Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · INDUSTRIAL DATA SECURITY MEASURES

Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial).

工业和信息化领域数据安全管理办法(试行)

Promulgated by: Ministry of Industry and Information Technology.
Document No.: MIIT Cyber Security [2022] No. 166.
Issued December 8, 2022. Effective January 1, 2023.


Chapter I General Provisions

Article 1. These Measures are formulated in accordance with the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the National Security Law of the People’s Republic of China, the Civil Code of the People’s Republic of China and other laws and regulations, in order to regulate data processing activities in the field of industry and information technology, strengthen data security management, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national security and development interests.

Article 2. Data processing activities carried out within the territory of the People’s Republic of China in the field of industry and information technology, and the security supervision thereof, shall comply with the requirements of relevant laws, administrative regulations and these Measures.

Article 3. Data in the field of industry and information technology include industrial data, telecommunications data and radio data, among others. Industrial data refers to data generated and collected by the various industries and fields of industry in the course of research and development design, production and manufacturing, business management, operation and maintenance, platform operation and other processes.

Telecommunications data refers to data generated and collected in the course of telecommunications business operation activities.

Radio data refers to radio frequency, station (site) and other radio-wave parameter data generated and collected in the course of carrying out radio business activities.

A data processor in the field of industry and information technology refers to the various types of entities in the field of industry and information technology that independently determine the processing purpose and processing method in data processing activities, including industrial enterprises, software and information technology service enterprises, telecommunications business operators that have obtained a telecommunications business operation license, and entities using radio frequencies or stations (sites). Data processors in the field of industry and information technology may, according to the industry and field to which they belong, be classified as industrial data processors, telecommunications data processors, radio data processors, and the like. Data processing activities include but are not limited to the collection, storage, use, processing, transmission, provision and disclosure of data.

Article 4. Under the overall coordination of the national data security work coordination mechanism, the Ministry of Industry and Information Technology shall be responsible for supervising and guiding the industry and information technology authorities of the provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps, as well as the communications administrations and radio regulatory agencies of the provinces, autonomous regions and municipalities directly under the Central Government (hereinafter collectively referred to as the local industry regulatory authorities), in carrying out data security supervision, and in supervising and administering data processing activities and security protection in the field of industry and information technology.

The local industry regulatory authorities shall be respectively responsible for supervising and administering the data processing activities and security protection of industrial, telecommunications and radio data processors in their respective regions.

The Ministry of Industry and Information Technology and the local industry regulatory authorities are collectively referred to as the industry regulatory authorities.

The industry regulatory authorities shall, in accordance with relevant laws and administrative regulations, cooperate with relevant departments in carrying out work related to data security supervision in accordance with the law.

Article 5. The industry regulatory authorities shall encourage data development and utilization and research on data security technology, support the promotion of data security products and services, cultivate data security enterprises, research and service institutions, develop the data security industry, enhance data security assurance capabilities, and promote the innovative application of data.

Where data processors in the field of industry and information technology research, develop and use new data technologies, products and services, this shall be conducive to promoting economic and social development and the development of the industry, and shall conform to social morality and ethics.

Article 6. The industry regulatory authorities shall advance the development of a system of standards for data development and utilization and data security in the field of industry and information technology, and organize the formulation, revision, promotion and application of relevant standards.

Chapter II Data Classification and Grading Management

Article 7. The Ministry of Industry and Information Technology shall organize the formulation of standards and specifications for data classification and grading, identification and determination of important data and core data, and graded data protection in the field of industry and information technology, guide the conduct of data classification and grading management work, and formulate specific catalogues of important data and core data for the industry and implement dynamic management thereof.

The local industry regulatory authorities shall respectively organize the conduct of data classification and grading management and the identification of important data and core data in the field of industry and information technology in their respective regions, determine specific catalogues of important data and core data for their respective regions and report them to the Ministry of Industry and Information Technology; where the catalogues change, they shall promptly report the updates.

Data processors in the field of industry and information technology shall regularly sort out their data, identify important data and core data in accordance with relevant standards and specifications, and form their own specific catalogues.

