What does China plan to do with mountain of personal health code data amassed during zero-Covid?

Guangdong says it has deleted all all Covid-related data collected from users of provincial health code app
But some other regions plan to hang on to data to bolster digital governance initiatives

Coronavirus China

Vanessa Caiin Shanghai

Published: 12:00pm, 20 Feb 2023

Why you can trust SCMP

China’s abrupt abandonment of its stringent zero-Covid pandemic control strategy two months ago means people no longer need to scan a QR code when they enter restaurants, public transport, hospitals, office buildings or residential compounds.

But the massive amount of information collected from such scans during the almost three years the strategy was in place is still held in government-controlled databases around the country.

How local authorities will handle that mountain of personal information remains unclear, and that has prompted concerns about the protection of personal information and government accountability.

On Tuesday, Guangdong’s provincial government became the first regional administration to announce it would delete all Covid-related data collected from users of the provincial health code app.

11:33

Trace, test, lock down, repeat: Three years under China’s zero-Covid strategy

“We will thoroughly delete and destroy all data related to the services … to effectively safeguard the security of personal information,” a statement it posted on the health code app said, adding that, since its launch, the system had included strict technical and management measures to ensure the security of personal data.

The deletion of the data held in Guangdong was completed on Thursday, but other provinces’ approach to the same issue remains unclear, to the consternation of legal experts and members of the public.

Some regions, including Beijing, Shanghai and southwestern China’s Guizhou province, have said they will integrate their health codes with government platforms to aid in the provision of other public services, but experts say there is an insufficient legal basis for such moves.

Politburo hails ‘decisive victory’ over pandemic in ending zero-Covid policy

Shanghai’s big data centre said in mid-December that there were no plans to make the local health code defunct because “its applications are not limited to pandemic prevention and control, but also relate to other scenarios in the city’s public administration and services”.

Beijing announced in late December that the capital’s health code functions had been integrated into its government affairs platform, adding that data related to disease control work would be handled with “strict security management and timely removal”, and Guizhou said that same month that the local health code had been merged with the provincial government service platform to continue services related to healthcare and communities.

Local authorities’ use of the health code system – a major tool for Covid-19 control – sparked concerns about the abuse of administrative power over the past year. In June, many victims of a banking scandal who protested in Zhengzhou, the capital Henan province, found their health codes flagged them as Covid-19 risks, heightening fears that the extensive data collected by the authorities could be used for other purposes.

WHO chief says agency will ‘continue to push’ to uncover Covid’s origins

A person close to one provincial capital’s big data system said the data collected during the pandemic was of “high quality” and “more comprehensive” than data collected earlier, and was likely to be stored in a police database.

From February 2020, provinces across the country rolled out their own data-driven real-time health code systems that used different colours to indicate a person’s health status, with red and yellow codes mandating restrictions on travel and other everyday activities.

Data collected by the systems included users’ names, identity numbers, travel histories and health records – all deemed sensitive personal information under China’s Personal Information Protection Law, which came into effect in November 2021 and placed legal restrictions on how personal data can be collected, used and managed.

A man scans a Covid-19 health code before entering a supermarket in Zhengzhou, Henan province, in February 2020. Photo: Xinhua

Two months earlier, another law, the Digital Security Law, was implemented, becoming the first Chinese law to limit the ways data can be processed.

A document issued by the State Council, China’s cabinet, in 2021 said that personal information collected for disease prevention and control work should not be used for other purposes, and that health codes needed to be destroyed or “properly handled” after the pandemic ended.

The Personal Information Protection Law stipulates that the processing of personal data should be directly related to “a clear and reasonable purpose”, and that those processing it must take the initiative to delete it when “the processing purpose has been met, cannot be met, or the data is no longer required to achieve the purpose”.

Legal experts have said the country’s zero-Covid U-turn in December rendered the purpose of the health codes obsolete, as they were no longer checked at public venues and mandatory nucleic acid tests and quarantine were abandoned.

How zero-Covid was a costly lesson for China’s local governments

A similar digital travel pass system, the “Big Data Itinerary Card” used by all three major Chinese mobile phone carriers to track people’s movements, was terminated in December, with all data erased.

“The law is quite clear that the government authority no longer has a legitimate legal basis to keep the personal data it had gathered from the health code during the pandemic,” said Angela Zhang, an associate professor of law at the University of Hong Kong.

The Personal Information Protection Law mandated that consent was generally required for the processing of personal data, unless that processing was necessary to respond to public health emergencies or for other limited purposes, she said.

What does coronavirus have in store for China after massive wave of infection?

“The problem, however, is the non-compliance from the local authority,” Zhang said, adding that while higher-level government bodies were responsible for correcting infringements by lower-level authorities – and officials could also be subject to discipline – the “enforcement provision is very weak and lacks real teeth”.

Raymond Wang, a Beijing-based lawyer specialising in data protection, said retaining such sensitive personal data could pose a very high data security risk in the event of a data leak because the health codes had covered big populations and gathered massive amounts of information.

“Data security is part of national security,” he said. “The Data Security Law raises protection of data security to a national security perspective. The issue also matters to public interests and individual rights.”

02:22

China can see a ‘light of hope’ in Covid battle, says Xi Jinping in New Year’s message

However, Zha Yunfei, a scholar at Zhejiang University who discussed health code data storage issues with local officials during his research, told Caixin, a Chinese magazine, that local governments might not have strong incentives to completely destroy the data obtained in the past three years, and instead hoped to use it to bolster digital governance initiatives.

Zhang said that while the Personal Information Protection Law allowed governments to continue using health code data if they obtained “stand-alone consent from the individuals”, it was doubtful that informed citizens would give such consent because it did not seem to offer them much benefit.

Zhang said governments were also allowed to continue using the data as long as it was completely anonymised, but Beijing and Guizhou did not seem to be planning to do that and instead wanted to incorporate it into apps for public purposes.

“Above all, how the anonymisation process works remains a big question and there has yet to be clear guidelines on that,” she said.