What Are China’s Data Types and Why Are They Important?

By Marcos Sabio
Last Updated on Jul 14, 2025

China’s online data climate is governed by two key laws: the Data Security Law (《中华人民共和国数据安全法》) and the Personal Information Protection Law (《中华人民共和国个人信息保护法》). These two laws are the pillars of China’s data laws, and together they create a robust system for managing and protecting data based on its value, sensitivity, and potential risk. Data classification and grading (数据分类分级) is the key mechanism through which these laws operate, creating a national framework for data that applies across sectors, industries, and administrative levels.

This article explains how this system works, including the key categories of data, their classification principles, and how grading is determined and implemented. Understanding China’s data types is critical for any business that collects user information, operates SaaS platforms, or transfers data across borders. Failure to comply may result in significant regulatory, financial, and operational risks.

What Is “Data Classification and Grading” (数据分类分级)?

In China’s regulatory framework, data is both classified (by type and origin) and graded (by sensitivity and potential impact if compromised). This enables authorities to apply proportional protection measures based on the risk profile of the data: the higher the grade, the more protection measures apply.

This framework is upheld by three key laws:

Any company operating in China is expected to implement classification and grading across its data assets, a task that requires technical expertise and legal understanding of overlapping regulations.

What Are the Three Main Data Types in China?

The following information has been extracted and translated from official government documentation. China’s three overarching types of data are: core data, important data and general data. 

1. What Is Core Data (核心数据)?

Core data refers to data that, if disclosed or misused, could directly threaten national security or political stability. It includes high-volume or high-specificity datasets related to critical infrastructure, defense, or mass public behavior.

Examples:

  • National defense logistics
  • Strategic energy system data
  • Aggregated social or political sentiment analysis

Such data is subject to strict controls, and handling it typically requires security assessments and reporting to authorities.

2. What Is Important Data (重要数据)?

Important data, though less sensitive than core data, still presents a serious risk to national interests, public health, or economic operations if mishandled. It often includes data processed in critical sectors like finance, telecom, healthcare, and logistics.

Examples:

  • Traffic or logistics flows
  • Power grid data
  • Public health or epidemic tracking data

Organizations processing important data are required to perform impact assessments, implement protection mechanisms, and, when applicable, obtain approval before cross-border transfers.

3. What Is General Data (一般数据)?

General data refers to all other data not categorized as core or important. While considered lower risk, it still requires protection, especially if it contains personal information.

This category is often subdivided internally into levels based on factors like:

  • Accessibility (public vs. internal)
  • Risk to individuals or organizations
  • Use of sensitive identifiers

Regulations encourage organizations to conduct internal grading even for general data, especially when it’s linked to user behavior, device identifiers, or location data.

What Are Other Important Types of Data?

Aside from the three types of data mentioned above, there are two other types of data that are particularly sensitive and subject to strict regulations.

What Is Personal Information (个人信息)?

Under PIPL, anonymised data does not count as personal information; only data that can identify a natural person is classified as personal information. Below is a translated version of the official personal information table:

Examples of Personal Information

| Category | Examples |
| --- | --- |
| Basic Personal Information | Name, date of birth, gender, ethnicity, nationality, family relationships, home address, personal phone number, email address |
| Identity Information | ID card, military ID, passport, driver’s license, work ID, entry/exit permits, social security card, residence permit |
| Biometric Information | Genes, fingerprints, voiceprints, palmprints, earlobe, iris, facial recognition features |
| Online Identifiers | User account, IP address, email account and associated passwords, voice commands, security questions, personal digital certificates |
| Health and Physiological Info | Medical and health records, e.g., illnesses, hospitalizations, medical reports, examination results, surgeries, treatments, medication allergies, reproductive info, family disease history, current or infectious diseases, as well as severity, physical condition, and lung function |
| Education and Work Information | Occupation, job title, work unit, academic degree, educational background, work history, training records, academic transcripts |
| Financial Information | Bank account information, payment ID (e.g., Alipay ID), deposit information (including amount and transaction logs), property details, credit records, transaction and consumption logs, capital flow, and information related to virtual currencies or online gaming credits |
| Communication Information | Communication logs and contents, SMS, MMS, emails, metadata and all communication metadata |
| Contact Information | Address book, friend lists, group chats, email contact lists |
| Online Behavior Records | Data stored through cookies, such as user browsing history, software usage logs, clickstream data |
| Device Information | Hardware serial numbers, MAC address, app list, unique device identifiers (IMEI, Android ID, IDFA, OpenUDID, GUID, SIM card, IMSI), configuration data, device usage info |
| Location Information | Travel trajectories, precise location data, residence address, business travel information |
| Other Information | Marriage, religious beliefs, political affiliations, criminal records, etc. |

Sensitive personal information (敏感个人信息), such as facial recognition templates, medical records, and bank credentials, is subject to even more rigorous consent, minimization, and encryption requirements. Below is a translated version of the official sensitive personal information table:

Examples of Sensitive Personal Information

| Category | Examples |
| --- | --- |
| Financial Information | Bank accounts, payment ID (e.g., Alipay ID), deposit records (including amounts and payment logs), property information, credit reports, transactions, capital flow, virtual currencies, online gaming credits |
| Health and Physiological Info | Illnesses, hospitalizations, medical records, test reports, surgical and anesthesia history, treatment records, medication, allergies, reproductive info, diagnosis, family medical history, infectious diseases, physical condition, etc. |
| Biometric Information | Genes, fingerprints, voiceprints, palmprints, earlobe, iris, facial recognition features |
| Identity Information | ID card, military ID, passport, driver’s license, work ID, social security card, residence permit |
| Online Identifiers | User account, passwords, security questions, personal digital certificates |
| Other Sensitive Information | Sexual orientation, marriage status, religious beliefs, publicly disclosed or undisclosed criminal records, communication logs and contents, contact lists, group chat data, browsing history, residence info, precise location, etc. |

International businesses must take particular care when handling this data, ensuring legal bases for collection, localization where required, and filing Personal Information Protection Impact Assessments (PIPIA) when conducting cross-border transfers.