Article 8. According to industry requirements, characteristics, business needs, data sources and uses, and other factors, the classification categories of data in the field of industry and information technology include but are not limited to research and development data, production and operation data, management data, operation and maintenance data, and business service data.

According to the degree of harm caused to national security, the public interest, or the legitimate rights and interests of individuals or organizations when data is tampered with, destroyed, leaked, or illegally obtained or used, data in the field of industry and information technology is divided into three grades: general data, important data and core data.

Data processors in the field of industry and information technology may further subdivide the categories and grades of data on this basis.

Article 9. Data whose degree of harm meets one of the following conditions is general data:

(I) it causes relatively minor impact on the public interest or the legitimate rights and interests of individuals or organizations, with little adverse social impact;

(II) the number of affected users and enterprises is relatively small, the affected production and living area is relatively small, and the duration is relatively short, with little impact on enterprise operations, industry development, technological progress and the industrial ecosystem;

(III) other data not included in the catalogue of important data or core data.

Article 10. Data whose degree of harm meets one of the following conditions is important data:

(I) it poses a threat to politics, territory, military affairs, economy, culture, society, science and technology, electromagnetics, networks, ecology, resources, nuclear safety, or the like, or affects key fields related to national security such as overseas interests, biology, space, the polar regions, the deep sea, and artificial intelligence;

(II) it causes serious impact on the development, production, operation and economic interests of the field of industry and information technology;

(III) it causes a major data security incident or production safety accident, causing serious impact on the public interest or the legitimate rights and interests of individuals or organizations, with significant adverse social impact;

(IV) the cascading effect it triggers is significant, the scope of impact involves multiple industries, regions or multiple enterprises within an industry, or the duration of impact is long, causing serious impact on industry development, technological progress and the industrial ecosystem;

(V) other important data determined through assessment by the Ministry of Industry and Information Technology.

Article 11. Data whose degree of harm meets one of the following conditions is core data:

(I) it poses a serious threat to politics, territory, military affairs, economy, culture, society, science and technology, electromagnetics, networks, ecology, resources, nuclear safety, or the like, or seriously affects key fields related to national security such as overseas interests, biology, space, the polar regions, the deep sea, and artificial intelligence;

(II) it causes a major impact on the field of industry and information technology and its important backbone enterprises, critical information infrastructure, important resources, and the like;

(III) it causes major damage to industrial production and operation, the operation and service of telecommunications networks and the Internet, the conduct of radio business, and the like, resulting in large-scale work stoppages and production halts, large-scale interruption of radio business, large-scale network and service paralysis, or loss of a large amount of business processing capacity;

(IV) other core data determined through assessment by the Ministry of Industry and Information Technology.

Article 12. Data processors in the field of industry and information technology shall file their catalogues of important data and core data with the industry regulatory authority of their region. The filing content includes but is not limited to the source, category, grade, scale, carrier, processing purpose and method, scope of use, responsible entity, external sharing, cross-border transmission, security protection measures, and other basic information of the data, but does not include the data content itself.

The local industry regulatory authority shall complete the review within twenty working days after the data processor in the field of industry and information technology submits the filing application; where the filing content meets the requirements, it shall be filed, and the filing status shall be simultaneously reported to the Ministry of Industry and Information Technology; where filing is not granted, the filing applicant shall be promptly given feedback together with an explanation of the reasons. The filing applicant shall submit the filing application again within fifteen working days after receiving the feedback.

Where the filing content undergoes a major change, the data processor in the field of industry and information technology shall complete the filing modification procedures within three months of the change. A major change refers to a change of more than 30% in the scale of a certain category of important data or core data (such as the number of data entries or the total storage volume), or a change in other filing content.

