Promulgated by: Ministry of Natural Resources.
Document Number: Zi Ran Zi Fa [2024] No. 57.
Date of Issue: March 22, 2024.
Effective Date: March 22, 2024.
Legal Effect Level: Departmental normative document.
Notice of the Ministry of Natural Resources on Issuing the Measures for the Administration of Data Security in the Field of Natural Resources.
To the natural-resources competent authorities of all provinces, autonomous regions, and municipalities directly under the Central Government; the Natural Resources Bureau of the Xinjiang Production and Construction Corps; the Shanghai Municipal Oceanic Bureau, the Fujian Provincial Department of Ocean and Fisheries, the Shandong Provincial Oceanic Bureau, and the Guangxi Zhuang Autonomous Region Oceanic Bureau; the National Forestry and Grassland Administration; the China Geological Survey and other units directly under the Ministry; all dispatched agencies; and all departments and bureaus of the Ministry:
Upon the approval of the national data security work coordination mechanism and with the consent of the Ministry’s leadership, the Measures for the Administration of Data Security in the Field of Natural Resources are hereby issued to you. Please implement them conscientiously in light of actual conditions.
Ministry of Natural Resources
March 22, 2024
Chapter 1 General Provisions
Article 1. These Measures are formulated in accordance with the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Cryptography Law of the People’s Republic of China, and other laws and regulations, in order to regulate data processing activities in the field of natural resources, strengthen data security management, safeguard data security, promote the development and utilization of data, protect the lawful rights and interests of individuals and organizations, and safeguard national security and development interests.
Article 2. Non-classified data processing activities in the field of natural resources carried out within the territory of the People’s Republic of China, or carried out in the course of performing the duties of natural-resources departments overseas, and the security supervision and administration thereof, shall comply with the requirements of the relevant laws and regulations and of these Measures.
Article 3. The term “data in the field of natural resources” as used in these Measures means data collected and generated in the course of carrying out natural-resources activities, mainly including: geographic information data such as basic geographic information and remote-sensing imagery; natural-resources survey and monitoring data on land, minerals, forests, grasslands, water, wetlands, sea areas and islands, and the like; territorial spatial planning data such as master plans, detailed plans, and special plans; and natural-resources management data on use control, asset management, cultivated-land protection, ecological restoration, development and utilization, real estate registration, and the like.
The term “data processor in the field of natural resources” (hereinafter referred to as “data processor”) as used in these Measures means all types of entities in the natural-resources industry that carry out data processing activities in the field of natural resources.
The term “data security” as used in these Measures means ensuring, by taking necessary measures, that data is in a state of effective protection and lawful utilization, as well as the capability to ensure a continuous state of security.
Article 4. Under the overall coordination of the national data security work coordination mechanism, the Ministry of Natural Resources shall undertake the data security supervision and administration duties for the natural-resources industry and field, and shall be responsible for supervising and guiding the natural-resources competent authorities and oceanic competent authorities of all provinces, autonomous regions, and municipalities directly under the Central Government (hereinafter collectively referred to as local industry regulators) in carrying out data security supervision and administration. The National Forestry and Grassland Administration shall specifically undertake the data security supervision and administration duties for forests and grasslands, wetlands and deserts, and the like, and shall formulate specific systems by reference to these Measures.
Local industry regulators shall be respectively responsible for the supervision and administration of data processing activities and security protection in the field of natural resources in their respective regions.
The Ministry of Natural Resources, the National Forestry and Grassland Administration, and local industry regulators are collectively referred to as industry regulators.
Industry regulators shall incorporate data security into the Party committee’s (Party leadership group’s) national security responsibility system, and, in accordance with the principle that “whoever is in charge of the business is in charge of the data and is in charge of the data security,” implement their responsibility to guide and supervise data security in their industry, region, and field.
Article 5. The Ministry of Natural Resources and the National Forestry and Grassland Administration shall advance the building of standard systems for the development and utilization of data and for data security in the field of natural resources, and organize the formulation, revision, and promotion and application of relevant standards.
