The National Information Security Standardisation Technical Committee (also known as TC260)[1] has released the draft of a brief (non-binding) guideline on the identification of ‘important data’ (the Identification Guideline)[2].
The concept of ‘important data’ was first introduced by the Cyber Security Law (the CSL) in 2017 and has more recently been adopted into the Data Security Law (the DSL). It is a sui generis category of data that has a national security, national economic, social stability, public health and safety or other public interest dimension to it, and is subject to additional controls on cross-border transfers along with other protective measures.
The term has never been comprehensively defined, however. Under the DSL, regional and sectoral regulators have been tasked with formulating catalogues of ‘important data’ for their respective sectors “based on the importance of data in economic and social development and the degree of harm that would be caused by its destruction, divulgence, illegal acquisition or utilisation, or being tampered with, to national security, the public interest or the lawful rights and interests of individuals and organisations”[3].
The Identification Guideline, released on 13 January 2022, is the first step towards implementing this national classification system for ‘important data’. The guideline is intended to give direction to Chinese authorities in the formulation of sectoral catalogues and also to assist organisations to identify the ‘important data’ they hold.
The Identification Guideline refers to ‘important data’ as “data that exists in electronic form and may endanger national security and public interests once it is tampered with, destroyed, leaked, or illegally obtained or used”. The limitation to electronic data is new.
The guideline also clarifies that ‘important data’ is not intended to encompass data that is only important or sensitive to an organisation (such as data relating to an organisation’s internal management). Nor is it intended to include personal data, except that the guideline explains that neither statistical nor other data derived from “very large” amounts of personal information are precluded from constituting ‘important data’. In general, the Identification Guideline emphasises both the qualitative and quantitative aspects of ‘important data’, which may indicate that volume thresholds can be expected to feature in some categories.
Before the Identification Guideline, the clearest articulation of ‘important data’ from any sectoral authority has been in the Several Provisions on Vehicle Data Security Management effective from 1 October 2021. Contrary to this latest guidance, these Provisions did state that a dataset comprising the personal data of more than 100,000 individuals (i.e. vehicle owners, drivers, passengers, etc) constitutes ‘important data’.
The draft Identification Guideline identifies 14 factors that should be taken into consideration in the identification of ‘important data’. These factors can be grouped into the following three overall categories:
Defence interests, i.e. information related to:
- National strategic reserves and emergency mobilisation capabilities, e.g., strategic material production capacity and reserves.
- Information that may be used to launch military attacks against China, e.g., geographic information above a certain scale.
- Confidential information of defence contractors and other government vendors.
National security interests, i.e. information related to:
- The physical security of key infrastructure and assets, e.g., construction design, information on internal structure, the security of important production enterprises or national assets (such as railways, oil pipelines, etc).
- The operation of critical infrastructure or industrial production in key fields.
- Security protecting critical information infrastructure, e.g., network security plans, system configuration, core software and hardware design, system topology, emergency plans, etc.
- Supply chains for critical equipment and system components that could be used to mount a cyber-attack, e.g., important customer lists, undisclosed vulnerabilities, etc;
- Export-controlled items, e.g., design principles, technological processes and production methods.
- The production and use of equipment that may be sanctioned by foreign governments, e.g., financial transaction data of key enterprises, production and manufacturing information of important equipment or equipment used in the construction of major national projects and other activities.
- The operations of government and government agencies, including intelligence agencies, law enforcement and the courts, including unpublished statistics.
- Intellectual property rights related to national security (or national defence interests) and other scientific and technological information affecting China’s international competitiveness.
Strategic economic interests, i.e. information related to:
- The health and physiological status of certain population groups and genetic information, etc., e.g. population census data, human genetic resource information, and original gene sequencing data.
- National natural resources and environmental data, e.g., unpublished hydrological observation data, meteorological observation data and environmental monitoring data.
Lastly, the Identification Guideline contains a catch-all, typical of Chinese regulations, for other data that may affect national security, the military, nuclear facilities, the Chinese economy, Chinese culture and society, Chinese interests in technology, ecology, resources, biology, outer space, polar regions or the deep sea, or China’s overseas interests, etc. The Several Provisions on Vehicle Data Security Management contained a similar sweeper of “other data that reflects the performance of the economy”, alongside a list of more specific types of automobile-related data constituting ‘important data’.
Organisations that hold ‘important data’ will need to pass a government security assessment and obtain approval to transfer any of that information overseas. They will also need to appoint a data security officer, carry out annual risk assessments and submit an annual risk assessment report to the provincial-level Cyber Security Administration (and possibly also the municipal police) along with an annual report of overseas transfers of ‘important data’. See here, here and here for more information.
The Draft Administrative Regulations on Network Data Security issued in November 2021 would, if enacted in the form of the draft proposal, require organisations to also report to the provincial-level Cyber Security Administration within 15 working days of identifying that they hold ‘important data’.
[1] TC260 is jointly operated by the Cyber Security Administration and the Standardisation Administration of China.
[2] https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20220113195354&norm_id=20201104200036&recode_id=45625
