China: Personal information protection in health and pharmaceutical industries - part one
The requirements for personal information protection in the health and pharmaceutical industries are complex. Danjun Wu, Partner at Guantao Law Firm, provides a two-part overview: part one introduces the basic requirements for personal information protection to be met by medical institutions and pharmaceutical companies, and part two introduces the specific protection obligations to be fulfilled by medical institutions and pharmaceutical companies in the key contexts of processing personal information.
Since the Personal Information Protection Law (PIPL) came into effect on November 1, 2021, a legal system for personal information protection with the PIPL at its core has largely taken shape in the People's Republic of China (PRC). Together with the Cybersecurity Law (CSL), the Data Security Law (DSL), the Civil Code, the Consumer Rights and Interests Protection Law, and the Criminal Law, the PIPL sets out, at the macro level, the basic requirements of personal information protection for medical institutions and pharmaceutical companies in terms of the rights and interests of personal information subjects, cyber information security, data security, the rights and interests of civil subjects, the rights and interests of consumers, and social order. At the same time, legal documents such as the Measures on Security Assessment of Cross-border Data Transfer, the Measures for the Standard Contract for Personal Information Cross-Border Transfer, the Cybersecurity Standard Practice Guideline - Safety Certification Specification for Personal Information Cross-border Processing Activities V2.0, the Cybersecurity Review Measures, and the Regulations on Children's Personal Information Cyber Protection implement the specific systems that support the PRC's personal information protection legal framework.
At the micro level, legal documents such as the Regulation on Human Genetic Resources Administration, the Measures for the Administration of Population Health Information (trial implementation), the National Management Approach for Healthcare and Medical Big Data Standards, Security and Services (trial implementation), the Code of Practice for the Quality Management of Pharmaceutical Clinical Trials, and the Information Security Technology - Guide for Health Data Security (GB/T 39725-2020) reflect the characteristics of the health and pharmaceutical industries and provide more detailed requirements for the specific contexts in which medical institutions and pharmaceutical companies process personal information.
The PIPL sets out seven legal bases for processing personal information, and medical institutions and pharmaceutical companies can process personal information only if one of the following circumstances exists:
- the personal information subject's consent has been obtained;
- the processing is necessary for the conclusion or performance of a contract in which the subject is a party, or necessary for human resources management pursuant to the labor rules and regulations established in accordance with the law and the collective contracts signed in accordance with the law;
- the processing is necessary for the performance of statutory duties or obligations;
- the processing is necessary for the response to public health emergencies, or for the protection of life, health, and property safety of natural persons in emergencies;
- the personal information is reasonably processed for news reporting, media supervision, and other activities conducted in the public interest;
- the personal information disclosed by the subject themself or other legally disclosed personal information of the subject is reasonably processed in accordance with the PIPL; and
- other circumstances as provided by laws or administrative regulations.
If medical institutions and pharmaceutical companies process personal information based on the consent of the subject, they shall also obtain the prior and separate consent of the subject in the following contexts:
- processing sensitive personal information;
- providing personal information to other personal information processors;
- publicly disclosing the personal information they process;
- using personal images and identification information collected through image collection and personal identification equipment installed in public places for purposes other than maintaining public security; and
- providing personal information outside the territory of the PRC.
Please note that a 'personal information processor' refers to an organization or individual that autonomously determines the purposes and means of personal information processing, which is similar to the definition of data controller under the General Data Protection Regulation (GDPR).
Medical institutions and pharmaceutical companies shall, before processing personal information, truthfully, accurately, and fully inform a subject of the following matters in an easy-to-notice manner and in clear and easy-to-understand language:
- the name and contact information of a medical institution or a pharmaceutical company;
- the purposes and means of personal information processing, and the categories and storage periods of the personal information to be processed;
- the methods and procedures for a subject to exercise their rights as provided in the PIPL; and
- other matters that a subject shall be notified of as provided by laws and administrative regulations.
Where any matter as set forth in the preceding paragraph changes, the subject shall be informed of the change. Where a medical institution or a pharmaceutical company informs a subject of the matters specified in the first paragraph by formulating personal information processing rules, the processing rules shall be made public and be easy to consult and save.
