What are the data security management measures?

The "Data Security Management Measures" are to safeguard national security and social public interests, protect the legitimate rights and interests of citizens, legal persons and other organizations in cyberspace, and protect individuals Information and important data security, departmental regulations formulated in accordance with the "Cybersecurity Law of the People's Republic of China" and other laws and regulations.

The content is as follows:

Chapter 1 General Provisions

Article 1 In order to safeguard national security, social and public interests, and protect citizens, legal persons and other organizations These measures are formulated in accordance with the "Cybersecurity Law of the People's Republic of China" and other laws and regulations to safeguard the legitimate rights and interests in cyberspace and ensure the security of personal information and important data.

Article 2 These Measures shall apply to the use of the Internet to carry out data collection, storage, transmission, processing, use and other activities (hereinafter referred to as data activities), as well as the protection, supervision and management of data security within the territory of the People's Republic of China. Exceptions are made for purely family and personal matters.

If laws and administrative regulations provide otherwise, such provisions shall prevail.

Article 3: The state insists on paying equal attention to data security and development, encourages the research and development of data security protection technology, actively promotes the development and utilization of data resources, and ensures the orderly and free flow of data in accordance with the law.

Article 4: The state takes measures to monitor, defend, and deal with data security risks and threats originating from within and outside the People's Republic of China, protect data from leakage, theft, tampering, damage, illegal use, etc., and punish them in accordance with the law Illegal and criminal activities that endanger data security.

Article 5 Under the leadership of the Central Cybersecurity and Informatization Commission, the national cybersecurity and informatization department shall coordinate, guide and supervise the security protection of personal information and important data.

Cyberspace departments at prefecture (city) and above shall guide and supervise the security protection of personal information and important data within their respective administrative regions in accordance with their responsibilities.

Article 6 Network operators shall, in accordance with the provisions of relevant laws and administrative regulations and with reference to national network security standards, perform data security protection obligations, establish data security management responsibilities and evaluation and assessment systems, formulate data security plans, and implement Data security technical protection, conduct data security risk assessment, formulate contingency plans for network security incidents, handle security incidents in a timely manner, and organize data security education and training.

Related recommendations: "FAQ"

Chapter 2 Data Collection

Article 7 Network operators pass the website , applications and other products that collect and use personal information must separately formulate and disclose collection and use rules. Collection and use rules can be included in the privacy policies of websites, applications and other products, or can be provided to users in other forms.

Article 8 Collection and use rules should be clear, specific, simple, popular, and easy to access, highlighting the following content:

(1) Basic information of network operators;

(2) The name and contact information of the main person in charge of the network operator and the person responsible for data security;

(3) The purpose, type, quantity, frequency, method, scope, etc. of collecting and using personal information;

(4) The location, period and handling method of personal information after expiration;

(5) Rules for providing personal information to others, if provided to others;

(6) Personal information security protection strategies and other related information;

(7) Personal information subject’s withdrawal of consent, and ways and methods to query, correct, and delete personal information;

(8) Complaint and reporting channels and methods, etc.;

(9) Other contents stipulated by laws and administrative regulations.

Article 9 If the collection and use rules are included in the privacy policy, they should be relatively concentrated and clearly indicated for easy reading. In addition, network operators can collect personal information only when users know the collection and use rules and expressly agree.

Article 10 Network operators should strictly abide by collection and use rules. The functional design of websites and applications that collect or use personal information should be consistent with the privacy policy and adjusted simultaneously.

Article 11 Network operators shall not force or mislead personal information subjects to consent to their consent through default authorization, function bundling, etc. on the grounds of improving service quality, enhancing user experience, pushing information in a targeted manner, developing new products, etc. Collection of personal information.

After the personal information subject agrees to collect personal information to ensure the operation of the core business functions of network products, the network operator shall provide core business function services to the personal information subject, and shall not collect the above information due to the personal information subject's refusal or withdrawal of consent. other information while refusing to provide core business function services.

