The National Information Security Standardisation Technical Committee (TC260) released a draft guidance document in Q4 2022 giving direction to government departments and sectoral regulators on classifying and grading network data (the Draft Guidance Document). It provides a methodology and set of criteria for grading data as either ‘important data’ or ‘core data’. The foreword mentions contributions to the standard from, among others, the Ministry of Public Security, the National Information Technology Security Research Center (国家信息技术安全研究中心) and the China Cyber Security Review Technology and Certification Center (中国网络安全审查技术与认证中心).
We have previously written about a draft guideline released by the TC260 in January 2022 on the identification of ‘important data’. That document was the first step in implementing mainland China’s national classification system for ‘important data’. The Draft Guidance Document is an additional step and provides further guidance to sectoral and regional regulators on classifying data as either ‘core data’ or ‘important data’.
What is ‘important data’ and what is ‘core data’?
Neither ‘important data’ nor ‘core data’ has been comprehensively defined in law.
‘Important data’ is a sui generis category of data that was introduced by the Cybersecurity Law (CSL) in 2017 and has more recently been adopted into the Data Security Law (DSL), but without further elaboration. It encompasses data with a national security, national economic, social stability, public health and safety or other public interest dimension.
According to Article 21 of the DSL, ‘core data’ is data with “a bearing on national security, the lifelines of national economy, important aspects of people’s livelihood and major public interests”. ‘Core data’ is subject to more stringent controls than ‘important data’, including a total export ban and a requirement for all ‘core data’ to be localised.
It emerges from the Draft Guidance Document that ‘core data’ is a higher grading of ‘important data’. In assessing whether data should be graded as ‘important data’ or ‘core data’, the Draft Guidance Document advises sectoral and regional regulators to consider each of the following factors:
- national security
- Chinese economic interests
- social stability
- the public interest.
The Draft Guidance Document’s analytical framework for classifying data.
The Draft Guidance Document provides an analytical framework to regulators for assessing whether data is ‘important data’ or ‘core data’. The framework assists regulators in formulating catalogues of ‘important data’ and classifying ‘core data’. Under the framework, data is classified as ‘important data’ or ‘core data’ depending on the degree of risk associated with leakage, etc. of that data. Data associated with a higher threat level is classified as ‘core data’.
‘Important data’ is data associated with a risk of leakage, etc. that would cause:
- “general” harm to national security interests or Chinese economic interests; or
- “serious” harm to social stability or the public interest.
‘Core data’ is data associated with a risk of leakage, etc. that would cause a higher degree of harm than ‘important data’, being:
- “serious” harm to national security interests; or
- “particularly serious” harm to Chinese economic interests, social stability or the public interest.
| | “particularly serious” harm | “serious” harm | “general” harm |
| --- | --- | --- | --- |
| National security | ‘core data’ | ‘core data’ | ‘important data’ |
| Chinese economic interests | ‘core data’ | ‘important data’ | ‘important data’ |
| Social stability | ‘core data’ | ‘important data’ | N/a |
| Public interest | ‘core data’ | ‘important data’ | N/a |
The Draft Guidance Document provides some illustrative examples that contextualise the analytical framework.
| Data classification | Classification criteria and examples |
| --- | --- |
| ‘Core data’ | A “serious” or higher level of risk is associated with data that, if leaked, etc. would: National security |
| | A “particularly serious” level of risk is associated with data that, if leaked, etc. would: Chinese economic interests; Social stability; Public interest |
| ‘Important data’ | A “general” level of risk is associated with data that, if leaked, etc. would: National security; Chinese economic interests |
| | A “serious” level of risk is associated with data that, if leaked, etc. would: Social stability; Public interest |
The Draft Guidance Document provides insight into the analysis government departments and sectoral regulators will undertake when grading data and formulating catalogues of ‘important data’. However, while the guidance gives a sense of the direction of TC260’s thinking in scoping the parameters of ‘important data’ and ‘core data’, the advice cannot be put into practice directly in the absence of the industry catalogues themselves.
There has been no indication yet of when these catalogues will be released.
(With many thanks to Jason Hu for his work on this post.)