On 14 September, China’s chief committee on technical standards – the National Information Security Standardisation Technical Committee of China (or TC260) – released for public consultation a draft national standard entitled the Information Security Technology – Requirements for Classification and Grading of Network Data (Draft Standard).

The Draft Standard connects upper-level laws and regulations for cyberspace with other lower-level national standards and industry standards. It may play a fundamental role in establishing the classified and graded data protection system first framed by China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law.

Our key take-aways from the Draft Standard for tech and other businesses are below.

Consistency with existing rules

TC260’s drafting statement that accompanies the Draft Standard explains that this new guideline aims to be consistent with existing laws, regulations and national standards and is complementary to other standards. On the micro level, the definitions used in the Draft Standard mirror those used in other rules – e.g. “general data”, “important data”, “core data”, “personal information” and “data processor”. This exemplifies an effort to connect and harmonise different rules rather than break new ground.

For businesses in sectors for which mandatory or authoritative standards regarding data classification and grading are already in place, such as finance, basic telecommunications, and autonomous driving, the Draft Standard makes clear that these operators should strictly follow their respective industry standards as a first priority – the Draft Standard, once in effect, will only play a complementary role to guide data protection. As such, it will remain key for organisations to lobby and collaborate with their supervisory authorities to ensure that data classifications for their industries are fit-for-purpose. A good, recent example of industry advocacy is the release at Beijing’s 2022 World Intelligent Connected Vehicle Conference of the “White Paper on Data Classification and Grading in Demonstration Areas of High-level Autonomous Driving Tests”, which analyses various techniques in automotive data security and data classification management based on experience of industries in Beijing.

Impact on businesses

We predict that the Draft Standard will mainly have a direct impact on industries instead of individual businesses. While the drafting statement describes the Draft Standard as providing “reference for data processors to conduct classified and graded protection of data”, it emphasises that the key functions of the standard are to:

  • establish industry-level data classification and grading norms, and
  • classify and grade data protection work of different localities and departments using common specifications.

Within this framework, different industries, provinces and cities can be expected to formulate rules to implement the Draft Standard, which, in turn, indirectly guide businesses’ own practices.

Proposing workflow for data classification and grading

The most significant contribution of the Draft Standard is to suggest a workflow for data classification and grading. This consists of the following 5 steps:

Data classification requirements

The Draft Standard requires data to first be classified according to the relevant sector, then it can be further classified based on the business attributes of that sector.

Depending on the sector, data classification includes financial, health, telecommunications, energy, transportation, industrial, natural resources, education and scientific data. Industry regulators will prescribe the applicable business attributes for players under their respective jurisdictions to further classify the data. The Draft Standard provides eight common business attributes for reference:

  • Business area
  • Responsible department
  • Description object
  • Upstream/downstream
  • Data subject
  • Data use
  • Data processing
  • Data source

Data specifically regulated by existing laws and regulations (such as personal information and sensitive personal information) should be identified and classified in accordance with the relevant rules.

Data grading requirements

The grading of a dataset would be dictated by the subject that is impacted and the degree of impact on it. The matrix below shows how the six impact objects and the three degrees of impact decide whether the data are “general”, “important” or “core”.

Disappointingly, the Draft Standard does not give businesses a more practical understanding of what amounts to “core” or “important” data in their respective industries.

Development of personal information

One development in the Draft Standard relates to personal information. Appendix H of the Draft Standard classifies personal information into 16 categories, adding three additional categories than the previous 2020 national standard regarding personal information, comprising “identification information”, “personal label information”, and “personal sports information”. Appendix H also adds subcategories for six of the personal information categories.

The public consultation will end on 13 November 2022. Please let us know if you would like to comment on the draft via us.