[Chinese-language original]

Notice on Protecting Personal Information and Using Big Data to Support Joint Prevention and Joint Control Work

Published Feb. 9, 2020

All provincial, autonomous region, and municipal cybersecurity and informatization committees, all relevant ministries and commissions of Central Committee and State bodies:

In order to protect personal information during the joint prevention and joint control of the novel coronavirus infectious pneumonia epidemic, and to vigorously use big data including personal information to support joint prevention and joint control work, with the approval of the Central Commission for Cybersecurity and Informatization, the following relevant matters are hereby notified as follows:

1. All localities and all departments must pay high regard to personal information protection work. Except for bodies authorized by the State Council hygiene and health department on the basis of the “Cybersecurity Law of the People’s Republic of China,” the “Infectious Disease Prevention and Treatment Law of the People’s Republic of China,” and the “Sudden Public Health Incident Emergency Response Provisions,” no other work units or individuals may use epidemic prevention and control, or disease prevention and treatment as a reason to collect or use personal information without the agreement of the person whose data is collected. Where other provisions of law or administrative regulations exist, act according to those provisions.
2. The collection of personal information required for joint prevention and joint control shall occur with reference to the national standard “Personal Information Security Specification,” uphold the principle of minimal scope, and limit the targets of collection in principle to diagnosed individuals, suspected individuals, individuals having come in close contact, and other such focus groups. Collection is generally not aimed at all groups in a particular locality, and actual discrimination against groups in particular locations must be prevented.
3. Personal information collected for epidemic control and disease prevention and treatment may not be used for other purposes. No work unit or individual may, without the agreement of the person whose information is collected, publish personal information such as names, ages, identity card numbers, telephone numbers, household addresses and other such information, except where it is required for joint prevention and joint control work and desensitization processing has been undertaken.
4. Institutions collecting or handling personal information are responsible for security and protection of personal information, adopting strict management and technological protection measures, to prevent data theft and leaks.
5. Capable firms, under guidance from relevant departments, are encouraged to actively use big data to conduct analysis and forecasting of the flow of key groups such as confirmed cases, suspected cases, and close contacts, and to contribute big data support for joint prevention and joint control work.
6. Any organization or individual found to collect, use, or disclose personal information in violation of regulations or law, can be promptly reported to cybersecurity and informatization and public security departments. Cybersecurity and informatization departments should, in accordance with the “Cybersecurity Law of the People’s Republic of China” and related regulations, promptly deal with collection, use, or disclosure of personal data in violation of regulations or laws, as well as incidents that cause mass data leaks. Public security institutions involved in criminal activity will face severe consequences according to law.

Cyberspace Administration of China

Feb. 4, 2020