— Interpretation of the Administrative Measures Regarding National Healthcare Big Data
By Jacky Li
In the context of economic globalization and the age of information explosion, cyberspace security has been escalated to national security and sovereignty level, and triggered legislative and judicial actions across nations. 2016 was a particularly busy year as the Cyber Security Law of China (the “Cyber Security Law”), and its extraterritorial counterpart, the European Union’s General Data Protection Regulation (“GDPR”), were promulgated. Following the Cyber Security Law taking effective in June 1, 2017 and GDPR coming into force on May 25, 2018, the legislators in other jurisdictions, such as Japan and India, are now either working on or planning, similar updates by revisiting existing data laws, promulgating new legislation, or implementing through enforcement actions[1].
There is no doubt that data compliance is becoming an unignorable mission of the global legal community, and China, as the largest and most promising market in the world, is definitely among the hotspots. More and more local or international enterprises in China have started to spend efforts and resources on data compliance and touched upon the base work through the coordination among internal and external counsels, IT security officers and other stakeholders in the company. As external counsel, some of the questions that we have been constantly asked about in regards to data compliance are “How to develop the compliance framework within each jurisdiction while keeping consistency with the global standards?”, “What is the best way to maintain cost-efficiency whilst being compliant?”, and “Is there any must-do list for data compliance in China?”. These are all very good questions and down-to-earth considerations, however, in reality there is no cure-all and forever-effective solution for all companies. This is due to the volatility of the everchanging enforcement big environment, the absence of clarity in the legislations and; the complicated nature of the data compliance itself which covers the expertise ranging from legal, technology, information governance, etc.
Key Legislation Update of Healthcare Data Compliance in China
For healthcare, a compliance-centric industry with inborn sensitivity to the legislation updates and enforcement trends, data compliance has been marked as a priority. After the Cyber Security Law, there have been a series of legislations, semi-legislative guidance being published or entering into force, including the Personal Information Security Specification (GB/T 35273-2017) (“PISS”) [2], the Administrative Measures on Internet Hospital (for Trial Implementation)[3], the Administrative Measures on the Standards, Security and Services regarding National Healthcare Big Data (for Trial Implementation) (the “Healthcare Data Measures”)[4].
Notably, as a key regulation published by the National Health Commission, the Healthcare Data Measures announced the direction of regulating the use and application of the healthcare related data from a compliance perspective. In summary, there are three main characteristics of this framework guidance:
An Industry-Defined Scope
In accordance with the Healthcare Data Measures, the healthcare big data refers to the data generated during the process of disease prevention or treatment, and health management of people. This is much more extensive than personal information or medical treatment related data[5], and therefore, all types of entities in this industry including medical institutions, pharmaceutical companies, medical device manufacturers, wearable product manufactures, genetic sequencing companies, Hospital Information System developers, AI technology companies, fitness management and consulting companies etc. (hereinafter collectively referred to as “the healthcare data responsible entities”), will fall into the scope.
Adoption of the “Chief Accountability System”
Compared with the general description contained in the Cyber Security Law regarding the responsibilities and accountabilities for “the supervisor directly in charge and other directly liable persons”[6], the Healthcare Data Measures further stipulates the adoption and implementation of the chief accountability system which means the head of the healthcare data responsible entity should be responsible for the data protection obligations including the establishment of the data security management system, and supervision over the protection of the healthcare data[7]. Although the individual’s liability is not clarified in this legal document, the tone of “holding the head accountable for data security matters” in nature could imply the severity and the significance of data security for healthcare.
