
Three questions on medical data compliance

Zhou Hanshuo, Yuan Lizhi, Beijing Jingtian & Gongcheng Law Firm, 2022-07-23

Authors: Zhou Hanshuo / Yuan Lizhi

(This article was first published on China Business Law Journal column "Life sciences & healthcare", authorised reprint)


On 10 June, the eagerly awaited Data Security Law (DSL) was passed. It clearly provides that each region and department is responsible for the data collected and generated in its work and for the security of that data, and that the competent department of each industry is responsible for regulating data security in that industry. In other words, data regulation ultimately follows the business, and the rules differ from industry to industry.


The compliant use of medical data may bear on the business development, product registration and even domestic and overseas listing of medical companies. As a useful starting point, this article examines three questions.


What is medical data?


There is no direct definition of “medical data” in Chinese law. Companies should judge whether it falls into one or several specific data types based on the specific data and different regulations and industry standards.


Personal information

Under the Civil Code, the second draft of the Personal Information Protection Law (PIPL) and the Information Security Technology – Personal Information Security Specification, personal information refers to all kinds of information, recorded in electronic or any other form, that relates to identified or identifiable natural persons, excluding information that has been anonymised.


It is worth noting that, for the definition of identification, the PIPL draft adopts a method more similar to the definition method of “identification + association path” in the EU’s General Data Protection Regulation (GDPR), which has a wider scope than that in the Civil Code and the Cyber Security Law (CSL).

Data/important data

In the DSL, data refers to any record of information in electronic or non-electronic form. Each region and department will determine the important data of its corresponding region/department/industry/field for key protection. The Information Security Technology – Guidelines for Cross-Border Data Transfer Security Assessment (Draft for Comments) and its appendices 18 (population health) and 21 (food and drugs) cover a wide range of important data, such as diagnosis, treatment and health data, genetic information, drug experimental data related to strategic safety, and clinical trial data/reports of class II/III devices.

Human genetic resources information

Human genetic resources information refers to the data generated by organs, tissues, cells and other genetic materials containing human genome, genes and other genetic materials under the Biosafety Law (BSL), the Regulations on the Administration of Human Genetic Resources (RAHGR) and the service guide of the Ministry of Science and Technology, covering relevant information in clinics, imaging, biomarkers, genes and other medical data.

Healthcare data and healthcare big data

According to the Administrative Measures on Standards, Security and Services of National Healthcare Big Data (Trial), healthcare data and healthcare big data include personal healthcare data and healthcare-related data obtained after processing personal healthcare data, such as data of personal attributes, health, medical applications, medical payment, health resources and public health. In the Information Security Technology – Guide for Health Data Security, healthcare big data refers to the data related to healthcare generated in the process of people’s disease prevention and health management.

Population health information

In the Measures for the Administration of Population Health Information (Trial), this refers to basic population information, medical and health service information, and other population health information including electronic information produced by health and family planning service institutions in the service and management process.

Medical records and medical files

The Regulations on the Management of Medical Records in Medical Institutions provides that medical records refer to words, symbols, charts, images, slices and other data formed by medical personnel during medical activities; the medical records will form “medical files” after archiving.


Who processes medical data?


What is “processing medical data”? According to the DSL and draft PIPL, processing behaviour includes not only the collection, storage and use of data/personal information, but also its processing, transmission, provision and disclosure. The identities of processing subjects include:


1. Processors, controllers/entrusted processors

The DSL and draft PIPL continue the concept of “processor” adopted in the Civil Code. Generally speaking, the “processor-entrusted processor” under the draft PIPL is roughly equivalent to the “controller-processor” under the GDPR. However, the specific differences between the two concepts in terms of rights and obligations deserve further analysis.


For example, as far as healthcare information system providers, healthcare data companies, and auxiliary diagnosis and treatment solution providers are concerned, if their processing of data is for, or serves, the controller, they are “entrusted processors” under the Guide for Health Data Security, and the special obligations of the “controller” are not applicable.


The draft PIPL uniformly uses the concept of “processor” when it comes to the cross-border transfer of personal information. So, under the draft PIPL, do institutions that are clearly identified as “entrusted processors” under the Guide for Health Data Security need to fulfil the obligations of a processor, such as security assessment, filing and approval, when providing personal information that carries personal healthcare data across borders? Like the differing rights and obligations between “processor-entrusted processor” and “controller-processor”, this has yet to be clarified.

2. Critical information infrastructure operator (CIIO)

Although the scope of CIIO under the CSL is not very clear, and the cross-border management measures for other data processors by regulatory authorities such as the Cyberspace Administration of China have not yet been issued, it is generally understood that only a basic information network operator can constitute a CIIO, and it is unlikely that ordinary companies in the industry will fall into the CIIO scope.