In addition, when processing sensitive personal information, providing personal information to other processors, or transferring personal information outside the territory of the PRC, medical institutions and pharmaceutical companies shall, beyond the general notification obligations above, also inform subjects of the following matters in advance:
- processing sensitive personal information: the necessity of the processing and its impact on the subject's rights and interests (PIPL, Article 30);
- providing personal information to other processors: the recipient's name and contact information, the purposes and means of processing, and the categories of personal information to be processed (PIPL, Article 23); and
- transferring personal information outside the territory of the PRC: the overseas recipient's name and contact information, the purposes and means of processing, the categories of personal information to be processed, and the methods and procedures for the subject to exercise their rights under the PIPL against the overseas recipient (PIPL, Article 39).
Categorization and classification management
Medical institutions and pharmaceutical companies process many different categories of data in their daily operations. In order to take protection measures appropriate to the risks of each category of personal information processing, they shall, in accordance with legal documents such as the PIPL, the Regulation on Human Genetic Resources Administration, and the Guide for Health Data Security, establish a categorized and classified system and protect personal information according to its importance in economic and social development and the extent of harm to national security, public interests, or the lawful rights and interests of individuals or organizations that would result if the personal information were altered, destroyed, leaked, or illegally obtained or used.
In general, medical institutions and pharmaceutical companies process the following categories of personal information in their daily operations:
- Population health information: basic population information and medical and health service information originating in the service and administration processes of medical, health, and family planning service agencies at all levels, carried out in accordance with state laws and regulations and their functions and duties. Source: Measures for the Administration of Population Health Information (trial implementation).
- Personal healthcare data: electronic data that, alone or in combination with other information, can identify a specific natural person or reflect the physical or mental health of a specific natural person, including personal attribute data, health status data, medical application data, medical payment data, health resource data, and public health data. Source: Guide for Health Data Security (GB/T 39725-2020).
- Healthcare and medical big data: healthcare-related data generated during disease prevention and treatment, health management, and similar activities. Source: National Management Approach for Healthcare and Medical Big Data Standards, Security and Services (trial implementation).
- Human genetic resources: the materials of human genetic resources (genetic materials such as organs, tissues, and cells that contain human genomes, genes, and other genetic substances) and information on human genetic resources (information materials such as data generated from the utilization of those materials). Source: Regulation on Human Genetic Resources Administration.
- Pharmaceutical clinical trial data: source data (all information recorded in original records or certified copies in a clinical trial) and source documents (the original records, documents, and data generated in a clinical trial). Source: Code of Practice for the Quality Management of Pharmaceutical Clinical Trials.
Based on this categorization, medical institutions and pharmaceutical companies also need to consider the degree of sensitivity, the level of risk, and the possible damage and impact on subjects: for example, classifying personal information into levels such as general personal information, sensitive personal information, and important data.
According to the PIPL, sensitive personal information is personal information that, once leaked or illegally used, may easily lead to the infringement of the personal dignity of a natural person or may endanger their personal safety or property, including information such as biometrics, specific identity, medical health status, and financial accounts, as well as the personal information of a minor under the age of 14. For example, the health status data, medical application data, and medical payment data listed above relate to biometrics, medical health status, and financial account information and may generally be identified as sensitive personal information.
According to the DSL, important data refers to data that may endanger national security and public interests if it is tampered with, destroyed, leaked, or illegally accessed or used. However, the PRC has not yet issued clear rules on how important data is to be defined and identified, and the health and pharmaceutical industries have not yet issued a catalogue of important data. At present, medical institutions and pharmaceutical companies may refer to the draft Regulations on the Management of Cyber Data Security, the draft Information Security Technology - Guidelines for Data Cross-border Transfer Security Assessment, and the draft Information Security Technology - Identification Guide of Important Data to assess whether the personal information they process may be considered important data. For personal information that may be identified as important data, medical institutions and pharmaceutical companies are advised to comply with both the personal information protection and the important data protection requirements, applying the more stringent protection.
In addition, medical institutions and pharmaceutical companies can refer to the Guide for Health Data Security to classify the personal information they process into five levels.
Personal information sharing
There are three main types of personal information sharing:
Entrusted processing of personal information
A medical institution or pharmaceutical company entrusting the processing of certain personal information to another party shall agree with the entrusted party on the purposes, period, and means of processing, the categories of personal information to be processed, the protection measures, and the rights and obligations of both parties, among other matters, and shall supervise the personal information processing activities of the entrusted party. A medical institution or pharmaceutical company could refer to the Data Processing Use Agreement Template in the Appendix of the Guide for Health Data Security when drafting the agreement with the entrusted party.
