Abstract
The processing of digital medical data (DMD) raises significant legal and ethical challenges. The rapid development of artificial intelligence (AI) has tremendously influenced the processing of DMD. However, AI may also give rise to concerns about patient privacy breaches and data security risks. China emphasizes the legal and ethical considerations for processing DMD. In this article, we focus upon the parameters of DMD in the context of China’s legal framework and identify related applications of DMD. We explore the legal issues involving processing DMD in China: (1) individual control right/informed consent, (2) institutional obligations, (3) security impact assessment, and (4) secondary use compliance. We also find ethical issues involving processing DMD in China, involving (1) group bias and other data flaws and (2) privacy risks. Building on the above analysis, we propose legal and ethical “toolboxes” for regulating processing DMD in China. In the legal toolbox, there are four tools, including (1) optimizing individual permit and authorization, (2) creating three types of obligations, (3) promoting responsible and explainable security impact assessment, and (4) identifying public interest standards. In the ethical toolbox, there are two tools, including (1) paying particular attention to handling specific groups’ DMD and (2) enhancing accountability of handling DMD.
I. INTRODUCTION
Establishing a legal guarantee for medical data is an important support for achieving a “Healthy China.” In 2022, the National Health Commission of the People’s Republic of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration issued the “14th Five-Year Plan for National Health Informatization,” taking the establishment and improvement of health and medical data management systems and the cultivation of health and medical data element markets as important tasks for perfecting the health and medical big data resource system.
Active use should be the main approach, and the legal system should create conditions for the active utilization of health and medical big data. 1 Active utilization means maximizing the value of health and medical big data by using it in a secure manner. In the process of actively utilizing digital medical data (DMD), many legal and ethical issues have emerged; how should they be solved? We intend to study three aspects. In Section II, we evaluate China’s DMD, explore its concept, and study its application. In Section III, we analyze the legal and ethical issues involving the processing of DMD in China. In Section IV, we offer China’s approaches to regulating the processing of DMD to solve relevant legal and ethical issues. A brief conclusion follows.
II. ASSESSING DMD IN CHINA
In this section, we assess DMD by examining its concept in the context of the Chinese legal framework and by studying its application in China.
A. Understanding the concept of DMD under the Chinese legal framework
The medical industry generates a large amount of medical data every year. For example, ordinary medical institutions generate 1–20 TB of related data every year, and large hospitals can generate 300 TB to 1 PB of medical data per year. DMD refers to all kinds of data generated, collected, processed, stored, and transmitted in the medical process using modern computers and information technology. These data cover disease prevention and control, health management, medical management, medical research, and other aspects, including but not limited to patients’ personal information, medical records, drug purchase and use, equipment data, and system records. These data mainly come from information systems such as hospital information systems and electronic medical record systems, as well as clinical treatment, drug sales, and other activities. 2
According to standard documents such as the “Information security technology—Guide for health data security,” DMD can be classified from different perspectives, mainly including: (1) personal attribute data (data that alone or with other information can be combined to identify a specific natural person); (2) health status data (data that can reflect or have a close relationship with an individual’s health) 3 ; (3) medical application data (data that reflect health care outpatient visits, inpatient discharges, and other medical services); (4) medical payment data (data related to costs involved in services such as medical care or insurance); (5) health resource data (data that reflect the capabilities and characteristics of health service providers, health programs, and health systems); and (6) public health data, including environmental health data, infectious disease epidemiological data, disease surveillance data, disease prevention data, and data on births and deaths. 4
Under the Chinese legal framework, digital health data are protected by multiple laws, including:
The Civil Code: The rights and privacy of personal information subjects are involved.
Personal Information Protection Law of the People’s Republic of China: The principles of legality, legitimacy, necessity, and good faith, as well as the principles of clear purpose and minimal processing, the principles of openness and transparency, the principle of quality, the principle of responsibility and the principle of security guarantee are proposed for the processing of personal information.
National Health and Medical Big Data Standards, Security and Service Management Measures (Trial): It is especially emphasized that the state should standardize the management, development, and utilization of medical data according to the needs of national strategic security and people’s life safety on the basis of guaranteeing citizens’ right to know, use, and personal privacy.
Compliance requirements need to be observed during the processing of digital healthcare data: In the process of data collection, the rules for data processing shall be fully disclosed, the purpose, method, and scope of data processing shall be communicated to individuals, and the consent of individuals shall be obtained, or other conditions stipulated by laws and regulations shall be met. 5 In principle, data should be stored on a secure and trusted server in China, and if it is necessary to provide data overseas, a security assessment and audit should be carried out in accordance with relevant laws, regulations, and other requirements. For data security, it is necessary to establish and improve a data security management system covering the whole process, implement data classification and hierarchical protection, and adopt technical measures such as encryption, authentication, and access control. 6
B. Related applications of DMD in China
The application of DMD in China has penetrated into all aspects of the medical industry, playing an important role in improving the quality of medical services, optimizing the allocation of medical resources, and promoting medical research and innovation. 7
With the advancement of technology and the growth of human demand for health care, digital healthcare has been transforming the traditional service model in the global health sector. Digital medical data not only enhances the accuracy of diagnosis and treatment but also enables patients to access more convenient and efficient services. The application of DMD in healthcare institutions can effectively help doctors make more accurate clinical diagnoses. 8 , 9 For example, DMD can facilitate more accurate prediction of the cost and efficacy of treatment plans 10 ; DMD can integrate the genetic information of patients and assist them in personalized treatment; DMD provides population health data available for analysis to help predict disease outbreaks 11 ; and more.
By aggregating diverse DMD from electronic health records, imaging data, genomics, wearable devices, etc., and recognizing patterns through machine learning models, such systems can assist doctors in detecting early disease characteristics. DMD can be used to analyze the logical relationship between test data and disease symptoms, and new disease-related markers can be mined from these easily overlooked data. 12 Alternatively, some conventional indicators can be compared and calculated against a variety of diseases, and the correspondence between them at the data level can then be discovered. New disease early warning indicators can be identified through appropriate pathological verification. 13 For instance, Yang et al.’s research collected clinical data systematically, obtained patient data in real time, and calculated scores. Health care professionals thus identified potential disease deterioration through real-time data stream processing technology, so as to promptly notify medical staff and achieve real-time disease early warning. 14
Traditional diagnosis and treatment rely on the expertise of medical staff and are vulnerable to diagnostic errors. The advent of big data provides more accurate information for clinical decision-making and opens up a new field of disease diagnosis. 15 Clinical decision support systems using medical big data have been applied in some hospitals. 16 The application of this technology will reduce the misdiagnosis caused by the professional limitations of doctors, improve the efficiency of disease diagnosis, save medical costs, and allow patients to obtain better medical services. At the same time, it provides guidance on preoperative diagnosis, efficacy evaluations, and prognosis predictions of patients’ diseases. For example, the analysis of patients’ medical records, images, and other data can assist doctors in disease diagnosis and surgical decision-making and improve treatment results and patient satisfaction.
Medical images play a great auxiliary role in the diagnosis of diseases. Common medical images are computed tomography, magnetic resonance imaging (MRI), etc. 17 According to statistics, more than 90% of the medical data in the hospital comes from medical images, and at present, imaging examinations require doctors to give diagnostic opinions based on professional knowledge and work experience. 18 The intelligent reading system and image analysis system based on the combination of medical big data, medical image, and artificial intelligence (AI) have been extensively researched in China. 19
When medical equipment, hospital sensors, personal electronic terminals, and other devices collect medical data, they can be connected to the medical big data service center through the internet. Based on these medical data, a remote monitoring platform that is interconnected, convenient in service, immediate in feedback, and controllable in quality can be built. 20 This platform can overcome the limitations of geography, time, and space, integrate and analyze medical data from various hospitals and departments, and build a medical big data service center featuring multiparty interaction and intelligent sharing, thereby achieving the goal of remote diagnosis and treatment. 21
For instance, in the field of chronic disease management, the rapid development of AI has brought revolutionary opportunities for diabetes management. Through big data analysis, AI can achieve precise classification of diabetes and further promote personalized treatment. Combined with continuous glucose monitoring technology, AI can remotely assist in patient management through various new blood glucose monitoring indicators and algorithms. 22 In the future, the collaborative model based on medical big data and AI will further improve the remote management of diabetic patients.
Medical Analysis and Research
The application of DMD in medical analysis and research is extensive and in-depth, which not only improves diagnostic accuracy and treatment effect but also promotes the progress of medical research and the improvement of medical management efficiency. 23 , 24 With the continuing development of technology, DMD will play a more important role in the medical field.
In recent years, with the rapid development of big data technology, the achievements of DMD in medical analysis research have become increasingly in-depth, covering both technological breakthroughs and clinical practice. The research directions for analysis include medical imaging and disease diagnosis research, clinical decision-making and treatment optimization research, innovative application and interdisciplinary integration research, and medical data cohort construction research, etc.
In the field of medical imaging and disease diagnosis research, scholars are exploring the use of DMD for multimodal image analysis. For instance, the UniMedI framework proposed by Zhejiang University and Microsoft Research Asia builds a semantic space through diagnostic reports and integrates 2D/3D medical imaging data, thereby raising the accuracy of disease diagnosis for conditions such as pulmonary nodules and stroke to over 95%. 25 The MMed-Llama 3 multilingual medical large model developed by Shanghai Jiao Tong University supports the joint analysis of cross-modal images and texts. 26 In the research of digital twin technology, the team led by Feng Jianfeng from Fudan University has built a digital twin brain platform with a scale of 86 billion neurons. This platform simulates the process of neurodegenerative diseases through data assimilation methods, providing a new paradigm for the study of Alzheimer’s disease. 27 This project utilizes DMD to conduct relevant research and achieve intelligent upgrades in the disease diagnosis process.
In the field of clinical decision-making and treatment optimization research, scholars’ research directions mainly focus on AI-assisted diagnosis and treatment systems and the exploration of drug effects. Based on the data of 6,490 SCI articles, West China Hospital has developed a prognosis prediction model covering diseases such as lung cancer and breast cancer. 28 Its AI system has significantly reduced the misdiagnosis rate in validation studies published in journals such as Front Oncol. Based on data from 729 articles, Beijing Children’s Hospital, Capital Medical University, has developed a system for generating personalized treatment plans for children with epilepsy, leukemia, and other diseases. A study in 2020 found that the KGNN knowledge graph neural network, by integrating drug molecular structures with clinical data, increased the accuracy of predicting drug–drug interactions (DDI) by 2.39 percentage points. 29
In terms of innovative application and interdisciplinary integration research, the focus is on conducting research on 5G + telemedicine by leveraging big data. For instance, Qilu Hospital of Shandong University has utilized 5G networks and heterogeneous data integration technology. Under the premise of protecting data privacy and security, it has connected various terminals through a 5G medical private network to achieve instant image transmission and build an integrated communication system.
Through a variety of interactive means, a new model of online communication has been created, redefining clinical communication and collaboration. Digital intelligence has empowered the transformation of the medical field, and related technologies have been included in the “Guidelines for the Application Scenarios of Artificial Intelligence in the Health and Wellness Industry.” A large amount of DMD can be obtained from medical data centers, remote consultation centers, two-way referral centers, and hospital core management centers. Auxiliary medical personnel carry out various clinical tasks such as 5G + remote consultation (multi-disciplinary consultation), 5G + remote ward rounds, 5G + remote imaging diagnosis, 5G + remote ultrasound, 5G + bedside consultation, 5G + online medical record discussion, 5G + remote teaching, and 5G + remote surgical demonstration.
Improving Public Health Services
DMD can significantly improve public health services by enhancing the “autonomous health” service experience, promoting hierarchical diagnosis and life cycle health services, enhancing patient engagement, optimizing resource allocation, and improving research efficiency.
First, “internet + medical and health” services fully utilize new technologies, new means, and new models, breaking through the limitations of time, space, and region, and removing the obstacles and difficulties in seeking medical treatment. Patients have perceived increasing convenience in accessing medical services and expressed satisfaction with their healthcare experience. The application of DMD can enhance the “autonomous health” service experience 35 through online health consultation, appointment booking and registration, in-consultation-room settlement, remote settlement over the medical insurance network, mobile payment, and other convenient services, reducing crowding and improving the service experience.
Second, with the application of DMD, supported by big data technology and methods, resources can be channeled to lower-level institutions, better supporting the implementation of hierarchical diagnosis and treatment, accelerating the popularization of telemedicine, and promoting the development of precision medicine. 36 This will help solve the problem of uneven distribution of medical resources and improve the accessibility of medical services.
In addition, through the sharing of electronic health records, communication and collaboration between doctors and patients can be facilitated, reducing paperwork and avoiding data duplication and errors. At the same time, real-time monitoring of patients’ physical conditions, timely detection of abnormal conditions, and alerting of doctors or patients are further measures needed to improve the quality and efficiency of medical services. 37
Enhancing patient engagement is also an important aspect of DMD applications. Through smart devices or apps, patients can become more aware of their health status, participate in monitoring and managing their health data, and promote healthy lifestyles and behaviors. 38 This helps to improve patients’ self-management ability and further improve public health services. 39
Finally, by analyzing DMD from different regions, different groups, and different diseases, it is possible to assess medical needs and resources and develop optimized policies, regulations, programs, and budgets. 40 This will help improve resource allocation and improve the efficiency and effectiveness of public health services. 41
Promoting Commercial Health Insurance
The application of DMD in the commercial health insurance sector is undergoing profound changes through data sharing, intelligent risk control, and product innovation. 42 Its core value lies in enhancing actuarial capabilities of insurance, optimizing user experience, and reducing operating costs.
In China, the national medical insurance information platform has opened some data interfaces to commercial insurance. This enables insurance companies to obtain key information such as outpatient chronic and special disease benefits and hospitalization records, making it possible to develop insurance products for people with preexisting conditions. 43 For example, in Luliang city, Shanxi Province, 25 million outpatient prescriptions have been aggregated through the “Three Medical Linkage Platform.” The AI engine has achieved intelligent review of the entire process of medical services—before, during, and after, continuously improving the accuracy of fraud identification.
In recent years, Beijing, Shanghai, and other places have tried to break through the long-standing data barriers between commercial insurance and state medical insurance. 44 Through the analysis of medical insurance data, insurance companies can more accurately understand the risk status, health status, medical treatment behavior, and other information of potential customers. Data sharing can provide a more comprehensive portrait of insurance customers. Thus, insurance companies will be more accurate in pricing, improve the insurance experience and accuracy, improve the efficiency of commercial insurance services, and comprehensively improve the service experience and satisfaction. For example, “Shanghai Huibao Insurance” was launched by the Shanghai Big Data Center, 45 the Shanghai Medical Insurance Center, and the China Insurance Science Union, which jointly established the Shanghai Medical Insurance Big Data Innovation Laboratory (commercial insurance); it applies medical insurance data to commercial health insurance products on the basis of individual authorization. Policyholders can complete the entire insurance process online, including application, premium payment, policy inquiry, claim settlement, and payment, significantly improving insurance service efficiency.
III. LEGAL AND ETHICAL ISSUES INVOLVING PROCESSING DMD IN CHINA
With the rapid development of science and technology, big data technology is gradually penetrating into various fields, especially in the medical field, and its application is attracting widespread attention. The application of big data technology has brought revolutionary changes to medical diagnosis and treatment. However, privacy protection issues are also becoming increasingly prominent. 46 In China, legal and ethical issues related to the processing of DMD are becoming an important topic, not only related to patient privacy and data security, but also related to data ownership, use rights, and cross-border data transfer.
A. Legal issues involving processing DMD in China
Compared with the traditional diagnosis and treatment model, the risk of leakage or theft of DMD in internet diagnosis and treatment is higher. Internet healthcare involves multiparty collaborative data processing, which poses new challenges for medical data security protection. It also makes it difficult to distinguish and pursue legal liability for data breaches. The huge amount and scale of DMD bring great challenges to the protection of DMD. The volume of DMD requires a large computing system and protection system to promote the progress of medical technology, which means that the difficulty of medical data storage and protection will increase at the same time.
Given the nature of DMD, its ownership has always been controversial. At present, there are mainly five viewpoints, namely the “individual ownership theory,” “medical institution ownership theory,” “individual and medical institution co-ownership theory,” “public ownership theory,” and “compound right theory.” The Personal Information Protection Law of the People’s Republic of China stipulates that individuals have the right to informed consent, the right to decide on disclosure, the right to consult and copy, the right to portability, the right to correct and supplement, the right to delete, and the right to request an explanation regarding personal health and medical data, but it does not specify a right of ownership. 47
Individual Control Right/Informed Consent
The Personal Information Protection Law responds to the practical problems of citizens’ personal information data protection in the form of law and conforms to the trend of data protection, aligning with the developmental demands of the information era. It also conforms to the development of internet hospitals and protects patients’ health data and privacy at the legal level. In particular, the law defines “medical and health information” as “sensitive information.” The processing of sensitive information thus requires the individual “personal consent” of specific patients, and individuals should be informed of the necessity of processing sensitive information and the impact on their personal rights and interests. The procedure requires a risk assessment of sensitive data in advance, and the entire course of processing needs to be fully documented. 48
Institutional Obligations
As the processing body of DMD, medical and health institutions have the professional obligation to protect patients’ personal information. These obligations, reflected in the daily work of healthcare organizations, are the core content of their data compliance obligations. For medical and health institutions, DMD is not only the basis for providing services to patients, but also a huge asset. When considering compliance obligations, it is necessary to fully consider the various risks of data processing and the multi-faceted and multi-layered nature of DMD and then prevent risks through compliance construction.
At the national level, since 2016, China has successively introduced many policies and regulations to regulate the security of medical and health data. These include “Guiding Opinions on Promoting and Regulating the Application and Development of Big Data in Health Care,” 49 “Internet Diagnosis and Treatment Management Measures,” “Internet Hospital Management Measures,” “Telemedicine service management Standards,” “National Health Care Big Data Standards, Security and Service Management Measures (Trial),” etc. 50 The “Information Security Technology Health and Medical Data Security Guide” implemented in July 2021, 51 also guides the processing subjects of DMD to manage data security from the standard.
Many local regulations have also been introduced to regulate the processing of DMD. For example, the Regulations on the Application of Big Data for Health Care in Guiyang City 52 and the Measures for the Management of Big Data for Health Care in Shandong Province are the first local regulations to restrict the collection, 53 aggregation, storage, development, application, and supervision and management of DMD in respective administrative regions.
Security Impact Assessment
In the healthcare industry, especially in hospitals, data security is of paramount importance. The healthcare sector, particularly hospitals, is a focus area for data security risk assessment because of the large amounts of sensitive personal health information it stores and processes. Data breaches not only threaten patients’ privacy, but they can also have a serious impact on a hospital’s reputation and operations. Data breaches or improper use can lead to patients’ privacy violations, medical malpractice claims, and other legal liability. Therefore, conducting a data security risk assessment is a fundamental step in ensuring the security of DMD.
Hospital institutions are required to comply with relevant data protection regulations, such as the Cybersecurity Law of the People’s Republic of China and the Personal Information Protection Law. Meanwhile, hospitals should develop internal data security policies to clarify the security requirements of data collection, storage, transmission, and destruction.
Secondary Use Compliance
B. Ethical issues involving processing DMD in China
With the in-depth application of medical big data, ethical issues have gradually come to the fore. Issues such as data privacy protection, data security, and fair data sharing have become the focus of research. How to rationally utilize medical big data while protecting patients’ privacy and how to promote data sharing while ensuring data security have become urgent problems to be solved.
Group Bias and Other Data Flaws
There is a real problem of group bias in the application of DMD, which is a challenge that cannot be ignored. This bias can come from many sources, including data collection, processing, algorithm design, and clinical decision-making.
First, sample selection bias and data recording bias exist in the DMD collection stage. In the collection of DMD, if the sample selection is not representative, for example, only focusing on some specific groups (such as high-income groups, specific geographical or ethnic groups) and ignoring other groups, the collected DMD will not truly reflect the actual situation of the overall patient population. 60 This bias will directly affect the implementation of subsequent data analysis and precision in medicine. In addition, data recording processes may be inaccurate or incomplete as a result of human error or technical deficiencies, which can further lead to data bias. This bias can also affect the accuracy and reliability of data analysis, which in turn may exacerbate neglect of or discrimination against certain patient groups.
Second, algorithmic bias and data interpretation bias exist in the data processing and algorithm design stage. 61 The design and application of algorithms may be embedded with designer bias or influenced by training data. If the training data itself is biased (such as by race, gender, or socioeconomic status), then the algorithm will likely produce unfair results when dealing with different patient groups. This bias may further intensify health inequalities. During the interpretation of DMD, the subjective consciousness or preconceived notions of researchers or doctors may lead to bias. This bias can affect the objectivity and impartiality of medical delivery, resulting in certain patient groups being unable to receive the attention and treatment they deserve.
Third, doctors’ subjective judgment and experience bias, an imperfect medical system, and asymmetrical information exist in the clinical decision-making process. 62 Doctors’ clinical decisions may be influenced by their subjective judgment and experience. Different doctors may offer different treatment plans for the same condition, and this difference may be caused by the physician’s knowledge level, experience, and personal bias. This bias can lead to different treatment regimens for different patients, resulting in unequal treatment outcomes. The imperfection of the medical system and information asymmetry are also among the important reasons leading to bias in clinical decision-making. Due to the uneven distribution of medical resources and asymmetrical information, some patients may not have access to the best treatment options. This bias further exacerbates health inequalities.
Privacy Risks
In the era of AI, the use of DMD may result in conflicts of interest. Individuals’ control over their own health information is weakened, and the traditional informed consent model plays a limited role. This, coupled with the absence of industry standards and the technical barriers of the “algorithm black box,” leads to the dilemma of personal privacy protection in the use and construction of DMD.
There may be a conflict between the public nature of the construction of DMD and the private needs of protecting personal privacy. Article 1226 of the Civil Code stipulates the obligation of medical institutions and their medical staff to keep confidential the privacy and personal information of patients. Medical institutions or their medical staff shall bear tort liability if they disclose the privacy and personal information of patients or disclose the patient’s medical records without consent. Article 12 of the Law of the People’s Republic of China on the Prevention and Control of Infectious Diseases also has similar provisions, but when these provisions are implemented, personal privacy is infringed due to asymmetrical information. Such infringements are often manifested by medical professionals simplifying procedures or downplaying informed consent, failing to implement adequate protection measures for patient privacy. Even when patients seek redress afterward, they face high costs and delays in resolution.
Privacy policy is an important way to measure the legality of the collection and use of users’ personal information by internet service providers. It is not only a tool of enterprise autonomy but also related to the protection of users’ personal information. It seems that providing privacy policy agreements to users can guarantee the security of personal DMD. However, due to the absence of unified industry standards and the practical obstacles of “algorithm black box,” individual subjects are in a relatively weak position, and personal information is still likely to be infringed.
IV. LEGAL AND ETHICAL TOOLBOXES FOR REGULATING PROCESSING DMD IN CHINA
In this section, we offer China’s approaches to regulating the processing of DMD through proposing legal and ethical toolboxes.
A. The legal toolbox for regulating DMD processing in China
The legal toolbox has various systems to regulate DMD processing in China.
Optimizing Individual Permit and Authorization
The principle of informed consent is a fundamental principle in the norms for personal information protection. 63 Article 13, Paragraph 1, Subparagraph 1 of the Personal Information Protection Law stipulates that the consent of the individual shall be obtained for the processing of personal information. The Personal Information Protection Law is very cautious about the processing of DMD. Articles 28–32 of the Personal Information Protection Law also formulate specific processing rules for sensitive personal information. The theoretical basis of the principle of informed consent is the rational person assumption. “The rational person assumption holds that the information subject is rational and can make decisions that are best for their own interests.” 64 Personal information processing permits and authorizations face the problem of being rendered ineffective in practice. Information subjects vary greatly and may not all have the ability to make rational decisions. There are structural problems with personal permit and authorization mechanisms, which cannot truly safeguard the information self-determination of information subjects.
These structural problems are mainly reflected in the following aspects: (1) Informed consent is formalized. Some platforms adopt an “all-or-nothing” authorization model, where users cannot access core features if they refuse non-essential permissions. Certain medical apps often require one-time authorization for unrelated permissions (e.g., contacts, location), while privacy agreements typically suffer from excessive jargon and hidden key information, making them difficult for users to understand. This reduces consent to a mere formality. (2) The authorization chain suffers from unclear accountability and secondary authorization loopholes. After initial consent, DMD often undergoes multiple transfers to third parties, during which data subjects typically lose control over their information. For instance, when medical institutions use anonymized data for research purposes, they may fail to explicitly inform patients that their data could be utilized for AI training. (3) Dynamic consent is lacking. Current authorization mechanisms primarily rely on static one-time approvals, which fail to meet scenario-specific requirements. For instance, patients’ varying privacy protection needs at different stages of diagnosis and treatment have not been incorporated into system design.
First, it is hard for patients to take the principle of informed consent seriously. If patients have to choose between protecting DMD and recovering from disease, they will inevitably give priority to the latter. Physical recovery is the goal of patients seeking medical treatment, and patients will not lose sight of the essential for the trivial.
Second, patients are faced with a false choice when it comes to making informed consent decisions. Medical institutions must obtain patients’ DMD to carry out effective diagnosis and treatment. Patients must agree to provide their DMD to obtain medical services. In fact, there is no other choice.
Third, there is a problem of formalization in patients’ informed consent decision-making. When doctors are diagnosing patients, it is impossible for them to explain in detail to each patient the policies of medical institutions on handling their DMD; doing so does not conform to medical practice, and patients find it difficult to clearly understand the social significance of permitting the processing of their DMD. Additionally, privacy policy documents are usually complex in content and full of professional terms, making them difficult for the ordinary person to read. Moreover, they are highly likely to contain general or blanket authorization provisions, or vague and broad informed consent clauses, which makes it hard to judge afterward whether the informed consent of patients was genuine.
Personal permission and authorization are the gatekeepers of information processing. It is necessary to confirm rights over DMD in order to optimize personal permission and authorization. In China, the confirmation of data rights faces a shortage of theoretical support. The countermeasure proposed in the “Opinions on Establishing a Data Base System to Maximize a Better Role of Data Elements” is to separate three rights—data resource holding rights, data processing and usage rights, and data product operation rights. This “three rights separation” system represents a core innovation in the market-based allocation of data elements. By structurally separating data property rights, it provides institutional safeguards for compliant and efficient data circulation. 65 DMD originates from patients, but it only becomes valuable after being managed by medical institutions. The value of DMD is typically public: only when DMD held by one medical institution is combined with that held by other medical institutions can its value be maximized.
First, patients are the original source of DMD, but they should not enjoy ownership or other exclusive rights over DMD. Instead, they should prevent others from infringing upon their private information in a way that protects their privacy interests. 66 Therefore, it should be recognized that medical institutions enjoy the property rights of DMD resources, and hospitals can properly use desensitized DMD within their fields based on actual control over DMD.
Second, different personal licensing and authorization methods, and exceptional circumstances, should be set up according to different data needs, such as patients’ visits, clinical research, and the secondary utilization of DMD by third parties such as government departments, researchers, or enterprises. In secondary DMD utilization, the purpose of DMD usage is no longer the same as the one patients were informed of at the time of data collection. Objectively, from clinical treatment to clinical research and then to third-party utilization, patients increasingly lack the right to know about the property rights and uses of DMD. The informed consent required for clinical research can be obtained through broad consent when patients visit the hospital; such DMD can then be used for future clinical research without identification. The use of raw patient-derived data, and of curated but patient-identifying DMD, should be strictly limited to the treatment of the patient’s own condition. Medical institutions should establish clear data processing policies when acquiring and managing patient data, including measures for data classification, collection, transmission, storage, usage, disclosure, sharing, and audit management, to ensure patients’ right to informed consent. Patients should be prompted through electronic or paper medical records and other carriers to ensure that they can access the data processing policy and exercise their data rights at any time.
Third, in secondary DMD utilization, the purpose of data collection changes, and so does the subject of data processing. Medical institutions should therefore once again seek the explicit authorization of patients. Medical institutions need to inform patients in a positive and clear way of the future application scenarios of their personal DMD, and make it easy to contact patients by email, SMS, WeChat, and other effective channels to ensure their right to know. Medical institutions may directly use DMD to respond to public health emergencies or to protect the life, health, and property safety of natural persons in emergencies, but this cannot be used as an excuse to refuse to notify patients whose identifiable information may be released. An important purpose of DMD is to support the development of public health. Public health data formed by public health management departments from the relevant data of medical institutions belong to public data, and the de-identification of such data should be strengthened. In DMD processing, it is crucial to determine which ranges of medical and health data are absolutely not allowed to undergo re-identification operations. 67
In short, medical institutions and other subjects collecting DMD should separately ask patients whether they authorize each use, and should clearly guarantee the patient’s right to be forgotten unless that specific DMD is found to be helpful to the healthcare of specific individuals.
Creating Three Types of Obligations
The key to exempting medical institutions from unfair legal liability is to build compliance systems for DMD and effectively fulfill their compliance obligations on DMD. The Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks, the Civil Code, and the Personal Information Protection Law all put forward that information processing should abide by the principles of legality, reasonability, and necessity, and the implementation of these principles is the key for medical institutions to fulfill their obligations in personal information processing. 68 Under the rights framework separating the three rights, the obligations of medical institutions regarding DMD will vary.
In China, some scholars believe that the performance of hierarchical obligations is directly related to the legitimacy of the use of medical data and the standardized exercise of the right to use medical data. The relevant obligations are divided into general obligations, ancillary obligations, and special obligations. 69
General obligation refers to the “fair use” obligation of medical institutions on DMD. Medical institutions must consider the interests of other subjects and the public interests when using DMD. The core of the ancillary obligations is to distinguish DMD resources from data products and set the obligations of commercial entities. The obligations that commercial entities acquire when they obtain the right to use DMD in accordance with the data contract are the ancillary obligations of the data contract.
The ancillary obligations of a medical data usage license contract mainly include the payment of benefits and the avoidance of infringement. The former is the duty of fidelity, and the latter is the duty of care. The realization of the right to use medical data resources by commercial entities is premised on the fulfillment of the obligation of reasonable utilization, which requires a reasonable purpose of use, a reasonable scope of use, and a reasonable way of use. The realization of the right to use medical data products by commercial entities is premised on the fulfillment of the obligation of fair competition, which requires commercial entities not to violate the competitive order and not to cause damage to market competition.
The special obligation of regulatory entities refers to the obligation to give priority to protecting the public welfare in medical data, which is the justification standard for the exercise of the right to use medical data by the regulatory institution. This priority duty of public welfare protection is mainly reflected in procedures: the first is to obtain and use medical data in accordance with legal procedures, the second is to maintain records and supervision of the whole process, and the third is the sealing of administrative and judicial files involving sensitive medical data, together with the classification and graded use of medical data.
We argue that these three proposed obligations are distinguished by the scenario in which DMD is utilized and the burdens that data processors carry. The key to understanding them lies in the three principles of legality, justification, and necessity. From general obligations to ancillary obligations and then to special obligations, the processing requirements for DMD become increasingly specific, and the possibility of data processing getting out of control also increases. When the processing subjects of DMD are medical institutions, the security status of DMD depends on the self-restraint of medical institutions, and data security is an internal issue of those institutions. When data processing subjects expand to other medical institutions, and especially to commercial subjects, data processing activities need to balance the interests of all subjects involved. Any compliance activity has a cost, and the more specific and directed the attributes of digital health data, the more valuable the data will be.
The three principles of legality, justification, and necessity can build the processing program for data processors, govern the purpose principle and other principles, and draw the bottom line that data processing subjects should abide by. The principle of legality requires that data processing must comply with the normative guidance of laws and regulations, while the principle of justification requires that the purpose and means of data processing should be justified.
The principle of necessity requires that data processing should not exceed the limit necessary to achieve the purpose of processing; it derives from the principle of proportionality and its subprinciples. For commercial subjects, economic interests are the fundamental motivation for processing DMD, and they are also the most likely cause of data security problems. Therefore, the principle of justification requires that the ancillary obligation, which has the attribute of a fiduciary duty, limit the data processing behavior of commercial subjects. When data processors change from private entities to government agencies, public interests replace economic interests as the motivation and purpose of data utilization.
In doing so, it is necessary to prevent individual rights from being infringed upon in data processing. Furthermore, it is necessary to synchronously set authorization rules that define the management institution’s right to use DMD, and to ensure the public welfare of DMD through compulsory rules.
Promoting Responsible and Explainable Security Impact Assessment
According to the provisions of Articles 55 70 and 56 71 of the Personal Information Protection Law, personal information processors should conduct personal information protection impact assessments before processing sensitive personal information. The content of the assessment should include whether the purpose and method of processing of personal information are legal, justified, and necessary, the impact on personal rights and security risks. The assessment should also ask whether the protective measures taken are legal, effective, and appropriate to the level of risk. These personal information protection impact assessment reports and processing records shall be kept for at least three years. Health care institutions should follow these rules when handling DMD.
The above provisions of the Personal Information Protection Law cannot effectively guide the development of DMD security impact assessment in practice. First, the coverage of personal information security impact assessment is not clear, and there is a lack of quantitative standards for evaluating its effect at the legal level. In Article 55 of the Personal Information Protection Law, the processing of sensitive personal information is only one of the circumstances in which a personal information protection impact assessment should be conducted. Article 13 of the Personal Information Protection Law stipulates that an assessment should be completed in six other situations besides “obtaining the individual’s consent.”
Since the processing of personal information in the other six situations does not require informed consent, the need for a security impact assessment of such processing should be greater. However, current legal provisions do not include these situations among those in which a security impact assessment should be carried out. Second, the content of personal information security impact assessment is broad and general, and its guidance is difficult to apply in practice. Article 56 of the Personal Information Protection Law stipulates the content of personal information security impact assessment, but it is too programmatic to guide practice. The guidance on the security assessment of personal information processing needs to be more specific and interpretable.
A responsible security impact assessment means that it can properly achieve its normative purpose and can be effectively implemented in practice. An interpretable security impact assessment means that the concepts of the relevant terms of the system are clear, without controversy, and can be implemented in good faith in practice.
Personal information security impact assessment is a mandatory self-restraint, which is a precompliance assessment and risk assessment procedure. 72 The EU General Data Protection Regulation (GDPR) provides for a data protection impact assessment for data processing activities that may create a high risk to the rights and freedoms of natural persons. The GDPR’s data protection impact assessment is a model for the formulation of specific provisions on information (data) security impact assessment in China. The purpose is to improve recommended national standards. 73 National standards are not the source of law. Compared with normative documents such as law, which are guaranteed by national compulsory force, national standards belong to “soft law.” They are derived from practice and used in practice, serving the purpose of refining the provisions of normative documents such as laws and regulations. The governance effect of these national standards is complementary and important to the formation of normative documents.
In terms of personal information security impact assessment, the Information Security Technology Guidance for Personal Information Security Impact Assessment (GB/T 39335-2020) specifically standardizes the development of such assessment. The standard defines key terms for personal information security impact assessment. For example, Article 3.4 defines personal information security impact assessment as “in view of personal information processing activities, checking their legal compliance, judging their various risks of damaging the legitimate rights and interests of personal information subjects, and a process for assessing the effectiveness of measures used to protect the subject of personal information.” The normative purpose of personal information security impact assessment is to evaluate the value of information and data processing work. Article 4.2 of the above standards defines the evaluation value as “it can effectively strengthen the protection of the rights and interests of the personal information subject, help the organization to display its efforts to protect the personal information security, enhance transparency, and enhance the trust of the personal information subject.”
In promoting the construction of a responsible and interpretable security impact assessment mechanism, the assessment procedures and contents should strictly focus on the purpose of DMD security, and also pay attention to the reality that DMD is sensitive personal information.
Concerning the issue of assessment procedures, the Information Security Technology Guide for Personal Information Security Impact Assessment (GB/T 39335-2020) divides the assessment implementation process into nine elements, namely assessment necessity analysis, assessment preparation, data mapping analysis, risk source identification, individual rights and interests impact analysis, comprehensive security risk analysis, assessment report, risk disposal and continuous improvement, and formulation of a report release strategy.
Some scholars argue that personal information security impact assessment should pay special attention to four aspects: the participation procedure, the review procedure, the prior consultation procedure, and the disclosure procedure. 74 In the security impact assessment procedure for DMD processing, special attention should be paid to the review procedure and to the implementation of the consultation procedure. In the processing of DMD, the review procedure is in nature a form of continuous monitoring, which contributes to the continuous security of DMD. The prior consultation procedure, following the provisions of Article 36 of the GDPR, seeks effective external assistance when difficulties arise in the processing, so as to spare the information processing subject long-term difficulties. The processing of DMD involves many legal issues, and how to design the participation and disclosure procedures has become a challenge to whether the security impact assessment is clear and interpretable.
The core of these two procedures is to introduce specific parties to play an oversight role. Allowing patients or relevant stakeholders to express their opinions in the security impact assessment is a manifestation of procedural justice and democracy and can also restrain medical institutions. However, it always faces the problem of whether the security of the processing activities can be guaranteed: the more participants there are, the more likely sensitive personal information is to be leaked. Therefore, how to balance confidentiality mechanisms against the need for supervision needs to be clearly defined.
In terms of the content of the assessment, attention should be paid to evaluating the impact on the personal rights and interests of patients and medical institutions, and on this basis to judging whether the protection measures for specific DMD meet the requirements of the principles of legality, justification, and necessity. The protective measures taken by medical institutions include not only technical measures such as de-identification and anonymization technology; attention should also be paid to whether the medical institution itself has the capacity for compliance.
Identifying Public Interest Standards
According to the provisions of Article 1036 (3) of the Civil Code, 75 the actor shall not bear civil liability if the information processing act is reasonably carried out to protect the public interest or the legitimate rights and interests of the natural person. According to Article 13 of the Personal Information Protection Law, “the processing is necessary to respond to public health emergencies or protect the life, health or property safety of natural persons under emergency circumstances” or “personal information is processed within a reasonable scope to conduct news reporting, public opinion-based supervision, or other activities in the public interest,” no individuals’ consents are required. Where the direct processing of DMD is required for public interest, personal information security impact assessment should not be carried out. Due to the lack of advance warning of security impact assessment, information processing activities in the name of public interest cannot be effectively supervised. Clarifying public interest standards is important for maintaining the security of DMD.
To determine the public interest standard is to determine when the public interest can breach the boundaries of individual information self-determination. DMD encompasses both personal and property interests, as well as private and public attributes. 76 DMD in the era of AI is complex. Personal interests are the logical starting point for the protection of DMD, and public interests are also important stakeholders in personal information protection. Although personal interest and public interest are usually consistent with each other, there is some conflict between them. In some circumstances, personal interest may have to be sacrificed for common good; likewise, the self-determination of personal information may be sacrificed for the sake of public interest.
In public health events, grasping effective epidemic information in real time is an important guarantee for the smooth implementation of epidemic prevention and control. It is undoubtedly a great social burden to contact individuals one by one and obtain their informed consent. 77 From the perspective of saving social costs, the provision of Article 13 of the Personal Information Protection Law has its justification. The superiority of public interests over personal interests is relative. No matter how DMD is utilized, the identity of patients should not be disclosed, otherwise the behavior of fulfilling public interests itself will be an act of violating citizens’ personal information.
The connotation and extension of public interest are not clear, and there are theoretical disputes. Some scholars think that public interest has characteristics of publicity and universality. It is the synthesis of the common parts of various interest groups, and it has the characteristics of the uncertainty of the number of subjects, the sharing of the entity, and the consistency of the interests. 78 There are also views that public interests have broad but relative manifestations, which are related to the fundamental and inseparable overall interests of human beings, and the subject of public interest is universal, uncertain, and non-exclusive. 79
We hold that publicness is the core element of public interest, and that the standard of public interest can be developed around publicness. In the GDPR, the public interest is not a vague, indivisible whole, but is treated in a typed way. Some Chinese scholars have summarized the “public interest” in the GDPR and divided it into general public interest and important public interest. The general public interest relates to social goods such as employment, social security, medical purposes, scientific research, and statistical purposes. By contrast, the important public interest applies where processing is necessary to detect epidemics and their spread and to respond to humanitarian emergencies. 80 The important public interest and the general public interest of Article 13, Paragraph 1, Items 4 and 5 of the Personal Information Protection Law are to some extent similar to those of the GDPR.
Comparing “the processing is necessary to respond to public health emergencies or protect the life, health or property safety of natural persons under emergency circumstances” with “personal information is processed within a reasonable scope to conduct news reporting, public opinion-based supervision, or other activities in the public interest,” it can be found that the former is faced with a more-urgent crisis or infringement of life, health, or property safety of natural persons. Therefore, the former defines the exceptions from informed consent as “necessary,” while the latter is “reasonable scope.” The key to understanding “necessary” and “reasonable scope” is the principle of proportionality. First, public health emergencies should be comparable to emergencies that seriously threaten the life, health, and property safety of natural persons, both of which will cause social unrest and unhappiness. Second, public health emergencies and serious threats to the life and health of natural persons and property security should have different degrees. What needs to be prevented is to replace the concept of “necessary” with “reasonable scope.”
In terms of the specific definition of public interest, some scholars hold that when expert agencies or experts believe that public health emergencies will pose an urgent or significant threat to public health based on professional scientific knowledge, state organs can follow more relaxed procedures and substantive requirements in handling personal information. When such threats are weakened, state organs should follow more stringent requirements. 81 This viewpoint takes the expert opinion standard, and the results are highly dependent on the level of the individual experts.
We hold that China’s prosecutorial organs have the function of initiating public interest litigation against the violation of personal information, and the standard of public interest can be explored from the perspective of prosecutorial public interest litigation. From this perspective, the social public interest in the Personal Information Protection Law is divided into three levels, namely: the transformation of numerous individual interests to social public interests; the value of order and efficiency in the legal use of information and data; and that individuals become interest groups in need of special protection in the face of information handlers. These three levels constitute the three starting points of prosecutorial public interest litigation. 82 This public interest should be taken as a reference for the public interest in Article 13, paragraph 1, Item 5 of the Personal Information Protection Law. The strict nature of the prosecutorial public interest litigation system and the intelligence advantages of state organs have opened up a nationalistic protection path for personal information protection, which can effectively make up for the deficiencies of private law protection. 83
B. The ethical toolbox for regulating processing DMD in China
The ethical toolbox is also vital to regulating processing DMD in China.
Paying Particular Attention to Handling Specific Groups’ DMD
“The ethical risk connotation of emerging technologies focuses on the prediction and analysis of the potential negative effects of technologies. In essence, it is about perceiving complex and diverse ethical conflicts in the application of technologies.” 84 When AI technology is used to process DMD, special attention should be paid to the security of the DMD of special groups, so as to avoid adverse consequences such as algorithmic discrimination or algorithmic decision-making errors. There are many reasons for algorithmic discrimination: the data used for algorithm training may itself contain discriminatory elements, the algorithm developer may integrate their own discriminatory position into the algorithm program, or the input data and output results of the algorithm may not be interpretable. 85 In the processing of DMD, which groups should be given special attention is not made clear in the Information Security Technology—Guide For Health Data Security (GB/T 39725-2020).
Typically, factors such as gender, age, and medical conditions may be used to identify vulnerable groups. In this regard, the provisions of the Personal Information Protection Law are very simple. Article 31 of the law stipulates that “Where a personal information processor processes the personal information of a minor under the age of fourteen, it or he shall obtain the consent of the minor’s parents or other guardians. A personal information processor that processes the personal information of a minor under the age of fourteen shall develop special personal information processing rules.” The Personal Information Protection Law only provides special protection for minors, but ignores other socially vulnerable groups such as the elderly, women, people with disabilities, and patients with rare diseases, and the scope of protection is obviously insufficient.
First, the management system of DMD for special populations should be scientifically designed.
On the one hand, the law should clarify the scope of special groups in the processing of DMD, so as to strengthen their protection. To adapt to the structural changes in health care data and privacy interests, identifying the group dimensions included in privacy interests is an important attempt. 86 Taking the DMD of the elderly as an example, the elderly are in the second half of their lives, and their medical and health information has considerable research value. At the macro level, DMD of the elderly can be used to draw a population portrait, which helps the country adjust the direction of medical and health services for the elderly in a timely manner. At the micro level, analysis of the DMD of the elderly can yield information such as the disease situation of the elderly group, which drugs are usually needed to treat specific diseases, how many courses of treatment are needed, and how much they cost. These data are necessary for accurate medical and health work.
On the other hand, DMD of special populations should be classified and managed. Information Security Technology—Guide For Health Data Security (GB/T 39725-2020) puts forward the requirements for data classification in “11.3 clinical research data security.” In the scenario of scientific research use, data can be divided into public data sets, restricted data sets, identifiable data sets, and other types. Different types of medical data of special populations should be classified into different data sets, and alternative management methods, use methods, and use permissions should be adopted.
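The following is an added illustration of the tiered data sets just described, not code from the article or from GB/T 39725-2020: the three data set types (public, restricted, identifiable) follow the standard’s clinical-research classification as the text presents it, while the field names, the rule that special-population records never enter the public set, and the role table are assumptions made for this example.

```python
from copy import deepcopy
from typing import Optional

# Added example: the three data set types follow the clinical-research
# classification of GB/T 39725-2020 as described above; the field names,
# the special-population rule and the role table are assumptions.
DIRECT_IDENTIFIERS = {"name", "id_number", "phone"}
QUASI_IDENTIFIERS = {"birth_date", "district"}
TIERS = ("public", "restricted", "identifiable")

# Assumed role-to-data-set permissions; each set is granted explicitly.
ROLE_TIERS = {
    "open_researcher": {"public"},
    "approved_researcher": {"public", "restricted"},
    "data_custodian": set(TIERS),
}

# Constructed sample record, not real patient data.
SAMPLE = {"name": "Patient A", "id_number": "PLACEHOLDER-ID", "phone": "PLACEHOLDER",
          "birth_date": "1950-03-02", "district": "District-X", "age": 74,
          "diagnosis": "hypertension", "special_population": "elderly"}

def age_band(age: int) -> str:
    """Coarsen an exact age to a ten-year band for the public set."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def derive_view(record: dict, tier: str) -> dict:
    """Copy of a record containing only what the given data set may hold."""
    view = deepcopy(record)
    if tier == "identifiable":
        return view
    for key in DIRECT_IDENTIFIERS:          # restricted and public: no direct IDs
        view.pop(key, None)
    if tier == "restricted":
        return view
    for key in QUASI_IDENTIFIERS:           # public: no quasi-identifiers either
        view.pop(key, None)
    if "age" in view:
        view["age"] = age_band(view.pop("age"))
    return view

def request(role: str, record: dict, tier: str) -> Optional[dict]:
    """Return the requested view, or None when policy refuses the request."""
    if tier not in ROLE_TIERS.get(role, set()):
        return None                         # role not cleared for this data set
    if tier == "public" and record.get("special_population"):
        return None                         # special groups stay out of the public set
    return derive_view(record, tier)
```

Each lower tier is derived from the identifiable source record, so a record can be placed in several data sets with permissions enforced per set rather than per field.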
Second, the processing of DMD for special populations should be aimed at aiding patients, and the data processing mode should be innovated appropriately according to local conditions. “Rare diseases refer to those with a very low prevalence rate, characterized mainly by genetics, severe conditions, difficult diagnosis and treatment, and high medical costs.” 87 DMD related to rare diseases are specialized and valuable resources. The population of rare disease patients is small, and the channels through which their DMD circulate are poorly developed. The traditional legal framework for DMD cannot effectively meet the challenges of rare disease prevention and treatment. There are no unified sharing rules or standards for distributing the DMD of rare disease patients, which increases the risk of rare disease data being inappropriately processed or abused. This in turn raises the risk that rare disease patients suffer data leakage or discrimination.
In this regard, some scholars believe that the data sharing model for rare diseases can be innovated through data trusts. 88 The data trust proposal aims to address the unbalanced power structure in which individuals are unable to protect their data while data controllers have absolute control over it. 89 A data trust has a triangular structure of principal, trustee, and beneficiary. The principal entrusts the data to the trustee; the trustee, which has the professional capacity and corresponding obligations, processes the data; and the beneficiary benefits from it. For patients with rare diseases, the purpose of contributing their medical and health information is to see the hope of curing their diseases. The data trust can promote data circulation, which better serves the vital interests of patients with rare diseases.
Enhancing Accountability of Handling DMD
Chinese law stipulates criminal, administrative, and civil liability for the violation of personal information. For example, at the level of criminal responsibility, the Criminal Law establishes the crime of violating citizens’ personal information. 90 The Criminal Law regulates the acts of selling, providing, stealing, or otherwise illegally obtaining citizens’ personal information, and imposes heavier punishment on those who sell or provide personal information obtained in the course of performing their official duties or providing services.
At the level of administrative responsibility, Article 66 of the Personal Information Protection Law stipulates administrative liability. 91 If the security of DMD itself is considered, the relevant responsibilities are also administrative responsibilities under the Data Security Act. At the level of civil liability, Article 69 of the Personal Information Protection Law 92 and Article 1226 of the Civil Code 93 stipulate tort liability.
To strengthen accountability for the improper processing of DMD, government departments need to improve the inspection of illegal acts, and the rights-protection awareness of information subjects needs to be strengthened. The community has a deep understanding of the harm caused by illegal processing of DMD. Accountability for the illegal processing of DMD is difficult because the illegality of DMD processing is hard to detect. The only part of DMD processing that patients can see may be the informed consent decision made at the time of visiting a doctor; patients do not know the likely destination or potential uses of their DMD. It is unrealistic and irresponsible to place the burden of discovering illegal facts on patients themselves. It is most appropriate for administrative departments to increase the supervision of DMD in order to pursue legal responsibility. Fundamentally, administrative agencies are far better positioned than natural persons, in both capability and cost, to detect illegal data processing.
Individuals should also strengthen their legal awareness, try to discover in time that their medical and health information has been processed illegally, and act to protect their rights promptly. In China, the incident known as the “first case of face recognition” arose when Hangzhou citizen Guo Bing found that Hangzhou Wildlife World had switched the verification method for his membership card from fingerprint recognition to face recognition. The Primary People’s Court of Fuyang District of Hangzhou City ordered Wildlife World to delete the facial information Guo Bing had submitted when applying for an annual card. The Hangzhou Intermediate People’s Court upheld the original judgment and further ordered Wildlife World to delete Guo Bing’s fingerprint identification information. 94 The case was subsequently selected as one of the top ten cases of the People’s Courts of China in 2021.
V. CONCLUSION
The legal and ethical considerations for processing DMD in China are a key issue. In this article, we focus upon the parameters of DMD in the context of China’s legal framework and identify related applications of DMD. We explore the legal issues involving processing DMD in China: (1) individual control right/informed consent; (2) institutional obligations; (3) security impact assessment; (4) secondary use compliance. We also find ethical issues involving processing DMD in China, involving (1) group bias and other data flaws and (2) privacy risks. Building on the above analysis, we propose legal and ethical “toolboxes” for regulating processing DMD in China. In the legal toolbox, there are four tools, including (1) optimizing individual permit and authorization; (2) creating three types of obligations; (3) promoting responsible and explainable security impact assessment; (4) identifying public interest standards. In the ethical toolbox, there are two tools, including (1) paying particular attention to handling specific groups’ DMD; (2) enhancing accountability of handling DMD.