Chapter III Full-Lifecycle Data Security Management

Article 13. Data processors in the field of industry and information technology shall bear primary responsibility for the security of data processing activities, implement graded protection for all types of data, and where data of different grades are processed simultaneously and it is difficult to take protective measures separately, shall implement protection in accordance with the requirements for the highest grade among them, so as to ensure that data is continuously in a state of effective protection and lawful utilization:

(I) establish a full-lifecycle data security management system, and, for data of different grades, formulate specific graded protection requirements and operating procedures for the collection, storage, use, processing, transmission, provision, disclosure and other stages of data;

(II) assign data security management personnel as needed, with overall responsibility for the security supervision and administration of data processing activities, and assist the industry regulatory authorities in carrying out their work;

(III) reasonably determine the operating authority for data processing activities, and strictly implement personnel authority management;

(IV) formulate contingency plans and conduct emergency drills as needed to respond to data security incidents;

(V) regularly carry out data security education and training for practitioners;

(VI) other measures prescribed by laws and administrative regulations.

Processors of important data and core data in the field of industry and information technology shall also:

(I) establish a data security work system covering the relevant departments of their own organization, clarify the person responsible for data security and the management body, and establish a normalized communication and collaboration mechanism. The legal representative or principal person in charge of the organization is the primary person responsible for data security, and the member of the leadership team in charge of data security is the directly responsible person;

(II) clarify the key positions and position responsibilities for data processing, and require personnel in key positions to sign a data security responsibility statement, the content of which includes but is not limited to data security position responsibilities, obligations, penalty measures and points for attention;

(III) establish internal registration, approval and other work mechanisms, strictly manage the processing activities of important data and core data, and retain records thereof.

Article 14. Data processors in the field of industry and information technology shall follow the principles of legality and legitimacy in collecting data, and shall not steal data or collect data by other illegal means.

In the course of data collection, corresponding security measures shall be taken according to the data security grade, the management of personnel and equipment collecting important data and core data shall be strengthened, and the source, time, type, quantity, frequency, flow direction, and the like, of collection shall be recorded.

Where important data and core data are obtained through indirect channels, the data processor in the field of industry and information technology shall, by signing relevant agreements, letters of undertaking and the like with the data provider, clarify the legal responsibilities of both parties.

Article 15. Data processors in the field of industry and information technology shall store data in accordance with the methods and periods prescribed by laws and administrative regulations and agreed with users. Where important data and core data are stored, verification technology, cryptographic technology and other measures shall be adopted for secure storage, and data disaster recovery backup and storage media security management shall be implemented, with data recovery tests conducted regularly.

Article 16. Where data processors in the field of industry and information technology use data for automated decision-making, they shall ensure the transparency of the decision-making and the fairness and reasonableness of the results. Where important data and core data are used or processed, access control shall also be strengthened.

Where data processors in the field of industry and information technology provide data processing services involving the operation of telecommunications business, they shall obtain a telecommunications business operation license in accordance with relevant laws and administrative regulations.

Article 17. Data processors in the field of industry and information technology shall formulate security strategies and take protective measures according to the type, grade and application scenario of the data transmitted. Where important data and core data are transmitted, measures such as verification technology, cryptographic technology, secure transmission channels or secure transmission protocols shall be adopted.

Article 18. Where data processors in the field of industry and information technology provide data externally, they shall clarify the scope, category, conditions, procedures, and the like, of the provision. Where important data and core data are provided, a data security agreement shall be signed with the data recipient, the data security protection capability of the data recipient shall be verified, and necessary security protection measures shall be taken.

Article 19. Data processors in the field of industry and information technology shall, before disclosing data, analyze and assess the possible impact on national security and the public interest, and shall not disclose data where a major impact exists.

Article 20. Data processors in the field of industry and information technology shall establish a data destruction system, clarify the objects, rules, procedures and technical requirements for destruction, and record and retain records of destruction activities. Where individuals or organizations request destruction in accordance with legal provisions, contractual agreements, and the like, the data processor in the field of industry and information technology shall destroy the corresponding data.

After destroying important data and core data, a data processor in the field of industry and information technology shall not recover the destroyed data for any reason or in any manner; where this causes a change in the filing content, the filing modification procedures shall be completed.