Article 12 If collecting personal information of minors under the age of 14, consent from their guardians must be obtained.

Article 13 Network operators shall not take discriminatory actions against personal information subjects based on whether the personal information subject has authorized the collection of personal information and the scope of authorization, including service quality, price differences, etc.

Article 14 Network operators who obtain personal information from other channels have the same protection responsibilities and obligations as directly collecting personal information.

Article 15 If network operators collect important data or sensitive personal information for business purposes, they should file a record with the local cybersecurity and informatization department. The filing content includes collection and use rules, purpose, scale, method, scope, type, period, etc. of collection and use, but does not include the data content itself.

Article 16 Network operators who use automated means to access and collect website data shall not hinder the normal operation of the website; such behavior seriously affects the operation of the website. If the automated access and collection traffic exceeds one-third of the website's average daily traffic, When the website requests to stop automated access collection, it should stop.

Article 17 If a network operator collects important data or sensitive personal information for business purposes, it shall specify the person responsible for data security.

The person responsible for data security shall be a person with relevant management experience and data security expertise. He shall participate in important decisions regarding data activities and report directly to the main person in charge of the network operator.

Article 18 The person responsible for data security shall perform the following responsibilities:

(1) Organize the formulation of data protection plans and supervise their implementation;

(2) Organize the development of data security risks Evaluate and urge the rectification of security risks;

(3) Report data security protection and incident handling to relevant departments and cybersecurity departments as required;

(4) Accept and handle user complaints and reports .

Network operators should provide necessary resources to those responsible for data security to ensure that they perform their duties independently.

Chapter 3 Data Processing and Use

Article 19 Network operators shall refer to relevant national standards and adopt data classification, backup, encryption and other measures to strengthen the protection of personal information and important data protection.

Article 20 Network operators should not store personal information beyond the retention period specified in the collection and use rules. Users should promptly delete their personal information after canceling their accounts. After processing, they cannot be associated with a specific individual and cannot be restored (below) Except for (called anonymization processing).

Article 21: When network operators receive requests for inquiries, corrections, deletions of personal information and user account cancellation requests, they shall inquire, correct, delete or cancel accounts within a reasonable time and cost.

Article 22 Network operators shall not use personal information in violation of collection and use rules. If it is really necessary to expand the scope of use of personal information due to business needs, the consent of the personal information subject must be obtained.

Article 23 Network operators who use user data and algorithms to push news information, commercial advertisements, etc. (hereinafter referred to as "targeted push") shall clearly indicate the word "targeted push" to provide users with a stop The function of receiving targeted push information; when the user chooses to stop receiving targeted push information, he should stop the push and delete the collected user data and personal information such as device identification codes.

Network operators carrying out targeted push activities should abide by laws and administrative regulations, respect social morality, business ethics, public order and good customs, be honest and trustworthy, and strictly prohibit discrimination, fraud and other behaviors.

Article 24 Network operators who use big data, artificial intelligence and other technologies to automatically synthesize news, blog posts, posts, comments and other information should clearly indicate the word "synthesized"; they must not seek benefits or harm. Automatically synthesize information for the benefit of others.

Article 25 Network operators should take measures to urge and remind users to be responsible for their own online behavior and strengthen self-discipline. For users who forward information produced by others through social networks, they should automatically mark the information producer on that social network. An account or unchangeable user ID on a network.

Article 26 When network operators receive reports and complaints about counterfeiting, counterfeiting, or misappropriation of information released in the name of others, they shall respond promptly, and once verified, immediately stop dissemination and delete the information.

Article 27 Before providing personal information to others, network operators shall assess the possible security risks and obtain the consent of the personal information subject. Except for the following circumstances:

(1) Collected from legal public channels and not obviously against the wishes of the personal information subject;

(2) Personal information disclosed by the subject on its own initiative;

(3) ) after anonymization;

(4) Necessary for law enforcement agencies to perform their duties in accordance with the law;

(5) Necessary for safeguarding national security, social public interests, and the life safety of personal information subjects.

