives of national security and public interests; its scope shall be narrowed down as much as possible, excluding data about enterprises’ production and operations, internal management, personal information, etc. “Important data” does not include secrets or classified information, as China has already established a clear working and protection system for these; still, data relating to the business sector and enterprises’ systems might fall within the scope of “important data”. Where the administrative departments of an industry have already formulated and implemented data protection policies and standards, those rules should be followed when identifying important data.
- Abide by international conventions, while taking into account Chinese characteristics. Cybersecurity shall be safeguarded in an open environment, secure data flows shall be promoted to meet the needs of globalization, and international good practices shall be used as a reference to facilitate the construction of a community with a shared future in cyberspace. In the context of booming mobile internet applications and increasingly diversified internet business models, the formulation of standards shall reflect China’s conditions and management demands, and embody the Chinese government’s principles and stance on internet governance and data security.
- Apply both qualitative and quantitative methods, and highlight operability. A combination of qualitative and quantitative methods shall be applied to identify “important data”, while the specific identification approach shall vary according to the actual situation. Data in certain sectors and application fields may be identified as “important data” because of their importance. There may also be cases where data is not identified as “important data” under general circumstances, but is identified as such once its quantity reaches a certain volume. In such cases, a quantitative approach shall be adopted to determine the boundary of the “important data”.
The draft standard proposes six principles to guide the identification of “important data”:
- Focus on the impact on security.
- Highlight key targets to be protected.
- Consistency with the current legislation.
- Comprehensive consideration of risks.
- Combination of qualitative and quantitative methods.
- Dynamic identification and review.
Furthermore, the draft standard puts forward 14 criteria to determine whether data fall within the scope of “important data”, namely:
- Relevance to China’s strategic reserves and mobilization capability in emergencies.
- Support for the operation of key infrastructure and the production of key industrial sectors.
- Reflection of the security posture of key information infrastructure, such that the data could be used to conduct network attacks.
- Linkage with export control items.
- Possibility of being used by other countries and organizations to launch military strikes against China.
- Reflection of the physical security of key targets and venues, or of the location of undisclosed geographic targets, such that the data could be used by terrorist groups and criminals for sabotage.
- Possibility of being used to disrupt the supply chain of critical equipment and system components, so as to launch network attacks such as advanced persistent threats (APT).
- Relation to basic data on population health and physiological conditions, ethnic characteristics, genetic information, etc.
- Relation to basic data on national natural resources and the environment.
- Relation to China’s scientific and technological strengths and international competitiveness.
- Relation to the production and transaction of sensitive items, and the provision and use of important equipment, such that the data could be used by foreign governments to impose sanctions on China.
- Relation to classified information generated in the course of providing services to government agencies, military enterprises and other sensitive and important organizations.
- Relation to government affairs data, work secrets, intelligence data, and law enforcement and judicial data that are not made available to the public.
- Relation to other data that may affect national security in the fields of politics, territory, the military, the economy, culture, society, science and technology, ecology, resources, nuclear facilities, overseas interests, biology, outer space, polar regions, the deep sea, etc.
The deadline for submitting comments to the draft standard is 13 March 2022. European enterprises and standardization stakeholders are encouraged to contribute actively, considering the importance of the standard and the potential impact on their operations.
The text of the draft standard (in Chinese) can be accessed via