Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · PHARMA-DATA SUPPLIER CREDIT-COMPLIANCE RULES (DRAFT)

Implementing Rules for the Credit-Compliance Certification and Assessment of Pharmaceutical-Data Supplier Entities (Shenzhen Data Exchange — Draft / Redline).

医药数据供方主体信用合规认证评估实施细则(深圳数据交易所·征求意见/红线稿)

Editor’s note — this is a DRAFT industry rule, not a government regulation. This instrument is an implementing rule for a credit-compliance certification programme operated by the Shenzhen Data Exchange (深圳数据交易所有限公司), a data exchange — not a law, administrative regulation, or departmental rule issued by a Chinese state organ. The source document is a tracked-changes (“redline”) V3 draft; the translation below renders the clean current text of that draft and omits the redline markup. The rule’s force, if adopted, is contractual/self-regulatory: it sets the conditions a data supplier must satisfy to obtain the Exchange’s A/AA/AAA credit-compliance certification before supplying medical-health data on the Exchange. Every substantive requirement in the source carries a footnote citing the underlying Chinese law or rule from which it is derived; those citations are preserved in summary form in the Source-citation map at the end. Read this as a window into how an exchange packages China’s health-data compliance regime into a certification checklist — not as an independent legal authority.


[Purpose]

In order to advance the credit-compliance certification work of Shenzhen Data Exchange Co., Ltd. (the “Exchange”), to protect citizens’ personal-information rights and interests and national data security, and to promote the compliant and high-quality development of the medical-health data-element market, these Implementing Rules are formulated in accordance with relevant national laws and regulations, the Measures for the Administration of Data-Transaction Credit of Shenzhen Data Exchange Co., Ltd. (Trial) and the Guidelines for the Credit-Compliance Certification and Assessment of Supplier Entities in the Data-Element Market (General) (the “General Certification Guidelines”), and in light of the Exchange’s actual circumstances.

[Scope of application]

These Implementing Rules apply to healthcare institutions that apply to the Exchange for entity credit-compliance certification. Other entities that process medical-health data (such as enterprises, public institutions, and research institutions) may apply them by reference.

“Healthcare institutions” as used in these Implementing Rules means primary-level healthcare institutions, hospitals, and specialized public-health institutions, among others.

“Medical-health data” as used in these Implementing Rules means health-and-medical-related data generated in the course of disease prevention and treatment, health management, and the like.


[Grade-A compliance standard]

Where a certification object applies for Grade-A certification, in addition to satisfying the Grade-A compliance requirements set out in the General Certification Guidelines, it shall also satisfy the following requirements.

Entity-qualification requirements

Where the certification business scope for which the certification object applies requires approval, filing, or the obtaining of relevant qualifications, the certification object shall obtain them before applying and shall ensure that the approval, filing, or qualification remains within its validity period — including, but not limited to, the medical-institution practising licence, the drug-clinical-trial approval, the drug-clinical-trial-institution filing, and human-genetic-resources-related permits and filings.

Entity data-management-system build-out

  1. The certification object shall establish a network-security-and-informatization leadership group, headed by the certification object’s principal person in charge, and shall hold at least one meeting per year on network security, data security, and personal-information protection to deploy key security work and implement the “top-leader” responsibility system.

  2. The certification object shall establish a data-security management organizational structure in which the principal person in charge is the unit’s first-responsible person for data-security and personal-information-protection management and the person in charge of the relevant business is the directly responsible person; shall define the management responsibilities of the competent department, operating department, informatization department, and using department of each network; and shall, by means of security responsibility undertakings and the like, regulate the rights and responsibilities of the data-management, business, and informatization departments across the full data-security-management lifecycle, establishing a data-security work responsibility system and implementing an accountability system.

  3. The certification object shall establish and improve network-O&M-management and full-process medical-health-data-security-management systems (including a dedicated personal-information-protection management system), operating procedures, and technical specifications, and shall revise the management systems concerned at least once per year.

  4. The certification object shall implement a classification-and-grading protection system for medical-health data, defining specific protection requirements at each stage for data of different categories and grades. The certification object shall regularly sort its healthcare-institution data and, in accordance with relevant law and the health-sector data classification-and-grading requirements, divide medical-health data into core data, important data, and general data. Where data of different categories and grades are processed simultaneously and protection measures cannot readily be applied separately, protection shall be implemented to the requirements of the highest grade among them. Derivative data produced from medical-health data through processing activities such as de-identification, labelling, statistics, and aggregation/fusion shall be re-assessed and re-graded on the basis of the grading of the original data.

    After the grade of medical-health data is determined, where any of the following occurs — (1) the content of the medical-health data changes substantially, or (2) the content is unchanged but the data scale, timeliness, application scenario, or processing method of the healthcare institution changes substantially, or other circumstances requiring a grade change arise — the grade of the healthcare-institution data shall be changed promptly.