Article 6. The lawful sharing, opening, development, and utilization of data in the field of natural resources are encouraged, and innovative applications of data are supported. A development model in which data development and utilization and the security industry advance in coordination shall be actively constructed, data security safeguard capabilities shall be continuously enhanced, and national security, social stability, and the rights and interests of organizations and individuals shall be safeguarded.
Article 7. Support shall be given to carrying out regular publicity and education on data security in the field of natural resources. Various means shall be adopted to cultivate professionals in data development and utilization technology and in data security, and to promote talent exchange.
Chapter 2 Classification and Grading Management of Data
Article 8. The Ministry of Natural Resources shall organize the formulation of standards and norms for the classification and grading of data in the field of natural resources, the identification and determination of important data and core data, data security protection, and the like; guide the carrying out of data classification and grading management work; and compile the catalog of important data and core data for the industry and implement dynamic management thereof. The National Forestry and Grassland Administration shall, in accordance with the standards and norms for the classification and grading of data in the field of natural resources and in light of work needs, compile standards and norms for data security in the forestry and grassland field, guide the carrying out of data classification and grading work for forestry and grassland, and compile the catalog of important data and core data for forestry and grassland and implement dynamic management thereof.
Local industry regulators shall, in accordance with the standards and norms for the classification and grading of data in the field of natural resources, respectively organize the carrying out of data classification and grading management and the identification and review of important data and core data in the field of natural resources in their respective regions, compile the catalog of important data and core data in the field of natural resources for their respective regions, and report it to the Ministry of Natural Resources; where the catalog changes, they shall promptly report the update.
Data processors shall, in accordance with the standards and norms for the classification and grading of data in the field of natural resources, regularly sort out and fill in and report the catalog of important data and core data.
Article 9. Based on industry characteristics and business applications, the categories of data classification in the field of natural resources include, but are not limited to, geographic information, natural-resources survey and monitoring, territorial spatial planning, natural-resources management, and the like, with specific reference to the standards and norms for the classification and grading of data in the field of natural resources.
Through comprehensive analysis of the importance, precision, scale, security risk, as well as the value, availability, shareability, and openability of data in the field of natural resources, and the like, and by judging the objects affected, the degree of impact, and the scope of impact after the data is tampered with, destroyed, leaked, or illegally obtained or illegally used, the data is graded into general data, important data, and core data.
Data processors may, on this basis, further subdivide the categories of data and the levels of general data.
Article 10. Core data means important data that has a relatively high coverage of a field, group, or region, or reaches a relatively high precision, relatively large scale, or certain depth, and that, once illegally used or shared, may directly affect political security. Core data mainly includes data concerning key fields of national security, data concerning the lifelines of the national economy, important aspects of people’s livelihood, and major public interests, and other data determined through assessment by the relevant State authorities.
Important data means data of a specific field, specific group, specific region, or reaching a certain precision and scale, that, once leaked or tampered with, damaged, or destroyed, may directly endanger national security, economic operation, social stability, public health, and safety.
General data means data other than important data and core data.
In light of the characteristics of data in the field of natural resources, data that satisfies two (inclusive) or more of the following reference indicators is important data:
(I) data that is produced in support of the “two unifications” duties entrusted by the CPC Central Committee and the State Council, that is irreplaceable and unique to the industry, and that, once a data security incident such as data tampering, leakage, or service interruption occurs, will affect the performance of duties by natural-resources departments and have a significant impact on the served objects nationwide;
(II) data that concerns the national economy and important aspects of people’s livelihood, that provides basic natural-resources data support for other industries and fields, and that, once a data security incident occurs, will have a significant impact on other industries and fields;
(III) data that covers multiple provinces or even the whole country, is large in scale and high in precision, and is highly sensitive and important;
(IV) data that directly affects the normal operation and service of national critical information infrastructure;
(V) data that endangers national security, the national economic competitiveness, the public’s receipt of public services, citizens’ conditions of survival and a stable working and living environment, citizens’ personal and property safety and other lawful interests, or that leads to social panic, and the like;
(VI) other important natural-resources data prescribed by China’s laws, regulations, and normative documents.