If a medical institution or pharmaceutical company, as an entrusted party, processes personal information on behalf of another personal information processor, it shall process the personal information in accordance with the agreement and shall not process it beyond the agreed purposes and means; if the entrustment contract does not take effect, or is invalid, revoked, or terminated, it shall return the personal information to the personal information processor or delete it, and shall not retain it. Without the consent of the personal information processor, a medical institution or pharmaceutical company acting as an entrusted party shall not subcontract the processing of personal information to others.
Provision of personal information to other personal information processors
To provide personal information to any other processor, a medical institution or pharmaceutical company shall inform subjects of the recipient's name and contact information, the purposes and means of processing, and the categories of personal information to be processed, and shall obtain the subjects' separate consent. The recipient shall process the personal information within the scope of the purposes, means, and categories mentioned above. If the recipient changes the original purposes or means of processing, it shall obtain the subjects' consent again in accordance with the PIPL.
Joint processing of personal information
Where two or more medical institutions or pharmaceutical companies jointly determine the purposes and means of processing certain personal information, they shall reach an agreement on their respective rights and obligations in processing the personal information. However, this agreement shall not affect a subject's request to any one of them to exercise their rights as provided in the PIPL. Where, in jointly processing certain personal information, a processor infringes the rights and interests regarding personal information and causes damages, other personal information processors shall bear joint and several liability in accordance with the law.
Organizational structure and internal management system
According to the PIPL, a personal information processor that processes personal information in a volume reaching the threshold prescribed by the national Cyberspace Administration of China (CAC) shall designate a person in charge of personal information protection, who shall supervise the processor's personal information processing activities and the protective measures it takes, among other duties. The personal information processor shall disclose the contact information of the person in charge of personal information protection and submit that person's name, contact information, and other details to the departments with personal information protection duties. However, the PRC has not yet defined the threshold referred to as 'personal information up to the amount prescribed by the national cyberspace administration.'
According to the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020), a medical institution or pharmaceutical company that meets any of the following conditions also needs to appoint a full-time person in charge of personal information protection and establish a working body for personal information protection:
- its main business involves the processing of personal information and it has more than 200 staff;
- it processes the personal information of more than one million subjects, or expects to do so within a 12-month period; or
- it processes the sensitive personal information of more than 100,000 subjects.
Multiple departments within a medical institution or pharmaceutical company may need to process personal information, and personal information from different sources may become commingled. For example, mixing research data obtained from different research projects within a medical institution or pharmaceutical company may change the purposes and means of processing that subjects were informed of when their personal information was collected. In order to ensure that personal information processing activities comply with laws and administrative regulations, and to prevent unauthorized access to, as well as breach, tampering, or loss of, any personal information, medical institutions and pharmaceutical companies shall also take the following institutional measures:
- formulating internal management systems and operational procedures for the protection of personal information;
- reasonably determining operational permissions for personal information processing;
- providing guidelines and requirements for the protection of personal information to practitioners, and regularly conducting security education and training for practitioners; and
- formulating contingency plans for personal information security incidents and organizing the implementation of such plans.
In addition, as a personal information processor, a medical institution or pharmaceutical company shall regularly audit its personal information processing activities for compliance with laws and administrative regulations. In any of the following circumstances, a medical institution or pharmaceutical company shall assess the impact on personal information protection in advance and keep records of the processing activities:
- processing sensitive personal information;
- using personal information to conduct automated decision-making;
- entrusting personal information processing to another party, providing personal information for another party, or publicizing personal information;
- providing personal information for any party outside the territory of the PRC; or
- conducting other personal information processing activities which may have a significant impact on subjects.
The impact assessment on personal information protection shall include the following content:
- whether the purposes and means of personal information processing are legitimate, justified, and necessary;
- the impact on subjects' rights and interests, and security risks; and
- whether the protection measures taken are legitimate, effective, and compatible with the degree of risks.
Moreover, the report of the impact assessment on personal information protection and the processing record shall be retained for at least three years.
Therefore, in order to fulfill the obligation to conduct compliance audits and Personal Information Protection Impact Assessments (PIPIAs), it is recommended that medical institutions or pharmaceutical companies formulate and implement compliance audit systems and PIPIA systems according to the actual situation and the PIPL.
