Foreword
This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for standardization work Part 1: Structure and drafting rules of standardization documents".
Please note that some of the contents of this document may involve patents. The issuing organization of this document does not assume responsibility for identifying patents. This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
1 Scope
This document specifies the security requirements for data processing activities of network audio and video services, including collection, storage, use, processing, transmission, provision, disclosure and deletion.
This document applies to network audio and video service providers in regulating their data processing activities. It can also serve as a reference for regulatory authorities and third-party assessment agencies in supervising, managing and assessing the data processing activities of network audio and video services.
2 Normative reference documents
The contents of the following documents, through normative references in the text, constitute essential provisions of this document. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 25069 Information security technology: Terminology
GB/T 35273-2020 Information security technology: Personal information security specification
GB/T 37988 Information security technology: Data security capability maturity model
GB/T 39335 Information security technology: Guidance for personal information security impact assessment
GB/T 41391-2022 Information security technology: Basic requirements for collecting personal information in mobile Internet applications (App)
GB/T 41479 Information security technology: Network data processing security requirements
3 Terms and definitions
The terms and definitions given in GB/T 25069 and GB/T 35273-2020, as well as the following, apply to this document.
3.1
Network audio and video service (online audio and video service)
A service that provides the public with the production, release and dissemination of audio and video information through Internet sites, applications and other network platforms.
Note 1: Also known as the network audio and video information services.
Note 2: Excludes audio and video editing tools, local players, and online live services with instant-communication properties (such as online meetings).
3.2
Network audio and video service platform (online audio and video service platform)
An information system that provides network audio and video services (3.1).
3.3
Network audio and video service provider (online audio and video service provider)
An organization or individual that provides network audio and video services (3.1) to the public.
Note 1: In this document, this mainly refers to the owners and managers of network audio and video service platforms.
Note 2: Referred to as "provider" in this document.
4 Acronyms
The following abbreviations apply to this document.
IoT: Internet of Things
IP: Internet Protocol
5 Overview
5.1 Business components of network audio and video services
Network audio and video services mainly comprise network audio services, network video services and network live-streaming services. Network audio services provide users with the production, release and dissemination of audio content such as music, radio broadcasts, quyi (traditional folk performing arts), audiobooks, radio dramas, audio of programs and events, and news audio. Network video services provide users with the production, release and dissemination of video information such as short videos, films, TV series, variety and entertainment shows, program and event videos, and news videos. Network live-streaming services provide users with the release and dissemination of real-time audio information, video information, image-and-text information and other content.
6 Basic requirements
7 Data collection
7.1 Collection of personal information
When collecting personal information, network audio and video service providers shall meet the requirements of 5.1, 5.2 and 5.3 of GB/T 35273-2020 and, on that basis, comply with the following requirements.
8 Data storage and transmission
9 Data use and processing
10 Data provision and disclosure
11 Cross-border data transfer
Network audio and video service providers that need to provide data outside the country for business purposes shall, in light of their business development and operations, carry out a cross-border data transfer risk assessment at least once a year, either themselves or by entrusting a third-party organization.
12 Personal information subject rights
In safeguarding the rights of personal information subjects, network audio and video service providers shall comply with the requirements of Chapter 8 of GB/T 35273-2020 and, on that basis, comply with the following requirements.
13 Protection of minors
14 Data security requirements for scenarios related to audio and video services
Appendix A (informative) Data processing activities and security risks of network audio and video services
Appendix B (informative) Reference rules for identification of important data and data classification examples for network audio and video services
Appendix C (informative) Scope of personal information collection and use requirements for common extended business functions of network audio and video services
Appendix D (informative) Scope of system permission requests and use requirements for network audio and video service Apps
Bibliography