Data that meets the indicators for important data and that concerns the lifelines of the national economy, important aspects of people’s livelihood, and major public interests, and affects political security, is core data.
Article 11. Data processors affiliated with the Ministry of Natural Resources shall file the catalog of their entity’s important data and core data with the Ministry of Natural Resources; data processors affiliated with the National Forestry and Grassland Administration shall file the catalog of their entity’s important data and core data with the National Forestry and Grassland Administration; and other data processors shall file the catalog of their entity’s important data and core data with the industry regulator of their region. The content of the filing shall include, but not be limited to, the category, level, scale, precision, source, carrier, scope of use, external sharing, cross-border transmission, security status, and responsible-entity situation of the data, and the like, but shall not include the data content itself.
Local industry regulators shall complete the review within twenty working days after the data processor submits the filing application; where the content of the filing meets the requirements, it shall be reported to the Ministry of Natural Resources for review and determination; the Ministry of Natural Resources shall complete the determination of important data within twenty working days after receiving the application, and core data shall be reported to the national data security work coordination mechanism for determination; where the content does not meet the requirements, feedback shall be promptly provided to the applying entity with an explanation of the reasons. The applying entity shall re-submit the application within fifteen working days after receiving the feedback.
Where the content of the filing undergoes a material change, the data processor shall complete the change formalities within three months of the change occurring. A material change means that the data content changes such that the original level no longer applies, or that the scale of a certain category of important data or core data changes by more than 30%, and the like.
Chapter 3 Whole-Lifecycle Data Security Management
Article 12. Data processors shall bear principal responsibility for the security of data processing activities, and shall implement graded protection for all categories of data. Where data of different levels is processed simultaneously and it is difficult to take protective measures separately, protection shall be implemented in accordance with the requirements for the highest level among them, so as to ensure that the data is continuously in a state of effective protection and lawful utilization.
(I) establish a data security management system and, for data of different levels, formulate specific graded-protection requirements and operating procedures for each stage of the data lifecycle;
(II) deploy data security management personnel as needed, who shall be responsible for the overall security supervision and administration of data processing activities and assist industry regulators in carrying out their work;
(III) when carrying out data processing activities using the Internet or other information networks, implement the requirements of systems such as cybersecurity multi-level protection, critical information infrastructure security protection, cryptographic protection, and secrecy protection;
(IV) take corresponding technical measures and other necessary measures to safeguard data security and prevent risks such as data being tampered with, destroyed, leaked, or illegally obtained or illegally used;
(V) reasonably determine the operating permissions for data processing activities, and strictly implement personnel permission management;
(VI) formulate emergency plans and carry out emergency drills as needed to respond to data security incidents;
(VII) regularly carry out education and training on data security knowledge and skills for practitioners;
(VIII) other measures prescribed by laws, regulations, and the like.
Processors of important data and core data shall, in addition:
(I) establish a data security work system covering the relevant departments of their entity, clarify the data security officer and management body, and establish a normalized communication and collaboration mechanism. The legal representative or principal person-in-charge of the entity is the primary person responsible for data security; the leadership-team member in charge of data security within the leadership team is the directly responsible person; and other members bear leadership responsibility for data security work within the scope of their duties, perform data security protection obligations, and accept supervision;
(II) clarify key data-processing positions and position responsibilities, and require personnel in key positions to sign a data security responsibility statement, the content of which shall include, but not be limited to, the data security position responsibilities, obligations, penalty measures, points for attention, and the like. They shall, in accordance with business work needs and the principle of least authorization, set data processing permissions based on position responsibilities, control the scope of access to important data, and promptly adjust permissions when personnel changes occur. Relevant personnel in key positions involving core data, and entities engaged in the construction and operation and maintenance of information systems, and the like, shall be submitted to the public security authorities and national security authorities for national security background review;
(III) establish internal registration and approval mechanisms, strictly manage the processing activities of important data and core data, and retain records for not less than six months;
(IV) at each stage of the data lifecycle, comprehensively apply technical means such as encryption, authentication, certification, de-identification, verification, and auditing to carry out security protection, and use commercial cryptography for protection as required by laws and regulations and relevant State provisions;
(V) information system construction and operation-and-maintenance projects involving important data shall not be subcontracted or sub-subcontracted without the approval of the entrusting party. Construction and operation-and-maintenance personnel shall not process the important data of the entrusting party without the express authorization of the entrusting party. Data collected or generated in the course of providing the construction and operation and maintenance of information systems involving important data shall not be used for other purposes, and shall, after the service is completed, be handled as agreed with the entrusting party or promptly deleted;
(VI) strengthen personnel and funding support.
