2025-05-30

Security Requirements for the Identification and Processing of Sensitive Personal Information - Lawyer's Interpretation Based on "Security Requirements for the Processing of Sensitive Personal Information" (GB/T 45574-2025)

01 Background

On April 25, 2025, the State Administration for Market Regulation and the Standardization Administration of the People's Republic of China issued GB/T 45574-2025 "Data Security Technology - Security Requirements for the Processing of Sensitive Personal Information". This recommended national standard will officially come into effect on November 1, 2025 (hereinafter referred to as the 2025 official draft). As early as August 9, 2023, the Secretariat of the National Information Security Standardization Technical Committee had released the "Information Security Technology - Security Requirements for the Processing of Sensitive Personal Information (Draft for Comment)" (hereinafter referred to as the 2023 Draft for Comment), but nearly two years passed before the official version was published in 2025. In the interim, to help enterprises with the specific problem of identifying sensitive personal information, the Secretariat of the National Cybersecurity Standardization Technical Committee released TC260-PG-20244A "Cybersecurity Standard Practice Guidelines - Guidelines for the Identification of Sensitive Personal Information" on September 14, 2024 (hereinafter referred to as the 2024 Identification Guidelines).

The introduction of GB/T 45574-2025 "Data Security Technology - Security Requirements for the Processing of Sensitive Personal Information" not only formally establishes the identification and definition of sensitive personal information, but more importantly, further stipulates the security requirements for the processing of sensitive personal information. Regulatory authorities and third-party assessment institutions now have sufficient basis to supervise and manage the sensitive personal information processing activities of personal information processors. Therefore, processors of sensitive personal information will face more specific and explicit compliance obligations.

02 Categories of Sensitive Personal Information

Lawyer's Interpretation:

1. The continuous activity trajectory of personnel

Regarding the classification of sensitive personal information, the 2025 official draft differs significantly from the 2023 Draft for Comment, but is almost identical to the 2024 Identification Guidelines. The one notable change concerns the determination of travel trajectory information, which has moved from "personnel activity trajectory" in 2024 to "continuous personnel activity trajectory" in 2025. That is, travel trajectory information refers to the continuous trajectory formed by an individual within a certain period through their specific geographical location, activity location, and the movement and change of their activity trajectory.

For instance, recording Zhang San's activity trajectory from home to the company on a single day does not constitute sensitive personal information. However, recording Zhang San's activity trajectory from home to the company from Monday to Friday is sensitive personal information, which emphasizes the "continuity" feature of a person's trajectory.

In addition, the 2025 official draft clearly states that the travel trajectory information of specific occupations (such as food delivery workers and couriers) used in scenarios for fulfilling service commitments does not fall under sensitive personal information. Although this position continues "Note 2" on page 3 of the 2024 Identification Guidelines, it emphasizes key constraints such as "necessity", "direct generation", "only for performance", and "necessary scope".

2. Narrowing the scope of sensitive personal information

Compared with the 2023 Draft for Comment, the 2025 official draft deleted "web browsing information, marital history, communication content, criminal identity information, specific job information (such as military personnel, police), identity document numbers, flight ticket information, specific accommodation information", etc., further narrowing the scope of sensitive personal information. The modified content also makes clear that a standalone "ID number", which is highly controversial in practice, is not recognized as sensitive personal information.

3. Clearly define the disputed information such as weight, height, blood type and blood pressure

Information such as weight, height, blood type and blood pressure, if not related to diseases or medical visits, does not fall under sensitive personal information. For instance, in a marathon race scenario, participants are required to fill in their blood type information for emergency use. In this case, blood type is not considered sensitive personal information. However, blood type, blood pressure and other information measured during medical visits are all sensitive personal information.

03 Identification of Sensitive Personal Information

In practice, some enterprises may only compare the types of personal information they collect and use with the above table. If they find that the data they process is not within the scope of the table, they may think that they are not involved in the processing of sensitive personal information. This approach is wrong and poses a significant risk.

Personal information processors must consider not only the identification of individual items of sensitive personal information but also the overall attributes of multiple items of general personal information once aggregated. Ordinary personal information not listed in the above table should be identified and protected as sensitive personal information if it meets either of the following conditions:

1) Once leaked or illegally used, it is likely to cause damage to the personal dignity of natural persons (situations that may lead to damage to personal dignity include "human flesh search", illegal intrusion into online accounts, telecommunications fraud, damage to personal reputation and discriminatory differential treatment, etc.);

2) Once leaked or illegally used, it is likely to cause harm to the personal safety of natural persons (for example, the leakage or illegal use of personal travel trajectory information may endanger the personal safety of the personal information subject).

The aggregated personal information should be identified and protected as a whole with reference to sensitive personal information.

For instance, a single ID number or a single name field does not fall under sensitive personal information. However, if the ID number and name are leaked together as an aggregated whole, this can easily lead to the infringement of a natural person's personal dignity. Therefore, the aggregated ID number, name or phone number as a whole should be identified and protected as sensitive personal information.

04 General Requirements for Processing Sensitive Personal Information

(Excerpted analysis of some key points)

05 Special Requirements for the Processing of Sensitive Personal Information

06 Summary

The introduction of GB/T 45574-2025 "Security Requirements for the Processing of Sensitive Personal Information" marks an important step taken by China in the field of sensitive personal information protection and sets a clearer and more specific compliance framework for personal information processors. This standard, as a technical specification, together with the Personal Information Protection Law, forms a "dual-track" framework for the processing of sensitive personal information. By clarifying the classification, identification rules and processing requirements of sensitive personal information, it provides detailed provisions on aspects such as "separate consent" and the "principle of minimum necessity", and also offers an important basis for regulatory enforcement and third-party assessment.

For enterprises, the top priority is to comprehensively inventory data assets in light of business scenarios, identify sensitive personal information through technical means, and at the same time adjust privacy policies, internal management systems, and technical protection measures. In addition, special attention should be paid to security management requirements such as "separate consent" and "log retention for three years" to avoid compliance risks caused by overlooked details.

The implementation of standards not only requires enterprises to passively comply but also to proactively build a data governance culture, so as to achieve a win-win situation of maximizing business value and protecting personal rights and interests in the digital wave.
