GB/T 43506-2023
Technical requirements for the protection of personal information of telecommunications and Internet service users (English Version)

Standard No.: GB/T 43506-2023
Language: Chinese, Available in English version
Release Date: 2023
Published By: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
Latest: GB/T 43506-2023

Introduction

National Standard of the People's Republic of China GB/T 43506—2023 Technical Requirements for the Protection of Personal Information of Telecommunication and Internet Service Users

Background and Significance of Standard Formulation

In recent years, with the rapid development of new generation information and communication technologies such as big data and cloud computing, user personal information has become an important asset of telecommunications and Internet companies. However, the awareness of personal information protection in the industry is uneven, resulting in frequent violations and serious infringement of users' privacy rights and interests. In response to this challenge, the "Personal Information Protection Law of the People's Republic of China" and related laws and regulations came into being, providing an important basis for industry norms and corporate self-discipline.

This standard builds on the existing "Personal Information Protection of Telecommunication and Internet Service Users" series of industry standards. It aims to improve the standardization and security of telecommunications and Internet services and to strengthen the protection of users' personal information and rights, and it is widely applicable.

User Personal Information Classification and Protection Scope

According to the GB/T 43506-2023 standard, user personal information is divided into three categories: user identity and authentication information, user data and service content information, and user service related information.

| Classification | Subclass | Scope (including but not limited to) | Information Examples |
|---|---|---|---|
| User Identity and Authentication Information | A1: User Natural Person Identity and Identification Information | User Basic Information, Identity Certificate, Biometrics | Name, ID Type and Number, Age, Gender, Occupation, Work Unit, Address, Ethnicity, Nationality; Photocopies of ID Card, Military Officer ID, Passport, etc.; Fingerprints, Voiceprints, Iris, Face, etc. |
| | A2: User virtual identity and authentication information | General service identity and authentication information, transaction service identity and authentication information | Telephone number, account number, email address, password; various transaction account numbers and passwords. |
- - -

User Personal Information Protection Classification and Requirements

This standard divides user personal information protection into five levels, from Level 5 (highest) down to Level 1 (lowest), according to the sensitivity of the personal information processed by the service. The specific requirements for each level are as follows:

| Protection level | Classification elements | Specific requirements |
|---|---|---|
| Level 5 | Highly sensitive information such as biometrics, transaction service identification and authentication information | Implement strict technical and management measures, including high-intensity encryption, real-time monitoring and early warning. |
| Level 4 | Sensitive information such as basic user information and general service identification | Take necessary technical and management measures to ensure data security and access control. |
| Level 3 | Service content information, user private data and other medium-sensitive information | Implement basic technical and management measures to ensure access control and security management standards. |
| Level 2 | Consumption information and bills and other low-sensitivity information | Take basic technical and management measures to ensure basic security. |
| Level 1 | Non-sensitive information such as business orders and subscription relationships | Follow basic protection requirements and implement basic technical and management measures. |

Implementation Recommendations and Technology Evolution Analysis

To ensure the effective implementation of the standard, companies should start from the following aspects:

  • Technical level: Strengthen data encryption, access control and security monitoring capabilities.
  • Management level: Establish strict internal approval processes and data usage specifications.
  • User level: Provide clear privacy policy instructions and user rights management tools.

With the evolution of technology, personal information protection in the future will rely more on the application of new technologies such as artificial intelligence and blockchain to achieve more efficient privacy management and risk prevention and control.

GB/T 43506-2023 history

  • 2023 GB/T 43506-2023 Technical requirements for the protection of personal information of telecommunications and Internet service users