China Releases Draft Guidelines To Help Organisations Identify Critical Data Under The Data Security Law.

Why the Draft Guidelines matter

According to the DSL, all types of data shall be subject to a classification protection system. The classification of data is based on (i) the importance of the data in economic and social development; and (ii) the extent of harm to national security, public interest, the lawful rights and interests of individuals or organisations once the data is altered, destroyed, leaked, or illegally obtained or used. Various PRC authorities will work together to formulate a catalogue for critical data.

Further, the DSL provides that data relating to (i) national security; (ii) China’s economic lifeline; (iii) important aspects of people’s livelihoods; and (iv) major public interests is core data (ie 核心数据) to which a stricter management system applies.

The DSL has also imposed a number of obligations on organisations which handle critical data, including restrictions on transferring critical data outside of China unless the relevant data export management measures have been complied with. There is also a data localisation requirement on critical data handled by “critical information infrastructure operators” (a term created under the Cybersecurity Law).

It is also worth mentioning that the consultation draft of the Regulations on Network Data Security Management, which was released in November 2021, has also shed light on what “critical data” means, ie data which, if tampered with, leaked, compromised, or illegally acquired or used, may cause harm to national security or public interest.

Organisations in both the public and private sectors (including government departments) must comply with the data classification protection system established under the DSL.

6 key principles for identifying “critical data”

The Draft Guidelines set out six principles for identifying critical data:

1. Data must be assessed based on its security impact from the perspectives of state security, economy, social stability, public health and safety, etc. Data which is only important to organisations internally shall not be regarded as critical data.

2. Data classification is important in identifying the area(s) of focus for protection. By classifying data and specifying security protection priorities, only critical data would be subject to additional requirements to the ensure free flow of non-critical data.

3. Existing local regulations and industry practice must be considered to ensure the additional measures work seamlessly with them.

4. Risks should be assessed in a holistic matter including the data’s confidentiality, completeness, availability, authenticity, and accuracy, etc.

5. Both the quality and quantity of data must be considered.

6. The assessment must be conducted and reviewed on a regular basis because the uses of the data, the way that the data is shared and the importance of data may change over time.

14 factors to be considered when identifying “critical data”

The following are key factors to be considered when an organisation identifies critical data:

1. data reflecting national strategic reserves and emergency mobilisation capacity;

2. critical infrastructure operations or industrial production in core sectors;

3. protection of critical information infrastructure and reduction of cyber security risks;

4. export control items;

5. likelihood to be used by foreign countries or organisations to initiate a military attack against China;

6. location of key targets, important sites or undisclosed geographical targets;

7. likelihood to be used to disrupt the supply chain of critical equipment and system components;

8. basic data reflecting the health and physiological status of the population, ethnic characteristics, genetic information, etc;

9. data relating to natural resources and the environment;

10. data relating to the level of scientific and technological advancement and the country’s competitiveness;

11. data relating to the production and trading of sensitive items and equipment which are likely to be subject to sanctions imposed by foreign countries;

12. data generated in the course of providing services to government agencies, military enterprises and other sensitive and important institutions that is not suitable for disclosure;

13. undisclosed government data, commercial secrets, intelligence data and law enforcement as well as judicial data; and

14. other data that may affect national, political, territorial, military, economic, cultural, social, scientific, technological, ecological, natural resources, nuclear, China’s interests overseas, biological, space and marine security.

Our China data and cyber law offering