On September 18, 2024, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China released the “Cybersecurity Standard Practice Guideline – Sensitive Personal Information Identification Guideline” (the “Guideline”).
Prior to this Guideline, existing laws of China, such as the Personal Information Protection Law and the Information Security Technology – Personal Information Security Specification, provided the definition of sensitive personal information and certain examples. This Guideline seeks to further clarify the scope and provide a more detailed explanation of what sensitive personal information is in China.
Rules for Identification of Sensitive Personal Information
According to the Guideline, personal information is to be deemed sensitive personal information if, once disclosed or used illegally, it can easily lead to:
- the infringement of the human dignity of natural persons;
- the infringement of the personal safety of natural persons; or
- the infringement of the safety of property of natural persons.
Categories and Examples of Sensitive Personal Information
The Guideline provides common categories of sensitive personal information, such as biometric information, religious belief information, specific identification information, health information, financial account information, personal information of minors under 14 years old, and other information that falls within the rules for identification of sensitive personal information.
The Guideline also provides examples of sensitive personal information, such as precise location information, identity card photos, sexual orientation, sex life, credit information, and criminal record information.