Industry-Specific Data Protection Requirements
The data protection requirements under the Healthcare Data Measures are in general consistent with the Cyber Security Law, but it does include more stringent and specific standards. For example, the Healthcare Data Measures clearly stipulates that all data related to the health and medical treatment of the Chinese citizens should be stored within the territory of China and subject to stringent supervision regardless of whether the entity is identified as the Critical Information Infrastructure Operation under the Cyber Security Law[8]. Also, specific requirements such as the real-name authentication, data access control, tracking of the whole process for data access, use and destruction, etc., are clarified[9]. A more industry specialized aspect could be reflected in the obligation of ensuring data quality, which requires the responsible entities to standardize the collection methods and procedures, to strictly implement the verification process during the data collection and to make sure that information accuracy of the data subject and consistency among the data fields.[10]
In general, instead of providing a detailed set of implementation requirements, the promulgation of the Healthcare Data Measures is more like a commitment to data compliance from the top government regulatory authority, which indicates a more industry-focused supervisory trend and ambition. Although the detailed implementation rules and industry standards are still being developed, we are aware that the supervisory authorities such as the National Health Commission have already been conducting data security inspections this year. The rationale and purpose behind the inspections is not only to identify the data security issues, but also for the authorities to become more interactive with enterprises, in order to better understand those industry problems, general practice, compliance status, and improvement directions. The methods of inspections include on-site visits to the operation location, remote on-line testing of the information systems, as well as requiring the companies to submit self-assessment reports.
Practical Recommendations for Implementation of Healthcare Data Compliance in China
Based on our interpretation of the Healthcare Data Measures and relevant laws and regulations, as well as our understanding of the industry and experience in data compliance, there are a few practical recommendations and thoughts we would like to share on healthcare data compliance practice in China:
1. Cultivate a data security environment from the management awareness to employee self-discipline
(1) Cultivate the top-down data compliance environment
The establishment of a top-down data security environment is always a prioritized working item to achieve the goal of data compliance. The management of the responsible entities should be fully aware of the responsibilities and accountabilities for data compliance, especially given the involvement of potential individual liabilities. Incorporating data security as a component of performance goals and evaluation can be an effective way to foster the compliance environment and reinforce the importance of data security.
(2) Take proactive measures to strengthen employees’ understanding
The 2018 Data Breach Investigations Report published by Verizon, a telecommunication carrier in the United States, shows that the healthcare industry has the distinction of being the only one that has a greater insider threat than it does an external threat, which means there is a large amount of both errors and employee misuse for data breach cases[11]. Therefore, management also needs to:
1) Take measures to ensure that the value of data compliance is timely conveyed to all the employees through publishing compliance policies and providing on-line or townhall trainings; and
2) Incorporate the data protection responsibilities and data security violation into the employee handbook to curb employees’ potential motivation to mastermind creative (read fraudulent) approaches, such as trading data to serve personal interests.
All the compliance efforts should be properly documented and could be used as a reasonable defense for company to demonstrate a segregation between employee’s act and entity’s will, and therefore be exempt from legal liabilities under the circumstances where employees commit personal information infringement violations, as we can see from the Nesli case in 2016 and 2017, in which, the court explicitly stated that Nesli’s internal compliance policies containing specific prohibition on personal information infringement are deemed as the proof for individual crime instead of unit crime.[12]
(3) Interact with internal and external resources
Additionally, advocating the data compliance efforts through internal and external channels (i.e. the website, a company’s annual report) and positive interaction with respective players (i.e. the regulators, enforcement agencies, and competitors) could also be valuable in enhancing the overall data compliance awareness and standards of the industry.
2. Conduct inventory of the data and information systems, keep updating it on a regular basis
(1) Inventory regarding data category
The significance and complicity of this step is often underestimated by companies. For some common healthcare data, such as medical records, medical insurance records, medical product or service transaction records, physiological data generated by medical device and wearable products, genetic data, etc., once the general data category or type is determined, the next step is to specify the data by source, the detailed types of information and storage location. In a real case, after the data inventory, a company discovered that the personal information collected directly through the medical device containing the name, ID number, mobile number, address, is stored in an internal information system for which the server leased from a cloud provider is located in the United State, which is a definite violation of the Healthcare Data Measures.
(2) Inventory regarding information system
In addition to healthcare data, as for the healthcare information system, the basic category includes the Hospital Information System, Laboratory Information System, Enterprise Resource Management System, Intelligent Data Analysis System, etc. The details for each category might involve the vendor, and the security measures (i.e. anti-virus protection, password protection, access control). In practice, we note that it is a very common issue for healthcare data responsible entities to exert loose access control to the core information systems or to grant unnecessary authorizations to personnel irrelevant to certain functions, which could be deemed as a deviation from article 23 of the Healthcare Data Measures requesting the healthcare data responsible entities to establish a strictly controlled authentication and access control system to ensure the traceability of any data incidents and to mitigate the potential risks.
