On 12 April 2021 the National Information Security Standardisation Technical Committee (NISSTC) issued the Information Security Technology – Gradation and Evaluation for the Effect of Personal Information De-identification (Draft for Comment) to solicit public comments by 11 June 2021. The draft for comment sets out gradation and evaluation methods for the identifiability of personal information. Such methods apply to personal information de-identification activities and the security management, supervision and evaluation of personal information. Among other things, the draft for comment clarifies that the identifiability of personal information can be categorised into one of four grades based on the risk of re-identification. Grade 1 data (ie, data through which the personal data subject can be directly identified) includes a direct identifier (eg, their name, mobile phone number or ID card number) and other data that can be used to directly identify the personal data subject under special circumstances. Grade 4 data (ie, aggregate data) includes data such as the total number, the maximum value, the minimum value and the average value, rather than any data relating to a specific case.

On 30 August 2019 the NISSTC issued Information Security Technology – Guide for De-identifying Personal Information, which took effect on 1 March 2020. The new draft for comment can be used to evaluate the effectiveness of personal information de-identification activities conducted according to the guide.