State Internet Information Office: Important Data Network Data Processors Should Conduct Risk Assessments Every Year

Zhitongcaijing·12/06/2025 08:33:03
The Zhitong Finance App learned that on December 6, the State Internet Information Office solicited public comments on the “Network Data Security Risk Assessment Measures (Draft for Comments)”. The “Draft for Solicitation of Comments” mentions that network data processors that process important data (hereinafter referred to as important data processors) should conduct risk assessments of their network data processing activities every year. Where major changes in the security status of important data may adversely affect data security, risk assessments should be carried out on the parts of the changes and their effects in a timely manner.

The original text is as follows:

Network Data Security Risk Assessment Measures

(Draft for Solicitation of Comments)

Article 1 These Measures are formulated in accordance with laws and regulations such as the “Data Security Law of the People's Republic of China”, “Cybersecurity Law of the People's Republic of China”, and “Regulations on the Administration of Network Data Security” in order to regulate network data security risk assessment activities, guarantee network data security, and promote the rational and effective use of network data in accordance with the law.

Article 2 These Measures shall be complied with when carrying out network data security risk assessments within the People's Republic of China. Where laws, administrative regulations, or departmental regulations stipulate otherwise, they shall be in accordance with their provisions.

Network data security risk assessment (hereinafter referred to as risk assessment) as used in these Measures refers to activities such as risk identification, risk analysis, and risk evaluation concerning the security of network data and network data processing activities.

Article 3 Under the guidance of the national data security coordination mechanism, the national Internet information department shall coordinate all regions and departments in carrying out risk assessments and strengthen work coordination and information sharing.

Article 4 All relevant competent departments shall organize and carry out risk assessments in their industries and fields on a regular basis in accordance with the principle that whoever manages a business also manages its business data and is responsible for its data security. They may inspect the risk assessments of important data processors in their industries and fields according to work needs, and shall submit their annual risk assessment and inspection plans to the national Internet information department by the end of January every year.

Provincial Internet information departments shall coordinate with relevant departments at the provincial level to formulate annual risk assessment and inspection plans for their administrative regions and submit them to the national Internet information department in accordance with the requirements of the preceding paragraph.

Article 5 Under the guidance of the national data security coordination mechanism, the national Internet information department shall coordinate the annual risk assessment and inspection plans submitted by relevant competent departments and provincial Internet information departments to avoid duplicate assessments and duplicate inspections.

No relevant department shall charge fees to the inspected network data processors for carrying out inspections.

Article 6 A network data processor that processes important data (hereinafter referred to as an important data processor) shall conduct a risk assessment of its network data processing activities every year. Where major changes in the security status of important data may adversely affect data security, risk assessments should be carried out on the parts of the changes and their effects in a timely manner.

Network data processors that process general data (hereinafter referred to as general data processors) are encouraged to conduct risk assessments at least every 3 years.

Article 7 Risk assessment work shall be carried out in accordance with the relevant requirements of the “Regulations on the Administration of Network Data Security” and relevant national standards such as “Data Security Technology: Data Security Risk Assessment Method” (GB/T 45577). Where the relevant competent department makes other provisions on risk assessment work in its industry or field, those provisions shall apply.

Article 8 Network data processors may conduct risk assessments on their own or by entrusting third-party evaluation agencies (hereinafter referred to as evaluation agencies).

A network data processor that carries out its own risk assessment shall designate a dedicated person to be responsible for it. When a network data processor entrusts an evaluation agency to carry out a risk assessment, it shall give priority to selecting an evaluation agency that has passed certification, and shall clarify the rights, responsibilities, and confidentiality obligations of both parties by entering into a contract or other legally binding document.

Article 9 Certification bodies holding data security service certification qualifications approved in accordance with law by the State Council's certification and accreditation supervisory and administrative department may certify evaluation agencies in accordance with relevant national standards and industry standards such as “Data Security Technology: Capability Requirements for Data Security Assessment Agencies” (GB/T 45389).

Article 10 When carrying out risk assessments, evaluation agencies shall abide by laws and regulations, make risk judgments impartially and objectively, and be responsible for the authenticity, validity, and completeness of the risk assessment reports they issue, and shall not further entrust other agencies to carry out the risk assessment.

Article 11 The same evaluation agency, together with its affiliated agencies, shall not conduct risk assessments for the same network data processor more than 3 times in a row.

Article 12 Where an evaluation agency discovers a major data security risk in network data processing activities during the risk assessment process, it shall promptly notify the network data processor and report it to the Internet information department at or above the provincial level and to the relevant competent department in accordance with relevant regulations.

The evaluation agency and its staff shall, in accordance with law, keep confidential the data, trade secrets, confidential business information, and similar material obtained during the risk assessment process, shall not divulge it or unlawfully provide it to others, and shall promptly delete the relevant information after the risk assessment work is completed.

