In order to protect personal information during the prevention and control phases of the COVID-19 pandemic, the Office of the Central Cyberspace Affairs Commission issued the Circular on Ensuring Effective Personal Information Protection and Utilisation of Big Data to Support Joint Efforts for Epidemic Prevention and Control on 9 February 2020.(1)
The circular requires that:
- no units or individuals may collect or use another party's personal information unless they are authorised by the Health Department under the State Council in accordance with the Cybersecurity Law, the Law of the People's Republic of China on Prevention and Treatment of Infectious Diseases and the Regulations on Emergency Responses to Public Health Emergencies;
- the collection of personal information should be subject to the minimisation principle under the Personal Information Security Specification and limited only to confirmed cases, suspected cases and close contact as well as other key groups.
- personal information collected should not be used for any purpose other than preventing and controlling COVID-19;
- institutions collecting and checking personal information should be responsible for its security protection; therefore, strict management and technical safeguards should be implemented to prevent information being stolen and disclosed; and
- any organisations or individuals must report to the cyberspace administrations and public security authorities the illegal collection, use and public disclosure of personal information.
Endnotes
(1) Further details are available here.