Article 21. Where laws and administrative regulations require domestic storage of important data and core data collected and generated by data processors in the field of industry and information technology within the territory of the People’s Republic of China, such data shall be stored within the territory; where it is truly necessary to provide such data overseas, a data export security assessment shall be conducted in accordance with the law.

The Ministry of Industry and Information Technology shall, in accordance with relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China, or on the principle of equality and reciprocity, handle requests from foreign industrial, telecommunications and radio law-enforcement agencies for the provision of data in the field of industry and information technology. Without the approval of the Ministry of Industry and Information Technology, data processors in the field of industry and information technology shall not provide data in the field of industry and information technology stored within the territory of the People’s Republic of China to foreign industrial, telecommunications or radio law-enforcement agencies.

Article 22. Where a data processor in the field of industry and information technology needs to transfer data due to merger, reorganization, bankruptcy, or the like, it shall clarify the data transfer plan and notify the affected users by telephone, text message, email, announcement and other means. Where a change in the filing content of important data or core data is involved, the filing modification procedures shall be completed.

Article 23. Where data processors in the field of industry and information technology entrust others to carry out data processing activities, they shall, by signing contracts and agreements and the like, clarify the data security responsibilities and obligations of the entrusting party and the entrusted party. Where the processing of important data and core data is entrusted, the data security protection capability and qualifications of the entrusted party shall be verified.

Except as otherwise provided by laws and administrative regulations, the entrusted party shall not provide the data to a third party without the consent of the entrusting party.

Article 24. Where core data is provided, transferred or entrusted for processing across entities, the data processor in the field of industry and information technology shall assess the security risks, take necessary security protection measures, and report to the Ministry of Industry and Information Technology after review by the industry regulatory authority of its region. The Ministry of Industry and Information Technology shall conduct the review in accordance with relevant provisions.

Article 25. Data processors in the field of industry and information technology shall, in the course of full-lifecycle data processing, record logs of data processing, authority management, personnel operations, and the like. The log retention period shall be not less than six months.

Chapter IV Data Security Monitoring, Early Warning and Emergency Management

Article 26. The Ministry of Industry and Information Technology shall establish a data security risk monitoring mechanism, organize the formulation of data security monitoring and early-warning interfaces and standards, plan and develop technical means for data security monitoring and early warning in an overall manner, form capabilities for monitoring, early warning, disposal and traceability, and strengthen information sharing with relevant departments.

The local industry regulatory authorities shall respectively develop data security risk monitoring and early-warning mechanisms for their respective regions, organize the conduct of data security risk monitoring, promptly release early-warning information in accordance with relevant provisions, and notify the data processors in the field of industry and information technology in their respective regions to promptly take responsive measures.

Data processors in the field of industry and information technology shall carry out data security risk monitoring, promptly investigate security hazards, and take necessary measures to prevent data security risks.

Article 27. The Ministry of Industry and Information Technology shall establish a data security risk information reporting and sharing mechanism, uniformly collect, analyze, assess and notify data security risk information, and encourage security service institutions, industry organizations, scientific research institutions, and the like, to carry out the reporting and sharing of data security risk information.

The local industry regulatory authorities shall respectively collect and analyze data security risks in their respective regions, and promptly report to the Ministry of Industry and Information Technology risks that may cause major or more serious security incidents.

Data processors in the field of industry and information technology shall promptly report to the industry regulatory authority of their region risks that may cause relatively major or more serious security incidents.

Article 28. The Ministry of Industry and Information Technology shall formulate a contingency plan for data security incidents in the field of industry and information technology, and organize and coordinate the emergency response to security incidents involving important data and core data.

The local industry regulatory authorities shall respectively organize the conduct of emergency response to data security incidents in their respective regions. For security incidents involving important data and core data, they shall immediately report to the Ministry of Industry and Information Technology, and promptly report on the development and disposal of the incident.

After a data security incident occurs, a data processor in the field of industry and information technology shall promptly carry out emergency response in accordance with the contingency plan; for security incidents involving important data and core data, it shall report to the industry regulatory authority of its region at the first opportunity, form a summary report within the prescribed period after the disposal of the incident is completed, and report on the disposal of data security incidents to the industry regulatory authority of its region annually.