Article 13. Data processors collecting data shall follow the principles of legality and legitimacy, and shall not steal data or collect data by other illegal means. Where laws and regulations provide for the purpose and scope of data collection, the data shall be collected within the purpose and scope prescribed by laws and regulations.
In the course of data collection, corresponding security measures shall be taken according to the data security level, the management of personnel and equipment collecting and producing important data and core data shall be strengthened, and records shall be made of the source, time, type, quantity, precision, region, frequency, flow direction, and the like, of the collection.
Where important data and core data are obtained through indirect channels, the data processor shall, by means of signing relevant agreements, letters of commitment, and the like, with the data provider, clarify the legal responsibilities of both parties.
Article 14. Data processors shall store data in the manner and for the period prescribed by laws and regulations, and may strengthen data storage security management and control in terms of physical and environmental security, network and communication security, equipment and computing security, application and data security, and the like, so as to safeguard the integrity, confidentiality, authenticity, and availability of stored data.
For the storage of important data, Level 3 or above cybersecurity multi-level protection requirements shall be implemented. For the storage of core data, critical information infrastructure security protection requirements or Level 4 cybersecurity multi-level protection requirements shall be implemented.
Article 15. Data processors carrying out data processing and use activities shall take management and control measures such as access control, data leakage prevention, and operation auditing, to ensure that the process is secure, compliant, controllable, and traceable, to prevent the security risks of leakage of valuable information and personal privacy in the course of data correlation mining and analysis, to clarify the relevant responsibilities in the course of data use and processing, and to ensure the legitimate processing and use of data. In the course of processing and use, corresponding measures shall be taken according to the data level to protect the security of data; the data used must be authentic and reliable, and the data source and collection process must be reviewed and verified. Where automated decision-making using data is involved, the transparency of the decision-making and the fairness and reasonableness of the results shall be ensured. For the processing and use of important data and core data, strict access control shall also be implemented, and relevant technical and management mechanisms such as data trustworthiness and controllability, log retention and auditing, risk monitoring and assessment, real-time monitoring, emergency response, and data traceability shall be established.
Article 16. Data processors shall, according to the type, level, and application scenario of the data transmitted, formulate security strategies and take protective measures. For the transmission of important data and core data, measures such as verification technology, cryptographic technology, secure transmission channels, or secure transmission protocols shall be adopted.
Article 17. Data processors shall provide data in a secure and orderly manner in accordance with relevant provisions, clarify the scope, category, conditions, procedures, and the like, of the provision; the data provided shall be limited to the minimum scope necessary to achieve the processing purpose of the data recipient; and the data recipient shall be informed to carry out classification and grading protection according to the corresponding level and to take necessary security protection measures. Where important data is involved, a data security agreement shall be signed with the data recipient. In the course of sharing and invocation of important data, security management and control shall be strengthened, technical measures shall be taken to regularly monitor the sharing and invocation of data, and security protection measures such as risk isolation, authentication and authorization, and threat alerts shall be deployed. Where the provision or sharing of core data is involved, necessary security protection measures shall be taken and a report shall be made to the Ministry of Natural Resources; where the cumulative amount from January 1 of the current year may reach 30% or more of the total volume, a risk assessment shall be organized by the national data security work coordination mechanism upon submission by the Ministry of Natural Resources. The lawful performance of duties by State organs, or internal flow within a unit, shall be excepted.
Article 18. Before disclosing data, data processors shall analyze and assess the impact that may be caused on national security and the public interest; where there is a significant negative impact or risk, the data shall not be disclosed. Government departments shall observe the principles of fairness, impartiality, and convenience for the people, and shall disclose government affairs data promptly and accurately in accordance with provisions, except for data not to be disclosed in accordance with the law.
