To each provincial, autonomous region, and directly-governed municipalities' Committee on Network Security and Informatization, and relevant departments and committees of the Party Central Commission and state organs:
In order to do a good job in the protection of personal information in the joint prevention and control of pneumonia caused by novel coronavirus infection, and to actively use big data including personal information to support the joint prevention and control efforts, notice on related matters is hereby given as follows with the consent of the Central Network Security and Informatization Committee.
1. Each local department should attach great importance to the protection of personal information, and other than units other than departments authorized by the State Council Health and Hygiene Departments on the basis of the "P.R.C. Cybersecurity Law", the"P.R.C. Law on the Prevention and Control of Infectious Diseases", and the "Regulations on Emergency Response to Public Health Emergencies", units and individuals must not collect and use personal information without the consent of the subject of the person whose information is being collected for prevention and control of the epidemic or disease prevention and control. Where laws and administrative regulations provide otherwise, those provisions are controlling.
2. The collection of personal information necessary for joint defense and joint control should be done with reference to the national standards in the "Personal Information Security Specifications" and adhere to the principle of minimum scope, and in principle, the targets for collection should be restricted to key groups such as confirmed cases, suspected cases, and those with close contact; and in general should not target all groups in a specified area to prevent de facto discrimination against groups in that specified area.
3. Personal information collected for epidemic prevention and control or disease prevention and treatment, must not be otherwise used. Without the consent of the person whose information is being collected, units and individuals must not disclose names, ages, ID numbers, telephone numbers, home addresses, or other such personal information, except as needed for joint control efforts and after processing for desensitization.
4. Institutions that collect or have control of personal information should be responsible for protecting the security of personal information, and should employ strict management and technical protection measures to prevent theft and leaks.
5. Under the guidance of relevant departments, enterprises with the capacity are encouraged to actively use big data to analyze and predict the migration of confirmed cases, suspected cases, and persons with close contact, to provide big data support to joint prevention and control efforts.
6. Any organization and individual discovering violations of rules and laws in the collection, use, or disclosure of personal information may promptly report them to the departments for internet information or for public security. The departments of internet information should promptly address violations of rules and laws in the collection, use, or disclosure of personal information, as well as incidents causing leaks of large volumes of personal information, in accordance with the “P.R.C.Cybersecurity Law" and related provisions; the public security organs should strictly combat those involving crimes in accordance with law.
General Office of the Central Network Security and Informatization Committee
February 4, 2020