CCS L 80
National Standard of the People's Republic of China
Information Security Technology - Security Requirements for Facial Recognition Data
This document is drafted in accordance with the provisions of GB/T 1.1-2020 Guidelines for Standardization Work Part 1: Structure and Drafting Rules for Standardization Documents.
This document was presented and submitted by the National Technical Committee for the Standardization of Information Security (SAC/TC260).
Drafting units of this document: China Institute of Electronic Technology Standardization, Beijing Saixi Technology Development Co., Ltd., Chinese Academy of Sciences University, China Information Security Research Institute, Beijing Polytechnic University, Ministry of Public Security First Research Institute, Ministry of Public Security Third Research Institute, Beijing View Technology Co., Ltd., Shanghai Itu Network Technology Co., Ltd., Ant Technology Group Co., Ltd., National Certification Technology (Beijing) Co., Ltd., Global Law Firm, Hangzhou Haikangwei Digital Technology Co., Ltd., Hangzhou Anheng Information Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., China Mobile Communications Group Co., Ltd.
The primary drafters of this document: Yang Jianjun, Sun Yan, Hao Chunliang, Zuo Xiaodong, Hong Yanqing, Mei Jingqing, Liu Yiheng, Liu Xiangang, Yao Xiangzhen, Shangguan Xiaoli, He Yanzhe, Liu Limin, Hu Ying, Li Jun, Liu Jun, Lin Guanchen, Meng Jie, Chen Xing, Tang Di, Zhu Xuefeng, Zhou Shaopeng, Lu Qi, Xie Jiang, Qiu Qin.
Information Security Technology - Security Requirements for Facial Recognition Data
This document provides the basic security requirements for facial recognition data, security requirements for its handling, and security management requirements.
This document applies to data controllers' secure conduct of operations related to facial recognition data.
The contents of the following documents are incorporated as essential provisions of this document through normative references in the text. For dated references, only the version for the indicated date applies to this document; where no date is noted, the newest version (including all revisions) applies to this document.
GB/T 35273—2020 Information Security Technology Personal Information Security Specifications
GB/T AAAAA—AAAA Information Security Technology Security Requirements for Online Data Activities
GB/T BBBBB—BBBB Information Security Technology Basic Requirements for Protecting Biometric Recognition Information
GB/T CCCCC—CCCC Information Security Technology Guidebook for Assessing the Security Impact of Personal Information
The terms and definitions defined in GB/T 35273—2020, GB/T AAAAA—AAAA, GB/T BBBBB—BBBB, and GB/T CCCCC—CCCC, as well as the following, apply to this document.
3.1 face image
Virtual or digital representation of information on natural persons' faces.
NOTE: Face images may be collected using equipment and may also be obtained through later processing of videos and digital images; they primarily include visible spectrum images, non-visible spectrum images (like infrared images), and 3D images.
3.2 face feature
Parameters extracted from data subjects' face images that reflect the data subject.
3.3 face recognition data
Data collected from face images and their processing that either independently or taken together with other information can identify a specified natural person or natural persons' identity.
3.4 data subject
The specific natural person identified by face recognition data. [Source: GB/T 35273-2020, 3.3, with modification]
3.5 data controller
Organizations or individuals that are able to determine the purpose and methods for processing face recognition data. [Source: GB/T 35273-2020, 3.4, with modification]
3.6 process [Data Processing or Handling -- translator]
Activities collecting, storing, using, sharing, transferring, publicly disclosing, and deleting face recognition data.
This document summarizes three scenarios involving the handling of face images, including:
a) Face Verification: Comparing collected facial recognition data with the facial recognition data of specified natural persons (1:1 comparison) to confirm whether specified natural persons are who they claim to be. Example applications include passenger-ticket verifications at airports and train stations and facial recognition locks on mobile smart terminals. This type of situation should satisfy the basic security requirements of this document, the requirements for security processing, and the security management requirements.
b) Face Identification: Comparing collected facial recognition data with a set range of previously-stored facial recognition data (1:X comparison) to identify designated natural persons. Example applications include gate access at parks and residential complexes. This type of situation should satisfy the basic security requirements of this document, the requirements for security processing, and the security management requirements.
c) Face Analysis: Solely collecting face images for statistics, testing, or analysis of characteristics and not carrying out face verification or face identification. Face images in this scenario are to be processed in compliance with the requirements of GB/T 35273-2020 and GB/T AAAAA-AAAA Security Requirements for Online Data Handling Activities.
a) Should comply with the requirements of GB/T 35273-2020, GB/T AAAAA-AAAA Security Requirements for Online Data Handling Activities, and GB/T BBBBB-BBBB Basic Requirement for the Protection of Biometric Information.
b) The minimum necessary principle should be complied with when handling facial recognition data.
c) Should employ security measures to ensure the rights of data subjects, including but not limited to obtaining information on the usage of face recognition data, withdrawing authorization, canceling accounts, making complaints, and getting a timely response.
d) Natural persons' face images should not be collected without their authorization.
e) Should have a capacity for data security protection and personal information protection proportionate to the volume of facial recognition data being handled and the methods of handling it.
f) When conducting face verification or face identification, the following requirements should be satisfied at a minimum:
1) Methods other than facial recognition are significantly less secure or convenient than facial recognition.
Example: When matching passengers and tickets at airports and railway stations, using identification methods other than face recognition can lead to a significant decrease in the convenience of related services.
2) In principle, facial recognition should not be used to verify the identities of minors under the age of 14.
3) Methods of identity verification other than facial recognition should be concurrently provided, and data subjects should be given the choice of which to use.
4) Security measures should be provided to safeguard the data subjects' right to know.
5) Facial recognition data should not be used for purposes other than facial recognition, including but not limited to assessments or predictions of data subjects' work performance, economic status, health status, preferences, or interests.
a) When collecting facial recognition data, the data subject should be informed of the principles for its collection, including but not limited to the purposes of collection, the types and volume of data collected, the methods of handling it, and the period for retention, and the data subjects' explicit consent is to be obtained.
b) After natural persons refuse the use of facial recognition functions or services, frequent notifications should not be used to obtain their authorization or consent to use facial recognition.
c) A data subject's use of basic operational functions should not be refused because they did not consent to the collection of facial recognition data.
d) Equipment used for the collection of facial recognition data should comply with the requirements of relevant standards.
Example: Public Security Regions' collection of face images should comply with the requirements of GB 37300-2018 and GB/T 38671-2020.
e) When collecting facial recognition data in public venues, mechanisms should be set up for the active cooperation of data subjects.
Note: Active cooperation refers to data subjects looking directly at the collection equipment and making specified poses or expressions, or going through designated pathways for the collection that are labeled 'facial recognition'.
f) While satisfying the requirements for the usage scenario, only the smallest number and fewest types of face images necessary to generate face features should be collected.
a) When the following situations occur, facial recognition data should be deleted or anonymized:
1) The data subject expressly stops use of the functions or services, or withdraws their authorization;
2) The storage period authorized by the data subject concludes;
3) The data controller is unable to provide the service or discontinues providing it;
4) Other situations where face images should be deleted or anonymized.
b) Security measures should be employed for the storage and transmission of facial recognition data, including but not limited to encrypting data, employing physical and logical isolation to separately store facial recognition data and personal identification information, and so forth.
c) Should not store face images except where the data subjects give independent written authorization and consent.
Note: The forms of written authorization include authorization through contract documents, letters, telegrams, fax, electronic data exchanges, and email.
a) Should delete face images immediately after completing the confirmation or identification.
b) Updateable, irreversible, and non-linkable facial features should be generated.
Note 1: Updateable refers to the same face image being able to generate different face features. When a particular face feature is leaked, different face features can be newly generated.
Note 2: Irreversible refers to the inability to restore face images from face features.
Note 3: Non-linkable refers to the lack of connection between different face features based on the same face image.
c) Should possess the ability to protect against presentation attacks.
Note 4: Presentation attacks mainly include using face photos, paper masks, face videos, composite face animations, 3D replica face masks, and so forth to attack and disrupt facial recognition.
d) When both local and remote facial recognition methods apply, local facial recognition should be used.
Note 5: Local facial recognition refers to the completion of the collection and facial recognition of facial recognition data at the terminal that collects it. Remote facial recognition refers to completing the collection of facial recognition data at the collection terminal and completing facial recognition at a server.
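An added illustration (not part of the standard, which names no technique) of the updateable and non-linkable properties in item b) above and its Notes 1 to 3, using a keyed random projection with sign quantization, a BioHashing-style transform chosen here as an assumption. The feature vector, the keys, and the names `protected_template` and `demo` are constructed for the example; the lossy quantization only gestures at irreversibility and is not a proof of it.

```python
import hashlib
import hmac
import random

DIM = 128    # length of the constructed face-feature vector (assumption)
BITS = 64    # template length; fewer bits than dimensions, so the mapping is lossy


def protected_template(feature, key, bits=BITS):
    """Keyed random projection followed by sign quantization (BioHashing-style)."""
    # Derive the projection deterministically from the secret key: the same key
    # always yields the same transform, and a new key yields an unrelated one.
    seed = hmac.new(key, b"face-template-v1", hashlib.sha256).digest()
    rng = random.Random(seed)
    template = []
    for _ in range(bits):
        row = [rng.gauss(0.0, 1.0) for _ in range(len(feature))]
        dot = sum(r * x for r, x in zip(row, feature))
        template.append(1 if dot >= 0 else 0)   # only the sign is stored
    return template


def hamming(a, b):
    """Number of differing bits between two templates of equal length."""
    return sum(x != y for x, y in zip(a, b))


def demo():
    src = random.Random(2021)                              # constructed sample data
    enrolled = [src.gauss(0.0, 1.0) for _ in range(DIM)]   # stand-in for a face feature
    probe = [x + src.gauss(0.0, 0.1) for x in enrolled]    # same face, sensor noise
    key_a, key_b = b"per-enrolment key A", b"per-enrolment key B"

    t_enrolled = protected_template(enrolled, key_a)
    return {
        # Same key, same face: templates should differ in only a few bits.
        "same_key_same_face": hamming(t_enrolled, protected_template(probe, key_a)),
        # Reissued under a new key: about half the bits differ (updateable,
        # and not linkable to the old template by comparison).
        "reissued_key_same_face": hamming(t_enrolled, protected_template(enrolled, key_b)),
    }


if __name__ == "__main__":
    print(demo())
```

Matching under one key tolerates sensor noise, while a template reissued under a new key differs from the old one in roughly half its bits, so a leaked template can be replaced and the two cannot be linked by comparison.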
6.4 Entrusting processing, sharing, transfer, and disclosure
a) Facial recognition data should not be publicly disclosed, and in principle, it should not be shared or transferred. Where it is truly necessary to share or transfer it as required for operations, a security assessment should be carried out in accordance with GB/T CCCCC "Handbook for Assessments of the Security Impact of Personal Information", and the data subjects are to be independently notified of the purpose of the sharing or transfers, the identities of the recipients, the security capacity of the recipients, the types of data, and the impact that might result; and the data subjects' written authorization is to be obtained.
b) In principle, no handling should be entrusted to others, and where it is truly necessary to do so, a review should be conducted in advance of the data security capacity of the party being entrusted, and a personal information security impact assessment should be conducted of the entrusted party's handling.
a) Responsibility for data security management should be put in place, expressly requiring protections of facial recognition data in personal information security management systems, including but not limited to protection strategies and rules for handling.
b) When leaks, destruction, or loss of facial recognition data occur or might occur, remedial measures should be immediately employed, data subjects should be promptly notified as provided, and a report is to be made to the relevant regulatory departments.
c) Facial recognition data collected or generated in the [mainland] territory of this country should be stored in the territory. Where it is truly necessary to send it out of the territory as required for operations, a security assessment is to be conducted in accordance with provisions related to sending personal information abroad.