Article 19. Data processors shall establish a data destruction system, clarify the destruction objects, rules, processes, technical requirements, and the like, and record and retain records of destruction activities. Where destruction is requested in accordance with the provisions of laws and regulations, contractual stipulations, or the like, the data processor shall destroy the corresponding data.
For the destruction of important data and core data, necessary security protection measures shall be taken, and the data destruction plan shall be reported to the industry regulator in advance. Where a change in the catalog of important data and core data is thereby caused, a report shall be promptly filed with the industry regulator, and the destroyed data shall not be recovered for any reason or by any means.
Article 20. Important data collected and generated by data processors within the territory of the People’s Republic of China shall be stored within the territory; where it truly needs to be provided overseas, the data processor shall implement the relevant provisions of the State cyberspace authority on data export security assessment.
Article 21. Where a data processor needs to transfer data due to reorganization or the like, it shall clarify the data transfer plan. Where important data is involved, necessary security protection measures shall be taken, and the data transfer plan shall be reported to the industry regulator in advance. Where a change in the catalog of important data is thereby caused, a report shall be promptly filed with the industry regulator.
Article 22. Where a data processor entrusts another party to process data or jointly processes data with another party, data security responsibility shall not change as a result of the entrustment, and the data security responsibilities and obligations of the entrusting party and the entrusted party shall be clarified by means of signing a contract or agreement. Where important data is involved, the entrusting party shall take security as an important consideration, assess or verify the data security protection capabilities and qualifications of the entrusted party, undergo strict approval procedures, clarify the data processing permissions and protection responsibilities of the entrusted party, and supervise the entrusted party in performing its data security protection obligations.
Except as otherwise provided by laws and regulations, the entrusted party shall not provide data to a third party without the consent of the entrusting party.
Article 23. Data processors shall, in the course of whole-lifecycle data processing, record logs of data processing, permission management, personnel operations, and the like, and use commercial cryptography technology to protect the integrity of the logs. Among them, the retention period of logs for general data shall be not less than six months; where the handling and traceability of important data security incidents are involved, the relevant logs shall be retained for not less than one year; where the provision to others, entrusted processing, or joint processing of important data is involved, the relevant logs shall be retained for not less than three years; and where the handling and traceability of core data security incidents are involved, the relevant logs shall be retained for not less than three years.
Chapter 4 Data Security Monitoring, Early Warning, and Emergency Management
Article 24. The Ministry of Natural Resources shall, in accordance with relevant State standards and procedures, organize the establishment of a data security risk monitoring mechanism in the field of natural resources, establish a data security risk monitoring and early-warning system in the field of natural resources, classify the levels of data security risks and incidents, organize the building of technical means for data security monitoring and early warning, form capabilities for monitoring, traceability, early warning, and handling, and strengthen information sharing with relevant departments. The National Forestry and Grassland Administration shall organize the establishment of a data security risk monitoring and early-warning mechanism for forestry and grassland, classify the levels of forestry and grassland data security risks and incidents, and organize the building of technical means for forestry and grassland data monitoring and early warning.
Local industry regulators shall respectively build data security monitoring and early-warning mechanisms for their regions, organize the carrying out of data security risk monitoring in the field of natural resources in their regions, promptly release early-warning information in accordance with relevant provisions, and notify data processors in their regions to promptly take response measures.
Data processors shall carry out data security risk monitoring, promptly investigate security hazards, and take necessary measures to prevent data security risks.
Article 25. The Ministry of Natural Resources shall organize and guide the carrying out of data security risk assessment and other work in the field of natural resources. The National Forestry and Grassland Administration shall organize and guide the carrying out of forestry and grassland data security risk assessment and other work.
Local industry regulators shall be respectively responsible for organizing the carrying out of data security risk assessment work in the field of natural resources in their regions.
