YD/T 3746-2020 English PDF (YDT3746-2020)

Delivery: 3 seconds. Download true-PDF + Invoice.
Get QUOTATION in 1-minute: Click YD/T 3746-2020
Historical versions: YD/T 3746-2020
Preview True-PDF (Reload/Scroll if blank)

YD/T 3746-2020: Specification of internet of vehicle information service - User personal information protection
YD/T 3746-2020
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.020
L 70
Specification of Internet of vehicle information service
- User personal information protection
ISSUED ON: AUGUST 31, 2020
IMPLEMENTED ON: OCTOBER 01, 2020
Issued by: Ministry of Industry and Information Technology of the
People's Republic of China.
Table of Contents
Foreword ... 3 
1 Scope ... 4 
2 Normative references ... 4 
3 Terms and definitions ... 4 
4 Basic rules for subscriber personal information protection ... 5 
5 Overview of subscriber personal information protection ... 6 
5.1 Object of subscriber personal information protection ... 6 
5.2 Processing links of subscriber personal information ... 6 
5.3 Basic idea of subscriber personal information protection ... 7 
6 Classification requirements for subscriber personal information ... 7 
6.1 Classification methods for subscriber personal information ... 7 
6.2 Classification examples for subscriber personal information ... 8 
7 Grading requirements for subscriber personal information sensitivity ... 12 
7.1 Grading methods for subscriber personal information sensitivity ... 12 
7.2 Grading examples for subscriber personal information sensitivity ... 13 
8 Protection requirements for subscriber personal information security ... 14 
8.1 Protection requirements for personal general information security ... 14 
8.2 Protection requirements for personal important information security ... 14 
8.3 Protection requirements for personal sensitive information security ... 14 
Bibliography ... 16 
Specification of Internet of vehicle information service
- User personal information protection
1 Scope
This Standard specifies information content classification, sensitivity
classification and classification protection requirements for subscriber personal
information protection of Internet of vehicle information service.
This Standard is applicable to subscriber personal information protection of
automakers, parts and components suppliers, software providers, data content
providers and service providers related to Internet of vehicle during the service
providing process.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 35273-2020, Information security technology - Personal information
security specification
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 subscriber personal information of Internet of vehicle information
service
the information - which is collected by automakers, parts and components
providers, software providers, data and content providers, and service
providers related to the Internet of vehicle industry during the service providing
process - that can identify subscribers individually or in combination with other
information and involve subscribers' personal privacy
NOTE: After the subscriber's personal information is processed to remove the subscriber's
identity and personal privacy attributes, it is not included in the scope of protection of the
personal information of the Internet of vehicle information service subscribers specified in
this Standard. For example, the scale statistics of the subscription business of the Internet
of vehicle information service, etc.
4 Basic rules for subscriber personal information
protection
The subscriber personal information protection of Internet of vehicle information
service usually shall follow the requirements in GB/T 35273-2020, follow the
principles of consistency of rights and responsibilities, clear purpose, selection
under consent, enough for use, openness and transparency, safety ensuring,
and subject participation, so as to use personal information reasonably.
- Principle of consistency of rights and responsibilities: Take technical and
other necessary measures to protect the security of personal information.
It shall be liable for the damage caused by its personal information
processing activities to the legitimate rights and interests of personal
information subjects.
- Principle of clear purpose: It has a legal, legitimate, necessary and clear
purpose of personal information processing.
- Principle of selection under consent: Clearly state the purpose, method,
scope, rules, etc. of personal information processing to personal
information subjects, and seek their authorization and consent.
- Principle of enough for use: Only process the minimum type and amount of
personal information necessary to satisfy the purposes for which the
personal information subject has authorized and consented to it. After the
purpose is achieved, personal information shall be deleted in a timely
manner.
- Principle of openness and transparency: Disclose the scope, purpose and
rules of processing personal information in a clear, understandable and
reasonable manner. Receive external oversight.
- Principle of safety ensuring: It has security capabilities commensurate with
the security risks faced. Take adequate management measures and
technical means to protect the confidentiality, integrity and availability of
personal information.
- Principle of subject participation: Provide personal information subjects with
methods to inquire, correct, delete their personal information, as well as
withdraw, unify, cancel accounts, and lodge complaints.
processing refers to entrusting the personal information controller of the
Internet of vehicle subscribers to a third party to process the personal
information of subscribers. Sharing refers to the process in which a
subscriber's personal information controller provides personal information
to other controllers, and both parties have independent control over the
personal information. Transfer is the process of transferring control of
personal information from one controller to another. Public disclosure
refers to the act of releasing subscriber personal information to the society
or unspecified groups of people.
5.3 Basic idea of subscriber personal information protection
This Standard focuses on the classification and grading of subscriber personal
information for the protection objects of subscriber personal information. It also
puts forward corresponding security requirements around the processing links
of the entire life cycle of subscriber personal information protection, so as to
reduce the security risks related to the entire life cycle of subscriber personal
information on the Internet of vehicle information service. Ensure that the
Internet of vehicle information service provider shall standardize the collection,
storage, use, entrusted processing, sharing, transfer and disclosure of
subscriber personal information involved in the process of providing services,
in accordance with the management requirements and technical requirements
of the corresponding level.
6 Classification requirements for subscriber personal
information
6.1 Classification methods for subscriber personal information
Subscriber personal information refers to the data information closely related to
subscribers in the process of Internet of vehicle information service such as
data collection and transmission, use and destruction. These data information
can identify the personal identi...