3. Foreign entities

In accordance with RAHGR, foreign entities refer to foreign organisations and institutions established or actually controlled by foreign organisations and individuals. RAHGR makes no provision on what is meant by “control”. The industry is looking forward to the promulgation of detailed rules for the implementation of RAHGR, and one of the focuses includes this issue.


How to deal with all this?


Personal information

The Civil Code, Consumer Rights Protection Law, etc. all put forward requirements for the protection of personal information in specific activities. This version of the PIPL makes general provisions on the protection of “personal information”, including:


● In addition to the six exceptions provided in article 13 of the draft PIPL, personal information processors need to obtain personal consent when processing personal information;

● Any change in the processing purpose and method and type of personal information shall be subject to personal consent again, and processing of sensitive personal information (including healthcare information) requires separate personal consent; and

● Personal information processors that provide basic internet platform services with a large number of users and complex business types need to set up independent supervision organisations and fulfil specific obligations.


Non-personal information


Previous relevant laws and regulations usually excluded “anonymised information” from personal information, and this version of the PIPL continues this idea.


In practice, medical companies (especially medical AI companies) often choose to “mask” medical data, which includes “de-identification” and “anonymisation” from the perspective of technical processing. The difference is that “de-identification” still retains individual granularity and has the possibility of recovery, while “anonymisation” not only cannot “identify + associate” but also cannot recover the data.


Therefore, companies need to pay attention to verification and screening. If personal information is only “de-identified”, it is still personal information, and compliance with the requirements of personal information management in all links is still required.


For masked medical data, there are exceptions to the requirement of obtaining personal consent/re-consent, so masking measures such as “de-identification” are not without value for medical companies. For example, the Guide for Health Data Security provides that restricted data sets that have been partially de-identified can be used or disclosed by the controller without authorisation, under certain conditions, when they are used for scientific research, medical health education, public health purposes and other purposes provided by regulations.


However, the draft Ethical Review Measures for Biomedical Research Involving Human Subjects, issued by the National Health and Family Planning Commission of China in March, provide that after being examined and approved by the Ethics Review Committee, if the biological samples/data of identifiable individuals are used for research, and the consent of the subject can no longer be found, the informed consent may be exempted if adequate measures are taken to protect personal information and personal privacy, and commercial interests are not involved.


Domestic storage requirements


If the relevant subjects fall within the scope of CIIO and “personal information processors who process personal information up to the number specified by the national cyberspace department”, the personal information and important data collected and generated in China shall be stored in China.


Apart from the requirements attached to specific subjects, there are similar requirements for certain specific data, including the above-mentioned “important data”, “healthcare big data” and population health information, which are related to national security, the national economy and people’s livelihoods. They are required to be stored in China, and may not be stored on overseas servers, nor hosted or leased on overseas servers.


Requirements for foreign entities in human genetic resources


According to BSL and RAHGR, foreign entities are not allowed to collect and preserve Chinese human genetic resources (including information). The utilisation activities can only be carried out in co-operation with Chinese organisations after completing the examination and approval (international scientific research co-operation) or filing (international co-operative clinical trial for marketing license of medical devices in China).


In addition, the access to or open use of Chinese human genetic resources information by foreign entities can only be provided by Chinese organisations, and the process of reporting, filing, information backup and even security review (if necessary) should be performed.


Data compliance requirements for healthcare data/big data


For healthcare big data, in addition to requirements on domestic storage, there are also network security level protection requirements, and measures such as data classification, important data backup, encryption and authentication should be taken to ensure data security.

The Guide for Health Data Security makes provisions on the category, classification, safety requirements and key measures of healthcare data and personal healthcare data in typical application scenarios such as clinical research, secondary utilisation, medical devices, connection between commercial insurance and social insurance and mobile application.


Export control, risk/security assessment and external supply requirements:


● Providing personal information overseas. At least one of the four conditions provided in the PIPL must be met:

· A security assessment (for CIIO and personal information processors who process personal information up to the specified number);

· A personal information protection certification by professional institutions;

· Clear rights and obligations with overseas recipients according to the standard contract of the cyberspace department; and

· Other conditions provided by laws and regulations or the cyberspace department.


● Personal information and important data to be evaluated. According to the CSL, the Measures for the Management of Medical Big Data, the DSL, and the draft PIPL, processing of certain information, personal information and important data that may affect national security, the national economy and people’s livelihoods, especially when it comes to outbound/external provision, should be subject to a risk assessment, security assessment or national security review.


