On 1 January 2023 new regulations came into effect which standardise the data security measures applicable to industry and information technology data. The Administrative Measures for Data Security for Industry and Information Technology Data (Measures) follow on from the Data Security Law (DSL, which came into effect on 1 September 2021) which passed responsibility for data security supervision within the industry and telecommunications sector to the Ministry of Industry and Information Technology (MIIT).
The Measures, introduced by MIIT, frame the fundamentals of the data security regulatory system, providing clarity on the scope of application, as well as the security measures to be taken by data controllers in the industry and information technology sector.
What is the scope of application of the Measures?
In determining the application of the Measures to data processing activities, the Measures define their scope by reference to the following:
- Industry and information technology data, which is broken down into three categories: (i) industry data, which is the data generated and collected during processes including R&D, production, operations and business in the industrial sector, (ii) telecommunications data, which is the operational data generated and collected from telecommunications businesses, and (iii) radio data, which is operational data generated and collected from radio businesses;
- Data controller in the industry and information technology sector, which refers to data controllers in industrial enterprises, software and information technology service enterprises, telecommunication business operators who have obtained telecommunication business licenses, radio frequency and station users, and other entities in the industrial and information technology sector; and
- Processing activity, which covers the whole data lifecycle, including data collection, storage, usage, transmission, disclosure and other activities.
Responsibilities for data classification, grading and management
The Measures clarify the responsibilities of the regulators and the obligations of data controllers in relation to the classification and grading of data and to data grading management.
The Measures classify data into different types (such as R&D, production operations, management, operations and maintenance and business services data) according to factors such as the industry requirements and characteristics, business needs, data sources and uses.
The Measures also grade data based on the level of harm that would be caused to national security, public interests or the legitimate rights and interests of individuals and organisations if it is tampered with, destroyed, disclosed or illegally acquired or used. There are three levels: (i) general, (ii) important and (iii) core data. Whilst the Measures outline the basic conditions for each, further clarification is needed on the data grading standards to enable the specific level of data to be correctly identified.
A data controller must file its important data and core data catalogue with the local counterpart of MIIT. If there is a substantial change to the information filed, the data controller is required to update the information within three months. It is worth noting that these filing requirements go beyond the existing requirements under the DSL.
Data lifecycle security management
The Measures set out the specific security protection required throughout the whole data lifecycle, as detailed in the table below. Again, some of these requirements go beyond the existing requirements under the DSL.
| Data processing activity | Protection requirement – all data | Protection requirement – important data | Protection requirement – core data |
| --- | --- | --- | --- |
| Collection | Follow the principles of legality and fairness | Strengthen management of personnel and equipment which are collecting important and core data; record data collection source, time, type, etc.; for important and core data acquired indirectly, enter into relevant agreements with data providers | |
| Storage | Store data in accordance with laws and agreements with users | Adopt verification technologies, password technologies and other measures for safe storage; implement data disaster recovery backup and storage media security management; regularly carry out data recovery testing | |
| Use and processing | For automatic decision-making, ensure transparency of decision-making and fairness and reasonableness of results; for data processing services related to telecommunications business, obtain telecommunications business licenses | Strengthen access control | |
| Transmission | Formulate safety strategies and adopt protective measures based on data type, level and application | Adopt verification technologies, cryptography technologies, secure transmission channels or agreements, etc. | |
| External disclosure | Specify disclosure scope, type, condition, procedure, etc. | Enter into data security agreements with data recipients; verify data protection capability of data recipients | Enter into data security agreements with data recipients; verify data protection capability of data recipients; evaluate security risks; obtain approvals from MIIT |
| Disclosure to the public | Analyse impact on national security and public interests | | |
| Destruction | Establish data destruction systems | Prohibit restoration of destroyed data; handle filing on change in data with the local counterpart of MIIT | |
| Outbound transfer | Obtain approval of MIIT for retrieval of data by offshore law enforcement agencies¹ | Store important and core data in the PRC; carry out data export security assessment prior to any outbound transfer | |
| Mergers & acquisitions | Specify data transfer plans | Handle filing on change in data with the local counterpart of MIIT | Handle filing on change in data with the local counterpart of MIIT; evaluate security risks; obtain approvals from MIIT |
| Authorising third parties to carry out data processing activities | Enter into contracts and specify rights and obligations | Verify data protection capability and certificates of authorised party | Verify data protection capability and certificates of authorised party; evaluate security risks; obtain approvals from MIIT |
Data security monitoring and emergency management
The Measures require data controllers to monitor data security by:
- carrying out data security risk monitoring, investigating security risks and taking necessary measures to prevent data security risks;
- promptly reporting to the competent authorities any risks that may cause material security incidents;
- following emergency response plans upon the occurrence of data security incidents, and timely reporting to the competent authorities; and
- promptly reporting to users any data security incidents that may harm users’ legitimate rights and interests, and providing risk mitigation measures.
Data security assessment
The Measures require data controllers of important data and core data to carry out risk assessments on their data processing activities at least once a year. The assessment can be carried out by the data controller itself or by an authorised third party. The data controller is required to rectify any risks identified in a timely manner and to submit the risk assessment report to the local counterpart of MIIT. While a risk assessment is already required under the DSL, the Measures add the requirement that it be carried out at least once a year.
Our observations
The Measures set out the framework for protecting the security of industry and information technology data and impose compliance requirements on data controllers in relation to data processing and security monitoring. A few local counterparts of MIIT have already published implementation rules or plans to enforce the Measures. Data controllers in the industry and information technology sector need to keep a close watch on regulatory developments to ensure full compliance with the data security obligations in this sector.