浅议养老健康领域的个人信息保护 An Overview of Personal Information Protection in the Senior and Health Care Industry

中国自2017年6月1日起开始实施《网络安全法》,于此同时,一系列与之配套的规章制度已经或将要颁布。这一领域的最新立法将对网络的所有者、管理者和网络服务提供者对网络数据及个人信息的保护责任产生深远的影响。养老健康领域的运营者和服务者在此大背景下,亦受到相应的规制,因此有必要尽早为此做好准备,尤其是跨国集团的经营者。

With the implementation of the Cybersecurity Law of the People’s Republic of China (“PRC”) as of 1st June 2017, as well as a series of supporting rules and regulations which have been or will be issued in the near future, a significant impact will be taken on the owners and operators of network, as well as the network service providers, with respect to the liabilities arising from personal data protection. In this context, business operators and service providers, in particular the operators of multi-national companies, in the senior and health care industry are inevitably regulated by the legislation. Therefore, it is advisable to embrace it by taking action sooner rather than later.

个人信息的保护力度加大

Strengthened Protection of Personal Data

同世界上大部分国家一样,自然人的个人信息在中国受到法律保护,任何组织需要获取他人的个人信息,应当通过合法途径取得,不得窃取或者以其他违法的方式获取。根据《网络安全法》的规定,个人信息的收集者应遵循合法、正当、必要的原则进行收集,明示收集与使用的目的、方式和范围。在养老护理领域,需要注意的是,完全民事行为能力人可以对自身信息的处分作出明确授权,因失智导致丧失部分或全部行为能力的老人,则应由其监护人作出明确授权。

Like most countries in the world, China have set the rule to protect personal data. Organizations can only obtain personal data in a legitimate way and are prohibited from obtaining the same by stealing or in any other illegal ways. According to the Cybersecurity Law of PRC, collectors of personal data should follow the principles of legality, legitimacy and necessity, expressly stating the purpose, method and scope of collection and use of personal data. For the senior care industry, it is noteworthy that a person with full civil capacity has the right to grant authorization for disposal of his/her personal data, whilst the authorization for the data of any elderly who suffers dementia and thus loses all or part of his/her civil capacity should be granted by his/her guardian.

此外,中国立法者最近亦更新了刑事和民事领域的法律制度,从不同的维度加强个人信息的保护力度。最新颁布的《民法总则》中明确了自然人的个人信息受法律保护,不得非法收集、使用、加工、传输他人个人信息,不得非法买卖、提供或者公开他人个人信息,以此为被侵权者提供了法律救济途径。另外,《刑法修正案(九)》也对出售、非法提供公民个人信息和非法获取公民个人信息的犯罪行为加大了打击力度。

Furthermore, the PRC legislators have recently also updated both the Criminal Law and Civil Law to strengthen personal data protection from different dimensions. The newly published General Principles of Civil Law provides that the personal data of individuals is protected by the law against illegal collection, use, processing, transmission, transfer, provision and publication, which offers explicit legal basis for infringed parties to seek remedies. On the other hand, the PRC Criminal Law has also, through its 9th Amendment, intensified the crackdown of crimes that sell, illegally provide and procure personal data of citizens.

因此,养老健康领域的经营者无论自行采集还是通过第三方获取客户及被服务对象的个人信息,都必须获得合法的授权,并且在采集、储存、使用时,严格遵守该等授权,同时还需做好个人信息安全和隐私保护工作。有鉴于此,大部分的经营者首先要做的便是审核现有的服务合同,完善和更新相关用户授权条款。

As such, where an operator in the senior and health care industry, whether by itself or via a third party, obtains personal data from its clients or the persons who receive its services, legal authorization must be obtained. Such authorization should be strictly observed in the process of collection, storage and use of the personal data, and measures should be taken for data security and privacy protection. In light of the above, the first priority for most operators is to review their service contracts on hand, with an aim to improve and update the relevant terms of user’s authorization.

个人健康信息将受到重点保护

Emphasized Protection for Personal Health Data

与个人身份类信息不同,法律对个人健康信息的法律规制更为严格。所谓个人健康信息,主要包括:医疗机构和健康管理服务机构保管的个人电子病历、健康档案等各类诊疗、健康数据信息。这类数据虽不涉及国家秘密,但与国家安全、经济发展及公共利益密切相关,因此被立法者定义为重要数据。

Unlike the personal ID-related data, personal health data is more strictly protected through various laws and regulations. Personal health data principally include the medical and health data, e.g. personal e-medical records and health records, maintained by medical organizations and health management service organizations. Such data does not involve any national secrets, which however is still defined as the important data by the legislators as such data is closely associated with national security, economic development and public interest.

根据现行法律规定,个人健康信息经授权被收集后,必须存储于中国大陆境内,不得存储于境外的服务器,也不得托管、租赁在境外的服务器。若委托其他机构存储、运维人口健康信息的,委托方承担健康信息的管理和安全责任,防止受托方超权限采集、开发和利用健康信息。

According to the existing regulation, personal health data, upon collection by authorization, should be stored in Mainland China. Storage of such data in the servers outside China is prohibited, and operators are also not allowed to have servers hosted or rent servers outside China. In case any operator authorizes an organization to store and maintain personal health data, such operator should be liable for management and security of the health data and should prevent such organization from collecting, developing or using the health data beyond the scope of authorization.