● Providing data to overseas law enforcement/judicial institutions requires approval. The DSL provides penalties for providing data to overseas law enforcement or judicial institutions without approval. In contrast, the Securities Law has only similar provisions without corresponding penalties, and the International Criminal Judicial Assistance Law has similar provisions but only targets criminal judicial procedures. The DSL provides a clearer legal basis for Chinese companies to refuse cross-border access to data by overseas law enforcement/judicial institutions.


Conclusion


The authors suggest that companies should make relevant compliance preparations for personal information and medical data in advance, and pay attention to legislative trends. For example, a guide to the key points of the registration and evaluation of AI-assisted diagnostic decision-making medical device software issued by the National Medical Products Administration in 2019, and the recently released draft Guiding Principles on Registration Review of Artificial Intelligence Medical Devices put forward these requirements:


Data should be masked during data collection to protect patient privacy, and the types, rules, degrees and methods of masking should be explained; when using a third-party database for software validation, the data in the database should also be masked; and when providing a data source compliance statement, data collection and labelling operation specification in the algorithm research report is to be submitted.


Similarly, the Internet Medical and Health Information Security Management Specification (Draft for Comment), issued by the National Health Commission in June this year, puts forward standardised requirements for the security management of internet medical and health information.


Jingtian & Gongcheng’s Life Science and Healthcare Team has extensive legal and industrial experience in the field. Our lawyers have focused on international and pharmaceutical legal practice for over a dozen years, with working experience at international law firms and top-tier multinational healthcare companies, and many of them are qualified both in China and abroad.


We have advised clients on mergers and acquisitions, technology licensing, contracted manufacturing, co-promotion, business conduct and compliance, and daily operational issues related to pharmaceutical and medical devices companies. For more information, please contact Ms. Hanshuo ZHOU(zhou.hanshuo@jingtian.com, phone: 0086-21-2613 6241, mobile: 0086-18616860012).




About the authors

Zhou Hanshuo

Partner

021-2613 6241

zhou.hanshuo@jingtian.com


Ms. Zhou Hanshuo graduated from East China University of Political Science and Law and the University of Texas at Austin School of Law, holds master of laws degrees from both China and the United States, and is admitted to practise in mainland China and the State of New York.


Ms. Zhou has practised law for more than fifteen years. Her clients include Fortune 500 healthcare companies, large domestic pharmaceutical companies, innovative medical device and medical service companies, and well-known private equity and venture capital funds. She focuses on life sciences and healthcare, with extensive experience not only in manufacturing, distribution and cross-border technology service transactions in the traditional pharmaceutical and device sectors, but in recent years also in many projects in emerging fields such as biotechnology, cell therapy, genetic testing, medical big data and internet healthcare.


Ms. Zhou has been listed for two consecutive years as a “Recommended Lawyer in Healthcare and Life Sciences” in the LEGALBAND ranking of China’s top lawyers. In the Euromoney Women in Business Law Awards 2020 (Asia), she won “Best in Life Science” for the Asia region.





Yuan Lizhi

Partner

021-2613 6222

yuan.lizhi@jingtian.com


Mr. Yuan Lizhi obtained a master’s degree in international law from Shanghai University of International Business and Economics and a master’s degree in international commercial law from the National University of Singapore, and joined Jingtian & Gongcheng at the end of 2016.


Mr. Yuan is a member of the IAPP (International Association of Privacy Professionals) and has passed the CIPP/E, CIPM and CISP examinations. On behalf of Jingtian & Gongcheng he has participated in drafting a number of information security technology standards. He also serves as a distinguished research fellow at the Digital Rule of Law Institute of East China University of Political Science and Law and as an external practice mentor at the School of Law of East China Normal University.


Mr. Yuan’s practice areas are cyber and data law and corporate legal affairs. He has provided cyber and data legal services to many well-known companies, including financial institutions, automobile manufacturers, smart hardware manufacturers, culture and entertainment companies, internet companies, data service providers, cloud service providers and medical institutions, handling a series of cutting-edge and challenging projects, and is a recognised expert in the field.


Mr. Yuan has been named a “Specially Recommended Lawyer” by Legal 500 Asia Pacific in TMT (telecoms, media and technology) (2020) and data protection (2021), ranked in the first tier for “Cybersecurity and Data” in the LegalBand ranking of China’s top lawyers (2020 and 2021), and listed among the top 15 specially recommended Chinese lawyers for cybersecurity and data compliance (2020).





DISCLAIMER

This article is for your reference only and not to be deemed as formal legal advice given by Jingtian & Gongcheng or its lawyers. Please contact us directly for formal legal advice or further discussion about the relevant issues.
