Personal Sensitive Information (个人敏感信息)

Personal information that, once leaked, illegally provided, or misused, may endanger personal or property safety and can easily lead to damage to a person’s reputation or physical and mental health, or to discriminatory treatment.

  • Note 1: Personal sensitive information includes identity document numbers, personal biometric information, bank accounts, communication records and content, property information, credit reference information, travel trajectories, accommodation information, health and physiological information, transaction information, and the personal information of children aged 14 and below.

  • Note 2: Refer to Appendix B for the methods and types of determining personal sensitive information.

  • Note 3: Information that a personal information controller derives by processing personal information or other information also counts as personal sensitive information if, once leaked, illegally provided, or misused, it may endanger personal or property safety and can easily lead to damage to a person’s reputation or physical and mental health, or to discriminatory treatment.

From GB/T 35273 “Information Security Technology - Personal Information Security Specification”, Appendix B

Determination of Personal Sensitive Information

Personal sensitive information refers to personal information that, once leaked, illegally provided, or misused, may pose risks to personal and property safety, easily leading to damage to personal reputation, mental and physical health, or discriminatory treatment. In general, personal information of children aged 14 and below and information involving the privacy of natural persons are considered personal sensitive information. The following perspectives can be used to determine whether it falls under personal sensitive information:

  • Leakage: Once personal information is leaked, both the data subject and the organizations and institutions that collect and use the information lose the ability to control it, so neither the scope of its spread nor the purposes it is used for can be controlled any longer. Certain personal information, if after leakage it is used directly against the data subject’s wishes or correlated with other information, may pose significant risks to the data subject’s rights and interests and should be classified as personal sensitive information. For example, a photocopy of the data subject’s ID card being used by someone else for real-name registration of a mobile number or to open a bank account or card.

  • Illegal Provision: Some personal information poses significant risks to the data subject’s rights and interests merely by being disseminated beyond the scope of the data subject’s authorized consent, and should be classified as personal sensitive information. Examples include sexual orientation, deposit information, and infectious disease history.

  • Misuse: Some personal information, when used beyond the reasonable limits of the authorization given (for example by changing the processing purpose or expanding the processing scope), may pose significant risks to the data subject’s rights and interests and should be classified as personal sensitive information. For example, using health information for an insurance company’s marketing or to set an individual’s premium without the data subject’s authorization. Table B.1 gives examples of personal sensitive information.

Table B.1 Examples of Personal Sensitive Information

  • Personal Property Information: Bank accounts, authentication information (passwords), deposit information (including fund balances, payment and receipt records, etc.), real estate information, loan and credit records, credit reference information, transaction and consumption records, account statement records, and virtual property information such as virtual currency, virtual transactions, and game redemption codes.
  • Personal Health and Physiological Information: Records generated when an individual falls ill and is treated, such as symptoms, hospitalization records, physician orders, test reports, surgery and anesthesia records, nursing records, medication records, drug and food allergy information, reproductive information, past medical history, diagnosis and treatment details, family medical history, present illness history, infectious disease history, etc.
  • Personal Biometric Information: Personal genes, fingerprints, voiceprints, palm prints, ear shape, iris, facial recognition features, etc.
  • Personal Identity Information: ID cards, military officer IDs, passports, driver’s licenses, work permits, social security cards, residence permits, etc.
  • Other Information: Sexual orientation, marital history, religious beliefs, undisclosed records of unlawful or criminal conduct, communication records and content, address books, friend lists, group lists, travel trajectories, web browsing records, accommodation information, precise location information, etc.
