Security Assessment and Compliance Points for Cross-Border Transfer of Healthcare Data
Attorneys CHEN Shifu and WANG Yiting focus on the compliance and security assessment of cross-border transfer of healthcare data, pointing out that this field, involving national security, public interest, and personal privacy, is a high-risk area in China's cross-border data compliance. The article systematically reviews the evolution and core principles of China's cross-border data transfer regulatory policies, and, drawing on international regulations such as those of the EU and the US, clarifies that the core of cross-border data flow lies in balancing data openness and utilization with security risk management. Regarding the security assessment mechanism, it clarifies the quantitative scenarios triggering statutory declarations and details the key points for enterprise self-assessments and the key review items by the national cyberspace administration. Finally, it provides enterprises with actionable compliance management recommendations from five dimensions: establishing a data classification and grading management system, introducing security technologies for regular "health checks," dynamically adjusting compliance plans based on specific circulation scenarios, strictly reviewing the qualifications and capabilities of overseas recipients, and adhering to the bottom line of national security and privacy protection. The aim is to assist healthcare enterprises in achieving orderly cross-border data flow and value conversion while strictly observing security red lines.
In recent years, international data transactions have developed rapidly. Cross-border data transfer has always been an important topic in the field of data compliance, and the healthcare industry, which concerns national welfare and people’s livelihood, is considered one of the high-risk areas for cross-border data compliance.
Cross-border data flow is not only conducive to building a community with a shared future for mankind but also helps promote international investment and trade cooperation. It is an inevitable requirement of economic globalization. Currently, China has closely aligned itself with the trend of data trade and vigorously encourages and promotes the development of related industries. However, the cross-border transfer of healthcare data concerns the overall situation of China’s economic opening up and is closely related to national security and data sovereignty. Under the condition of free data flow, data cross-border activities should be more strictly regulated, personal information protection should be strengthened, and enterprise data security protection capabilities should be emphasized to ensure orderly, compliant, and high-quality data transfer.
This article focuses on the security standards for cross-border transfer of healthcare data. Combining our accumulated business experience in the healthcare field, we mainly sort out and provide recommendations on the security assessment and compliance points involved in the cross-border transfer of healthcare data.
I. Legal Evolution and Regulation of Cross-Border Transfer of Healthcare Data
To regulate cross-border data transfer activities, China has issued a series of relevant laws, regulations, and policies concerning healthcare data security and cross-border data transfer in the past five years, imposing higher requirements for data protection and data trade. We summarize the current laws and policies as follows:

According to the above regulatory and policy requirements, it can be seen that China’s supervision of cross-border healthcare data transfer emphasizes a combination of pre-assessment and continuous supervision, strictly requiring enterprises to conduct data cross-border risk self-assessments. When a data processor provides data overseas meeting statutory conditions, it must declare a data cross-border security assessment to the national cyberspace administration through the provincial cyberspace administration. If important data such as health status and personal attributes are involved in the cross-border transfer, opinions from relevant industry authorities should also be sought. The main regulatory principles and characteristics include:
- Principle of legality and legitimacy of the purposes of cross-border data transfer
- Principle of controllable data cross-border risks
- Principle of consistency of rights and responsibilities for healthcare enterprise data processing
- Ensuring citizens’ right to informed consent, strengthening privacy security protection
- Balancing the relationship between data flow and data protection
II. Regulation and Value Orientation of Cross-Border Data Flow in the International Legal Environment
As the fourth anniversary of the General Data Protection Regulation (GDPR) approaches, the global data protection landscape has changed, with more countries focusing on constructing substantive data protection cross-border transfer rules.
For EU countries, the supervision of cross-border data transfer has always been a key focus under the data protection legislative framework. The EU's safeguard mechanisms for cross-border transfers mainly include adequacy decisions, binding corporate rules, and standard contractual clauses. The latest version of the EU cross-border transfer SCCs, adopted in June 2021, further strengthened the regulation of data processing: it distinguishes four categories of cross-border transfer scenario in detail, provides standard provisions for the diversity of current international data flows and the increasingly complex cross-border data flow scenarios, and offers a legal basis for all types of data interactions between the various parties.
The United States, as a country with developed healthcare, pharmaceutical, and medical device industries, has a vast industry and strong regulatory measures. Especially in the layout of big data practices in the healthcare industry, its list standards, security management, and restriction policies are relatively mature, which can provide new ideas for China’s data development path exploration.
We can see that the true value of data lies in its use. The core of data security assessment and data cross-border compliance management is not to avoid data use, but to achieve a balance between data openness and national security and personal privacy risks.
Currently, some data flow application scenarios in China’s healthcare sector have achieved commercialization, but a large number of healthcare data cross-border application scenarios are still in the exploration stage. Satisfying only one-way compliance under Chinese law is no longer sufficient. Legal professionals safeguarding companies have the duty and responsibility to help companies regulate data cross-border activities, promote two-way compliance in cross-border data flow, and achieve freedom within the framework.
III. Security Assessment for Cross-Border Transfer of Healthcare Data
For cross-border healthcare data transfer businesses, Chinese pharmaceutical companies and institutions face dual regulatory challenges from overseas and domestic laws and regulations when engaging in cross-border data circulation and sharing. China currently has not enacted specific legal regulations for the cross-border transfer of healthcare data, but the responsibility requirements for enterprises are scattered across various laws and policies. According to a series of policy documents such as the Data Security Law, the Personal Information Protection Law, the Measures for Data Cross-Border Security Assessment, the national standard “Healthcare Data Security Guide,” and the “Data Cross-Border Security Assessment Guide,” when a data processor provides data overseas meeting one of the following conditions, it must declare a data cross-border security assessment to the national cyberspace administration through the provincial cyberspace administration:
- Personal information and important data collected and generated by operators of critical information infrastructure;
- Data provided overseas contains important data;
- Personal information processors that process the personal information of one million people and provide personal information overseas;
- Cumulative provision of personal information of more than 100,000 people or sensitive personal information of more than 10,000 people overseas.
It can be seen that China attaches great importance to data cross-border security issues. Although data security assessment is one path for data cross-border transfer (not the only one), for pharmaceutical and healthcare enterprises, most of the data they collect, store, and share is defined as important data. Therefore, the pharmaceutical industry should proactively fulfill self-assessment obligations and strictly comply with the national cyberspace administration’s data cross-border assessment requirements. We highlight the following key assessment items:
(I) Key Content of Enterprise Healthcare Data Cross-Border Risk Self-Assessment
- Legality, legitimacy, and necessity of the purpose, scope, and methods of healthcare data cross-border transfer and processing by the overseas recipient;
- Classification and grading of healthcare data and attribution of data rights, whether the right holder’s informed consent has been obtained;
- Quantity, scope, sensitivity, and risk assessment of the data to be transferred;
- Management and technical measures during data transfer, whether they can prevent risks such as data leakage and damage;
- Whether the data cross-border contract entered into with the overseas recipient stipulates data security protection responsibilities and obligations;
- Qualification review of the overseas healthcare data recipient and its technical measures and capabilities to fulfill responsibilities and obligations;
- Risk assessment of re-transfer after data cross-border transfer and whether channels for protecting personal rights remain unobstructed;
- Assessment of the content of the healthcare data cross-border contract, including the purpose of transfer, data scope, method of receipt, purpose of processing, storage location and retention period, re-transfer restriction clauses, data processing after contract termination, liability for breach, and dispute resolution clauses.
(II) Key Content of the National Cyberspace Administration’s Data Cross-Border Risk Assessment
- Documents submitted by enterprises for data cross-border security assessment include: application form, data cross-border risk self-assessment report, contract or other legally binding document entered into with the overseas recipient;
- Legality, legitimacy, and necessity of the purpose, scope, and methods of data cross-border transfer;
- Impact of the data security protection policies, laws, regulations, and network security environment of the country or region where the overseas recipient is located on the security of the transferred data;
- Quantity, scope, type, and sensitivity of the data to be transferred;
- Risks of leakage, tampering, loss, destruction, transfer, or illegal acquisition and use during and after the transfer;
- Whether the contract entered into between the data processor and the overseas data recipient adequately stipulates the data security protection responsibilities and obligations.
The combination of healthcare data cross-border risk self-assessment and security assessment, although imposing higher and stricter requirements on relevant enterprises, provides more favorable protection for national and enterprise security. The above key points on data cross-border security assessment are intended to provide guidance for enterprises and regulate their performance of data cross-border assessment obligations.
IV. Compliance Management Recommendations for Cross-Border Transfer of Healthcare Data
It can be seen that data security assessment is not the entirety of data cross-border management. Not all data cross-border activities are subject to security assessment. However, compliance management of cross-border data flow is indeed a necessary prerequisite for pharmaceutical enterprises to enter international trade. For compliance management of cross-border healthcare data transfer, it is recommended that enterprises establish or improve their data compliance system from the following aspects:
(I) Classification and Grading Management of Healthcare Data
Data classification and grading is not only a compliance requirement under the Data Security Law and the Personal Information Protection Law but also an important foundation for data cross-border security assessment. Since the development of the healthcare industry, it has involved a significant amount of important data and holds a large amount of personal sensitive information. Regarding the classification of healthcare data, reference can be made to the national standard “Healthcare Data Security Guide,” which divides it into the following six categories:

According to the importance and risk level of the data, as well as the potential damage and impact on healthcare data subjects, data can be divided into five levels. The corresponding key compliance points are as follows:
Level 1 (Can be fully publicly used): Such as hospital name and address, this is public information that can be directly disclosed on the internet.
Level 2 (Can be accessed and used on a larger scale): Such as data that cannot identify personal information, can be used for clinical research, medical education, and pharmaceutical/medical device research and development. De-identification processing is required, managed through agreements or sharing models, and data integrity and authenticity must be ensured.
Level 3 (Can be accessed and used on a medium scale): Partially de-identified data, such as physical examination queuing notifications. Personal information parts should be concealed to avoid affecting the lives of patients and staff.
Level 4 (Can be accessed and used on a smaller scale): Accurately identifiable personal information, such as gene sequencing, infectious disease control, etc. This data can be used for telemedicine, etc. As it involves personal identification information and constitutes important data, for cross-border transfer of such data, the security assessment obligation should be strictly fulfilled. Data processors should strictly control it and ensure data integrity and availability to high standards.
Level 5 (Can only be accessed and used on a very small scale under strictly restricted conditions): Involves detailed data on specific diseases. As such diseases are extremely sensitive and the data constitutes important data, in addition to strictly complying with security assessment obligations, access control should be strictly enforced to ensure the security of personal health privacy data.
Healthcare enterprises concern national welfare and people’s livelihood, involve a significant amount of important data, and hold a large amount of personal sensitive information. Therefore, for the cross-border transfer of healthcare data, enterprises must establish a strict classification and grading compliance protection system, set up different cross-border flow management and technical measures, to help enterprises strike a balance between fulfilling compliance requirements and efficiently conducting business.
(II) Combine compliance management with data security products and conduct regular data security “health checks”
Healthcare data has immense research value during international circulation and will empower enterprises. For enterprises, research data studies and information technology security should be placed on equal footing. It is recommended that enterprises strengthen technology empowerment, customize data security compliance management products, and make good use of technical means to handle compliance challenges.
On the one hand, enterprises can collaborate with data security companies to jointly set up cross-border data identification and early warning systems. On the other hand, enterprises can use technical encryption, de-identification, and other means to convert data types with higher compliance costs into data types with lower risks. Additionally, enterprises can establish internal data assessment checklists and conduct regular data security “health checks” to ensure orderly data commercialization within compliance management. The design of compliance plans for cross-border healthcare data transfer should advance in tandem with information technology, using scientific technology to reduce data compliance risks.
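As an added illustration (not code from the article or its authors) of how the technical measures just described can be put into practice, the following Python script does two things: it screens a planned overseas transfer against the cumulative declaration thresholds quoted in Section III (more than 100,000 persons' personal information, or more than 10,000 persons' sensitive personal information), and it de-identifies the records by dropping direct identifiers, replacing the data subject with a keyed pseudonym, and generalising the birth date to an age band. The field names, the sample records, the placeholder key, which fields count as sensitive personal information, and the ten-year age-band granularity are all assumptions made for this example, not readings of the national standard or the regulations.

```python
"""Constructed example: threshold screening and de-identification of a health-data
batch before overseas transfer. Field names, records and key are made up."""
import hashlib
import hmac
from datetime import date

# Declaration thresholds quoted in the article (cumulative overseas provision).
PI_THRESHOLD = 100_000
SENSITIVE_PI_THRESHOLD = 10_000

# Assumed field sets for this example. Which fields are "sensitive" is a
# decision the enterprise's classification and grading scheme must make.
DIRECT_IDENTIFIERS = {"name", "national_id", "phone"}
SENSITIVE_FIELDS = {"diagnosis", "genetic_result"}

# Placeholder key; in practice it would come from a key-management system and
# stay with the domestic data processor, so the tokens cannot be reversed abroad.
EXAMPLE_KEY = b"placeholder-key-replace-from-kms"

# Constructed sample records (fictitious subjects; "ID-000x" are not real IDs).
SAMPLE_RECORDS = [
    {"name": "Zhang San", "national_id": "ID-0001", "phone": "13800000000",
     "birth_date": date(1990, 1, 1), "diagnosis": "hypertension",
     "hospital": "Example Hospital"},
    {"name": "Li Si", "national_id": "ID-0002", "phone": "13900000000",
     "birth_date": date(1985, 5, 5), "diagnosis": "",
     "hospital": "Example Hospital"},
    {"name": "Zhang San", "national_id": "ID-0001", "phone": "13800000000",
     "birth_date": date(1990, 1, 1), "genetic_result": "variant X (constructed)",
     "hospital": "Example Hospital"},
]


def screen_batch(records, already_provided_pi=0, already_provided_sensitive=0):
    """Count distinct data subjects in the batch and report whether, added to the
    counts already provided overseas, the transfer crosses a declaration threshold.
    Subjects are counted per national_id, so repeated records are not double-counted."""
    subjects = {r["national_id"] for r in records if r.get("national_id")}
    sensitive_subjects = {
        r["national_id"] for r in records
        if r.get("national_id") and any(r.get(f) for f in SENSITIVE_FIELDS)
    }
    pi_total = already_provided_pi + len(subjects)
    sens_total = already_provided_sensitive + len(sensitive_subjects)
    return {
        "pi_subjects": pi_total,
        "sensitive_subjects": sens_total,
        # "more than" in the article, hence strict comparison
        "declaration_required": pi_total > PI_THRESHOLD
        or sens_total > SENSITIVE_PI_THRESHOLD,
    }


def pseudonym(value, key):
    """Keyed pseudonym (HMAC-SHA256, truncated): the same subject always maps to
    the same token, but linking a token back to a person requires the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(birth_date, on=date(2022, 1, 1)):
    """Generalise a birth date to a ten-year age band as of a fixed reference
    date (fixed here so the output is reproducible)."""
    age = on.year - birth_date.year - ((on.month, on.day) < (birth_date.month, birth_date.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record, key=EXAMPLE_KEY):
    """Return a copy with direct identifiers removed, the subject replaced by a
    keyed token and the birth date replaced by an age band."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "birth_date"}
    out["subject_token"] = pseudonym(record["national_id"], key)
    out["age_band"] = age_band(record["birth_date"])
    return out


def leaked_identifiers(records):
    """Self-check for the 'health check' step: direct identifier fields that
    survived de-identification (should be empty)."""
    return sorted({k for r in records for k in r if k in DIRECT_IDENTIFIERS})


if __name__ == "__main__":
    print(screen_batch(SAMPLE_RECORDS))
    cleaned = [deidentify(r) for r in SAMPLE_RECORDS]
    print(cleaned)
    print("leaked identifiers:", leaked_identifiers(cleaned))
```

The screening function takes the counts already provided overseas as inputs because the article's threshold is cumulative; a per-batch count alone would understate exposure. The keyed pseudonym preserves linkage between records of the same subject (needed for longitudinal research) without exporting the identifier itself, and `leaked_identifiers` is the kind of check an internal assessment checklist can run automatically before each transfer.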
(III) Adjust compliance plans according to different data circulation scenarios
In the era of the data economy, scenarios for cross-border data circulation are relatively complex, with many application scenarios still in the exploration stage. Therefore, enterprises should maintain high sensitivity to data cross-border transmission scenarios. For the multiple relationships among data controllers, processors, and users, they need to quickly confirm role compliance obligations, accurately identify data types, clarify data circulation models, and flexibly adjust compliance plans for data cross-border transmission.
(IV) Compliance review of data cross-border recipient qualification
For enterprises involved in overseas business, cross-border data circulation faces dual compliance supervision. Enterprises must not only ensure their own data security and compliance with Chinese regulatory requirements but also consider the credit qualifications, technical capabilities, processing plans, and local data security legal environment of the data cross-border recipient. Enterprises should proactively scrutinize the compliance risks of data circulating internationally.
(V) Adhere to national security and personal privacy protection
Data security is increasingly closely related to national sovereignty. Personal data privacy protection and cross-border data transfer have become matters of political contestation. Among all industries, healthcare data is different from others, concerning patient life safety, personal information security, social public interests, and national security. It not only has international trade economic value but also global scientific research and medical value. Chinese enterprises should firmly adhere to the data security red line, value the right to informed consent and choice of data subjects, and establish corresponding rights relief measures to fully protect personal information security.
In summary, we can see that while protecting the security of healthcare data, China is actively promoting data integration, sharing, and open application. Globally, data flow has made significant contributions to economic growth, and cross-border data flow has become an inevitable trend of economic globalization. Therefore, our legal service team hopes to use the above sharing to assist enterprises in promoting orderly cross-border data compliance, strengthening the construction of cross-border data flow systems, and achieving the optimal balance between cross-border data flow and risk prevention and control.