What Is Derived Data (衍生数据)?

Even anonymized or aggregated data can carry regulatory risks if it is deep, broad, or easily re-identified. China recognizes processed data types such as:

  • label/tag data (标签数据)
  • statistical data (统计数据)
  • fused/multi-source data (融合数据)

The sensitivity of derived data is assessed based on how it was created and how easily it could impact national, organizational, or individual interests. Businesses need to evaluate processing methods carefully, as some transformations may increase rather than decrease sensitivity.

How Is Data Classified by Sector and Use?

Data is first categorized by the industry in which it is generated or used. Examples include:

  • 工业数据 (industrial manufacturing)
  • 金融数据 (financial transactions)
  • 医疗数据 (health records)
  • 教育数据 (student and school systems)

Each sector may have its own classification rules and compliance thresholds, overseen by the respective industry regulator. For example, a mobile health app must comply not only with PIPL but also with data retention and localization rules from the health authority.

Understanding these cross-sectoral requirements is critical to maintaining compliance. Many foreign companies work with legal experts familiar with multi-agency regulations to develop compliant deployment and data protection strategies.

Once data has been categorised into an industry, it can then be broken down by:

  • Data source (user-generated, customer-generated)
  • Usage purpose (monitoring, marketing, analytics)
  • Processing type (manual, algorithmic, predictive modeling, artificial intelligence)

This structured approach ensures organizations align protection methods with real-world business workflows and can demonstrate due diligence in case of audits or investigations.

How Is Data Grading Decided?

What Determines the Sensitivity of Data?

China’s grading model uses both qualitative and quantitative methods of determining data’s sensitivity, including:

  • Scope of impact (who could be affected)
  • Severity of harm (to whom, and how much)
  • Depth and scale of the dataset
  • Coverage across industries or populations

Grading involves evaluating risk across multiple domains:

  • 国家安全 (national security)
  • 经济运行 (economic operations)
  • 社会稳定 (social stability)
  • 公共利益 (public interest)
  • 组织权益 (organizational interests)
  • 个人权益 (individual rights)

When in doubt, the authorities recommend applying the “highest-risk wins” rule (就高从严) to determine final sensitivity levels, meaning that if a higher risk is possible, it is treated as a certainty rather than a possibility.

What Is the Process for Implementing Classification and Grading?

To stay compliant, businesses must:

  1. Conduct a comprehensive data inventory
  2. Apply industry and internal classification rules
  3. Assess risk factors and assign grades
  4. Mark and record data types appropriately
  5. Submit directories of important or core data where required
  6. Review and update classifications dynamically

Organizations deploying tech in China often partner with compliance firms to interpret these requirements, localize data structures, and file necessary documentation with regulators. For example, when preparing for a SaaS rollout, this process ensures cross-border data handling meets legal thresholds under both PIPL and China’s Data Security Law. 

What Is the Relationship Between Data Classification and China’s Multi-Level Protection Scheme (MLPS)?

While data classification (数据分类分级) focuses on the value and sensitivity of the data itself, China’s Multi-Level Protection Scheme (MLPS) (等级保护制度) governs the security level required of the systems that store, process, or transmit that data. The two frameworks are complementary and interconnected.

Under MLPS 2.0, any information system operating in China must be assessed and assigned a protection level ranging from Level 1 (low risk) to Level 5 (critical infrastructure). The classification of data (e.g. core data or important data) directly influences what MLPS level a system must meet.

Consider these two situations:

  • A SaaS platform processing general data and minimal personal information may fall under Level 1 or 2.
  • A health platform processing important data (like medical or epidemic tracking) may require Level 3 or above, along with security audits and filings with authorities.

In short, data classification informs the MLPS level, and MLPS ensures systems are protected appropriately. Together, they create a unified mechanism for securing both data and infrastructure that is essential for legal compliance and cybersecurity readiness in China.

What Happens If You Don’t Comply?

Non-compliance with China’s data classification and protection laws can result in:

  • Fines and sanctions
  • Suspension of data transfers
  • Product takedowns from app stores
  • Placement on risk control blacklists

In particular, for Wholly Foreign-Owned Entities (WFOEs), enforcement risks are higher when data crosses borders or involves Chinese users. Proactive compliance isn’t just about avoiding penalties; it’s a prerequisite for market access.

How Can You Ensure Compliance?

The complexity of China’s data landscape requires a structured, sector-aware approach. Businesses that succeed here typically:

  • Conduct early-stage data mapping and classification
  • Apply PIPL-compliant processing agreements and consent flows
  • Monitor evolving standards like 数据分类分级
  • Collaborate with experts who track legal changes in real-time

Support from a one-stop partner offering legal, technical, and product localization expertise, such as AppInChina, can streamline this process and provide legal confidence.

How Can AppInChina Help?

In China’s strict data climate, proper data classification and grading is not optional; it’s central to digital operations in the market. Whether you’re launching a new platform, localizing an existing one, or entering the Chinese cloud ecosystem, understanding your data obligations is critical.

If your company is preparing to enter China or scale up operations involving data, it’s worth investing in early compliance architecture and working with specialists who can help you navigate both the legal requirements and technical execution.

Need help applying these standards to your business? Contact us to schedule a free consultation call and we will create a tailored plan for your solution to safely deploy in China.