DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · TC260 SENSITIVE PI GUIDE

Cybersecurity Standards Practice Guide — Sensitive Personal Information Identification Guide (v1.0, September 2024).

网络安全标准实践指南 — 敏感个人信息识别指南 (v1.0-202409)

FILED UNDER · Personal Information

DCC summary, not a translation. TC260’s practice guide explicitly prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase of the guide’s framework, written for overseas compliance teams who need to understand how Chinese regulators expect handlers to identify “sensitive personal information” as that term is defined in PIPL Article 28.

Why this guide matters

PIPL Article 28 defines sensitive personal information as personal information that, if leaked or unlawfully used, would readily harm a natural person’s dignity or threaten their personal or property safety. The statute provides a non-exhaustive list — biometric identification, religious belief, specific identity, medical health, financial account, and whereabouts and tracks information, as well as personal information of minors under 14.

The TC260 guide does what the statute does not: it gives handlers a structured method for applying this definition. For overseas compliance teams whose Chinese subsidiaries or vendors handle personal information at scale, this is the framework Chinese regulators will reference when deciding whether the strict handling rules for sensitive personal information (separate consent under Article 29, intensified PIPIA under Article 55, notice obligations under Article 30) attach to a given dataset.

The four-rule identification framework

The guide directs handlers to apply four rules in sequence.

Rule 1 — Statutory criteria. Information is sensitive personal information if leakage or unlawful use would readily lead to any of:

  • Damage to the natural person’s dignity. The guide notes that “doxxing” (人肉搜索), unauthorized account access, telecom fraud, reputational damage, and discriminatory differential treatment all fall in this category — and that discriminatory differential treatment often turns on the disclosure of specific identity, religious belief, sexual orientation, or specific disease/health information.
  • Harm to the natural person’s safety. The guide gives whereabouts and trajectory data as the canonical example.
  • Harm to the natural person’s property safety. The guide gives financial-account information as the canonical example.

Rule 2 — Default-category check. A handler should identify information in the eight common categories enumerated in Section 4 (set out below) and treat any such information as sensitive by default. The guide notes that a handler with substantive evidence that a particular dataset does not meet the Rule 1 conditions may elect not to treat it as sensitive — but this is an explicit override of the default, not a discretionary judgment.

Rule 3 — Aggregation analysis. Single-item identification is not enough. The handler must also assess the aggregate effect of combining multiple ordinary personal-information items. If the combined dataset would meet Rule 1’s conditions in the aggregate, it should be treated as sensitive personal information in the aggregate.

Rule 4 — Statutory carve-outs prevail. Where law or administrative regulation specifies that information is sensitive personal information, that designation governs.

The eight common categories

The guide enumerates eight categories of common sensitive personal information, with illustrative examples in Appendix A.

  1. Biometric identification information — including face, voiceprint, gait, fingerprint, palmprint, eye-print, ear-print, iris, and gene information. Cross-reference to dedicated national standards: GB/T 40660 (general biometric), GB/T 41819 (facial recognition data), GB/T 41807 (voiceprint data), GB/T 41773 (gait data), GB/T 41806 (gene identification data).

  2. Religious-belief information — religion practiced, religious organizations joined, positions held within religious organizations, religious activities participated in, special religious customs.

  3. Specific-identity information — identity that materially affects personal dignity and social evaluation, or that is otherwise unsuitable for public disclosure. The guide emphasizes identity information that could prompt social discrimination.

  4. Medical health information — information related to physical or mental injury, illness, disability, illness risk, or privacy. The guide subdivides this into (a) health-status information (symptoms, medical history, family medical history, infectious-disease history, examination reports, fertility information) and (b) information generated in the course of medical services (medical records, hospital admission records, doctor’s orders, surgical and anesthesia records, nursing records, medication records, examination data, examination reports).

  5. Financial-account information — bank, securities, fund, insurance, and housing-fund account numbers and passwords; payment account numbers, bank-card track data, payment-token information derived from account data, and personal income detail.

  6. Whereabouts and tracks information — continuous precise-location trajectory data, vehicle trajectory data, personal activity-trajectory data. Service-fulfillment context — for example, delivery drivers and couriers performing service tasks — is carved out by note.

  7. Personal information of minors under 14.

  8. Other sensitive personal information — including (per the appendix) precise-location information collected via mobile-device fine-location permission, ID-card photographs, sexual orientation, sexual activity, credit reporting information, criminal-record information, and images or video showing private body parts.

Key application notes from Appendix A

  • Precise location requires the mobile-device fine-location permission to be invoked; rough-IP-derived location information is not by itself precise-location information. Continuous precise-location capture can constitute trajectory information.
  • Health-related but ordinary metrics — weight, height, blood type, blood pressure, lung capacity — fall outside the sensitive category if not associated with an actual disease or medical visit.
  • Criminal-record information refers specifically to records maintained by Chinese state organs (charge, sentence, etc.).
  • Facial recognition data, voiceprint data, gait data, and gene identification data each have their own dedicated national-standard data-security requirements; the TC260 guide is a higher-level identification reference and does not displace those data-specific standards.
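As an added illustration (not part of the DCC summary or the TC260 guide), the Rule 1–Rule 4 sequence and the Appendix A notes above can be encoded as a schema-level classification check that a PIPIA workflow could run over a dataset's field list. The category names, tags, aggregation rules and sample schema are assumptions constructed for this example; the Rule 3 table encodes only two Appendix A notes (ordinary health metrics become sensitive when associated with a medical visit; continuous precise location becomes trajectory data) and deliberately leaves rough-IP location as ordinary.

```python
from dataclasses import dataclass, field

# Rule 2: the eight default-sensitive categories (Section 4 of the guide).
DEFAULT_SENSITIVE = {
    "biometric", "religious_belief", "specific_identity", "medical_health",
    "financial_account", "whereabouts_tracks", "minor_under_14", "other_sensitive",
}
# Rule 3 (assumed encoding of two Appendix A notes): sets of individually
# ordinary tags that together expose a Rule 1 vector. "location_rough" (IP-derived)
# is intentionally absent: the guide treats it as non-precise on its own.
AGGREGATION_RULES = {
    frozenset({"health_metric", "medical_visit"}): "medical_health",
    frozenset({"location_precise", "continuous_capture"}): "whereabouts_tracks",
}

@dataclass
class DataField:
    name: str
    tag: str                     # default category or an ordinary tag (assumed vocabulary)
    statutory: bool = False      # Rule 4: law/regulation designates it sensitive
    override_evidence: str = ""  # Rule 2: documented evidence the default does not apply

@dataclass
class Assessment:
    sensitive: dict = field(default_factory=dict)   # field name -> reason
    aggregate: dict = field(default_factory=dict)   # category -> reason
    overrides: list = field(default_factory=list)   # recorded Rule 2 overrides

def classify(fields):
    """Apply Rules 4, 2 and 1 per field, then Rule 3 over the whole schema."""
    a = Assessment()
    for f in fields:
        if f.statutory:                        # Rule 4 prevails over any override
            a.sensitive[f.name] = "Rule 4: statutory designation prevails"
        elif f.tag in DEFAULT_SENSITIVE:
            if f.override_evidence:            # explicit, recorded override of the default
                a.overrides.append(f"{f.name}: {f.override_evidence}")
            else:
                a.sensitive[f.name] = f"Rule 2: default category {f.tag}"
    present = {f.tag for f in fields}
    for combo, category in AGGREGATION_RULES.items():   # Rule 3: aggregation
        if combo <= present:
            a.aggregate[category] = "Rule 3: " + " + ".join(sorted(combo))
    return a

def is_sensitive_dataset(fields):
    a = classify(fields)
    return bool(a.sensitive or a.aggregate)

SAMPLE = [  # constructed schema: one default category, one Rule 3 combination
    DataField("face_template", "biometric"),
    DataField("weight_kg", "health_metric"),
    DataField("clinic_visit_ref", "medical_visit"),
    DataField("ip_region", "location_rough"),
]
```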

How to use this in compliance practice

For overseas compliance teams operating in China:

  • Treat the eight categories as the working list. Any data fitting one of the eight categories should default to sensitive-PI handling — separate consent, written consent where required, intensified PIPIA, and the additional notice obligations of PIPL Article 30.
  • Run the aggregation check. Even where individual fields are ordinary personal information, an aggregate dataset that exposes whereabouts, financial profile, health status, or other Rule 1 vectors should be classified up.
  • Document the assessment. PIPL Article 55 requires PIPIA before processing sensitive personal information; the PIPIA report is the natural place to record the Rule 1–Rule 4 analysis with reference to the guide. Retain for three years (PIPL Article 56).
  • Recognize the guide’s status. TC260 practice guides are not mandatory standards. But Chinese regulators reference them as the operational gloss on the statutory definition, and handlers who deviate from the guide’s framework should expect to justify the deviation.

Cybersecurity Standards Practice Guide: Sensitive Personal Information Identification Guide (v1.0, September 2024), issued by the Secretariat of the National Information Security Standardization Technical Committee (TC260). DCC summary based on the published guide. For the source document, see www.tc260.org.cn.