(3) Necessity for data inventory efforts
Data inventory is in principle, the preparation step for all the other data compliance working items such as data classification and infrastructure planning. The inventory process requires patience, prudence, and also effective cooperation among different functions. Also, it should be clarified that under the China data protection laws, in addition to the personal information, there is another concept called “important data”, which is also subject to more stringent restrictions such as compulsory encryption and back-up requirements, and cross-border data transfer[13]. Currently, although there is no clear definition on important data in the Cyber Security Law, the draft version of the Measures for Security Evaluation regarding Cross-border Data Transfer of Personal Information and Important Data[14] states that important data refers to the data closely relevant to national security, economic development and social public interests. It is suggested that company should measure the data assets through a quantitative and qualitative inventory process to plan ahead for compliance purposes. Also, the inventory needs to be updated on a regular basis.
3. Design the life cycle of the data flow from collection to destruction, establish the formal protocols and document the implementation status
Article 16 of the Healthcare Data Measures states that the security management of the healthcare data relates to the management of the data security during the collection, storage, mining, application, operation, transfer, etc., which should cover the whole lift cycle of the data flow. When designing the life cycle of the data flow, the concept of Privacy by Design[15], globally recognized though without compulsory legal force, could be a valuable reference. Also, the fundamental principle is the idea of valuing privacy from a “design-thinking” perspective and incorporating privacy into organizational priorities, project objectives and designing processes:
(1) Tailor the consent mechanism during data collection
Privacy policy and consent collection mechanisms need to be carefully designed before the collection. We have been frequently asked by multi-national clients whether it is feasible to just translate their global version into Chinese. A quick answer to this question is “it is not recommended, and will usually take more time to do the revision than preparing a new one”. In principle, privacy policy is tantamount to a contractual agreement between the data collection party and the data subjects and all the statements made in the privacy policy should accurately reflect the real practice regarding collection, storage, transfer, use, retention period, etc. It is commonly misunderstood that the privacy policy will only address the data collected from website, or mobile Apps, but the fact is that all the data collection channels should be included in the policy. For example, as for wearable medical devices, explicit consent for the data collection related to the products and devices is especially important due to the sensitivity of the data category (i.e. genetic data, health status data, heart rate statistics, etc.), therefore, consent collection needs be embedded into the configurations of the product or service with privacy policy being displayed to the users.
The principle of data minimization should be adopted and considered before the collection stage, the first step of the data life cycle and a very important controlling point. Consider whether all the data collected is necessarily required by the company and serve the legitimate interests, and if the collection of certain type of information cannot be justified, adjust the configuration and constrain the scope immediately.
(2) Complete data localization and limit access by extraterritorial parties
As analyzed above, the Healthcare Data Measures clearly regulates the data localization requirement for all the data related to the health and medical treatment of the Chinese citizens, which includes, but not limited to, the personal information. Considering the server transition will inevitably complicate the information infrastructure of the entity, it is suggested that a thorough review regarding the data flow and the system interface could be conducted as soon as practical. Additionally, it should be noted that access control needs to be strictly implemented to avoid unnecessary access to the data by extraterritorial parties such as headquarters in other jurisdictions.
(3) Assess the necessity for data processing and transfer, conduct due diligence, reach contractual agreements and complete proper documentation
The healthcare data responsible entities should bear in mind that the party collecting the data will be the main responsible party during the whole life cycle, therefore, in order to contain the risk arising from the data transfer or the processing by the other parties, the healthcare data responsible entities should:
only choose the reliable vendors and incorporating data security elements in to the due diligence process;
prudently revise the contracts with the vendors (a specific data security addendum is preferred) to clarify the rights and obligations for each party (i.e. applicable security standards, restriction on sub-contracting, restriction on cross-border transfer, etc.;
before the transfer, conduct de-identification if the purpose for the transfer and process is not related to profiling or other similar cause;
conduct data audits whenever necessary.
If there is any transfer occurring among the affiliated parties, the party collecting the data should also reach the contractual agreements with those that receive the data, clarifying the rights and obligations for each party. Proper records should also be maintained for all the transfers that occur regardless of type of the receiving party.
