PRC Guidelines on Identifying Sensitive Personal Information
- Gabriela Kennedy,
- Joanna Wong, Legal Assistant
The PRC National Technical Committee 260 on Cybersecurity of SAC (“TC260”) published new Guidelines on Identifying Sensitive Personal Information (“Guidelines”)[1] on 18 September 2024,[2] nearly three months after it released the draft guidelines (“Draft Guidelines”) for public comment.[3]
Background
Under the Personal Information Protection Law (“PIPL”), data controllers are subject to more stringent requirements when processing sensitive personal information: higher protective standards, the requirement to obtain separate consent,[4] and the requirement to conduct a privacy impact assessment (“PIA”)[5] before processing such information. Data controllers processing sensitive personal information must ensure that there is sufficient necessity for doing so, and must inform data subjects of that necessity and of the impact of the processing on their rights and interests. Depending on the volume of sensitive personal information cumulatively exported by a data controller, a security assessment may also be required (see our previous Legal Update on China Eases Controls over Cross-Border Data Transfers).
Prior to the issuance of the Guidelines, companies collecting and processing sensitive personal information had to rely on vague definitions and non-exhaustive example lists under the PIPL, which created uncertainty about compliance requirements, both when formulating policies and procedures and when transferring such data across borders.
The Guidelines
The Guidelines provide detailed identification rules for sensitive personal information and adopt the definition set out in the PIPL, i.e. personal information is regarded as sensitive if its disclosure or illegal use may easily result in harm to the dignity of natural persons, or endanger personal safety or property.[6] The Guidelines list some common breach scenarios[7] that often involve sensitive personal information:
- Causing harm to the dignity of natural persons: doxing; illegal access to internet accounts; online or telecommunication fraud; damage to personal reputation; discriminatory treatment resulting from the unauthorised disclosure of information such as specific personal identities, religious belief, sexual orientation, specific diseases or health status
- Endangering the safety of human lives: unauthorised disclosure or illegal use of location tracking information
- Endangering the safety of property: unauthorised disclosure or illegal use of financial account information
Categories of Sensitive Personal Information
In particular, the Guidelines identify eight common categories of sensitive personal information and provide examples for each category in an appendix. While the examples should assist in identifying sensitive information, they should not be taken as exhaustive; the focus should be on the “risk of harm” caused by unauthorised disclosure or illegal use. Notably, the Guidelines further clarify that personal information need not be identified as sensitive if there is sufficient evidence that its unauthorised disclosure or illegal use will not harm the dignity of natural persons, or endanger the safety of human lives or property.[8]
The eight common categories of sensitive personal information, with some examples in each category, are set out below:[9]
- Biometric data: personal genetic data, facial features, voiceprints, gait, fingerprints, palmprints, eye prints, auricles, iris, etc.
- Religious belief information: personal religion, religious organisations, positions in religious organisations, religious activities, special religious practices, etc.
- Specific identity information: disability identity information, professional identity information that is not suitable for disclosure, etc.
- Medical and health information: 1) any health status information related to an individual’s physical or mental injury, illness, disability, risk of illness, or privacy, such as symptoms, past medical history, family medical history, history of infectious diseases, physical examination reports, fertility information, etc.; 2) any personal information collected and generated in the process of disease prevention, diagnosis, treatment, nursing, rehabilitation and other medical services, such as medical treatment records (e.g., medical opinions, hospitalization records, medical orders, surgery and anesthesia records, nursing records, medication records), inspection and examination data (e.g., inspection reports, examination reports), etc.
- Financial account information: any account numbers and passwords of personal bank, securities, funds, insurance, provident fund and other accounts, provident fund joint account number, payment account number, bank card track data (or chip equivalent information), payment information generated based on account information, personal income details, etc.
- Location tracking information: continuous and precise location tracking information, vehicle tracking, personnel activity tracking, etc. However, location tracking information that is collected or otherwise processed in the context of performing service contracts for specific occupations (e.g., delivery and courier workers) will not be considered sensitive.[10]
- Personal information of minors: any personal information of minors under the age of 14.
- Other sensitive personal information: precise location information collected via the precise location services of a personal mobile phone,[11] ID card photos, sexual orientation, sex life, credit information, criminal record information, photos or video showing private parts of an individual's body, etc.
Helpful Clarifications in the Guidelines
Notably, some information that is generally considered sensitive, such as credit records, transaction and consumption records, and web browsing history, has been excluded from the scope of sensitive personal information, which will significantly reduce compliance costs for companies.
Under the Draft Guidelines, “location and tracking information” had been defined broadly to include “any real-time precise positioning information and GPS vehicle trajectory information”, and the breadth of that definition caused considerable uncertainty.[12] The Guidelines now clarify that only continuous precise positioning tracking information, vehicle driving tracking information, personnel activity tracking information, etc. will be treated as sensitive.[13] Rough location information derived from an IP address will not be classified as sensitive personal information. The Guidelines also exclude flight and high-speed train travel records from the list of examples of sensitive personal information.
Takeaway
The Guidelines resolve some pre-existing ambiguities in identifying sensitive personal information. Companies are reminded to assess the “risk of harm” of the data they collect, and to refer to the example list, when determining whether the data they process should be classified as sensitive personal information. While the Guidelines are non-binding, companies are advised to review their data privacy policies and documents to ensure compliance with the new identification rules.
The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this Legal Update.
[1] Full name of the Guidelines is “Practical Guidance of Cybersecurity Standards – Classification Guidelines for Sensitive Personal Information”
[2] Original text can be found here: https://www.tc260.org.cn/upload/2024-09 18/1726621097544005928.pdf
[3] Original text can be found here: https://www.tc260.org.cn/front/postDetail.html?id=20240611204152
[7] Article 3 (a), the Guidelines
[8] Article 3 (b), the Guidelines
[9] Article 4 and Appendix A, the Guidelines
[10] Article 4 (f), the Guidelines
[11] Note 6 of Appendix A, the Guidelines