# Description of Sensitive Personal Information Identification and Authorization Rules
——Scope of application and detailed description of sensitive personal information identification and authorization rules
# Role of Sensitive Personal Information Identification and Authorization Rules
Applicable scenarios of sensitive personal information identification and authorization rules:
● The feature is located in Admin Center > Info Security Management > Customer Info Authorization > Sensitive Info Sending Authorization. The rules take effect only after this feature has been configured.
● At the regulatory level, if the enterprise needs to obtain the user's sensitive personal information during the chat, it should first obtain the user's separate authorization. The admin console provides a set of rules that identify sensitive words during the chat and prompt the user to authorize sending the sensitive information.
# Legal Basis
These identification rules are based on the personal information protection requirements of the Personal Information Protection Law of the People's Republic of China and the Information Security Technology—Personal Information Security Specification:
● The Personal Information Protection Law of the People's Republic of China was officially implemented on November 1, 2021. Article 28 makes it clear that "Sensitive personal information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14". Article 29 stipulates that "To handle sensitive personal information, the individual's separate consent shall be obtained".
● The Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) gives examples of the specific scope of sensitive personal information, including five categories: personal property information, personal health and physiological information, personal biometric information, personal identity information, and other information.
# Rule Description
Based on the Personal Information Protection Law of the People's Republic of China and the Information Security Technology—Personal Information Security Specification, the system uses regular expression identification and keyword identification to determine whether the customer sends sensitive personal information in live chat:
● Regular expression identification uses regular expression rules to identify certificate numbers such as ID card, passport, driver's license, officer card, residence permit, and bank account numbers;
● Keyword identification is based on the keyword library. If the visitor's message contains any keyword from the library, the separate authorization prompt for sensitive personal information is shown. The keyword library is as follows:
Serial No. | Sensitive Personal Information Category | Keywords Involved |
---|---|---|
1 | Personal property information | Bank account, command, deposit, collection, real estate, credit, credit investigation, transaction, consumption, virtual currency, virtual transaction, exchange code, password, credit report, and house |
2 | Personal health and physiological information | Medical history, operation record, disease, anesthesia record, inpatient record, medication record, drug allergy, test report, symptoms, nursing record, food allergy, and fertility |
3 | Personal biometric information | Personal genes, fingerprints, voice prints, palm prints, auricles, iris and facial recognition |
4 | Personal identity information | ID card, officer card, passport, driver's license, work permit, social security card, and residence permit |
5 | Other information | Contacts, marriage, religion, belief, criminal record, friend list, location, accommodation information, accommodation record, browsing record, and homosexuality |
# Rule Impact Description
A customer message that hits the "identification rule" is not sent to the agent workbench for display until the customer authorization is approved. The customer authorization is valid for 24h (that is, an authorized visitor who restarts the chat within 24h is not checked again or prompted again for sensitive personal information authorization). This may have the following impacts:
● A reminder pop-up window appears on the chat page after a message hits the "identification rule", which may affect the user's inquiry experience;
● The identification scope of sensitive personal information mainly follows the requirements of general laws and regulations, and some sensitive information may not be identified or may be identified inaccurately.
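The two identification methods and the hold-until-authorized behaviour described above, as an added example that is not the product's own code. The keywords are a subset of the table; the ID-card pattern with its GB 11643-1999 check character, the `Gate` class and the caller-supplied `now` clock (seconds) are assumptions made for illustration.

```python
import re

# Assumption: a few keywords per category, taken from the page's keyword library.
KEYWORDS = {
    "Personal property information": ("bank account", "deposit", "credit report"),
    "Personal health and physiological information": ("medical history", "drug allergy"),
    "Personal biometric information": ("fingerprints", "facial recognition"),
    "Personal identity information": ("id card", "passport", "driver's license"),
    "Other information": ("criminal record", "religion", "browsing record"),
}
# Assumption: 18-character resident ID shape; the product's own patterns are not on the page.
ID_CARD = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")
WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
CHECK = "10X98765432"
AUTH_TTL = 24 * 3600  # validity period of the customer authorization stated on the page

def valid_id_card(num):
    """GB 11643-1999 check character; rejects arbitrary 18-digit strings such as order numbers."""
    total = sum(int(d) * w for d, w in zip(num[:17], WEIGHTS))
    return CHECK[total % 11] == num[17].upper()

def identify(message):
    """Return the identification-rule hits for one customer message."""
    hits = set()
    if any(valid_id_card(m.group()) for m in ID_CARD.finditer(message)):
        hits.add("regex:id_card")
    lowered = message.lower()
    for category, words in KEYWORDS.items():
        if any(w in lowered for w in words):  # plain containment, as the page describes
            hits.add("keyword:" + category)
    return hits

class Gate:
    """Hypothetical gate: holds hit messages until authorization, valid for AUTH_TTL."""
    def __init__(self):
        self.authorized_at = {}  # visitor id -> time of authorization
        self.held = {}           # visitor id -> messages awaiting authorization

    def submit(self, visitor, message, now):
        granted = self.authorized_at.get(visitor)
        fresh = granted is not None and now - granted < AUTH_TTL
        if fresh or not identify(message):
            return "delivered"   # no hit, or within validity: not checked or prompted again
        self.held.setdefault(visitor, []).append(message)
        return "held"            # the chat page would show the authorization prompt here

    def authorize(self, visitor, now):
        self.authorized_at[visitor] = now
        return self.held.pop(visitor, [])  # messages released to the agent workbench
```

Plain containment matching is what makes the second impact above concrete: a keyword embedded in an unrelated word still triggers the prompt, and sensitive content phrased without any library keyword passes through.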
Prompt for authorization after identification of sensitive personal information: