Effectively strengthen the protection of personal information and make full use of the supporting role of big data in epidemic prevention and control.

  Recently, as all sectors of society have worked together with one heart to deal with the epidemic, there have been many incidents in which personal information such as names and mobile phone numbers, and even sensitive personal information such as household registration addresses and ID numbers, was published on the Internet in the name of looking for close contacts of confirmed cases. Some of the people whose information was exposed were also harassed by strangers through phone calls and WeChat. It is also reported that the deputy director of the Health Bureau of a municipal district forwarded the case investigation report of virus-infected persons to unrelated persons, after which it spread to WeChat groups, causing adverse social impact. At the same time, some experts have called for the use of mobile phone signaling, big data and other technologies to support epidemic monitoring and source tracking.

  In response to the above problems, experts from the App special governance working group give professional advice on relevant social concerns from the aspects of protecting personal information and using big data legally and scientifically.

  Q: Does the disclosure of the names, addresses, ID numbers, mobile phone numbers and other information of returnees violate laws and regulations? What harm will the dissemination of this information bring?

  A: According to the Cyber Security Law and other laws and regulations, information such as name, address, ID number and mobile phone number can identify a specific individual, and is undoubtedly personal information. Given the background of epidemic prevention and control and the influence of public panic, confirmed pneumonia patients, suspected patients and close contacts are often regarded as high-risk groups. Once their personal information is leaked and disseminated, it may lead to harassment, intimidation, and even rumors that they have been diagnosed, which may damage the physical and mental health of the people whose information is disclosed or cause discriminatory treatment. This information should be treated as sensitive personal information and given a higher degree of protection.

  Not only does the Cyber Security Law require that "no individual or organization may steal or obtain personal information in other illegal ways, nor may it illegally sell or illegally provide personal information to others", but the Law on the Prevention and Control of Infectious Diseases also clearly stipulates that it is not allowed to intentionally disclose personal privacy-related information of infectious disease patients, pathogen carriers, suspected infectious disease patients and close contacts. Clearly, organizations and institutions without explicit legal authorization, or personnel who are not involved in the epidemic prevention and control work organized by the government according to law, are not allowed to collect and use the personal information of confirmed patients, suspected patients and close contacts without the consent of the persons whose information is collected, and they are not allowed to spread this information privately in WeChat groups and WeChat Moments. Doing so infringes on citizens' personal information, and if the circumstances are serious, it may constitute the crime of infringing citizens' personal information. If disease prevention and control institutions, medical institutions, grassroots staff, etc. disclose the above information, it will also constitute an aggravating circumstance. For the leaked personal information of confirmed patients, suspected patients and close contacts, local network information departments and public security organs should also stop or block its spread in time, so as to reduce the adverse effects and avoid hindering legitimate information collection. At the same time, we call on netizens not to spread such information and to actively report malicious disseminators to the relevant departments.

  Q: What principles should relevant organizations or individuals adhere to when collecting statistics on and using the information of people who have returned to their hometowns or returned to work? What specific measures can be taken to protect personal information?

  A: The most important thing in collecting statistics on and using the information of people who have returned to their hometowns or returned to work is to balance effective prevention and control of the epidemic with the protection of personal information. For public health purposes, such as the prevention and treatment of infectious diseases, people returning from Wuhan and other areas with a serious epidemic situation, and those returning to work, should accept and cooperate with the visits and investigations carried out by the relevant disease prevention and control departments. At the same time, such information needs to be shared among the relevant disease prevention and control departments.

  At present, local disease prevention and control institutions and grassroots street communities generally carry out interviews and surveys to collect personal information of relevant personnel. This process involves the collection, aggregation, sharing and disclosure of personal information, and attention should be paid to the protection of personal information at every stage to prevent data leakage, loss and abuse.

  For example, in the process of collection, if local disease prevention and control institutions and grassroots street communities conduct interviews and surveys by filling out forms on paper, it is necessary to strictly require that the paper materials not be photographed or copied, and that they be collected back and kept properly. If the relevant information is recorded or aggregated electronically, responsibility should be assigned to a specific person, the information should be stored on a specific terminal, and the data and its backups should be stored encrypted.

  In the process of aggregation and storage, personal information should be managed and processed as centrally as possible, and strict security measures such as access control, auditing and encryption should be adopted.

  When sharing and transmitting relevant data to relevant parties in epidemic prevention and control work, it should be confirmed that the other party is an institution or individual with the right to obtain the data, and the transmission should be encrypted.

  Finally, in the process of use, personal information should be used only for its dedicated purpose, strictly limited to disease prevention and control, and must not be used for other purposes. It should be properly disposed of in accordance with the regulations after the epidemic prevention and control work ends.

  Q: When relevant organizations disclose information related to the epidemic, what points should they pay attention to in protecting personal information?

  A: For externally disclosed epidemic reports, notifications and announcements, disclosing only statistics on the flow of returnees and non-personal information about diagnosed patients, such as gender, date of diagnosis and symptoms, is enough to satisfy the general public's right to know about the epidemic situation; names, ages, ID numbers, telephone numbers and home addresses should not be disclosed. For the public in the area where confirmed or suspected cases are located, it is likewise not necessary to disclose the cases' specific personal information in order to meet the public's right to know for prevention and control purposes.

