Compliance recommendations for handling personal information under Chinese law during the coronavirus outbreak.
[See the Chinese language version of this article here: 新冠疫情期间中国法下 – 有关个人信息处理的合规建议]
During the Covid-19 outbreak, the processing and protection of personal information can be a pivotal and difficult issue. The key lies in balancing the interests of information/data subjects against the interests of society. Considering that personal information protection legislation in China is still under development, this article sets out the principles for personal information processing, and the possible exceptions during the Covid-19 outbreak, under the current Chinese legal framework. It also offers compliance advice for enterprises that are neither authorised nor eligible to collect or use personal information without the consent of the personal information subjects.
The principal provisions under Chinese law on personal information processing and the possible exception during the Covid-19 outbreak
Generally, obtaining the “consent” of data subjects is the legitimate basis for personal data processing. However, the major personal information protection laws also provide exceptions under certain circumstances, such as processing in the public interest during an epidemic outbreak. For example, Article 9 of the GDPR provides legal bases for exceptions to the “consent” principle in personal data processing. Under Chinese law, the general principle is that the consent of personal information subjects must be acquired before personal information can be collected and used. However, if such processing is for the purpose of preventing and controlling Covid-19, can the principle be set aside? And which institutions or entities can be exempted from it? These are urgent issues to be addressed in practice.
In order to prevent and control infectious diseases and handle public health emergencies, the Law of the People’s Republic of China on Prevention and Treatment of Infectious Diseases, the Regulation on Responses to Public Health Emergencies and other laws and regulations provide that relevant personal information can be collected without the authorisation of personal information subjects by certain departments and institutions, including the people’s government, health administrative departments, disease prevention and control institutions, and medical agencies. Furthermore, the people’s government can authorise relevant departments, institutions and organisations to collect information under the government’s “contingency plan for public health emergencies”. This constitutes an exception to the general principle for personal information processing during the Covid-19 outbreak. However, any other entity or individual that has not been so authorised is not eligible for this exemption.
On February 9, 2020, the Office of the Central Cyberspace Affairs Commission issued the Notice on Effectively Protecting Personal Information and Using Big Data to Support Joint Prevention and Control (the “Notice”). The Notice requires that “except for the institutions authorised by the health department of the State Council in accordance with the Cybersecurity Law of the People’s Republic of China, the Law of the People’s Republic of China on Prevention and Treatment of Infectious Diseases and the Regulation on Responses to Public Health Emergencies, no other entities or individuals may collect or use personal information on the grounds of epidemic prevention and control or disease prevention and treatment without the consent of the personal information subject.” The Notice thus further clarified the exception and the scope of its application for epidemic prevention and control purposes.
Specific compliance advice
During the prevention and control of the current epidemic, the parties that collect and use personal information vary, and the applicable rules differ accordingly. Depending on who collects and uses the information, personal information controllers can be divided into two categories: (1) the government and other public bodies, which collect and publish relevant information on the basis of statutory duties; and (2) unauthorised entities and individuals, which are obliged to report relevant information in support of epidemic prevention and control so that the outbreak can be monitored. For the second category, and especially for employers that are neither authorised to collect or use personal information nor eligible for the exception, our advice is as follows:
Firstly, employers should establish an internal control system for personal information management: clearly stipulate the workflow for information collection, storage and disclosure, and impose confidentiality requirements and disclosure bans on personnel with access to the relevant information. Employers should also clarify job duties and ensure that the whole process of personal information collection and processing is subject to internal scrutiny.
Secondly, employers should implement encryption and secure storage measures to prevent the collected personal information from being accessed without authorisation, tampered with or misappropriated.
Thirdly, if employers plan to use the personal information after the epidemic, they must explicitly state the purpose to the personal information subjects and obtain their consent. This applies unless the enterprise can anonymise the personal information.
Lastly, employers should give personal information subjects the opportunity to view and rectify the information collected, and should delete the relevant information at the request of the personal information subjects.