Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is one of the Personal health information code series of standards, which consists of:
——GB/T 38961-2020 Personal health information code - Reference model;
——GB/T 38962-2020 Personal health information code - Data format;
——GB/T 38963-2020 Personal health information code - Application interface.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by the E-government Office of the General Office of the State Council.
This standard is under the jurisdiction of SAC/TC 28, the National Technical Committee on Information Technology of the Standardization Administration of China.
Introduction
In the process of preventing, controlling and eliminating the hazards of public health emergencies [such as novel coronavirus-infected pneumonia (COVID-19)], it is necessary to collect, store and process personal health information to achieve various management purposes, including:
——quickly obtaining relevant information about personal health;
——statistics of information about an epidemic or disease;
——managing the personnel flow between different regions;
——mutual recognition of health information service levels.
In the process of preventing and controlling the COVID-19 epidemic and resuming work and production since February 2020, the pandemic prevention health information code provided by the national integrated online government service platform (hereinafter referred to as the "integrated platform") and the "PHI-codes" established and used by some provinces (autonomous regions and municipalities), as important forms of personal health information code, have become an effective way to quickly collect, store and process personal health information. In the practical application of personal health information codes, problems such as inconsistent code system composition, inconsistent data formats, and the lack of a data sharing and mutual recognition mechanism have restricted the cross-regional flow of people and goods. From the perspective of both current practice and long-term application requirements, it is therefore necessary to unify the standards for personal health information codes. In addition to the emergency handling of public health emergencies, personal health information codes are also applicable to the management of personal medical treatment, health care and other major public activities.
If the specific matters specified herein are otherwise stipulated by laws and regulations (such as the Cybersecurity Law of the People's Republic of China and the Law of the People's Republic of China on Prevention and Treatment of Infectious Diseases), such provisions shall be complied with.
Personal health information code - Reference model
1 Scope
This standard specifies the composition and structure, code system and presentation form, application system reference model and application requirements of personal health information code.
This standard is applicable to the design, development and system integration of personal health information code related application systems, and may be referred to by other application systems related to authorized release, inquiry and utilization of personal health information.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 2260 Codes for the administrative divisions of the People's Republic of China
GB/T 2659 Codes for the representation of names of countries and regions
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 27766-2011 Two-dimensional barcode - Grid matrix code
GB/T 33560-2017 Information security technology - Cryptographic application identifier criterion specification
GB/T 35273-2020 Information security technology - Personal information security specification
GB/T 35274-2017 Information security technology - Security capability requirements for big data services
GB/T 38962-2020 Personal health information code - Data format
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
Note 1: Personal information includes name, date of birth, ID number, personal biometric information, address, communication and contact information, communication records and content, account and password, property information, credit information, whereabouts, accommodation information, health and physiological information, and transaction information.
Note 2: The information formed by the personal information controller by processing personal information or other information, such as user profiling or features, labels, is regarded as personal information if it can be used to, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person.
[GB/T 35273-2020, Definition 3.1]
3.2
personal health information
personal information related to the health status of identified or identifiable natural person
3.3
personal information subject
natural person identified by or connected to personal information, i.e., the subject of personal data
Note: It is revised from GB/T 35273-2020, Definition 3.3.
3.4
personal information controller
organization or individual that has the power to determine the purpose, manner, etc. of the processing of the personal information
[GB/T 35273-2020, Definition 3.4]
3.5
explicit consent
behavior of a personal information subject of explicitly authorizing the specific processing of his or her personal information, either by actively making a statement in written or oral form (on paper or electronically) or by taking an affirmative action on his or her own initiative
[GB/T 35273-2020, Definition 3.6]
3.6
consent
behavior, of a personal information subject, of explicit authorization in terms of the specific processing of his or her personal information
[GB/T 35273-2020, Definition 3.7]
3.7
cyber trusted identity
CTID
electronic document used to prove a resident's personal identity in cyberspace, which has a one-to-one correspondence with the resident's identity document
3.8
cyber identifier
code issued by the CTID online authentication service system to the CTID application system to identify the resident's personal identity
Note 1: In the same CTID application system, there is a one-to-one correspondence between the cyber identifier and the resident's real identity.
