GB/T 45574-2025 Data security technology - Security requirements for processing of sensitive personal information
1 Scope
This document establishes the identification and definition of sensitive personal information and specifies general and special security requirements for the processing of sensitive personal information.
This document is applicable to personal information processors conducting sensitive personal information processing activities, as well as regulatory authorities and third-party assessment agencies supervising, managing, and assessing such activities.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 35273 Information security technology - Personal information security specification
GB/T 40660 Information security technology - General requirements for biometric information protection
GB/T 41391 Information security technology - Basic requirements for collecting personal information in mobile internet applications
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
personal information
all kinds of information related to identified or identifiable natural persons, recorded electronically or otherwise
3.2
sensitive personal information
personal information that, once leaked or illegally used, may easily lead to infringement of the personal dignity of natural persons or hazard to personal and property safety
Note: Sensitive personal information includes information about biometric identification data, religious belief, specific identity, medical and health, financial accounts, and location tracking data, as well as personal information of minors under the age of fourteen.
3.3
personal information processor
organization or individual that independently decides the purpose and method of processing in personal information processing activities
3.4
personal information subject
natural person identified by or connected to personal information
[Source: GB/T 35273-2020, 3.3]
3.5
personal information processing activities
activities such as collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information
3.6
separate consent
specific and explicit consent of individuals for the specific processing of their personal information
[Source: GB/T 42574-2023, 3.7, modified]
4 Identification and definition of sensitive personal information
4.1 Identification of sensitive personal information
Personal information processors shall identify sensitive personal information in accordance with the following rules.
a) Personal information that meets any of the following conditions shall be identified as sensitive personal information:
1) personal information that, once leaked or illegally used, may easily lead to infringement of the personal dignity of natural persons;
Note 1: Circumstances that may easily lead to infringement of the personal dignity of natural persons include "cyber manhunt", unauthorized access to online accounts, telecom fraud, damage to personal reputation, and discriminatory treatment. Discriminatory treatment may result from the disclosure of information such as the personal information subject's specific identity, religious belief, sexual orientation, specific diseases, and health status.
2) personal information that, once leaked or illegally used, may easily lead to hazard to personal safety of natural persons;
Note 2: For example, the disclosure or illegal use of location tracking data of an individual may endanger the personal safety of the personal information subject.
3) personal information that, once leaked or illegally used, may easily lead to hazard to property safety of natural persons.
Note 3: For example, the disclosure or illegal use of financial account information of an individual may cause financial losses to the personal information subject.
b) Sensitive personal information collected and generated shall be identified as per 4.2, and shall fall within any of the categories specified in Annex A.
Note 4: The processed personal information shall not be identified as sensitive personal information if there is sufficient justification and evidence indicating that such information does not meet the conditions specified in item a).
c) Both individual pieces of sensitive personal information and the aggregated attributes of multiple pieces of general personal information shall be considered. The impact of leakage or illegal use of aggregated personal information on personal rights and interests shall be analyzed. If the conditions in item a) are met, the aggregated personal information shall be identified and protected as sensitive personal information.
d) If certain information is specified as sensitive personal information by laws and regulations, such provisions shall prevail.
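The identification rules in 4.1 form a decision procedure: per-field conditions in a), categories from 4.2 in b) with the justified exception of Note 4, aggregation analysis in c), and statutory precedence in d). The following Python is an added illustration of that procedure and is not part of GB/T 45574-2025 or any official tooling; the category identifiers follow 4.2 a) to h), while the field names, the aggregation table and the sample dataset are constructed assumptions a processor would replace with the results of its own impact analysis.

```python
"""Worked classifier for the identification rules of 4.1.

Added illustration, not part of GB/T 45574-2025. Category labels follow
4.2 a) to h); field names, the aggregation table and the sample data are
constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Category identifiers derived from 4.2 a) to h) (the spellings are ours).
CATEGORIES = (
    "biometric", "religious_belief", "specific_identity", "medical_health",
    "financial_account", "location_tracking", "minor_under_14", "other_sensitive",
)


@dataclass(frozen=True)
class DataField:
    name: str
    # A 4.2 category, or None for general personal information.
    category: Optional[str] = None
    # Note 4 of 4.1: documented evidence that condition a) is not met,
    # e.g. the occupational exclusion in Note 2 of 4.2 f).
    justification: Optional[str] = None


# 4.1 c): combinations of general fields whose aggregate meets condition a).
# Constructed assumption; a processor derives its own table from its analysis.
AGGREGATION_RULES = {
    # repeated timestamped fixes form a trajectory in the sense of 4.2 f)
    frozenset({"latitude", "longitude", "timestamp"}): "location_tracking",
    # a card number together with amounts reveals account transactions, 4.2 e)
    frozenset({"bank_card_number", "transaction_amount"}): "financial_account",
}


@dataclass
class Classification:
    sensitive: dict[str, str] = field(default_factory=dict)             # field -> category
    aggregated: dict[str, frozenset[str]] = field(default_factory=dict)  # category -> fields
    excluded: dict[str, str] = field(default_factory=dict)              # field -> justification


def classify(fields: list[DataField], subject_under_14: bool = False,
             legal_overrides: Optional[dict[str, str]] = None) -> Classification:
    """Apply 4.1 a) to d) to a field list; report which fields are sensitive and why."""
    legal_overrides = legal_overrides or {}
    result = Classification()
    general: set[str] = set()
    for f in fields:
        if f.name in legal_overrides:            # 4.1 d): statutory designation prevails
            result.sensitive[f.name] = legal_overrides[f.name]
        elif subject_under_14:                   # 4.2 g): all personal information of a minor under 14
            result.sensitive[f.name] = "minor_under_14"
        elif f.category is None:                 # general personal information, kept for 4.1 c)
            general.add(f.name)
        elif f.justification:                    # Note 4: justified exception stays general
            result.excluded[f.name] = f.justification
            general.add(f.name)
        else:
            if f.category not in CATEGORIES:
                raise ValueError(f"unknown category {f.category!r} on field {f.name!r}")
            result.sensitive[f.name] = f.category
    # 4.1 c): assess the aggregated attributes of the general fields
    for combo, category in AGGREGATION_RULES.items():
        if combo <= general:
            result.aggregated[category] = combo
            for name in combo:
                result.sensitive[name] = category
    return result


if __name__ == "__main__":
    sample = [  # constructed dataset
        DataField("name"), DataField("latitude"), DataField("longitude"), DataField("timestamp"),
        DataField("face_template", "biometric"),
        DataField("courier_route", "location_tracking",
                  justification="used to fulfil delivery service obligations, 4.2 f) Note 2"),
    ]
    for name, cat in sorted(classify(sample).sensitive.items()):
        print(f"{name}: {cat}")
```

Only fields that remain general after the per-field step feed the aggregation check, so a field excluded under Note 4 can still be raised to sensitive when it combines with others, which mirrors the separate analysis 4.1 c) requires; a statutory override is checked first so that 4.1 d) cannot be undone by a justification.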
4.2 Definition of sensitive personal information
Sensitive personal information includes the following categories:
a) Biometric information: Also known as biometric identification information, which refers to the personal information obtained by technical processing of physical, biological, or behavioral features of a natural person, and can be used to identify the individual alone or in combination with other information.
Note 1: Refer to standards such as GB/T 40660, GB/T 41819, GB/T 41807, GB/T 41773, and GB/T 41806 for more details about biometric information.
b) Religious belief information: Personal information related to an individual's religion, religious organization, and religious activities.
c) Specific identity information: Identity information that significantly impacts an individual's personal dignity or social reputation, or is otherwise improper for public disclosure, particularly specific identity information that may lead to social discrimination.
d) Medical and health information: Personal information related to an individual's medical treatment, physical and mental health status, etc.
e) Financial account information: Personal information related to an individual's bank, securities, or other financial accounts, and transactions involving funds in those accounts.
f) Location tracking information: Continuous trajectory information of an individual as he/she moves and changes his/her geographic locations, activity venues, and movement paths over a certain period of time.
Note 2: This excludes scenarios where individuals of specific occupations (e.g., delivery riders and couriers) use such information to fulfill service obligations.
g) Personal information of minors under the age of fourteen.
h) Other sensitive personal information: Personal information other than those above, which, once leaked or illegally used, may easily lead to infringement of the personal dignity of natural persons or hazard to personal and property safety.
5 General security requirements for processing of sensitive personal information
5.1 Basic requirements
The processing of sensitive personal information shall meet the following requirements:
a) The processing of sensitive personal information shall meet the relevant requirements for personal information in GB/T 35273;
b) Personal information processors may process sensitive personal information only for a specific purpose where there is sufficient necessity and strict protective measures have been taken;
c) Where sensitive personal information is processed based on consent of individuals, separate consent shall be obtained from the personal information subjects.
5.2 Legality of collection
The personal information processors shall meet the following requirements before collecting sensitive personal information:
a) They shall not conceal the fact that the product or service may collect sensitive personal information and shall clearly specify the types, scope and purpose of sensitive personal information to be collected, the necessity of collecting such information, and the impacts on personal rights and interests, through privacy policies or other means;
b) They shall not, on their own or with the assistance of others, collect sensitive personal information by fraud, deception, misleading, or coercion, or purchase sensitive personal information through illegal channels;
c) They shall not automatically collect sensitive personal information transmitted, stored, or displayed on internet webpages and mobile internet applications through technical means;
Standard No.: GB/T 45574-2025. Status: to be valid. Implemented on: 2025-11-1.