Protection of subject rights
According to the PIPL, the accuracy and completeness of personal information shall be ensured during processing, to avoid adverse impacts on subjects' rights and interests caused by inaccurate or incomplete personal information. At the same time, the PIPL grants subjects a series of rights in personal information processing activities. In this regard, medical institutions and pharmaceutical companies shall establish mechanisms for receiving and handling subjects' requests to exercise their rights. Where a subject's request is rejected, the reasons therefor shall be given. According to the Provisions on the Protection of Personal Information of Telecommunications and Internet Users, a personal information processor shall establish a user complaint mechanism, publish effective contact information, accept complaints related to the protection of users' personal information, and reply to the complainant within 15 days of receiving the complaint. According to the draft Regulations on the Management of Cyber Data Security, a personal information processor shall handle rights requests from subjects and provide feedback within 15 working days. The rights of subjects, the corresponding obligations of personal information processors, and the corresponding provisions of the PIPL are summarized as follows:
- The right to withdraw consent (PIPL, Article 15): where personal information processing is based on a subject's consent, the subject has the right to withdraw that consent. Processor's obligation: providing convenient ways for subjects to withdraw their consent.
- The right to be informed and the right to make decisions (PIPL, Article 44): subjects have the right to be informed of and to make decisions on the processing of their personal information, and the right to restrict or refuse the processing of their personal information by others, except as otherwise provided by laws or administrative regulations. Processor's obligation: performing notification obligations to subjects, and stopping all or part of the personal information processing activities at the request of subjects.
- The right to consult and duplicate (PIPL, Article 45): subjects have the right to consult and copy their personal information held by personal information processors, except under the circumstances set out in Articles 18(1) and 35 of the PIPL. Processor's obligation: providing such information in a timely manner.
- The right to transfer personal information (PIPL, Article 45): subjects have the right to have their personal information transferred to a personal information processor they designate. Processor's obligation: providing means for the transfer where the subject's request meets the CAC's conditions for transferring personal information.
- The right to rectify or supplement (PIPL, Article 46): where a subject discovers that their personal information is incorrect or incomplete, they have the right to request the personal information processor to rectify or supplement it. Processor's obligation: verifying the information in question, and making rectifications or supplementations in a timely manner.
- The right to erase (PIPL, Article 47): when the circumstances stipulated in Article 47 of the PIPL occur, subjects have the right to request the deletion of their personal information. Processor's obligation: deleting the personal information at the subject's request, and deleting it on its own initiative in the circumstances listed in Article 47.
- The right to request an explanation (PIPL, Article 48): subjects have the right to request personal information processors to explain the personal information processing rules they have formulated. Processor's obligation: explaining the personal information processing rules at the request of subjects.
- The right to refuse automated decision-making (PIPL, Article 24): where a decision that may have a significant impact on a subject's rights and interests is made through automated decision-making, the subject has the right to request an explanation from the personal information processor and the right to refuse a decision made solely by automated means. Processor's obligation: providing an explanation at the subject's request, and not making such a decision solely through automated decision-making where the subject refuses.
- Protection of the personal information of the deceased (PIPL, Article 49): the close relatives of a deceased natural person may, for their own legal and legitimate interests, exercise the rights of consultation, duplication, rectification, and deletion over the personal information of the deceased as provided in the PIPL, except as otherwise arranged by the deceased before death. Processor's obligation: assisting the close relatives of the deceased in exercising these rights, except as otherwise arranged by the deceased before death.
In addition to regulating the processing of personal information through institutional measures, medical institutions and pharmaceutical companies are required to take appropriate technical measures to safeguard the security of personal information. According to the PIPL, the CSL, the DSL, the Measures for the Administration of Cybersecurity of Medical Institutions, the Measures for the Administration of Population Health Information (trial implementation), and the National Management Approach for Healthcare and Medical Big Data Standards, Security and Services (trial implementation), medical institutions and pharmaceutical companies are required to take at least the following technical measures:
- fulfilling the obligations of graded cybersecurity protection;
- taking technical measures to prevent computer viruses and cyber-attacks, cyber intrusion, and other acts that endanger cybersecurity;
- adopting technical measures to monitor and record cyber operation status and cyber security events, and retaining relevant cyber logs for not less than six months;
- adopting measures, such as data classification, backup of important data, encryption, and de-identification;
- establishing reliable data disaster recovery and backup mechanisms, and conducting regular backup and recovery tests;
- establishing strict electronic real-name authentication and data access control, and standardizing traceability management of the data access, use, and destruction processes; and
- complying with the cybersecurity review system.
In addition, where the breach, tampering, or loss of personal information occurs or may occur, medical institutions and pharmaceutical companies shall immediately take remedial measures and notify the departments with personal information protection duties and the relevant subjects.
Danjun Wu, Partner
Guantao Law Firm, Shanghai