Information security technology — Basic specifications for collecting personal information in mobile internet applications (Apps) (Draft)

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS --THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS.

【Source】http://www.cac.gov.cn/2019-08/08/c_1124853418.htm
【Period for Submitting Comments】August 31, 2019
【Contact for Comments】Wang Jiao 010-64102730 wangjiao@cesi.cn

1. Scope

These standards specify the basic requirements to be satisfied when mobile internet applications collect personal information, and are used to regulate mobile internet application businesses' collection of personal information.

These standards apply to the development and operation of mobile Internet applications, and can also be used for technology assessment, supervision and inspection of mobile Internet applications.

2. Normative Reference Documents

The following documents are indispensable for the application of these Standards. For dated reference documents, only the dated version is applied for this document. For undated reference documents, the newest version (including all revision lists) is applied for this document.

GB/T 25069—2010 Information Security Technology Terminology

3. Abbreviations

The following terms and definitions and those defined in GB/T 25069—2010 and GB/T 35273 apply to this document.

3.1 智能移动终端 intelligent mobile terminal

Terminal Products installed with an open operating system capable of using wireless mobile communications technology to achieve internet access, and provide services to users through the installation of application software and digital content.

3.2 移动互联网应用 mobile internet application

Application programs installed and run on intelligent mobile terminals, App for short.

3.3 服务类型 service type

Operation types provided by Apps to satisfy user demand.

3.4 最少信息 least (minimum) information

The personal information necessary to ensure the normal operation of a certain service type, including personal information directly related to the service type that once missing will lead to inability to carry out or normally operate that service type, as well as personal information that laws, regulations, and normative documents require be collected.

3.5 最小权限范围 least (minimum) permission range

The minimum system permissions required to ensure the normal operation of a certain service type.

3.6 移动互联网应用运营者 mobile internet application operator

Refers to the owners or managers of mobile internet applications.

4. Basic Requirements for Apps' Collection of Personal Information

4.1 Management Requirements

Apps' collection of personal information should satisfy the following management requirements:

a) App operators should perform obligations to protect personal information, employ necessary security measures, and ensure the security of users' personal information.

b) When users agree to Apps' collection of the minimum information for a certain service type, the App must not refuse to provide that type of service due to the users' refusal to provide information other than the minimum information.

NOTE: Appendix A lists commonly seen App service types and the corresponding minimum information.

c) Apps must not collect personal information that is unrelated to the services provided.

d) Apps should first obtain users' explicit consent before sharing or transferring personal information externally. Where users do not consent, users' personal information must not be shared or transferred externally.

e) Apps must not collect immutable and unique equipment identifiers (such as IMEI numbers, MAC addresses, etc.) except for use in ensuring network or operational security.

f) After users explicitly refuse use of a certain service type, the App must not excessively (such as more than once every 48 hours) solicit users' consent to use the service, and is to ensure the normal use of other service types.

g) Apps should be responsible for collection of personal information by third-party code and plug-ins they use. Collection of personal information by third-party code or plugins is viewed as collection by the App, and Apps should prevent third-party code and plug-ins from collecting irrelevant personal information.

NOTE: If third-party code or plug-ins express the goals, methods, and scope of their collection and use of personal information to users on their own, and obtain users' consent, the third-party code or plug-ins independently bear responsibility for their collection of personal information.

4.2 Technical Requirements

Apps' collection of personal information should satisfy the following technical requirements:

a) When the personal information collected exceeds the minimum information for the service type, the App should obtain users' explicit consent for each piece of information in the excessive part.

b) When the same App has 2 or more service types, the App should permit users to initiate or exit service types one by one, with easily operated methods for initiation and exit.

c) After users exit a certain service type, the App should terminate that service type's activities collecting personal data, and delete or anonymize personal information used only for that service type.

d) When requesting personal information and related permissions, or when requiring users to input personal information, Apps should specify the purpose at each step for the requested permissions or information collection.

e) Apps should provide users with real-time inquiry functions into the types of personal information that have been collected, with the results displayed in an independent interface, and the method for making inquiries should be easy to operate.

f) Where there is external sharing or transfer of personal information, Apps should provide users with functions for inquiring into the identity of data recipients, with the results displayed in an independent interface, and the method for making inquiries should be easy to operate.

g) So long as it is technically feasible and does not impact terminals and normal services, Apps should prioritize storage and use of personal information they collect on user terminals.

h) Apps should send personal information to backstage servers at the lowest reasonable rate needed to achieve services.
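
One way to enforce requirements 4.1 b), c), f) and 4.2 a), c) in an App's collection layer, as an added example that is not part of the draft standard. The ConsentLedger class, its method names and the snake_case field names are assumptions; the minimum-information sets follow Tables 1 and 13 of Appendix A.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Minimum information per service type, transcribed from Appendix A
# (Tables 1 and 13). The snake_case field names are assumptions.
MINIMUM_INFO = {
    "map_navigation": {"network_logs", "precise_location"},
    "matchmaking": {"network_logs", "mobile_number", "account_number",
                    "password", "photo", "sex", "birthdate", "city",
                    "marital_status"},
}
# 4.1 f) gives "more than once every 48 hours" as an example of excessive.
REPROMPT_INTERVAL = timedelta(hours=48)


@dataclass
class ConsentLedger:
    """Consent state for one user of one App (hypothetical design)."""
    active: set = field(default_factory=set)      # service types in use
    extras: dict = field(default_factory=dict)    # service -> extra fields consented
    last_ask: dict = field(default_factory=dict)  # service -> last prompt after a refusal
    store: dict = field(default_factory=dict)     # field name -> collected value

    def enable(self, service, agreed):
        """4.1 b): consent to the minimum information is sufficient for service."""
        if not MINIMUM_INFO[service] <= set(agreed):
            return False
        self.active.add(service)
        self.extras.setdefault(service, set())
        self.last_ask.pop(service, None)
        return True

    def consent_extra(self, service, field_name):
        """4.2 a): explicit consent is recorded per item beyond the minimum."""
        if service in self.active and field_name not in MINIMUM_INFO[service]:
            self.extras[service].add(field_name)

    def allowed(self, service):
        return MINIMUM_INFO[service] | self.extras.get(service, set())

    def collect(self, service, field_name, value):
        """Default deny, 4.1 c): unrelated or unconsented fields are not stored."""
        if service not in self.active or field_name not in self.allowed(service):
            return False
        self.store[field_name] = value
        return True

    def refuse(self, service, now):
        self.last_ask[service] = now

    def may_solicit(self, service, now):
        """4.1 f): after a refusal, at most one prompt per interval."""
        last = self.last_ask.get(service)
        if last is not None and now - last < REPROMPT_INTERVAL:
            return False
        if last is not None:
            self.last_ask[service] = now  # this prompt counts toward the limit
        return True

    def exit_service(self, service):
        """4.2 c): stop collecting and delete data used only by this service.
        Retention duties imposed by other laws are not modelled here."""
        self.active.discard(service)
        gone = MINIMUM_INFO[service] | self.extras.pop(service, set())
        for other in self.active:
            gone -= self.allowed(other)  # still needed by a service in use
        removed = sorted(gone & self.store.keys())
        for name in removed:
            del self.store[name]
        return removed


def demo():
    """Constructed walk-through; all values are sample data."""
    u = ConsentLedger()
    u.enable("map_navigation", {"network_logs", "precise_location"})
    u.enable("matchmaking", MINIMUM_INFO["matchmaking"])
    u.collect("map_navigation", "precise_location", (39.9, 116.4))
    u.collect("matchmaking", "city", "Beijing")
    blocked = u.collect("matchmaking", "contacts", ["sample"])  # no consent yet
    u.consent_extra("matchmaking", "contacts")
    granted = u.collect("matchmaking", "contacts", ["sample"])  # per-item consent given
    removed = u.exit_service("matchmaking")
    return blocked, granted, removed, sorted(u.store)


if __name__ == "__main__":
    print(demo())
```
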

 

Attachment A (Normative Attachment) Minimum Information for Commonly Used Service Categories

This Appendix designates the minimum information that may be collected for 21 common service types such as Mapping and Navigation, Online Ride Hailing, Instant Messaging, Blogs and Forums, Online Payments, News, Online Purchasing.

A.1 Map Navigation

Providing users with internet mapping and navigation functions. The minimum information for this service type is displayed in Table 1:

Table 1 - Minimum Information for Map Navigation Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| Personal information required to carry out services | Precise Positioning Information | Precision positioning information is to be used only to determine user's location and carry out map search displays and navigation services. |

A.2 Online Ride Hailing

Providing users with online ride hailing (not including car rentals) services. The minimum information for this service type is displayed in Table 2:

Table 2 - Minimum Information for Online Ride Hailing Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Information Content Published by Users; Identity Verification Information; Order Logs, and Logs of Going Online; Logs of Routes Travelled | "Temporary Provisions on the Management of Online Car Hailing Operations Services" |
| | Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions"; "Temporary Provisions on the Management of Online Car Hailing Operations Services" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify online ride hail users and to ensure accounts' information security |
| | Location information: Precision positioning information; Users' starting locations; Users' destinations | Precision positioning information is to be used only to determine users' current position, to recommend nearby places to board, and to search for and display nearby car information. |
| | Third-party payment methods | Used only for users paying for ride hailing orders through third-party payment methods. |

 

A.3 Instant Messaging

Providing communications services to users using formats such as text, voice, or video; or social interaction services based on instant messaging. The minimum information for this service type is displayed in Table 3:

Table 3 - Minimum Information for Instant Messaging Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Cybersecurity Law"; "Provisions on the Management of Mobile Internet Applications' Information Services"; "Internet Group Information Service Management Provisions" |
| | Information collected only from users of public account information services: Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify instant messenger users, and to ensure account information security and users' conversations and exchanges |
| | Friend lists | Includes friend lists and friend information, to be used only to establish and manage user contact relationships for users of instant messaging. Users should be permitted to manually add friends in the instant messaging App, and reading of users' communications records is not to be required. |
| | Group lists | Used only to carry out group chat functions. |

A.4 Blogs and Forums

Providing users with services such as blogs, forums, or communities, including functions such as topic discussions, information sharing, and interactive following. The minimum information for this service type is displayed in Table 4:

Table 4 - Minimum Information for Blog and Forum Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Cybersecurity Law"; "Provisions on the Management of Mobile Internet Applications' Information Services"; "Internet Group Information Service Management Provisions" |
| | Information collected only from users of public account information services: Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only in identifying blog/forum users, ensuring account information security, and interactive exchanges. |
| | User follow lists (including followed content and lists of followed users) | Followed content is only used to establish and manage follower relationships between users and community content (such as followed columns or followed topics) and to show and push followed content to users. Lists of followed users are used only to establish and manage follower relationships between community users, as well as displaying or pushing to users any graphics and information, audiovisuals, links, and so forth, that are published by the users they follow. Users should be permitted to manually set up followed users in the use of blogs and forums, and should not be compelled to give access to their address book. |

A.5 Online Payments

Providing users with services transferring funds between recipients (such as non-bank payments or online bank payment) including functions such as payments, withdrawals, transfers, billing. The minimum information for this service type is displayed in Table 5:

Table 5 - Minimum Information for Online Payment Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Identification Information: Full Names; Identification Document Type; Identification Document Numbers; Expiration Date of Identification Documents; Reproductions or Photocopies of Identification Documents | "Measures on the Administration of Payment Services by Non-Financial Institution" |
| | Customer Operation Activity | "Measures on the Administration of Online Payment Operations by Non-Banking Establishments" |
| | Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify online payment users and ensure account information security. |
| | Bank Account Information: The name on the Bank Account; Bank Card Number; Bank Card Expiration Date; Bank Reserved Phone Number | Used only to link bank and payment cards, authenticate bank card identity, top-off recharging, withdrawal, and transfer functions. |
| | Transaction authentication information (users may choose one at payment): Static Passwords; Digital Certificates; Electronic Signatures; Dynamic Passwords | Only used to verify users' true identity and to ensure the security of users' accounts and funds. |

A.6 News

Providing users with news information services such as graphics, audio, and video, including functions for browsing, searching, and publishing news information. The minimum information for this service type is displayed in Table 6:

Table 6 - Minimum Information for News Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Collected only from users using information publishing functions: Mobile Numbers | "Cybersecurity Law"; "Provisions on the Management of Mobile Internet Applications' Information Services"; "Internet Group Information Service Management Provisions" |
| | Collected only from users using information publishing functions: Account Number; Operations times and types; Network source and destination addresses and network source ports; Client Terminal Hardware Characteristics; Records of User Published Information | "Provisions on the Security Assessment of Internet Information Services that have Public Opinion Properties or the Capacity for Social Mobilization" |
| | Information collected only from users of public account information services: Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
| Personal information required to carry out services | None | N/A |

A.7 Online Purchasing

Providing users with service types for online purchase of goods or services, including functions for displaying, searching, placing orders, and paying for goods. The minimum information for this service type is displayed in Table 7:

Table 7 - Minimum Information For Online Purchasing

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Cybersecurity Law"; "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Purchase and Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify online purchasing users and to ensure account information security. |
| | Recipient Information: Full Names; Addresses; Mobile Numbers | Used only when goods are received to identify recipients and delivered goods, and to contact recipients. |
| | Third-party payment methods | Used only for users' utilization of third-party payment methods to pay for online purchasing orders. |

A.8 Short video

Providing users with short video services, including functions such as for browsing, searching, creating, and publishing short videos, and for social interaction. The minimum information for this service type is displayed in Table 8:

Table 8 - Minimum Information for Short Video Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Collected only from users using information publishing functions: Mobile Numbers | "Cybersecurity Law"; "Provisions on the Management of Mobile Internet Applications' Information Services"; "Internet Group Information Service Management Provisions" |
| | Collected only from users using information publishing functions: Account Number; Operations times and types; Network source and destination addresses and network source ports; Client Terminal Hardware Characteristics; Records of User Published Information | "Provisions on the Security Assessment of Internet Information Services that have Public Opinion Properties or the Capacity for Social Mobilization" |
| | Information collected only from users of public account information services: Identification Document Numbers | "Internet User Public Account Information Services Management Provisions" |
| Personal information required to carry out services | None | N/A |

A.9 Express Delivery

Providing users with express delivery services for letters, packages, printed materials, and other items; including functions for sending, checking, and receiving items. The minimum information for this service type is displayed in Table 10:

Table 10 - Minimum Information for Express Delivery Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| Personal information required to carry out services | Basic Sender Information: Full Names; Addresses; Contact Telephone (landline or mobile phone number) | Used only to carry out delivery sending and receipt functions |
| | Basic Recipient Information: Full Names; Addresses; Contact Telephone (landline or mobile phone number) | |
| | Courier Shipping Number | Used only to carry out delivery check functions and identify packages |

The information listed in Table 10 is primarily aimed at the domestic courier situation, and it does not include recipient information and customs clearance information required for the international situation, as well as payment information required for added services such as collection on delivery. In addition, on the basis of the requirements of the "Provisional Regulations on Courier Services", enterprises operating as couriers that receive items for shipping should conduct an inspection of and register the senders' identification information, but mobile internet applications that have express delivery type services are not usually to collect related identification information.

A.10 Food and Beverage Take Out

Providing users with food and beverage take out information and services, including delivery and in-store pickup functions for food and beverages. The minimum information for this service type is displayed in Table 11:

Table 11 - Minimum Information for Food and Beverage Take Out Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Cybersecurity Law"; "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Transaction Information | "Measures on Safety Oversight and Management of Online Food and Beverage Services"; "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify food and beverage take out users and to ensure the safety of their account information. |
| | Location information | Used only to display information on nearby take out stores to users, and facilitate users' selection of delivery addresses. |
| | Contact Person Information: Name of Contact Person; Mobile Number of Contact Person; Address of Contact Person | Used only for sellers and delivery personnel to contact the users and for delivery personnel to make deliveries; the full name need not be real. |
| | Third-party payment methods | Used only for users' utilization of third-party payment methods to pay for food and beverage take out orders. |

A.11 Transportation Ticketing Services

Providing users with ticketing services related to transportation, including functions such as ticket inquiries, sales, changes, and returns. The minimum information for this service type is displayed in Table 12:

Table 12 - Minimum Information for Transportation Ticketing Services Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Traveler Identification Document Information | "The Public Air Transport Enterprise Aviation Safety and Security Rules"; "Measures on the Administration of the Real Name System for Railway Passengers"; "Provisions on the Administration of the Real Name System for Waterway Passengers"; "Provisions on the Administration of Road Passenger Transport and Passenger Stations" |
| | Collected only from passengers on air travel: Full Names; Origin; Destination | "Civil Aviation Law" |
| | Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify transportation ticketing users and to ensure the security of account information. |
| | Basic Information on Travelers and Contact Persons: Full Name (Contact Person, Traveler); Mobile Number of Contact Person; Traveler type | Used only to carry out ticketing and transportation services for users, including functions such as ticket purchasing, changes, returns, and boarding. |
| | Travel information: Origin; Destination; Departure Time; Car/Flight Number; Class/Cabin Level; Seat Number | |

A.12 Matchmaking and Dating

Providing users with marriage matchmaking services, including recommending people of the opposite sex and dating. The minimum information for this service type is displayed in Table 13:

Table 13 - Minimum Information for Matchmaking and Dating Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Cybersecurity Law"; "Provisions on the Management of Mobile Internet Applications' Information Services" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify matchmaking users, and to ensure the security of account information. |
| | Basic personal materials: Personal photos; Sex; Birthdate; City; Marital status | Used only in representing people of the opposite sex, dating, and other matchmaking services. |

A.13 Job Seeking and Recruitment

Providing users with online job seeking and recruitment services, including functions for publishing, displaying, and searching positions, and submitting resumes. The minimum information for this service type is displayed in Table 14:

Table 14 - Minimum Information for Job Seeking and Recruitment Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Identification Information: Full Names; Identification Document Type; Identification Document Numbers; Expiration Date of Identification Documents; Reproductions or Photocopies of Identification Documents | "Measures on the Storage and Management of Financial Institutions' Client Identity Identification and Client Identification Materials and Transaction Records"; "Measures counter-money laundering and counter-terrorism Management for Institutions Engaged in Internet Finance (Provisional)" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify financial lending users and ensure the security of account information. |
| | Bank Account Information: The name on the Bank Account; Bank Card Number; Bank Card Expiration Date; Bank Reserved Phone Number | Used only to carry out linking of credit and debit cards, bank card authentication, borrowing, and repayment functions. |
| | Personal Credit Report Information: People's Bank of China personal credit report; Third-party personal credit ratings | Used only to conduct assessments of user borrowers' personal credit, and determine the amount of credit to authorize. Personal credit reporting information inquiries require user authorization. |
| | Emergency Contact Information: The contact methods for two regular contacts | Used only for financial institutions to press for payment when loans have not been repaid in the time allowed. Users should be permitted to manually input emergency contact information for financial lending applications, and access to user communication records should not be compelled. |
| | Lending transaction records | Used only to carry out inquiries into users' borrowing history and handle user disputes. |

A.14 Finance and Lending

Providing users with personal consumer lending services from financial institutions, including functions such as credit authorization, loans, repayment, and transaction records; 'financial institutions' here refers to banks, consumer finance companies, small loan companies qualified to make loans, and institutions providing online lending services. The minimum information for this service type is displayed in Table 15:

Table 15 - Minimum Information for Finance and Lending Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Identification Information: Full Names; Identification Document Type; Identification Document Numbers; Expiration Date of Identification Documents; Reproductions or Photocopies of Identification Documents | "Measures on the Storage and Management of Financial Institutions' Client Identity Identification and Client Identification Materials and Transaction Records"; "Measures counter-money laundering and counter-terrorism Management for Institutions Engaged in Internet Finance (Provisional)" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify financial lending users and ensure the security of account information. |
| | Bank Account Information: The name on the Bank Account; Bank Card Number; Bank Card Expiration Date; Bank Reserved Phone Number | Used only to carry out linking of credit and debit cards, bank card authentication, borrowing, and repayment functions. |
| | Personal Credit Report Information: People's Bank of China personal credit report; Third-party personal credit ratings | Used only to conduct assessments of user borrowers' personal credit, and determine the amount of credit to authorize. Personal credit reporting information inquiries require user authorization. |
| | Emergency Contact Information: The contact methods for two regular contacts | Used only for financial institutions to press for payment when loans have not been repaid in the time allowed. Users should be permitted to manually input emergency contact information for financial lending applications, and access to user communication records should not be compelled. |
| | Lending transaction records | Used only to carry out inquiries into users' borrowing history and handle user disputes. |

 

A.15 Housing Rentals and Sales

Providing users with housing resource information and housing rental services, including functions for the display, searching, and rental of housing. The minimum information for this service type is displayed in Table 16:

Table 16 - Minimum Information for Housing Rentals and Sales Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify housing sale and rental users, and to ensure the security of account information. |
| | Reproductions or photocopies of renters' and owner's identification documents | Used only for identity verification when users rent housing online, as well as identity verification when owners publish housing resource information or lease housing online. |
| | Information on Real Estate Owners | Used only in the publication and searching of housing source information, and housing leases. |
| | Third-party payment methods | Used only during online lease transactions paying closing fees through third-party payment methods. |

If users only browse housing resource information, the personal information listed in Table 16 need not be collected. Table 16 only lists the personal information collected online through home sales and rental type mobile internet applications. Currently housing sales and rental services usually employ a combination of online and offline methods, with the majority of housing resource information and rentals appearing online, while home sales transactions are still primarily conducted offline; specific collection of information may be based on the requirements of relevant policy documents.

A.16 Second-hand Car Trades

Providing second-hand car trade users with motor vehicle information and second-hand vehicle trade services, including functions such as searching and displaying car resource information, vehicle review, and second-hand car sales. The minimum information for this service type is displayed in Table 17:

Table 17 - Minimum Information for Second-Hand Car Trading Category

| Type | Personal Information | Usage Requirements |
| --- | --- | --- |
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify second-hand car trading users and to ensure the security of account information. |
| | Vehicle Examination Address | Used only for use in conducting onsite review of car resources before online publication, to facilitate reviewers going to the cars' locations to conduct reviews. |
| | Identity document information for home buyers and sellers: Full Names; Type of Identity Document; Identity Document Number | Used only for the real name registration and identity verification of second hand car buyers and sellers and completion of vehicle registration, electronic signing of contracts, and other vehicle purchase processes. |
| | Third-party payment methods | Used only in paying service fees to intermediaries in second hand car transactions. |

Table 17 only lists personal information collected online through second-hand car trading type mobile internet applications. Currently second-hand car trading services employ a combination of online and offline methods: the large majority of second-hand car trading is already using contracts electronically signed online, while vehicle inspections, vehicle registration, transfer of title, payment of sale fees, and other phases are still generally carried out offline.

A.17 Exercise and Health

Providing users with exercise recording and health recommendation services, including functions such as fitness management and health recommendations. The minimum information for this service type is displayed in Table 18:

Table 18 - Minimum Information for Exercise and Health Category

| Type | Personal Information | Usage Requirements |
|---|---|---|
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify exercise and health users, and to ensure the security of account information. |
| | Precise Positioning Information | Precise positioning information is used only to determine users' position in real time and display users' exercise trajectory. |
| | Personal Exercise Information | Used only to display information on overall status in the course of exercise. |

A.18 Consultation and Appointment Making

Providing users with online consultation and appointment making medical services. The minimum information for this service type is displayed in Table 19:

Table 19 - Minimum Information for Consultation and Appointment Making Category

| Type | Personal Information | Usage Requirements |
|---|---|---|
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| | Mobile Numbers | "Provisions on the Management of Mobile Internet Applications' Information Services" |
| | Transaction Information | "E-commerce Law"; "Temporary Measures on the Management of Online Transactions" |
| Personal information required to carry out services | Account Information: Account Numbers; Passwords | Used only to identify users for consultations and appointment making, and to ensure the security of account information. |
| | Patient Identity Information | Used only to verify user identities when making appointments. |
| | Information from patient communications: Description of Symptoms; Sex; Age | Used only for doctors to assess patient symptoms during online consultations. |
| | Appointment Making Information: Hospitals; Departments | Used only for assisting patients in completing the appointment making process. |
| | Third-party payment methods | Used only for users paying for consultation and appointment making orders through third-party payment methods. |

A.19 Browsers

Providing users with services having functions for browsing online information resources, including functions such as reading web pages, downloading documents, and saving resources. The minimum information for this service type is displayed in Table 20:

Table 20 - Minimum Information for Browser Category

| Type | Personal Information | Usage Requirements |
|---|---|---|
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| Personal information required to carry out services | None | N/A |

A.20 Input Methods

Services providing users with functions of entering characters through means such as keyboards, handwriting, or voice. The minimum information for this service type is displayed in Table 21:

Table 21 - Minimum Information for Input Method Category

| Type | Personal Information | Usage Requirements |
|---|---|---|
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| Personal information required to carry out services | None | N/A |

A.21 Security Management

Providing users with functions for killing Trojan Horses, cleaning up malicious plug-ins, fixing bugs, speeding up the system, blocking harassment, permissions management and so forth. The minimum information for this service type is displayed in Table 22:

Table 22 - Minimum Information for Security Management Category

| Type | Personal Information | Usage Requirements |
|---|---|---|
| Personal Information required by laws and regulations | Network Logs | "Cybersecurity Law" |
| Personal information required to carry out services | None | N/A |

Appendix B (Normative Appendix) Table of Minimum Scope of Permissions for Service Types

This Appendix, targeting dangerous permissions on Android 6.0 and higher, gives the minimum scope of permissions for service types, as follows:

  1. Mapping and Navigation: Positioning Permissions, Storage Permissions.
  2. Online Ride Hailing: Positioning Permissions, Phone Call Permissions.
  3. Instant Messaging: Storage Permissions.
  4. Blogs and Forums: Storage Permissions.
  5. Online Payment: Storage Permissions.
  6. News: None.
  7. Online Purchasing: None.
  8. Short Video: Storage Permissions.
  9. Express Delivery: None.
  10. Food and Beverage Take Out: Positioning Permissions, Phone Call Permissions.
  11. Transportation Ticketing Services: None.
  12. Matchmaking: Storage Permissions.
  13. Job Seeking and Recruitment: Storage Permissions.
  14. Financial Lending: Storage Permissions.
  15. Home Sales and Rentals: Storage Permissions.
  16. Second-hand Car Trading: Storage Permissions.
  17. Exercise and Health: Positioning Permissions, Sensor Permissions.
  18. Consultation and Appointment Setting: Storage Permissions.
  19. Browsers: None.
  20. Input Methods: None.
  21. Security Management: Storage Permissions, Obtaining Application Accounts
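
The following is an added example, not part of the standard: a reviewer's check that lists the dangerous permissions an app's manifest declares outside the Appendix B minimum scope for its service type. It assumes the manifest has already been decoded to text XML; the mapping from Appendix B's permission names to concrete Android permissions, the function name and the sample manifest are all assumptions of the example.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
# Android 6.0 dangerous permissions. Which of them each Appendix B name covers
# is an assumption of this example; the standard does not enumerate them.
DANGEROUS = {
    "Positioning": ["ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"],
    "Storage": ["READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"],
    "Phone Call": ["READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG",
                   "WRITE_CALL_LOG", "USE_SIP", "PROCESS_OUTGOING_CALLS"],
    "Sensor": ["BODY_SENSORS"], "Application Accounts": ["GET_ACCOUNTS"],
    "Contacts": ["READ_CONTACTS", "WRITE_CONTACTS"],
    "Calendar": ["READ_CALENDAR", "WRITE_CALENDAR"],
    "Camera": ["CAMERA"], "Microphone": ["RECORD_AUDIO"],
    "SMS": ["SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"],
}
GROUP_OF = {"android.permission." + p: g for g, ps in DANGEROUS.items() for p in ps}
# Appendix B, inverted: minimum scope -> the service types that share it.
APPENDIX_B = {
    "Positioning, Storage": ["Mapping and Navigation"],
    "Positioning, Phone Call": ["Online Ride Hailing", "Food and Beverage Take Out"],
    "Positioning, Sensor": ["Exercise and Health"],
    "Storage, Application Accounts": ["Security Management"],
    "Storage": ["Instant Messaging", "Blogs and Forums", "Online Payment",
                "Short Video", "Matchmaking", "Job Seeking and Recruitment",
                "Financial Lending", "Home Sales and Rentals",
                "Second-hand Car Trading", "Consultation and Appointment Setting"],
    "": ["News", "Online Purchasing", "Express Delivery",
         "Transportation Ticketing Services", "Browsers", "Input Methods"],
}
MINIMUM_SCOPE = {svc: set(filter(None, scope.split(", ")))
                 for scope, svcs in APPENDIX_B.items() for svc in svcs}

def outside_minimum_scope(manifest_xml, service_type):
    # Returns {permission: group} for declared dangerous permissions whose
    # group is not in the minimum scope; normal permissions are ignored.
    allowed, flagged = MINIMUM_SCOPE[service_type], {}
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID + "name", "")
            if name in GROUP_OF and GROUP_OF[name] not in allowed:
                flagged[name] = GROUP_OF[name]
    return flagged

# Constructed sample: decoded manifest of a hypothetical fitness app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
```

A flagged permission is a prompt for the reviewer to ask what function it serves, not a finding on its own.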