ARTICLE
21 December 2022

Overview Of MIIT's New Rules Regarding Data Security

Zhong Lun Law Firm

Zhong Lun Law Firm, which has achieved a leading market position in China, with over 370 equity partners, more than 2,400 professionals, and close inter-department collaboration among 18 offices, is capable of providing clients with high-quality legal services in more than 60 jurisdictions across a wide range of industries and sectors.

On December 8, 2022, the Ministry of Industry and Information Technology ("MIIT") promulgated the Measures for Data Security Management in Industry and Information Technology Sector (for Trial Implementation) ("Measures"), a landmark piece of legislation for China's industry and information technology sectors. The Measures introduce and clarify several very important concepts, such as core data and important data in the sector.

This article would like to briefly introduce the Measures for enterprises practicing in the said sector.

I. Who must comply?

The Measures apply to the data processing activities in the industrial and information technology field in China. The industrial and information technology data concerned under the Measures refers to industrial data, telecom data and radio data.

As such, there are three types of industrial and information technology data processors under the Measures ("data processors"; under Chinese law, the concept of data processor covers both controllers and processors in the GDPR sense): (i) industrial data processors; (ii) telecom data processors; and (iii) radio data processors. In brief, the enterprises targeted by the Measures cover a wide range of data processors, such as industrial enterprises, software and information technology service enterprises, and telecom operators that have obtained operation permits, such as ICP licence holders. In short, all data processors in the industrial manufacturing and IT sectors are regulated under the Measures.

II. What are the key compliance obligations under the Measures?

1. Classified and graded data protection system

A classified and graded data protection system is a vital management measure under the Data Security Law and the Measures. In accordance with the Measures, industrial and information technology data may be categorized as:

  • By Classification: R&D data, production and operation data, management data, operation and maintenance data, business service data, etc., from the perspective of industry requirements, characteristics, business needs, data sources and uses;
  • By Gradation: general data, important data and core data, on the basis of the damage to national security, public interests, or the legitimate rights and interests of individuals or organizations in the event that the data are tampered with, destroyed, leaked, or illegally obtained or used.

Data processors should implement protection measures per classification and gradation of the data, such as different operating procedures. Where the data of different grades are processed simultaneously and it is difficult to take separate protection measures, the data processor should implement protection requirements in accordance with the highest grade of the data concerned.

In other words, when graded protection is applied across all types of data and data of different grades are processed at the same time without separate protective measures being practicable, protection must be implemented in accordance with the requirements of the highest grade, so that the data remain in a state of effective protection and legitimate use.

2. Catalogue of core data and important data for the industry and information technology sector

2.1 Introduction of catalogue of core data and important data for the industry and information technology sector

According to the Measures, MIIT and local authorities will formulate a catalogue of important data and core data for the industry and information technology sector ("Catalogue") based on the potential damage effect of the data concerned. The Catalogue plays a crucial role in the establishment of a classified and graded data protection system.

In the meantime, the Measures also provide damage effect standards as the rules to distinguish core, important, and general data. It is the first time that the scope of core data has been clarified in binding legislation.

Please see the table of standards for core data and important data for your reference.

Data Gradation: Important Data

Standards:

  • Data that constitutes a threat to politics, land, military, economy, culture, society, science and technology, electromagnetism, network, ecology, resources, nuclear security, etc., and severely affects overseas interests, biology, space, polar regions, deep sea, artificial intelligence and other key areas related to national security;
  • Data that has a severe impact on the development, production, operation and economic interests of the industry and information technology sectors;
  • Data that causes major data security incidents or production security accidents, exerts a severe impact on public interests or the legitimate rights and interests of individuals and organizations, and exerts a large negative impact on society;
  • Data that has an obvious cascading effect, where the scope of influence involves multiple industries, regions or multiple enterprises in the industry, or the impact lasts for a long time, causing severe impact on industry development, technology advancement and industrial ecology; and
  • Other important data determined by the MIIT.

Data Gradation: Core Data

Standards:

  • Data that constitutes a severe threat to politics, land, military, economy, culture, society, science and technology, electromagnetism, network, ecology, resources, nuclear security, etc., and severely affects overseas interests, biology, space, polar regions, deep sea, artificial intelligence and other key areas related to national security;
  • Data that has a significant impact on the industry and information technology sectors, including important key enterprises and key information infrastructure within those sectors;
  • Data that can cause significant damage to industrial production and operation, telecom network and Internet operation services, the operation of the radio business, etc., resulting in the widespread shutdown of production, large-scale interruption of the radio business, large-scale standstill of networks and services, and a significant loss of business handling capabilities; and
  • Other core data determined by the MIIT.

2.2 Obligations of data processors in relation to the Catalogue

According to the Measures, a data processor shall undertake the following obligations on the basis of the Catalogue.

(1) Customized catalogue of important data and core data

A data processor is obligated to create its own catalogue of important data and core data based on the Catalogue and other relevant rules. In this sense, the data processor should proactively conduct data classification and grading and keep an eye on the publication and updates of the Catalogue.

(2) Filing of the catalogue

A data processor must file the catalogue of important data and core data created by itself with the local regulatory department.

The filing document includes essential details such as data source, classification, grade, scale, carrier, purpose and method of processing, scope of use, responsible entities, external information sharing, cross-border transmission, security protection measures, etc. Notably, however, the filing document does not cover the data itself.

Moreover, the data processor shall re-file the updated catalogue of important data and core data within three months of any substantial change. A change of 30% or more in the scale of the important data and core data (including data entries and volume), or any change to the reported content, is considered a substantial change.

3. Special obligations for important data and core data processors

3.1 Storage

Important data and core data collected and generated in China shall be stored within China where laws and administrative regulations so require, and a data export security assessment shall be conducted in the case of cross-border transmission.

In addition, the data processors are forbidden to provide industry and information technology data stored within China to foreign industrial, telecommunications, and radio law enforcement agencies without the permission of the MIIT.

3.2 Data security management

Important and core data processors undertake more obligations in terms of data security management. To be specific:

(i) Appointing the responsible personnel and management body for data security, and establishing a regular communication and collaboration mechanism to fully implement data security protection responsibilities. The person chiefly responsible for data security is generally the legal representative or the principal of the enterprise, and the member(s) of the leadership team responsible for data security act as the directly liable person(s).

(ii) Defining key data processing positions and job responsibilities, and concluding a data security liability statement with the key position personnel, which includes job responsibilities, obligations, penalties, precautions, etc.

(iii) Establishing internal registration, approval and other working mechanisms, and keeping records of important data and core data processing activities.

3.3 Annual data security risk assessment

Important data and core data processors are obligated to conduct a data security risk assessment at least once a year, either by themselves or through a third party, and the assessment report shall be submitted to the relevant local industry regulators.

In addition to the special obligations summarized above, data processors that do not handle important data or core data also bear compliance obligations, such as whole-life-cycle data security management, data security monitoring in daily operations and emergency management, data security training, etc.

Conclusion

Data processors, whether important data and core data processors or ordinary data processors, should establish the various data security management mechanisms and measures required by the Measures, conduct data compliance risk assessments and carry out any rectification that proves necessary. Moreover, it is strongly suggested that data processors pay attention to the supporting norms and standards developed by the regulatory authorities, especially the Catalogue.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