A data processor in the field of industry and information technology shall, for data security incidents that occur and may harm the legitimate rights and interests of users, promptly inform the users and provide measures to mitigate the harm.

Article 29. The Ministry of Industry and Information Technology shall entrust relevant industry organizations to establish channels for complaints and reports of data security violations in the field of industry and information technology; the local industry regulatory authorities shall respectively establish mechanisms or channels for complaints and reports of data security violations in their respective regions, accept and handle complaints and reports in accordance with the law, and carry out law-enforcement investigations as needed. Data processors in the field of industry and information technology are encouraged to establish user complaint-handling mechanisms.

Chapter V Data Security Testing, Certification and Assessment Management

Article 30. The Ministry of Industry and Information Technology shall guide and encourage institutions with corresponding qualifications to carry out industry data security testing and certification work in accordance with relevant standards.

Article 31. The Ministry of Industry and Information Technology shall formulate an industry data security assessment management system and carry out the management of assessment institutions. It shall formulate industry data security assessment specifications and guide assessment institutions in carrying out data security risk assessments, export security assessments, and the like.

The local industry regulatory authorities shall respectively be responsible for organizing the conduct of data security assessment work in their respective regions.

Processors of important data and core data in the field of industry and information technology shall, on their own or by entrusting a third-party assessment institution, conduct a risk assessment of their data processing activities at least once a year, promptly rectify risk issues, and submit risk assessment reports to the industry regulatory authority of their region.

Chapter VI Supervision and Inspection

Article 32. The industry regulatory authorities shall supervise and inspect the implementation by data processors in the field of industry and information technology of the requirements of these Measures.

Data processors in the field of industry and information technology shall cooperate with the supervision and inspection of the industry regulatory authorities.

Article 33. The Ministry of Industry and Information Technology shall, under the guidance of the national data security work coordination mechanism, carry out work related to data security review in the field of industry and information technology.

Article 34. Staff of the industry regulatory authorities and the data security assessment institutions entrusted by them shall strictly keep confidential the personal information, commercial secrets, and the like, that they become aware of in the performance of their duties, and shall not disclose them or illegally provide them to others.

Article 35. Where the industry regulatory authorities, in performing their data security supervision and administration duties, discover that data processing activities involve relatively major security risks, they may, in accordance with the prescribed authority and procedures, conduct interviews with the data processor in the field of industry and information technology, and require it to take measures to make rectifications and eliminate hidden dangers.

Article 36. Where there is conduct in violation of these Measures, the industry regulatory authorities shall, in accordance with relevant laws and regulations and according to the degree of seriousness of the circumstances, impose administrative penalties such as confiscation of illegal gains, fines, suspension of business, suspension of business for rectification, and revocation of business licenses; where a crime is constituted, criminal liability shall be pursued in accordance with the law.

Chapter VIII Supplementary Provisions

Article 37. Central enterprises shall supervise and guide their subordinate enterprises in fulfilling territorial management requirements in the work of filing catalogues of important data and core data, risk assessment of cross-entity processing of core data, risk information reporting, annual data security incident disposal reports, and risk assessment of important data and core data; they shall also comprehensively sort out and summarize the data security situation of the enterprise group headquarters and subordinate companies, and promptly report it to the Ministry of Industry and Information Technology.

Article 38. Where data processing activities involving personal information are carried out, the provisions of relevant laws and administrative regulations shall also be complied with.

Article 39. Data processing activities involving military affairs, State secrets, and the like, shall be carried out in accordance with relevant State provisions.

Article 40. The specific measures for the processing of government affairs data in the field of industry and information technology shall be separately prescribed by the Ministry of Industry and Information Technology.

Article 41. Data security management in the fields of national defense science, technology and industry and tobacco shall be the responsibility of the State Administration of Science, Technology and Industry for National Defense and the State Tobacco Monopoly Administration, and the specific systems shall be separately formulated with reference to these Measures.

Article 42. These Measures shall come into force on January 1, 2023.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.