China Issues New Requirements for Handling of Sensitive Personal Information
- Rose Li, XL Law & Consulting
On April 25, 2025, TC260 issued the recommended standard Data Security Technology – Security Requirements for Handling of Sensitive Personal Information, which will come into effect on November 1, 2025.
The Standard makes adjustments to the examples of sensitive personal information listed in the Information Security Technology — Personal Information Security Specification, which is the standard used by handlers to identify sensitive personal information. Certain categories of personal information (e.g., bank deposit information, identity information, marriage history, communication records, and browsing records) are no longer included in the list of examples of sensitive personal information.
On April 25, 2025, the National Standardization Administration (also known as TC260) issued the “recommended” standard Data Security Technology – Security Requirements for Handling of Sensitive Personal Information (GB/T 45574-2025) (“Standard”), which will come into effect on November 1, 2025. The Standard lists examples of sensitive personal information (“SPI”) and includes detailed provisions on the security requirements for handling SPI. Since this particular Standard is not mandatory, it is not legally binding; however, it is generally considered good practice to follow recommended standards.
Examples of SPI
China’s Personal Information Protection Law (“PIPL”) defines SPI as personal information that, if leaked or used illegally, may easily lead to the infringement of a natural person’s personal dignity or may endanger their personal safety or property. It enumerates seven categories: biometric information, religious beliefs, specific identities, medical and health information, financial account information, location and tracking information, and the personal information of minors under 14.
The Standard provides the following examples of each category of SPI:
- Biometric information: Personal genes, facial features, voice prints, gait, fingerprints, palm prints, eye prints, ear prints, and iris prints;
- Religious beliefs: Religious affiliation, religious organizations to which a person belongs, positions held in religious organizations, religious activities participated in, and special religious customs;
- Specific identities: Disability status information and occupational status information that is not suitable for disclosure;
- Medical and health information: Health-related information about an individual's physical or mental injuries, illnesses, disabilities, or disease risks; private medical information such as medical conditions, medical history (including infectious disease history), family medical history, physical examination reports, and reproductive information; and personal information collected and generated during medical services, such as disease prevention recommendations, diagnosis, treatment, care, and rehabilitation, including medical visit records (e.g., medical opinions, hospital admission records, medical orders, surgical and anesthesia records, nursing records, and medication records), and laboratory and diagnostic test data (e.g., laboratory reports and diagnostic test reports);
- Financial account information: Account numbers and passwords for personal bank accounts, securities accounts, transaction accounts, insurance accounts, and housing fund accounts; joint housing fund account numbers, payment account numbers, magnetic stripe data (or equivalent chip information) for bank cards, payment token information, and personal income details generated based on account information;
- Location and tracking information: Continuous, precise positioning trajectory information, vehicle travel trajectory information, and continuous activity trajectory information of individuals; and
- Other SPI: Precise location information, resident ID card photos, information about sexual orientation or sexual activity, credit information, criminal record information, and photos or videos showing private parts of the body.
Compared to the Information Security Technology — Personal Information Security Specification (GB/T 35273-2020) (“Specification”), the recommended standard issued by TC260 on March 6, 2020 (and which was effective prior to the PIPL’s enactment in 2021), the new Standard lists different examples of SPI. Specifically, the following categories of information are no longer included among the examples of sensitive personal information:
- Bank deposit information, transaction records (including personal consumption expenditures), and authorization information other than bank account numbers and passwords, such as login passwords, dynamic passwords, password protection answers, etc.;
- Real estate information;
- Virtual property information;
- Identity information, such as ID cards, military officer certificates, passports, driver’s licenses, employee IDs, social security cards, residence certificates, etc.;
- Marriage history;
- Communication records, contact lists, friends lists, group lists;
- Browsing records; and
- Information regarding accommodations (e.g., guest information, check-in and check-out dates, hotel location, room information, etc.).
Of course, the fact that the above examples are no longer designated as SPI does not mean that they would not meet the definition of SPI; indeed, in many cases the above categories of information will still meet the conditions that require categorization as SPI, as discussed further below.
Rules for Identification of SPI
The Standard includes the following steps in the process for identification of SPI:
- Step 1: Determine whether the information is designated as SPI by law or regulation. If so, handlers must comply with associated rules related to SPI; if not, handlers must complete steps 2-4;
- Step 2: Determine whether the information meets the conditions included in the PIPL definition of SPI. Personal information is defined as SPI if its leakage or illegal use may easily lead to the infringement of a natural person’s personal dignity or endanger their personal safety or property;
- Step 3: Determine whether the information falls under any of the examples listed in the Standard. Even if it is listed in the examples, it should not be identified as SPI if there are sufficient reasons and evidence to indicate that the personal information handled does not meet the conditions included in the definition of SPI;
- Step 4: Determine whether the compilation of multiple pieces of personal information meets the conditions included in the definition of SPI. If the combined dataset, if leaked or illegally used, may easily lead to the infringement of a natural person’s personal dignity or endanger their personal safety or property, it must be identified as SPI.
Security Requirements for Handling SPI
The Standard requires handlers to comply with certain security requirements when handling SPI. For example:
- SPI should be protected according to the requirements applicable to the handling of non-SPI after de-identification;
- A process should be established to authorize and approve important operations involving SPI, such as internal or external sharing, disclosure, batch queries, and downloading;
- Handling of SPI should be recorded, and log records should be retained for at least three years;
- SPI should be stored separately from non-SPI, and de-identified SPI should be stored separately from non-de-identified information; and
- Handlers that handle SPI of 100,000 or more individuals shall: appoint a personal information protection officer (“PIPO”) and establish a personal information protection department to supervise the handling of personal information and the implementation of security measures; conduct background checks on the PIPO and personnel in key positions; and formulate a plan for handling SPI and take measures to ensure the security of SPI in the event of a merger, spin-off, dissolution, or bankruptcy.
Implications for U.S. Higher Education Institutions
Since the Standard is a recommended standard, SPI handlers are not obligated to comply with the requirements of the Standard. However, the Cyberspace Administration of China (“CAC”) and PRC courts have often referred to recommended standards when reviewing handlers’ personal information handling activities. For example, the CAC requires handlers transferring personal information outside China to list the categories of personal information and SPI in the standard contractual clauses (SCCs) in accordance with the Specification. Additionally, the Guangzhou Internet Court, which heard China’s first cross-border data transfer case (as discussed in our XL Insights+ article), cited the Information Security Technology—Implementation Guidelines for Notices and Consent in Personal Information Handling (GB/T 42574-2023)—a recommended standard issued by TC260 on May 23, 2023—in its decision.
We recommend that U.S. institutions handling personal information in China revisit their policies in light of the requirements outlined in the Standard. They might consider taking the following measures, if they have not already done so: identify SPI according to the four-step process specified in the Standard; establish an authorization and approval process for handling SPI; and store SPI separately from non-SPI.
We also recommend that those handling SPI of 100,000 or more individuals appoint a PIPO. On July 18, 2025, the CAC released guidelines on reporting the appointment of a PIPO (as discussed in our XL Insights+ article), which require handlers handling personal information of 1,000,000 or more individuals to report their appointment of a PIPO to the CAC.