Note 2: The same resident has different cyber identifiers in different CTID application systems.
3.9
personal health information code
PHI-code
a sequence of numbers or letters bound to the cyber trusted identity, expressing that the user authorizes others or organizations to temporarily access his/her specific personal health information, for which two-dimensional barcode is usually used as the storage medium
3.10
PHI-code service
service that provides users who have passed identity authentication with the generation, distribution and verification of PHI-codes containing specific application authorization information, or of their corresponding two-dimensional barcodes
3.11
PHI-code application
application software that provides PHI-codes, or that reads the PHI-codes being used
Example: "PHI-code of XX Province" and "PHI-code of XX City".
3.12
personal health information service
service of, under the premise of user authorization, providing personal health information declared by individuals voluntarily or legally owned by related organizations
3.13
PHI-code application system
generic term for software and hardware systems that support the collection, query and use of personal health information, generally consisting of PHI-code service, PHI-code application, and personal health information service
3.14
personal health information list
summary result, formed by cleaning and processing, that comprehensively reflects the personal health status and is generally provided to the superior department for collection and use
4 Composition of PHI-code
4.1 Structure of PHI-code
PHI-code consists of numbers and/or letters, and its structure is shown in Figure 1.
Figure 1 Structure of PHI-code (Segment A: identity; Segment B: service data, made up of length and version, code type, platform identifier, expiration time, and digest of the personal information subject's authorization record; Segment S: signature over the A+B content)
PHI-code consists of three segments, A, B and S, as follows:
a) Segment A is the user identity, which is obtained after real-name, real-person authentication and represents the identity of the personal information subject. CTID data may be used, and the CTID may be used to realize cross-system identity intercommunication and mutual recognition. The first two bytes of the segment are a 16-bit big-endian unsigned integer giving the length of the Segment A content.
b) Segment B is service data, representing the code type, the code-making platform identifier, the code expiration time and the digest of the information subject's authorization record:
1) Part 1 is the length and version: the first two bytes are a 16-bit big-endian unsigned integer giving the length of the Segment B content, and the next two bytes are the version number;
2) Part 2 is the code type declaration, 4 letters or digits, fixed as "JKM1" in this standard;
3) Part 3 is the identifier assigned to each PHI-code service when it registers in the mutual recognition mechanism; it consists of 6 digits and should use the codes for administrative divisions specified in GB/T 2260;
4) Part 4 is the expiration time (UTC) of the PHI-code;
5) Part 5 is the digest of the information subject's authorization record. An algorithm meeting the requirements of the national cryptography administration shall be used for the digest; see the algorithm identified as "1.2.156.10197.1.401" (the SM3 hash algorithm) in GB/T 33560-2017.
c) Segment S is the digital signature value over the A+B content. An algorithm meeting the requirements of the national cryptography administration shall be used for signing; see the algorithm identified as "1.2.156.10197.1.501" (SM2 signature with SM3) in GB/T 33560-2017.
Parts 2 and 3 of Segment B (code type and platform identifier) let a PHI-code processor identify, and route to, the PHI-code service that generated the code; they are the basis for establishing intercommunication and mutual recognition of PHI-codes. The code expiration time may be used to quickly identify expired authorizations. Because Parts 2 and 3 have to be read before the signature can be checked (they tell the verifier which service's key to verify against), a verifier should treat them only as routing hints and rely on no field of the code until Segment S has been verified over A+B.
4.2 Authorization record
The authorization record shall fully express the personal information subject's authorization regarding his or her personal information and the manner of its processing. The main elements include authorization subject information, authorization validity period, authorized subject information, personal information controller information, and the category or index of the personal information authorized for operation, as detailed in Table 1.
