Feb. 11, 2020
In its fight against the outbreak of a novel coronavirus (recently designated COVID-19 by the World Health Organization), China’s government has mobilized efforts at all levels. Successful infectious disease surveillance, however, requires collecting and handling large amounts of sensitive personal information about patients, potential cases, and the people and circumstances around them.
The Cyberspace Administration of China (CAC) on February 9 published a notice (translated in full below) reiterating responsibilities for personal information protection and emphasizing existing rules and regulations, including China’s Cybersecurity Law, which includes rules on personal information protection, and the Personal Information Security Specification, which provides details on how best to handle specific practices around personal information. These references are part of a growing data governance regime led by CAC. The document also calls for concerted efforts to use big data analysis to monitor the outbreak.
This document largely reiterates existing rules, but as Yan Luo writes for the law firm Covington, disease response is distributing new responsibilities for information collection and reporting throughout society. Moreover, China's data protection regulations often include broad exemptions for national emergencies, and this notice could provide some limiting guidance around those exemptions. As such, the notice flags relevant principles around purpose limitation, minimum necessary scope for data collection, and data protection for these new actors. And it reminds data handlers from the private sector and, especially, security authorities (see item 6) that there are legal consequences for mishandling personal information.
The translation below is by Rui Zhong and Rogier Creemers, with editing and introduction by Graham Webster.
Notice on Protecting Personal Information and Using Big Data to Support Joint Prevention and Joint Control Work
Published Feb. 9, 2020
All provincial, autonomous region, and municipal cybersecurity and informatization committees, all relevant ministries and commissions of Central Committee and State bodies:
In order to protect personal information during the joint prevention and joint control of the novel coronavirus infectious pneumonia epidemic, and to vigorously use big data including personal information to support joint prevention and joint control work, with the approval of the Central Commission for Cybersecurity and Informatization, the following relevant matters are hereby notified:
1. All localities and all departments must pay high regard to personal information protection work. Except for bodies authorized by the State Council hygiene and health department on the basis of the "Cybersecurity Law of the People's Republic of China," the "Infectious Disease Prevention and Treatment Law of the People's Republic of China," and the "Sudden Public Health Incident Emergency Response Provisions," no other work units or individuals may use epidemic prevention and control, or disease prevention and treatment as a reason to collect or use personal information without the agreement of the person whose data is collected. Where other provisions of law or administrative regulations exist, act according to those provisions.
2. The collection of personal information required for joint prevention and joint control shall occur with reference to the national standard "Personal Information Security Specification," uphold the principle of minimal scope, and limit the targets of collection in principle to diagnosed individuals, suspected individuals, individuals having come in close contact, and other such focus groups. Collection is generally not aimed at all groups in a particular locality, and actual discrimination against groups in particular locations must be prevented.
3. Personal information collected for epidemic control and disease prevention and treatment may not be used for other purposes. No work unit or individual may, without the agreement of the person whose information is collected, publish personal information such as names, ages, identity card numbers, telephone numbers, household addresses and other such information, except where it is required for joint prevention and joint control work and desensitization processing has been undertaken.
4. Institutions collecting or handling personal information are responsible for security and protection of personal information, adopting strict management and technological protection measures, to prevent data theft and leaks.
5. Capable firms, under guidance from relevant departments, are encouraged to actively use big data to conduct analysis and forecasting of the flow of key groups such as confirmed cases, suspected cases, and close contacts, and to contribute big data support for joint prevention and joint control work.
6. Any organization or individual found to collect, use, or disclose personal information in violation of regulations or law can be promptly reported to cybersecurity and informatization and public security departments. Cybersecurity and informatization departments should, in accordance with the “Cybersecurity Law of the People’s Republic of China” and related regulations, promptly deal with collection, use, or disclosure of personal data in violation of regulations or laws, as well as incidents that cause mass data leaks. Public security institutions involved in criminal activity will face severe consequences according to law.
Cyberspace Administration of China
Feb. 4, 2020