(4) Design a data retention protocol with effective implementation
A data retention protocol should be established to determine the justifiable retention period of each type of data, document the implementation of destruction or the reason for any exception.
Further, premised on the capability of ensuring the confidentiality, integrity, and availability, data cleaning could be utilized as an effective approach to ensure the data accuracy and reduce the repetitive amount of data. Additionally, in accordance with the Cyber Security Law[16], the responsible entity collecting the data needs to fulfill a data subject’s request for editing or deleting his/her personal information.
4. Identify the security risks of the information systems, eliminate the risks and complete the graded protection evaluation
(1) Obligations under the graded protection framework
The Cyber Security Law officially confirms the legal status of the graded protection system in China, a well-organized framework aiming at protection the data security from the perspectives including infrastructure development, information governance and internal management control. It is also reiterated in the Healthcare Data Measures that the responsible entity shall establish the reliable data security environment based on the national graded protection system[17]. Depending on the complicity of the information system and the potential consequences for system destruction, there are five grades with the protection level in ascending order, for example, the Internet hospital is legally required to pass the third grade and for pharmaceutical distributor, the second grade will be the applicable level. Regardless of the grade, the general requirements include:
(2) Process for the graded protection work
Pursuant to the Administrative Measures for the Graded Protection of Information Security[18], the whole process for graded protection includes:
It should be noted that the Public Security Authorities, and the Industry and Information Technology Authorities will both conduct unannounced inspections on the companies regarding the obligation to complete the graded protection framework. In response to this legal obligation, we would suggest the responsible entity to conduct the inventory of the information systems first, identify the potential risks accordingly, consult with the data compliance experts in the specific standards and requirements under the graded protection system, make improvements, and complete the evaluation by a certified organization.
Conclusion
Due to the evolving legislation and enforcement trends, the abovementioned recommendations are not considered to be exhaustive and are subject to further updates. Furthermore, it is expected that there will be more specific and stringent legislations or official guidance for the healthcare industry, especially regarding the implementation for data localization and graded protection framework. Also, the industry supervisory authorities are likely to be more active in data security inspection and enforcement actions. Therefore, for all the responsible entities in this industry, it will never be a good approach to just sit and wait until a clear boundary for compliance related matters is put forth by the authorities. Proactive measures that should be taken include cultivating compliance awareness, conducting data inventory, designing the life cycle data protection and completing the graded protection evaluation. We suggest these measures are adopted in a timely manner to achieve periodical compliance results, as well as generally being prepared and responsive to any upcoming challenges.
1. Japan passed extensive reforms to the Act on the Protection of Personal Information in September 2015 and it took effective on May 30, 2017. India released its Personal Data Protection Bill,2018 on July 27, 2018.
2. 《个人信息安全规范》, a national standard promulgated on December 29, 2017 and Effective from May 1, 2018.
3. 《互联网医院管理办法(试行)》, promulgated on July 17, 2018 and Effective from July 17, 2018.
4. 《国家健康医疗大数据标准、安全和服务管理办法(试行)》, promulgated on July 16, 2018 and effective from July 16, 2018.
5. Article 4 of the Healthcare Data Measures.
6. Article 21, 56, 59-69 of the Cyber Security Law.
7. Article 17 of the Healthcare Data Measures.
8. Article 30 of the Healthcare Data Measures.
9. Article 23 of the Healthcare Data Measures.
10. Article 29 of the Healthcare Data Measures.
11. 2018 Data Breach Investigations Report, available at: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
12. The appellate verdict was render on May 31, 2017 by Lanzhou Intermediate People's Court of Gansu Province.
13. Article 21 and article 37 of the Cyber Security Law.
14. 《个人信息和重要数据出境安全评估办法》(征求意见稿),published on April 11, 2017.
15. Privacy by Design-The 7 Foundational Principles Implementation and Mapping of Fair Information Practices, published by Ann Cavoukian, Ph.D. of the Information & Privacy Commissioner, Ontario, Canada, 1995.
16. Article 43 of the Cyber Security Law.
17. Article 19 of the Healthcare Data Measures.
18. 《信息安全等级保护管理办法》, promulgated on June 22, 2007 and effective from June 22, 2007.