Table 1 Elements of personal information authorization record
Element name | Short name | Constraint | Description
Authorization subject | SQZT | Mandatory | The individual issuing the authorization, who shall be a subject with full capacity for civil conduct. Sufficient and necessary information shall be provided, such as name, certificate type and number, and nationality
Validity period | YXQX | Mandatory | Includes the time at which the authorization is issued and the start and end times of the authorization's validity period
Authorized subject | BSQZT | Optional | The individual or organization authorized to access or operate on the personal information, which shall provide sufficient and necessary identification information: for individuals, name, certificate type and number, nationality, etc.; for organizations, organization name, certificate type and number, etc.
Personal information controller | XXKZZ | Optional | The application systems that store and manage the personal information, and their classification information. In certain scenarios there may be default settings
Authorized information category | XXLB | Optional | Determined according to the application goal, such as the category or group of personal information. In certain scenarios there may be default settings
Authorized information index | XXSY | Optional | Index information needed to query the information, such as the personal information subject and the information identifier; the personal information subject may default to the authorization subject
Authorized operation authority | CZQX | Optional | The operations that may be performed on the information obtained, such as read-only, retaining a query voucher, downloading and dumping; read-only by default
For a PHI-code used for passage, the information authorized for access (whose data format shall conform to GB/T 38962-2020) and the authorized object (not specified explicitly, but generally the inspector at each passage checkpoint) are both already clear, so only summary information about the authorization subject needs to be recorded. The plaintext of the authorization record consists of the name, ID number, ID type, etc. of the personal health information subject, concatenated in the form "B1|B2|B3|B4^B5":
a) B1 is the name of the personal health information subject;
b) B2 is the ID number of the personal health information subject;
c) B3 is the ID type code of the personal health information subject, of which the value is shown in Annex A;
d) B4 is the country or region code of the personal health information subject, which shall adopt the "three-letter code" specified in GB/T 2659;
e) B5 is the authorization time of the personal health information subject, which shall be in the format of YYYYMMDDHHMMSS.
4.3 Coding and subsequent processing
After the PHI-code is generated, it may be encoded into a two-dimensional barcode image according to the corresponding code system in the PHI-code service or PHI-code application. Digital watermarks may be embedded in, or traceability identifiers added to, the barcode image to make its use more secure.
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Composition of PHI-code
4.1 Structure of PHI-code
4.2 Authorization record
4.3 Coding and subsequent processing
5 Code system and presentation form
5.1 PHI-code terminal application
5.2 PHI-code emergency management
6 PHI-code application system reference model
6.1 System composition
6.2 PHI-code use process
6.3 Mutual recognition of PHI-codes
7 PHI-code application requirements
7.1 General
7.2 Identity authentication requirements
7.3 Application interfacing requirements
7.4 Information protection requirements
7.5 Safety requirements
Annex A (Normative) Code sets
Annex B (Informative) Pandemic prevention health information service system scheme for national integrated online government service platform
Annex C (Informative) PHI-code application scenarios
Bibliography
5 Code system and presentation form
5.1 PHI-code terminal application
When the PHI-code is encoded into a barcode image, the two-dimensional barcode code system specified in GB/T 27766-2011 shall be used, as well as the mainstream two-dimensional barcode code systems specified in other relevant national standards.
The PHI-code should be presented in the form shown in Figure 2.
Figure 2 Example presentation of the PHI-code on a mobile terminal (the figure shows: masked identity information with the name, the certificate type "Resident identity card" and the certificate number; the prompt "Please show this to the other party to scan"; the two-dimensional barcode with the PHI-code logo at its center; a health information self-check entry; an information declaration entry; the health risk level shown as "Low"; "My health information details"; travel declaration and health check-in status, both marked as done today; and the "PHI-code JKM" mark)
While the PHI-code two-dimensional barcode is presented, a text or symbol prompt of the information service level shall be provided at the same time. Masked identity information and entries for personal health information self-check and personal health information declaration should also be provided. Generally, operation prompts and an entry for switching operations shall also be provided on the barcode display screen.