  If an organization holds information about key people who have been in close contact with the source of infection and needs to get in touch with them directly, it should designate a specific person to be responsible for ensuring that their contact information is not spread, and the list of relevant personnel should be further restricted in who may know it and given priority protection.

  Q: At present, some experts suggest using mobile phone signaling or Internet big data to carry out accurate epidemic prevention and control. Is it feasible? What kind of effect can it have?

  A: Almost all people in China use mobile phones to access the Internet. According to statistics, the number of netizens in China is 854 million, of which 99.1% use mobile phones to access the Internet. Mobile phones and apps have become necessities of most people's lives. Telecom operators and major Internet companies in practice hold a large amount of citizens' personal information, especially contact information, geographical location and whereabouts, which makes it possible to use big data to help prevent and control the epidemic.

  On the one hand, once the above information has been processed so that it cannot identify a specific individual and cannot be restored, it is no longer personal information. After aggregation and analysis, it can yield information such as the distribution of crowd gathering hotspots and the cross-regional flow of people, which is of great significance for predicting and analyzing the development of the epidemic and for scheduling medical resources.

  On the other hand, for key populations, such as infectious disease patients and pathogen carriers, disease prevention and control institutions can effectively implement protective measures such as isolation by using their location information. At the same time, through retrospective data analysis, disease prevention and control institutions can find suspected patients and close contacts as soon as possible. This is called "contact tracing", and it helps to isolate and cut off the source of infection in time.

  It can be seen that, compared with traditional visits, arrangement and registration, applying information technology and big data analysis to the prevention and control of infectious diseases is more timely, accurate and effective. In addition, another feature of big data is that it can continuously learn, change and improve, which is conducive to better analyzing and understanding the patterns of disease transmission, eliminating more "blind spots" and uncertainties, and turning a passive position into an active one. Abroad, there has long been successful practice of using call detail records for Ebola virus prevention and control.

  Q: Can any unit or individual carry out the above big data analysis? What do China's current laws and regulations stipulate in this regard?

  A: Big data analysis for disease prevention and control involves a large amount of personal information, and even the tracking and analysis of specific groups. Not every unit or individual has the authorization and ability to carry it out. The primary concern should be legality, that is, whether there is a clear legal authorization. At present, China's laws and regulations on the protection of personal information stipulate that the collection and use of citizens' personal information requires the prior consent of the person whose information is collected. Relevant provisions in laws and regulations such as the Law on the Prevention and Control of Infectious Diseases and the Emergency Regulations for Public Health Emergencies can be regarded as exceptions to the requirement of individual consent, with the purpose of ensuring effective prevention and control of epidemics. The parties covered by the Law on the Prevention and Control of Infectious Diseases and the Emergency Regulations for Public Health Emergencies are disease prevention and control institutions, medical institutions, and units and individuals directly involved in the "emergency plan for emergencies" formulated and implemented by the State Council and the people's governments of provinces, autonomous regions and municipalities directly under the Central Government. Units and individuals other than these should not use personal information for epidemic control, key population tracking and other purposes without personal consent.

  Q: Are there any specific regulations abroad on the use of personal information when dealing with public health emergencies? What experience is worth our reference?

  A: Take as an example the EU's General Data Protection Regulation (GDPR), which is known as the "strictest" personal information protection law in the world. In addition to personal consent, GDPR provides three other legitimate grounds that can be used for public health emergencies like the novel coronavirus pneumonia epidemic, namely, that personal data processing is "necessary to fulfill the legal obligations of the data controller", "necessary to protect the major interests of the data subject or other natural persons" and "necessary for". These three legitimate grounds can strongly support disease prevention and control institutions, medical institutions and related organizations in using personal information to carry out epidemic prevention and control work.

  Of course, on the premise of legitimacy, GDPR also requires that specific data processing follow these basic principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

  A typical example of the above thinking is the "Decision on Serious Cross-border Health Threats" adopted by the European Union in 2013. The "Decision" establishes an early warning and response system within the EU, and makes it clear that contact tracing measures may be taken for people who are exposed to health threats, are at risk of infection or have been infected. In line with the purpose of contact tracing, the competent authorities are allowed to collect and share necessary personal information among relevant member States. When carrying out such data collection and use, the "Decision" requires full compliance with the provisions of the EU legal framework for the protection of personal information, which is in line with the above basic principles.

  Generally speaking, China's Cyber Security Law and the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection have established a legal framework for personal information protection that is in line with international standards. The Law on the Prevention and Control of Infectious Diseases and the Emergency Regulations on Public Health Emergencies further establish the legal authorization for the collection and use of personal information in public health emergencies such as outbreaks of infectious diseases, and at the same time clarify the legal responsibilities. Therefore, in this epidemic prevention and control work, all units and individuals should work within the legal framework, attach great importance to the protection of personal information, strike a balance between the use of personal information and its security, and achieve victory in epidemic prevention and control.