境内存储的这一点要求对于新进入中国养老健康行业的跨国企业而言,尤其不容忽视。很多经验丰富的海外运营机构在国内的业务往往始于为境内项目提供咨询策划、市场调研等工作,在此阶段,它们尚未来得及建立起系统的信息保护制度,然而很多工作却是由境外母公司的团队成员通过获取境内的数据资料来完成。此时若忽视了相关的中国法律要求,未妥善处理在中国境内采集到了个人健康信息,将面临较大的合规风险。

Multinationals, in particular those who have just entered into the China senior and health care market, cannot afford to ignore such requirement of onshore storage. For many experienced overseas operators, often times, their China business starts from a small task, such as providing consultancy services, conducting a planning and market research for domestic projects, at which stage the data protection system has not been established; however, most of the work may be carried out by the team members of the overseas parent companies using data materials sent from China. If the said requirement under the PRC laws is ignored at this stage, which then results in improper handling of the personal health data collected in China, operators will be highly likely to expose themselves to the compliance risks.

针对CII经营者更为严格的法律规制

Stricter Regulations towards CII Operators

 《网络安全法》的实施,将一个新名词—关键信息基础设施(CII)—带进了经营者的视线。CII是指面向公众提供网络信息服务或支撑能源、通信、金融、交通、公用事业等重要行业运行的信息系统或工业控制系统,且这些系统一旦发生网络安全事故,会影响重要行业正常运行,对国家政治、经济、科技、社会、文化、国防、环境以及人民生命财产造成严重损失,立法者由此要求CII运营者承担更多的网络和数据安全义务和责任。

A new word was brought to the attention of operators by the PRC Cybersecurity Law, i.e. Critical Information Infrastructure (“CII”). CII refers to the information system or industry control system providing network information services to the public or supporting operation of the important industries e.g. energy, communication, finance, traffic and utilities, which, in case of a network security accident, will endanger the normal operation of the important industries and cause severe losses to the national politics, economy, science, society, culture, national defense and the lives and wealth of the citizens. Thus, the legislators require CII operators to assume more liabilities and obligations with respect to the network and data security.

作为公共事业的一部分,根据具体的细分领域、主营业务类型、规模以及网络对其关键业务的支持程度,一部分卫生医疗行业领域的单位将被纳入CII的范畴。中国目前正在推行“医养结合”的养老服务体系建设,很多老年服务的商业模式是建立在医疗卫生与养老护理相结合的基础上,由此还催生了诸多O2O的服务方式,“9073”的政策也促进了机构、社区和居家领域服务商之间的紧密合作。在此过程中,客户的健康信息被共享和应用,任何一家与养老服务相关的机构或服务商均有可能被认定为CII。

As part of the public facilities and according to the specific subdivided industries, main business and scale, as well as the extent to which network will play in supporting the core business, some organizations in the medical and healthcare industry will fall within the scope of CII. China is currently promoting construction of the senior care system with “a combination of medical and senior care services”. The business model of many senior care services is based on the combination of medical services and senior care services, which also generates many online to offline services. The “9073” policy has also facilitated the close cooperation among institutions, communities and home care service providers. Through the course, clients’ health data could be shared among and used by the parties, and any organization or service provider involved in any senior-care-related services may be deemed as a CII operator.

对于CII更为严格规制的主要体现在对其的监管贯穿于“在中国境内规划、建设、运营、维护、使用CII,以及开展CII安全保护”的全过程。同时,法律对CII运营者跨境传输信息和数据设置了较为严格的限制条件,而无论该等信息是一般的身份信息还是人口健康信息。

Stricter regulation on CII is also reflected in the administrative supervision on it throughout the entire process of “planning, construction, operation, maintenance, use, and security and protection of CII in China”. At the same time, the law also imposes comparatively wide restrictions on cross-border transfer of information and data by CII operators, whether general ID data or health data.

跨境传输的要求

Requirement on Cross-border Transfer

作为一项基本原则,个人信息被采集后,应当存储于境内。如确因需要向境外提供的,采集者应当向被采集者说明数据出境的目的、范围、接收方及其所在地或国家,并获得被采集者的授权,方可将个人信息向境外提供。采集者还应在数据出境前进行安全评估,评估内容包括数据出境的必要性,涉及的个人信息情况,数据的数量、范围、敏感程度,数据在境外能否被妥善保管并使用,数据出境是否会危害国家安全、社会公共利益、个人合法权益等重要事项。

As a basic principle, collected personal data should be stored in the territory of PRC. Where, for business needs, it is necessary to transfer the data overseas, the collector should notify the person as the data subject of the purpose, scope, recipient and the place or country where the recipient is located, and the authorization of such person for the cross-border transfer is also required before any personal date can be transferred overseas. In addition, collectors should also conduct security assessment before any data is transferred overseas, including the need to transfer the data overseas, the personal data involved, the quantity, scope and sensitivity of the data, proper offshore storage and use of the data, and possible damages to the national security, public interest, personal legal rights arising from such transfer, etc.