Article 13 An important data processor carrying out an annual risk assessment shall prepare an assessment report in accordance with the template annexed to these Measures. A general data processor may prepare an assessment report with reference to the template annexed to these Measures. Where the relevant competent department stipulates otherwise on the risk assessment report template, its provisions shall apply.

Risk assessment reports shall be retained for at least 3 years.

Article 14 An important data processor shall submit its assessment report in accordance with the requirements of the relevant competent department within 10 working days after completing the annual risk assessment. Where the competent department is not clearly identified, the report shall be submitted to the provincial Internet information department or the national Internet information department.

The relevant competent department shall disclose the channels and contact information for submitting assessment reports, promptly receive the assessment reports submitted by important data processors, and forward them to the Internet information department at the same level within 10 working days from the date of receipt. The national Internet information department shall compile the relevant reports and submit them to the national data security coordination mechanism.

Internet information departments and relevant departments at or above the provincial level may conduct spot checks and verifications of the authenticity and accuracy of network data processors' assessment reports, and network data processors shall cooperate with such spot checks and verifications.

Article 15 Where Internet information departments or relevant departments at or above the provincial level discover, in the course of verifying, supervising, or inspecting risk assessment reports, that a network data processor falls under any of the following circumstances, they shall require it to entrust a certified evaluation agency to carry out a risk assessment:

(1) Network data processing activities present significant security risks;

(2) A network data security incident has occurred, causing important data or large-scale personal information to be leaked or stolen;

(3) Network data processing activities may endanger national security or public interest;

(4) Other circumstances specified by the national Internet information department or relevant departments.

For the same network data security incident or risk, a network data processor shall not be repeatedly required to entrust an evaluation agency to carry out risk assessments.

Article 16 Where a network data processor entrusts an evaluation agency to carry out a risk assessment as required by the relevant departments, it shall perform the following obligations:

(1) Provide the necessary support for the evaluation agency to carry out the risk assessment, including granting risk assessors access to network data facilities, network data, systems, and operation logs;

(2) Complete the risk assessment within the prescribed time limit and bear the cost of the assessment; where the situation is complicated, the time limit may be extended appropriately with the approval of the relevant department;

(3) After the risk assessment is completed, submit the assessment report issued by the evaluation agency to the relevant department; the assessment report shall be signed by the principal person in charge of the evaluation agency and the person in charge of the risk assessment, and stamped with the agency's official seal;

(4) Rectify the problems found in the risk assessment in accordance with the requirements of the relevant department, and submit a report on the rectification to the relevant department within 15 working days after the rectification is completed.

Network data processors shall not in any way request or suggest that an evaluation agency issue a false or improper assessment report.

Article 17 Where relevant departments, in the course of organizing risk assessment work, discover network data processing activities that may endanger national security or the public interest, they shall order the network data processor to rectify them; where rectification is inadequate or refused, measures such as requiring the processor to stop processing important data may be taken.

Article 18 All regions and departments shall strengthen risk information sharing and collaborative handling, promptly deal with security risks and issues discovered during risk assessment work, and promptly report them in accordance with relevant regulations.

Provincial Internet information departments shall coordinate risk information sharing and collaborative handling within their administrative regions, report the handling of risk information for the previous year to the national Internet information department by the end of March each year, and submit the relevant information to the national data security coordination mechanism.

Article 19 Any organization or individual has the right to lodge complaints and reports with the relevant departments about illegal or non-compliant conduct in risk assessments, and departments receiving complaints or reports shall promptly deal with them in accordance with law.

Article 20 Where Internet information departments or relevant departments at or above the provincial level discover that a network data processor has failed to carry out risk assessments in accordance with regulations, they shall deal with and punish it in accordance with the “Data Security Law of the People's Republic of China” and other laws and regulations.

Where an evaluation agency is found to have carried out a risk assessment in violation of these Measures, the Internet information department or relevant department at or above the provincial level shall order it to rectify; if the circumstances are serious, they may restrict or prohibit it from carrying out risk assessment activities, hold the responsible personnel accountable, and publicly announce this; where a crime is constituted, criminal liability shall be pursued in accordance with law.

Article 21 Where the content of a risk assessment overlaps with that of a cybersecurity multi-level protection assessment, data security management certification, personal information protection compliance audit, commercial cryptography application security assessment, or similar activity, the relevant results may be mutually recognized to avoid duplicate assessments, audits, and certifications.

Article 22 Risk assessments carried out by important data processors before providing important data to others, entrusting others to process it, or jointly processing it may be carried out with reference to the relevant provisions of these Measures.

Article 23 Risk assessments by core data processors shall be carried out in accordance with relevant national regulations.

Article 24 Risk assessment activities involving state secrets and work secrets shall be carried out in accordance with the “Law of the People's Republic of China on Guarding State Secrets” and other laws, administrative regulations, and state secrecy regulations.

Article 25 These Measures take effect on this month.

This article was selected from the “Internet Communications China” official account. Zhitong Finance editor: Li Fu.