This document describes how the new national standard template for data classification and categorization maps to the new national standards. The template is enabled by default in Data Security Center (DSC).
Background
To improve the compliance and usability of data classification and categorization, DSC standardizes the mapping between data sensitivity levels and the sensitivity levels defined in relevant laws and regulations. This ensures that enterprises meet compliance requirements throughout the data processing flow. It also enables precise, visualized database permission control and threat protection.
Categorization description
| DSC level | Description | Regulation/Standard level | Regulation/Standard description |
| --- | --- | --- | --- |
| S1 | Non-sensitive data. Public disclosure of this data generally causes no harm. Examples include provinces, cities, and product names. | Level 1 data | A breach, tampering, destruction, or illegal access, use, or sharing of this data does not harm individual or organizational rights and interests. |
| S2 | General sensitive data. This data is not suitable for public disclosure. A data breach causes a low degree of harm. Examples include names and addresses. | Level 2 data | A breach, tampering, destruction, or illegal access, use, or sharing of this data causes general harm to individual or organizational rights and interests. |
| S3 | Critical sensitive data. This data is highly sensitive. A small leak can cause serious harm. Examples include ID certificates and account passwords. | Level 3 data | A breach, tampering, destruction, or illegal access, use, or sharing of this data causes serious harm to individual or organizational rights and interests. |
| S4 | Core confidential data. This data must not be leaked under any circumstances. Examples include genes, fingerprints, and irises. | Level 4 data | A breach, tampering, destruction, or illegal access, use, or sharing of this data causes particularly serious harm to individual or organizational rights and interests. It can also cause general harm to economic operations, social order, or public interests. |
For a description of the regulation levels, see Appendix H General Data Categorization Reference in *Data Security Technology - Rules for Data Classification and Categorization* (GB/T 43697-2024).
Classification description
DSC classifies data based on the *Data Security Technology - Rules for Data Classification and Categorization* regulation. It groups child classes of data that share a similar subject, then subdivides them by the object they describe.
| DSC classification | Regulation classification |
| --- | --- |
| Personal information | User data |
| Company information | Business management data |
| Technical management | System O&M data |
| Business data | Business data |
| Marketing service | Business data |
| Comprehensive management | Business management data |
For a description of the regulation classifications, see Table A.1 Reference Examples For Object-based Data Classification in Appendix A of *Data Security Technology - Rules for Data Classification and Categorization* (GB/T 43697-2024).
Classification and feature examples
| DSC level 1 category | DSC level 2 child class | Standard level 1 category | Standard level 2 category | Corresponding regulation classification | Categorization example |
| --- | --- | --- | --- | --- | --- |
| Personal information | Personal financial information | Personal financial information | Personal financial information | For the regulation classification of basic personal data, see Table B.1 Reference Examples For Personal Information Classification in Appendix B of *Data Security Technology - Rules for Data Classification and Categorization* (GB/T 43697-2024). | For categorization examples of personal financial information, see Personal financial information. |
| Personal information | Personal health and physiological information | Personal health and physiological information | Medical and health information | For the regulation classification of personal identity information, see Table B.1 Reference Examples For Personal Information Classification in Appendix B of *Data Security Technology - Rules for Data Classification and Categorization* (GB/T 43697-2024). | For categorization examples of personal health and physiological information, see Personal health and physiological information. |