根据正在审议中的《个人信息和重要数据出境安全评估办法》规定,对于大部分可能影响国家安全和社会公共利益的出境数据应由行业主管或监管部门进行安全评估,其中包括人口健康领域的数据、CII运营者向境外提供个人信息和重要数据,以及超过一定规模的数据(如含有或累计含有50万人以上个人信息、数据量超过1000GB)等。

According to the Draft Guidelines for Security Assessment of Cross-border Transfer of Personal Data and Important Data which is currently under review and discussion, for most cross-border transferred data that may affect national security and public interest, including health data, personal data and important data transferred overseas by CIIs, certain excessive data (e.g. where personal data of more than 500,000 individuals is contained or aggregated, or the volume of data exceeds 1,000GB), etc., security assessment should be conducted by the industry authority or regulatory department.

数据的脱敏措施

Data Desensitization Measures

虽然立法对个人信息的保护日趋严格,但也为运营者提供了一个例外制度—信息脱敏后的利用。这也可谓是一项个人信息保护和数据合理应用之间的平衡措施。

Although the legislation is being increasingly strict on personal data protection, one exception is provided to balance between personal data protection and reasonable use of data, i.e. utilizing data after data desensitization.

近几年,中国正在积极推动健康医疗大数据采集、存储,加强健康医疗海量数据存储清晰、分析挖掘、安全隐私保护等关键技术攻关,促进健康医疗业务与大数据技术深度融合,推进健康医疗与养老、家政等服务业协同发展。因此,虽然法律规定个人信息被依法收集后,未经被收集者同意,不得向他人提供个人信息。但若该类信息经过特定处理无法复原并且无法识别特定个人(即我们通常所称经过“脱敏”处理后,通过该类信息已无法识别自然人的个人身份),即可获得更大范围的应用。

In recent years, China has actively promoted collection and storage of health and medical big data, with an aim to make key technological breakthrough on clear mass data storage, analysis and digging and security and protection of privacy, facilitate deep merger of medical services and big data technologies, and enhance the collaborative cooperation among medical service industry, elderly care industry and housekeeping service industry. Therefore, although the law stipulates that the collected personal data should not be disclosed to others unless the consent from the person as the data subject is obtained, such data may be more widely used if it is specially processed and cannot be recovered or be used to identify the specific individual (which is known as data desensitization after which it is impossible to match such information with any specific individual).

不可否认的是,当大数据技术在其他行业领域应用时,经常会出现虽然数据的掌握者对其进行了脱敏处理,使得此类信息看似已经不可逆,但它们一旦与其他来源的信息结合并通过再处理后仍可进行个人身份识别,使得脱敏的措施流于形式。对此,我们期待立法层面能有进一步的明确和规范。

Undoubtedly, when the big data technology is used in other industries, it happens that some information, seemingly irreversible after data desensitization by its operator, may still be able to reflect the identification of the individual after combined and processed with the data from other resources. In such event, the data desensitization turns out to be a mere formality. We expect further clarification and regulation in this respect from the legislation in future.

结语

Key Takeaways

 中国的个人信息保护制度是在借鉴了各国的立法和实践经验后,通过自上而下的法律制度进行引导和规范。虽然很大部分的法律法规实施细则仍在制定过程中,但养老健康领域的服务商和运营者必须意识到,和其他国家一样,中国对于个人信息的保护以及与国家安全、社会公共利益相关的数据信息的保护政策正在日趋完善。

With reference to the legislation and practices of other countries, the PRC personal data protection regime is spreading out through a top-down move to provide guidance and regulations for network operators. Whilst the implementing rules of many laws and regulations are still under drafting, the service providers and the operators in the senior and health care industry should be aware that the policies for protection of personal data and the data related to national security and public interest are being well developed in China, like what has happened in many other countries.

为应对大数据商业环境下的行业机遇与挑战,养老健康领域的经营者有必要尽早作好部署。我们的建议是,企业应审视建立信息保护内控与合规制度的必要性,尽快采取以下措施:对其企业是否为CII作好评估工作,适时建立数据分类制度,尽早更新个人信息和隐私保护的法律文件,积极部署信息保护的软硬件及技术条件,保持与行业主管、监管部门和外部律师的沟通,以及密切关注该领域的立法动态。

To cope with the industry opportunities and challenges in the big data wave, operators of the senior and health care industry should take all necessary dispositions as early as possible. Our recommendation is that your China business arm should review the necessity to set up the internal control and compliance rules on data protection and take the following measures as soon as possible: conduct assessment on whether your company falls into the CII regime, set up data layering rules in due time, update the legal documents related to personal data and privacy protection at your earliest convenience, actively deploy the hardware, software and technologies for data protection, and maintain communications with the industry authorities, regulatory departments and external lawyers to keep a close eye on the progress of legislations in this area.

作者:瞿沁  金祺

By: Michael Qu & Vivian Jin

上海恒为律师事务所

Shanghai Law View Partners

文章回复