Data protection and management

Definition of ‘health data’

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

There is no uniform definition of ‘health data’ under Chinese law; different laws and regulations define the term differently within their own scope. In general, however, the following categories of data are considered ‘health data’ in China: (1) human genetic resources data, regulated under the Biosecurity Law and the Regulations on the Administration of Human Genetic Resources; (2) medical records and medical device data, regulated under the Regulations for Medical Institutions on Medical Records Management; and (3) population health information, regulated under the Population Health Information Management Measures (Trial Implementation).

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

Health data, genetic data, and biometric data are considered sensitive personal information under the PIPL. Sensitive personal information is generally afforded a higher level of protection than ordinary personal information. Processing of sensitive personal information requires the personal information processor to ensure:

  • data subjects have given their explicit, separate consent;
  • data subjects have been notified of the purposes, necessity, methods, scope, duration of storage, and impact on an individual’s rights and interests of the processing;
  • strict protection measures, including encryption, role- and need-based access control mechanisms, are implemented;
  • for the processing of personal information of minors under the age of 14, consent of the parent or other guardian of the minor is obtained, and that specialised rules for the processing of such personal information are formulated;
  • a privacy impact assessment is performed in advance of such processing;
  • before sharing, transferring or publicly disclosing sensitive personal information, data subjects are informed of the types of sensitive personal information involved, the identity of the recipient and their data security capabilities, and provide explicit consent in advance; and
  • data subjects are promptly notified of any security breach involving their sensitive personal information.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

Under the PIPL, ‘anonymised’ data refers to personal information that has been processed so that the identification of specific individuals is impossible and unrecoverable. Anonymised data is no longer considered personal information under Chinese data protection and privacy laws, and is generally regulated the same as ordinary data. It is worth noting, however, that even anonymised data may still be considered as ‘important data’ or ‘medical big data’ and be subject to stricter control over storage and outbound transmission.

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

Numerous regulators have overlapping jurisdiction when it comes to enforcing data protection laws in China. Some of the key regulators include CAC, MPS, SAMR, and MIIT.

Since the data protection and privacy laws in China are still relatively new, there have not been very many notable enforcement actions in the digital health sector.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

The Cybersecurity Law is the primary data security and privacy legislation regulating network operators in China, including digital health product and service providers that operate or manage networks. As part of the Cybersecurity Law, China has implemented a network security framework known as the ‘Multi-Level Protection Scheme’ (MLPS), under which network operators are required to take cybersecurity measures appropriate to the classification of their information system (ranging from level 1 to level 5). The latest version of the framework is commonly known as MLPS 2.0. Digital health businesses need to take steps to comply with MLPS 2.0, with reference to the relevant standards that have been published.

In addition, data security incidents involving the theft of personal information are a major risk for digital health businesses. Although not mandatory, the PIS Standard is a key compliance guideline and is widely adopted by Chinese companies. Some of its key principles and requirements of particular relevance to digital health businesses include:

  • Minimisation principle: the PIS Standard requires businesses to only process types and quantities of personal information necessary for the purposes for which the authorised consent is obtained, and to delete all personal information promptly after the purpose for the processing is achieved.
  • Processing of sensitive personal information: the PIS Standard recommends that, before collecting sensitive personal information (which includes any medical data, genetic data or biometric information), businesses inform data subjects of the necessity of the collection, the consequences of not consenting to the collection and provision of such information, and the associated risks in the event of a data breach. The PIS Standard also requires businesses processing sensitive personal information to conduct a personal information security impact assessment, evaluating the risk that their processing activities could harm the lawful rights and interests of data subjects and how effectively their security measures mitigate that risk.

Cyber insurance coverage is recommended and is growing in importance as China’s data protection and privacy regime matures and the likelihood of penalties, fines and liability for cyber breaches increases. Appropriate coverage limits will vary with the number of users of a digital health business’s products and services, the type of personal information collected and processed, and the size of the business.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

Digital health businesses should bear in mind the minimisation principle discussed above and take a proactive approach to data protection and privacy compliance. Good data protection and privacy practices can only be achieved through a comprehensive, company-wide approach and sustained effort.

In practice, the minimisation principle means that digital health businesses should make conscious decisions about what personal information, and how much of it, they actually need to collect for their business functions, and whether they actually need to transfer or share personal information with affiliates inside or outside China, with third parties, or across the Chinese border.

Lastly, digital health businesses may need to comply with data localisation requirements if they are considered critical information infrastructure operators or when they process personal information beyond a government-prescribed threshold amount. When there is indeed a need to transfer any personal information outside of China, digital health businesses need to meet certain statutory requirements for outbound transfer.