Three questions on medical data compliance

By Zhou Hanshuo and Yuan Lizhi, Jingtian & Gongcheng

On 10 June, the eagerly awaited Data Security Law (DSL) was passed. It clearly provides that each region and department is responsible for the data collected and generated in its work and for the security of that data, and that the competent department of each industry is responsible for regulating data security in that industry. In other words, data ultimately returns to the business that generates it, and regulation will differ from industry to industry.

The compliant use of medical data may bear on the business development, product registration and even domestic and overseas listing of medical companies. As a useful starting point, this article examines three questions.

周晗烁, Zhou Hanshuo, Partner, Jingtian & Gongcheng

What is medical data?

There is no direct definition of “medical data” in Chinese law. Companies should judge whether it falls into one or several specific data types based on the specific data and different regulations and industry standards.

Personal information. Under the Civil Code, the second draft of the Personal Information Protection Law (PIPL) and the Information Security Technology – Personal Information Security Specification, personal information refers to all kinds of information, recorded in electronic or any other form, that relates to identified or identifiable natural persons, excluding information that has been anonymised.

It is worth noting that, for the definition of identification, the PIPL draft adopts a method more similar to the definition method of “identification + association path” in the EU’s General Data Protection Regulation (GDPR), which has a wider scope than that in the Civil Code and the Cyber Security Law (CSL).

Data/important data. In the DSL, data refers to any record of information in electronic or non-electronic form. Each region and department will determine the important data of its corresponding region/department/industry/field to conduct key protection. The Information Security Technology – Guidelines for Cross-Border Data Transfer Security Assessment (Draft for Comments) and appendices 18 on population health and 21 on food and drugs cover a lot of important data such as diagnosis, treatment and health data, genetic information, drug experimental data related to strategic safety, and clinical trial data/reports of class II/III devices.

Human genetic resources information. Under the Biosafety Law (BSL), the Regulations on the Administration of Human Genetic Resources (RAHGR) and the service guide of the Ministry of Science and Technology, this refers to the data generated from organs, tissues, cells and other genetic materials containing the human genome, genes and other hereditary material, and covers relevant clinical, imaging, biomarker, genetic and other medical data.

Healthcare data and healthcare big data. According to the Administrative Measures on Standards, Security and Services of National Healthcare Big Data (Trial), healthcare data and healthcare big data include personal healthcare data and healthcare-related data obtained after processing personal healthcare data, such as data of personal attributes, health, medical applications, medical payment, health resources and public health. In the Information Security Technology – Guide for Health Data Security, healthcare big data refers to the data related to healthcare generated in the process of people’s disease prevention and health management.

Population health information. In the Measures for the Administration of Population Health Information (Trial), this refers to basic population information, medical and health service information, and other population health information including electronic information produced by health and family planning service institutions in the service and management process.

Medical records and medical files. The Regulations on the Management of Medical Records in Medical Institutions provides that medical records refer to words, symbols, charts, images, slices and other data formed by medical personnel during medical activities; the medical records will form “medical files” after archiving.

袁立志, Yuan Lizhi, Partner, Jingtian & Gongcheng

Who processes medical data?

What is “processing medical data”? According to the DSL and draft PIPL, processing behaviour includes not only the collection, storage and use of data/personal information, but also its processing, transmission, provision and disclosure. The identities of processing subjects include:

Processors, controllers/entrusted processors. The DSL and draft PIPL continue the concept of “processor” adopted in the Civil Code. Generally speaking, the “processor-entrusted processor” under the draft PIPL is roughly equivalent to the “controller-processor” under the GDPR. However, the specific differences between the two concepts in terms of rights and obligations deserve further analysis.

For example, as far as healthcare information system providers, healthcare data companies, and auxiliary diagnosis and treatment solution providers are concerned, if their processing of data is for, or serves, the controller, they are “entrusted processors” under the Guide for Health Data Security, and the special obligations of the “controller” are not applicable.

The draft PIPL uniformly uses the concept of “processor” when it comes to the cross-border transfer of personal information. So, under the draft PIPL, do institutions that are clearly identified as “entrusted processors” under the Guide for Health Data Security need to fulfill the obligations of a processor when providing personal information that carries personal healthcare data across borders, such as security assessment, filing and approval? Just like the differing rights and obligations between “processor-entrusted processor” and “controller-processor”, this has yet to be clarified.

Critical information infrastructure operator (CIIO). Although the scope of CIIO under the CSL is not very clear, and the cross-border management measures for other data processors by regulatory authorities such as the Cyberspace Administration of China have not yet been issued, it is generally understood that only a basic information network operator can constitute a CIIO, and it is unlikely that ordinary companies in the industry will fall into the CIIO scope.

Foreign entities. In accordance with RAHGR, foreign entities refer to foreign organisations and institutions established or actually controlled by foreign organisations and individuals. RAHGR makes no provision on what is meant by “control”. The industry is looking forward to the promulgation of detailed rules for the implementation of RAHGR, and one of the focuses includes this issue.

How to deal with all this?

Personal information. The Civil Code, Consumer Rights Protection Law, etc. all put forward requirements for the protection of personal information in specific activities. This version of the PIPL makes general provisions on the protection of “personal information”, including:

- In addition to the six exceptions provided in article 13 of the draft PIPL, personal information processors need to obtain personal consent when processing personal information;

- Any change in the processing purpose, method or type of personal information shall be subject to personal consent again, and processing of sensitive personal information (including healthcare information) requires separate personal consent; and

- Personal information processors that provide basic internet platform services with a large number of users and complex business types need to set up independent supervision organisations and fulfil specific obligations.

Non-personal information. Previous relevant laws and regulations usually excluded “anonymised information” from personal information, and this version of the PIPL continues this idea.

In practice, medical companies (especially medical AI companies) often choose to “mask” medical data, which includes “de-identification” and “anonymisation” from the perspective of technical processing. The difference is that “de-identification” still retains individual granularity and has the possibility of recovery, while “anonymisation” not only cannot “identify + associate” but also cannot recover the data.

Therefore, companies need to pay attention to verification and screening. If personal information is only “de-identified”, it is still personal information, and compliance with the requirements of personal information management in all links is still required.
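The distinction drawn above, de-identified data keeping individual granularity and remaining recoverable while anonymised data can be neither re-identified nor recovered, is easier to see in code. The following is an added example, not code from the authors or from any regulation: it de-identifies constructed patient records with a keyed token (reversible by whoever holds the key and mapping, so the output is still personal information), then anonymises the same records by dropping direct identifiers, coarsening quasi-identifiers and suppressing groups smaller than k, with a check a company could run during the "verification and screening" step. Field names, the k threshold and the sample records are assumptions.

```python
"""De-identification (reversible) versus anonymisation (irreversible).

The patient records, field names and k value below are constructed for
this example and are not from any real system or regulation."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictional patients, fictional ID numbers).
RECORDS = [
    {"name": "Patient A", "id_no": "ID-0001", "age": 34, "postcode": "200031", "dx": "J45"},
    {"name": "Patient B", "id_no": "ID-0002", "age": 36, "postcode": "200032", "dx": "J45"},
    {"name": "Patient C", "id_no": "ID-0003", "age": 31, "postcode": "200035", "dx": "E11"},
    {"name": "Patient D", "id_no": "ID-0004", "age": 52, "postcode": "200120", "dx": "I10"},
]
DIRECT_IDS = ("name", "id_no")          # fields that identify a person outright
QUASI_IDS = ("age", "postcode")         # fields that identify a person in combination


def pseudonym(id_no: str, key: bytes) -> str:
    """Keyed token for a direct identifier; deterministic per key, so the
    same patient always receives the same token within one dataset."""
    return hmac.new(key, id_no.encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(records, key: bytes):
    """Replace direct identifiers with a token. One output row per patient
    (individual granularity kept) and a mapping that lets the key holder
    re-identify each row: the result is still personal information."""
    mapping, out = {}, []
    for r in records:
        token = pseudonym(r["id_no"], key)
        mapping[token] = {"name": r["name"], "id_no": r["id_no"]}
        out.append({"token": token, **{k: v for k, v in r.items() if k not in DIRECT_IDS}})
    return out, mapping


def re_identify(row, mapping):
    """Recovery path that exists for de-identified data and not for anonymised data."""
    return mapping[row["token"]]


def generalise(r):
    """Coarsen quasi-identifiers: ten-year age band, four-digit postcode prefix."""
    lo = (r["age"] // 10) * 10
    return {"age_band": f"{lo}-{lo + 9}", "postcode": r["postcode"][:4], "dx": r["dx"]}


def anonymise(records, k: int = 2):
    """Drop direct identifiers, generalise quasi-identifiers, and suppress any
    equivalence class with fewer than k rows. No key or mapping is retained,
    so neither the data holder nor a recipient can link rows back to a person."""
    gen = [generalise(r) for r in records]
    classes = Counter((g["age_band"], g["postcode"]) for g in gen)
    return [g for g in gen if classes[(g["age_band"], g["postcode"])] >= k]


def is_k_anonymous(rows, quasi_ids, k: int) -> bool:
    """Verification step: every combination of quasi-identifiers must be
    shared by at least k rows, otherwise a row can single out one person."""
    classes = Counter(tuple(row[q] for q in quasi_ids) for row in rows)
    return all(n >= k for n in classes.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # held by the controller only
    rows, mapping = de_identify(RECORDS, key)
    print("de-identified rows:", len(rows), "k-anonymous (k=2)?",
          is_k_anonymous(rows, QUASI_IDS, 2))      # False: still per-person
    print("re-identified first row:", re_identify(rows[0], mapping))
    anon = anonymise(RECORDS, k=2)
    print("anonymised rows:", len(anon), "k-anonymous (k=2)?",
          is_k_anonymous(anon, ("age_band", "postcode"), 2))  # True
```

The de-identified output fails the k-anonymity check because each row still describes exactly one person and the mapping can undo the tokenisation; the anonymised output passes it only after the lone patient in the 50-59 / 2001 class is suppressed, which is the kind of information loss that separates genuinely anonymised data from masked data.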

For masked medical data, there are exceptions to the requirement to obtain personal consent/re-consent, so masking measures such as "de-identification" are not without value for medical companies. For example, the Guide for Health Data Security provides that restricted data sets that have been partially de-identified may, under certain conditions, be used or disclosed by the controller without authorisation when they are used for scientific research, medical and health education, public health purposes and other purposes provided by regulations.

However, the draft Ethical Review Measures for Biomedical Research Involving Human Subjects, issued by the National Health and Family Planning Commission of China in March, provide that after being examined and approved by the Ethics Review Committee, if the biological samples/data of identifiable individuals are used for research, and the consent of the subject can no longer be found, the informed consent may be exempted if adequate measures are taken to protect personal information and personal privacy, and commercial interests are not involved.

Domestic storage requirements. If the relevant subjects fall within the scope of CIIO and “personal information processors who process personal information up to the number specified by the national cyberspace department”, the personal information and important data collected and generated in China shall be stored in China.

Besides these subject-based requirements, similar requirements apply to some specific categories of data, including the above-mentioned "important data", "healthcare big data" and population health information, which relate to national security, the national economy and people's livelihoods. They are required to be stored in China, and may not be stored on overseas servers, or be hosted on or leased from overseas servers.

Requirements for foreign entities in human genetic resources. According to BSL and RAHGR, foreign entities are not allowed to collect and preserve Chinese human genetic resources (including information). The utilisation activities can only be carried out in co-operation with Chinese organisations after completing the examination and approval (international scientific research co-operation) or filing (international co-operative clinical trial for marketing license of medical devices in China).

In addition, the access to or open use of Chinese human genetic resources information by foreign entities can only be provided by Chinese organisations, and the process of reporting, filing, information backup and even security review (if necessary) should be performed.

Data compliance requirements for healthcare data/big data. For healthcare big data, in addition to requirements on domestic storage, there are also network security level protection requirements, and measures such as data classification, important data backup, encryption and authentication should be taken to ensure data security.

The Guide for Health Data Security makes provisions on the category, classification, safety requirements and key measures of healthcare data and personal healthcare data in typical application scenarios such as clinical research, secondary utilisation, medical devices, connection between commercial insurance and social insurance and mobile application.

Export control, risk/security assessment and external supply requirements:

Providing personal information overseas. At least one of the four conditions provided in the PIPL must be met:

- A security assessment (for CIIO and personal information processors who process personal information up to the specified number);

- A personal information protection certification by professional institutions;

- Clear rights and obligations with overseas recipients according to the standard contract of the cyberspace department; and

- Other conditions provided by laws and regulations or the cyberspace department.

Personal information and important data to be evaluated. According to the CSL, the Measures for the Management of Medical Big Data, the DSL, and the draft PIPL, processing of certain information, personal information and important data that may affect national security, the national economy and people’s livelihoods, especially when it comes to outbound/external provision, should be subject to a risk assessment, security assessment or national security review.

Providing data to overseas law enforcement/judicial institutions requires approval. The DSL provides penalties for providing data to overseas law enforcement or judicial institutions without approval. In contrast, the Securities Law has only similar provisions without corresponding penalties, and the International Criminal Judicial Assistance Law has similar provisions but only targets criminal judicial procedures. The DSL provides a clearer legal basis for Chinese companies to refuse cross-border access to data by overseas law enforcement/judicial institutions.


The authors suggest that companies should make relevant compliance preparations for personal information and medical data in advance, and pay attention to legislative trends. For example, a guide to the key points of the registration and evaluation of AI-assisted diagnostic decision-making medical device software issued by the National Medical Products Administration in 2019, and the recently released draft Guiding Principles on Registration Review of Artificial Intelligence Medical Devices put forward these requirements:

Data should be masked during data collection to protect patient privacy, and the types, rules, degrees and methods of masking should be explained; when using a third-party database for software validation, the data in the database should also be masked; and when providing a data source compliance statement, data collection and labelling operation specification in the algorithm research report is to be submitted.

For example, the Internet Medical and Health Information Security Management Specification (Draft for Comment), issued by the National Health Commission in June this year, put forward standardised requirements for the security management of internet medical and health information.

Zhou Hanshuo and Yuan Lizhi are partners at Jingtian & Gongcheng


Jingtian & Gongcheng

45/Floor, K.Wah Centre

1010 Huai Hai Road (M)

Shanghai 200031, China

Tel: +86 21 5404 9930

Fax: +86 21 5404 9931

