On 1 January 2023 new regulations came into effect which standardise the data security measures applicable to industry and information technology data. The Administrative Measures for Data Security for Industry and Information Technology Data (Measures) follow on from the Data Security Law (DSL, which came into effect on 1 September 2021) which passed responsibility for data security supervision within the industry and telecommunications sector to the Ministry of Industry and Information Technology (MIIT).
The Measures, introduced by MIIT, frame the fundamentals of the data security regulatory system, providing clarity on the scope of application, as well as the security measures to be taken by data controllers in the industry and information technology sector.
What is the scope of application of the Measures?
In determining the application of the Measures to data processing activities, the Measures define their scope by reference to the following:
- Industry and information technology data, which is broken down into three categories: (i) industry data, which is the data generated and collected during processes including R&D, production, operations and business in the industrial sector, (ii) telecommunications data, which is the operational data generated and collected from telecommunications businesses, and (iii) radio data, which is operational data generated and collected from radio businesses;
- Data controller in the industry and information technology sector, which refers to data controllers in industrial enterprises, software and information technology service enterprises, telecommunication business operators who have obtained telecommunication business licenses, radio frequency and station users, and other entities in the industrial and information technology sector; and
- Processing activity, which covers the whole data lifecycle, including data collection, storage, usage, transmission, disclosure and other activities.
Responsibilities for data classification, grading and management
The Measures clarify the responsibilities of the regulators and the obligations of data controllers in relation to the classification and grading of data and to data grading management.
The Measures classify data into different types (such as R&D, production operations, management, operations and maintenance and business services data) according to factors such as the industry requirements and characteristics, business needs, data sources and uses.
The Measures also grade data based on the level of harm that would be caused to national security, public interests or the legitimate rights and interests of individuals and organisations if it is tampered with, destroyed, disclosed or illegally acquired or used. There are three levels: (i) general, (ii) important and (iii) core data. Whilst the Measures outline the basic conditions for each, further clarification is needed on the data grading standards to enable the specific level of data to be correctly identified.
A data controller must file its important data and core data catalogue with the local counterpart of MIIT. If there is a substantial change to the information filed, the data controller is required to update the information within three months. It is worth noting that these filing requirements go beyond the existing requirements under the DSL.
Data lifecycle security management
The Measures set out specific security protection that is required throughout the whole data lifecycle, as detailed in the chart below. Again, some of these requirements go beyond the existing requirements under the DSL.
Data processing activity | Protection requirement - all data | Protection requirement - important data | Protection requirement - core data
Collection | | |
Storage | | |
Use and processing | | |
Transmission | | |
External disclosure | | |
Disclosure to the public | | |
Destruction | | |
Outbound transfer | | |
Mergers & acquisitions | | |
Authorising third parties to carry out data processing activities | | |
Data security monitoring and emergency management
The Measures require data controllers to monitor data security by:
- carrying out data security risk monitoring, investigating security risks and taking necessary measures to prevent data security risks;
- promptly reporting to the competent authorities any risks that may cause material security incidents;
- following emergency response plans upon the occurrence of data security incidents, and timely reporting to the competent authorities; and
- promptly reporting to users any data security incidents that may harm users' legitimate rights and interests, and providing risk mitigation measures.
Data security assessment
The Measures require data controllers of important data and core data to carry out risk assessments on their data processing activities at least once a year. This can be carried out by the data controller itself or by using an authorised third party. The data controller is required to rectify any risks identified in a timely manner and submit the risk assessment report to the local counterpart of MIIT. While it is an existing requirement under the DSL, the Measures specify that such risk assessment shall be implemented at least once a year.
Our observations
The Measures set out the framework for protecting the security of industry and information technology data and impose compliance requirements on data controllers in relation to data processing and security monitoring. A few local MIITs have already published implementation rules or plans to enforce the Measures. Industry and information technology data controllers need to keep a close watch on the regulatory developments to ensure full compliance with the data security obligations in this sector.