China Issued Network Data Classification and Grading Guidelines
On September 1, 2021, the “Data Security Law of the People’s Republic of China" (the “DSL") came into effect. The DSL provides that China will establish a data classification and grading protection system (the “Data Classification and Grading System"). To implement the Data Classification and Grading System, the National Information Security Standardization Technical Committee (the “Standardization Committee") issued the “Network Security Standards Practicing Guidelines – Network Data Classification and Grading Guidelines" (the “Classification and Grading Guidelines") in December 2021. These Classification and Grading Guidelines specify the principles, frameworks, methods and procedures for the classification and grading of Network Data (as defined below), and provide examples of classification, such as the classification of Network Data in certain industries, the classification of Personal Information (as defined below), and the classification of Network Data collected or generated during business operations. These examples serve as references for data processors conducting Network Data classification and grading work, and for government regulators supervising that work.
I. What is the scope of application?
These Classification and Grading Guidelines only apply to the classification and grading of Network Data. “Network Data" means any record of information in electronic form.[1]
II. What are the principles of Network Data classification and grading?
(a) Legal compliance.
In some industries, there are industry standards, guidelines and regulations (the “Industry Standards") on the classification and grading of data of their respective industries. The data processors in such industries should first comply with these Industry Standards. The main existing Industry Standards are as follows.
The Classification and Grading Guidelines provide the linkage between the grading rules in specific Industry Standards and the grading rules in these Classification and Grading Guidelines[2]. For example, the third grade of industrial data specified in the “Guidelines for Classification and Grading of Industrial Data (for Trial Implementation)" corresponds to the level of Core Data (as defined below); the second grade of industrial data corresponds to the level of Important Data (as defined below); and the first grade of industrial data corresponds to the level of General Data (as defined below).
(b) Multiple dimensions.
Network Data classification and grading should take multiple dimensions and factors into consideration. From different dimensions and perspectives, Network Data can be classified into different categories. The framework of Network Data Classification (please see Part III (a)) specified in these Classification and Grading Guidelines is a good example of this principle.
(c) Clear boundaries.
Each level of data should have a clear boundary. A data processor should take different protection measures for different levels of data.
(d) Subject to the highest level when grading.
If a dataset contains multiple levels of data, then it should be graded according to the highest level of data in the dataset. For example, if a dataset contains Core Data, Important Data and General Data, this dataset should be graded at the level of Core Data.
(e) Timely adjustment.
The classification and level of data can change and should be adjusted in a timely manner in accordance with changes in circumstances, such as changes in relevant policies or the occurrence of certain security incidents.
III. The frameworks and methods of Network Data classification and grading.
(a) Frameworks and methods of the Network Data classification.
Pursuant to the principle of multiple dimensions, the Network Data can be classified into different categories based on different dimensions.
As shown in the above chart[3], a data processor whose industry has its own Industry Standards should follow the Industry Standards first. Those whose industries have no Industry Standards can classify the data from the dimension of “Business Operation" in accordance with the above chart.
(b) Frameworks and methods of the Network Data grading.
i. Basic rules for grading.
When grading each class of Network Data, a data processor should consider two factors: the impacted subjects and the degree of impact. According to these Classification and Grading Guidelines, Network Data is graded into three basic levels: Core Data[4], Important Data[5], and General Data[6]. General Data can be further graded from level 1 to level 4. The framework of grading is as follows:
These Classification and Grading Guidelines further describe what constitutes each degree of impact on each kind of impacted subject.[7] For example, if tampering with, destroying, leaking, or illegally obtaining or utilizing the data would affect one or more provinces, causing social unrest and having extremely negative effects on economic construction, then the public interest is regarded as seriously endangered, and such data should be regarded as Core Data.
When grading Network Data, a data processor should first consult the national and industry standards to see whether the data is Core Data or Important Data. If there is no reference in the national or industry standards, the data processor can analyze the degree of impact if the data were tampered with, destroyed, leaked, or illegally obtained or utilized, and decide whether the data belongs to Core Data or Important Data based on the existing standards and regulations for identifying Core Data or Important Data. If the data constitutes a dataset, the data processor should follow the principle of “subject to the highest level when grading" specified in Part II (d) hereof.
ii. Grading of Personal Information.
The “Personal Information Protection Law of the People's Republic of China" (the “PIPL") provides the definitions of Personal Information[8] and Sensitive Personal Information[9]. Building on these definitions, these Classification and Grading Guidelines further explain the classification of Personal Information by providing examples of the classification and grading of specific Personal Information.[10] The Classification and Grading Guidelines also specify the lowest permissible levels for certain kinds of Personal Information. For example, Sensitive Personal Information should not be graded lower than level 4 of General Data; other general Personal Information should not be graded lower than level 2 of General Data; an employee’s Personal Information should not be graded lower than level 2 of General Data; De-identified Personal Information[11] should not be graded lower than level 2 of General Data; and Anonymized Personal Information[12] should not be graded lower than level 1 of General Data.
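The two mechanical rules above, the minimum levels for kinds of Personal Information and the “highest level in the dataset" rule from Part II (d), can be combined into a small grading helper. The following is an added example, not text or code from the Guidelines; the level names, the category keys and the sample customer table are constructed for illustration, and the field-level impact analysis that produces each "assigned" level is assumed to have been done by the processor beforehand.

```python
from dataclasses import dataclass

# Ordered lowest to highest: General Data levels 1-4, then Important Data, then Core Data.
LEVELS = ["General-1", "General-2", "General-3", "General-4", "Important", "Core"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Minimum levels for Personal Information categories (Part III (b) ii).
# Category keys are constructed names, not terms from the Guidelines.
PI_FLOOR = {
    "sensitive_pi": "General-4",
    "general_pi": "General-2",
    "employee_pi": "General-2",
    "deidentified_pi": "General-2",
    "anonymized_pi": "General-1",
    "non_pi": "General-1",  # assumption: no floor beyond the lowest level
}

@dataclass
class Field:
    name: str
    category: str   # one of the PI_FLOOR keys
    assigned: str   # level from the processor's own impact analysis

def grade_field(field: Field) -> str:
    """A field is never graded below the floor for its category."""
    if field.category not in PI_FLOOR or field.assigned not in RANK:
        raise ValueError(f"unknown category or level for {field.name}")
    floor = PI_FLOOR[field.category]
    return max(field.assigned, floor, key=RANK.__getitem__)

def grade_dataset(fields: list[Field]) -> tuple[str, str]:
    """A dataset takes the highest level among its fields (Part II (d)).
    Returns (level, name of the field that set it) so the result is auditable."""
    if not fields:
        raise ValueError("empty dataset")
    graded = [(grade_field(f), f.name) for f in fields]
    return max(graded, key=lambda g: RANK[g[0]])

# Constructed sample: a customer table mixing PI categories.
SAMPLE = [
    Field("order_total", "non_pi", "General-1"),
    Field("customer_email", "general_pi", "General-1"),   # floor lifts it to General-2
    Field("id_card_number", "sensitive_pi", "General-2"), # floor lifts it to General-4
]

if __name__ == "__main__":
    print(grade_dataset(SAMPLE))  # ('General-4', 'id_card_number')
```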
iii. Grading of Derivative Data.
According to the extent of data processing, Network Data can be divided into raw data, desensitized data, labeled data, statistical data and fusion data (the “Derivative Data"). Derivative Data may be re-graded. For example, desensitized data and labeled data may be graded lower than the raw data; statistical data, such as profile data reflecting a large group of individuals or location tracks, may be graded higher than the raw data.
iv. Updating of the grading.
The grading of data should be updated in a timely manner when there are changes in content, scale, application scenarios or other circumstances.
IV. Procedures of Network Data classification and grading.
A data processor should follow the steps below to classify and grade its data assets:
(a) Conduct an inventory check on its data assets, and come up with a list of data assets.
(b) Classify its data assets based on different dimensions in accordance with Industry Standards or other relevant regulations on data classification.
(c) Identify Core Data, Important Data, different levels of General Data, and different levels of Personal Information, respectively, and finish the grading of its data assets.
(d) Review and approve the above classification and grading, form a list of the data assets’ classification and grading, and update the above classification and grading in a timely manner.
(e) Take applicable measures to protect data of different levels and classifications.
V. Key Takeaways
The classification and grading of data is the first step of data compliance under Chinese law, and these Classification and Grading Guidelines provide general guidance for the classification and grading of Network Data by detailing the key rules and giving specific examples for reference. Although they apply only to Network Data, they can also serve as an important reference for the classification and grading of non-electronic data. Enterprises should therefore review their data assets in accordance with these Classification and Grading Guidelines and the relevant laws and regulations, and take corresponding measures to protect those assets.