Article 28 Before publishing, sharing, trading or providing important data overseas, network operators shall assess the possible security risks and report to the competent industry regulatory authorities for approval; the competent industry regulatory authorities shall not If it is clear, it should be approved by the provincial cybersecurity and informatization department.

The provision of personal information overseas shall be subject to relevant regulations.

Article 29 If domestic users access the domestic Internet, their traffic shall not be routed overseas.

Article 30 Network operators should clarify data security requirements and responsibilities for third-party applications connected to their platforms, and urge and supervise third-party application operators to strengthen data security management. If a data security incident occurs in a third-party application and causes losses to users, the network operator shall bear part or all of the responsibility, unless the network operator can prove that it is not at fault.

Article 31: If a network operator merges, reorganizes, or goes bankrupt, the data recipient shall assume data security responsibilities and obligations. If there is no data recipient, the data should be deleted. If laws and administrative regulations provide otherwise, such provisions shall prevail.

Article 32: Network operators analyze and utilize the data resources at their disposal to publish market forecasts, statistical information, personal and corporate credit and other information, and shall not affect national security, economic operations, social stability, or harm the legitimate rights and interests of others.

Chapter 4 Data Security Supervision and Management

Article 33: When performing their duties, the network information department discovers that the network operator’s data security management responsibilities are not fully implemented. The main person in charge of the network operator should be interviewed in accordance with the prescribed authority and procedures to urge rectification.

Article 34 The state encourages network operators to voluntarily pass data security management certification and application security certification, and encourages search engines, application stores, etc. to clearly identify and give priority to recommended applications that have passed the certification.

The national cybersecurity and informatization department, in conjunction with the market supervision and administration department of the State Council, guides the national network security review and certification agency and organizes data security management certification and application security certification.

Article 35 When a data security incident such as leakage, damage, or loss of personal information occurs, or the risk of a data security incident increases significantly, the network operator shall immediately take remedial measures and promptly communicate by phone, text message, Notify the subject of personal information by email or letter, and report to industry supervisory authorities and cybersecurity and informatization departments as required.

Article 36 If the relevant competent authorities of the State Council require network operators to provide relevant data in their possession in accordance with the provisions of laws and administrative regulations in order to perform their duties of safeguarding national security, social management, economic regulation, etc., the network shall The operator should provide it.

The relevant competent authorities of the State Council are responsible for the security protection of data provided by network operators and shall not use it for purposes unrelated to the performance of their duties.

Article 37 If a network operator violates the provisions of these Measures, the relevant departments shall, in accordance with the provisions of relevant laws and administrative regulations and according to the circumstances, make public exposure, confiscate illegal gains, suspend relevant business, suspend business for rectification, or close down Website, revocation of relevant business licenses or revocation of business licenses and other penalties; if a crime is constituted, criminal liability will be pursued in accordance with the law.

Chapter 5 Supplementary Provisions

Article 38 The meaning of the following terms in these Measures:

(1) Network operator refers to the network owners, managers and network service providers.

(2) Network data refers to various electronic data collected, stored, transmitted, processed and generated through the network.

(3) Personal information refers to various information recorded electronically or by other means that can identify the personal identity of a natural person alone or in combination with other information, including but not limited to the name, date of birth, and identity document of the natural person. Number, personal biometric information, address, phone number, etc.

(4) Personal information subject refers to the natural person identified or associated with personal information.

(5) Important data refers to data that may directly affect national security, economic security, social stability, public health and safety once leaked, such as undisclosed government information, large-scale population, genetic health, geography , mineral resources, etc. Important data generally does not include enterprise production and operation and internal management information, personal information, etc.

Article 39: Data activities involving the use of state secret information and passwords shall be implemented in accordance with relevant national regulations.

Article 40: These Measures shall come into effect on the day, month, year.

The above is the detailed content of What are the data security management measures?. For more information, please follow other related articles on the PHP Chinese website!