Where:
a) the masked identity information shall provide the information necessary to check the login status of the individual;
b) when the two-dimensional barcode is shown, the PHI-code application shall place the unified PHI-code logo at the center of the barcode, and may change the color of the barcode modules and frame according to the information service level;
c) in addition to marking the information service level by the color of the barcode modules, frame lines, etc., an obvious text or symbol prompt shall be given;
d) users may view the health information they have declared and the record of authorized access, so as to learn their own health information service level;
e) the information declaration entry provides the function for users to declare health information (such as body temperature and relevant symptoms) and travel information for themselves or for family members and others;
f) the unified PHI-code logo shall be clear and distinct, and the proportion of the two-dimensional barcode image area it covers shall be below 10%.
A validity period shall be set for the PHI-code; in the PHI-code application, tapping the barcode image may refresh it manually.
5.2 PHI-code emergency management
When the information subject queries his or her own health information, the two-dimensional barcode may be given different colors according to the information obtained, combined with the application requirements of different scenarios, so as to quickly mark the health information service level and improve the efficiency of inspection and passage. Examples of different color markings of the two-dimensional barcode are shown in Figure 3. Other colors may be added in special circumstances.
Figure 3 Examples of different colorings of the two-dimensional barcode: red code (color value #FB382D), yellow code (color value #FF8F1F) and green code (color value #57AC6C), each carrying the PHI-code JKM mark
In addition to coloring the two-dimensional barcode, the marking of the health information service level shall also be used together with easily recognizable text or symbol prompts.
6 PHI-code application system reference model
6.1 System composition
The PHI-code service shall not take part directly in the processing of personal health information, and shall be clearly separated, logically, from the specific personal health information services. The reference model of the PHI-code application system is shown in Figure 4, which gives the integration relationship between the PHI-code service and the various personal health information services.
Figure 4 PHI-code application system reference model (the figure shows: the PHI-code application, with a code-display end and a code-scanning end, through which application, declaration and real-name real-person authentication take place; the PHI-code service, whose PHI-code engine keeps the code-making and code-verification records; the personal health information services, namely an "XX health information service" holding health information or the health information list, platform A and platform B, and other personal information; and identity authentication through the unified identity authentication of the integrated platform, the entry-exit identity authentication platform and the CTID platform. Numbered flows: 1) code-making request, 2) PHI-code, 3) show, 4) PHI-code, 5) code-verification request, 6) query index, 7) personal health information; the code-scanning end also issues a query)
In Figure 4, the functions and collaboration of the components are as follows:
a) the PHI-code service mainly provides the code-making and code-verification functions, and may also provide application ends with queries on the use of an individual's authorization;
b) the main functional module of the PHI-code service is the PHI-code engine, which generates and verifies PHI-codes; records of code making and verification shall be retained for a period of time for query;
c) the personal health information service system is the controller of the personal information and shall respond to personal health information queries according to the identity credential or authorization of the personal information subject (the user of the PHI-code application);
d) the personal health information service may adopt a hierarchical management mode; in that case, external information services are provided uniformly by the top-level health information list database, while each lower-level platform is responsible for updating, and assuring the quality of, the health information of persons in its own region;
e) the personal health information service may establish links with other personal information controllers and, with the authorization of the personal information subject, query other information by means such as interface calls, as a data source or reference value for the service;
f) application for, display of and verification of PHI-codes shall be completed through the PHI-code application;
g) trusted user identity authentication shall precede use of the PHI-code, and the scope of identity authentication shall cover all groups that may use the personal health information service, including mainland residents, residents of Hong Kong, Macao and Taiwan, overseas Chinese and foreign nationals.
See Annex B for an example pandemic prevention health information service system.