Important-data processors shall, on their own or by entrusting a third-party assessment institution, carry out a risk assessment of their data processing activities at least once a year, promptly rectify risk problems, and submit risk assessment reports to the industry regulator. The risk assessment report shall include the category and quantity of important data processed, the situation of the data processing activities carried out, the data security risks faced, the response measures and their degree of effectiveness, and the like. Data processors shall retain the risk assessment report for at least three years. Core-data processors shall give priority to using third-party assessment institutions to carry out risk assessments.
When data processors organize a risk assessment of important data security, they shall carry out audit analysis of the logs of key operations such as data query, download, modification, and deletion, and shall promptly take corresponding handling measures upon discovering violations or abnormal behavior.
Article 26. The Ministry of Natural Resources shall organize the establishment of a data security risk information notification mechanism in the field of natural resources, and uniformly collect, analyze, judge, and notify data security risk information. The National Forestry and Grassland Administration shall organize the establishment of a data security risk information notification mechanism for forestry and grassland.
Local industry regulators shall respectively summarize and analyze data security risks in the field of natural resources in their regions, and, based on a comprehensive judgment of the development trend, scale, degree of correlation, and actual harm of the data security risks, and the like, promptly report risks that may cause major or higher-level security incidents to the Ministry of Natural Resources.
Data processors shall promptly report risks that may cause relatively large or higher-level security incidents to the industry regulator.
Article 27. The Ministry of Natural Resources shall organize the formulation of data security incident emergency plans in the field of natural resources, and organize and coordinate the emergency-response work for important data and core data security incidents. The National Forestry and Grassland Administration shall organize the establishment of forestry and grassland data security incident emergency plans, and organize and coordinate the emergency-response work for important data and core data security incidents.
Local industry regulators shall respectively organize the carrying out of data security incident emergency-response work in the field of natural resources in their regions. For security incidents involving important data and core data, a report shall be immediately made to the Ministry of Natural Resources, and the development and handling of the incident shall be promptly reported.
After a data security incident occurs, data processors shall, in accordance with the emergency plan, promptly carry out emergency response; for security incidents involving important data and core data, they shall report to the industry regulator and the local public security department at the first instance, and form a summary report within one week after the handling of the incident is completed. They shall report the handling of data security incidents to the industry regulator on an annual basis.
For data security incidents that may harm the lawful rights and interests of users, data processors shall promptly inform the users and provide measures to mitigate the harm.
Chapter 5 Supervision and Inspection
Article 28. Industry regulators shall carry out supervision and inspection of the implementation by data processors of data classification and grading protection and the requirements of these Measures. Data processors shall cooperate with the supervision and inspection of industry regulators.
Article 29. Under the unified organization of the national data security work coordination mechanism, the Ministry of Natural Resources shall, in accordance with the law, cooperate with the relevant authorities in carrying out data security review work with respect to data processing activities in the field of natural resources that affect or may affect national security.
Article 30. Data processors and the staff of the data security risk assessment institutions entrusted by them shall keep strictly confidential the personal information, commercial secrets, and the like, that they become aware of in performing their duties, and shall not leak them or illegally provide them to others.
Chapter 6 Legal Liability
Article 31. Where, in performing their data security supervision and administration duties, industry regulators discover that a data processing activity poses a relatively large security risk, they may, in accordance with the prescribed authority and procedures, conduct interviews with the data processor and require it to take rectification measures to eliminate hidden dangers.
Article 32. For violations of the relevant provisions, handling shall be carried out in accordance with the Data Security Law of the People’s Republic of China and relevant laws and regulations, and corresponding administrative penalties shall be imposed according to the seriousness of the circumstances; where a crime is constituted, criminal liability shall be pursued in accordance with the law.
Chapter 7 Supplementary Provisions
Article 33. Where data processing activities involving personal information are carried out, the provisions of the relevant laws and regulations shall also be complied with.
Article 34. Data processing activities involving State secret information, or matters that constitute State secrets after data in the field of natural resources is aggregated and correlated, shall comply with the relevant secrecy provisions of the State and the Ministry.
Article 35. Where laws and regulations provide that an administrative license shall be obtained for carrying out data processing activities, the data processor shall obtain the license in accordance with the law.
Article 36. These Measures shall be interpreted by the Ministry of Natural Resources.
Article 37. These Measures shall take effect on the date of issuance.