Under the Data Security Law, organisations are required to classify the data they process according to their level of significance. Albeit a draft, the recent Draft Standard on Information Security Technology Network Data Classification and Grading Requirements (“Draft”) highlights the principles and methods for different industries, fields, localities, departments, and data processors to classify and grade data.
Given data classification and grading are mandatory requirements under the Data Security Law and Personal Information Protection Law, organisations should prioritise understanding their data collected and data processing activities within the coming months.
When classifying data, organisations should consider (i) the industry that their data belongs to, and (ii) the business attributes of the data (i.e. scope or type of business, target objects, data subjects, data usage, data management, data sources etc).
Where some types of data have multiple categories (e.g. a set of telecommunications data which is also considered personal information), organisations should take note in ensuring compliance with the relevant rules and standards.
The Draft aligns with the data grading framework introduced under the Data Security Law, by reiterating the three categories of data, as follows:
- Core data is data where upon any leakage, tampering, damage, illegal access, illegal use, and illegal sharing, that may directly harm political security, key areas of national security, the national economy, citizen’s livelihood, and major public interests.
- Important data is data where upon any leakage, tampering, damage, illegal access, illegal use, and illegal sharing, that will directly harm national security, economic operation, social stability, public health, and safety.
- General data is data where upon any leakage, tampering, damage, illegal access, illegal use, and illegal sharing, that would only affect the legitimate rights and interests of a small group of organisations or individuals.
Data grading in each industry must be conducted under the framework. To determine the grading of data, organisations should consider the potential harm to national security, business operations, social stability, public interests, and the rights and interests of organisations and individuals on a scaled basis (i.e. particularly serious, serious and general harm), with reference to:
- Data domain, population, region, importance, security risks; and
- Accuracy, scale, and coverage.
While organisations may refer to the requirements provided in the Draft to conduct data classification and grading internally, sectoral regulators are encouraged to formulate detailed guidance to implement the Draft within their respective jurisdictions and publish core data and important data catalogues.
Dynamic update and management of data
The Draft introduces a new concept of dynamic update and management of data, whereby organisations are subject to constant dynamic updates to data classification and grading despite having already done so.
Examples of common circumstances where updates are required include: (i) changes to the data content, (ii) material changes to the data timeliness, scale, application, processing methods, (iii) merger of multiple raw data, (iv) merger of selected parts of different data, (v) convergence and fusion of different types of data, (vi) deidentification, pseudonymisation, anonymisation of data, (vii) change of data sensitivity after data incident, (viii) under the request of government or industry authorities, or (ix) other circumstances where modification to the data security level is required.
To facilitate data classification and grading, organisations should create a data management framework to identify and understand the data they process. This may include:
- Undergoing a data mapping process to understand all data collected, processing activities and parties involved. Thereafter, maintain good record keeping practices when dealing with new data sets. To align with the recent cross border data transfer requirements introduced under the Personal Information Protection Law, organisations may – from an operational perspective – consider conducting wider data mapping to focus on not only personal data, but also non-personal data under this Draft.
- Establishing a data management framework to classify data into groups, and assess data sets against their potential impact.
- Continuous monitoring of the data collected, processed, and transferred, based on any potential changes to their importance and impact. Keep records of data processing and Personal Information Impact Assessments for reference.