  5. The certification object shall strengthen physical-security protection, improving security controls for equipment rooms, the office environment, and O&M sites to prevent information leakage caused by unauthorized access to the physical environment. It shall strengthen remote-O&M management; where remote O&M over the Internet is genuinely required for business, it shall conduct assessment and feasibility analysis and adopt corresponding security-control measures to prevent security incidents arising from the exposure of remote ports.

  6. The certification object shall, in accordance with the Cryptography Law and related laws, regulations, and cryptography-application standards, plan, build, and operate cryptographic-protection measures simultaneously with network construction, and use cryptographic products and services that meet the relevant requirements.

  7. The certification object shall establish network-security-management systems for the procurement, installation and commissioning, operation and use, maintenance and repair, and scrapping and disposal of medical equipment; implement security management over design, construction, operation, maintenance, and other services; procure secure network products and services; regularly inspect or assess the network security of medical equipment; and adopt corresponding security-control measures.

  8. The certification object shall implement graded storage of medical-health data; in accordance with relevant laws, regulations, and standards, select an appropriate data-storage architecture and medium and store data within the territory of China; and adopt measures such as backup and encryption to strengthen storage security. Where data are stored in the cloud, the potential security risks shall be assessed. The data-storage period shall not exceed the retention period determined by the data-use rules.

  9. The certification object shall possess data-storage, disaster-recovery-backup, and management conditions that meet the relevant national requirements; establish a reliable disaster-recovery-backup mechanism for medical-health information; and conduct regular backup and recovery testing to ensure that data can be recovered timely, completely, and accurately, achieving long-term preservation and archival management of historical data.

  10. The certification object shall conduct security management of decommissioned networks, perform risk assessment on the related equipment, and promptly seal or destroy it; when destroying data, it shall use a destruction method that ensures the data cannot be restored, paying particular attention to data-residue risk and data-backup risk.

  11. The certification object shall establish a monitoring-early-warning and emergency-response mechanism, promptly obtain vulnerability information, and adopt measures such as upgrade patches, configuration updates, and system hardening to guard against risk. The certification object shall, relying on the national network-security information-notification mechanism, strengthen the build-out of network-security notification and early-warning capabilities, formulate network-security and data-security emergency response plans, and conduct drills regularly.

    Where a health administrative department finds that data processing presents significant risk or that an incident has occurred and urges the certification object to handle and rectify it promptly, the certification object shall promptly rectify and reinforce against the notified vulnerabilities and hazards, and cooperate with the cyberspace-administration and public-security organs in conducting verification and investigation.

    The certification object shall promptly report, to the risk-information reporting-and-sharing mechanism established by the National Health Commission, hazards that may cause core- or important-data security incidents.

    Where an incident occurs, the certification object shall handle it promptly; where core or important data are involved, it shall report promptly; and after handling is completed, it shall produce a summary report, notify users as prescribed, and report to the competent department.

  12. A certification object that has a Level-2-or-above network shall designate the functional department responsible for network-security-management work, define the posts bearing security-supervisor and security-administrator responsibilities, establish a network-security-management system framework, strengthen network-security protection, and reinforce emergency response.

  13. The certification object shall strengthen business-continuity management and continuously monitor network-operation status. For Level-3-and-above networks, it shall strengthen redundant backup of key links and key equipment.

  14. The certification object shall conduct annual security self-inspection in various forms — including document verification, vulnerability scanning, and penetration testing — and report the self-inspection and rectification status to the higher-level health administrative department as required.

  15. The certification object shall build a data-security-management personnel team and conduct regular security education and training to raise the security awareness and capability of all staff.

  16. The certification object shall strictly manage the routine processing of data and personal information, define operating permissions, regularly conduct security-risk assessment, promptly rectify risk issues, and submit risk-assessment reports.

  17. Where the certification object conducts Internet diagnosis-and-treatment activities, it shall establish and improve the relevant management systems and service processes, possess equipment and facilities, information systems, technical personnel, and an information-security system meeting Internet-technology requirements, and implement Level-3 information-security multi-level protection. The certification object shall ensure that Internet diagnosis-and-treatment activities are traceable and leave a full audit trail, and shall open data interfaces to the regulator.

  18. Where the certification object constitutes a critical-information-infrastructure operator, it shall formulate a critical-information-infrastructure security-protection plan, establish and improve data-security and personal-information-protection systems, conduct security background checks on the person in charge of the security-management body and personnel in key posts, and strengthen the management of personnel involved in network operation.

  19. Where the certification object applies new technologies such as big data, artificial intelligence, and blockchain to conduct services, it shall, before going live, assess the security risks of the new technology and implement security controls to achieve a balance between application and security. Where the use of new technologies such as artificial intelligence involves personal information such as medical records, security must be ensured.

  20. The certification object shall manage and use medical-health data involving state secrets in accordance with the relevant national confidentiality provisions, having established a management-and-use system for medical-health data involving state secrets, with strict management over the production, review, registration, copying, transmission, and destruction stages.

Entity data-business compliance

Data compliance within the certification business scope

Lawful sourcing

a. Where the certification object collects medical-health data through diagnosis-and-treatment activities, it shall comply with the relevant requirements of the General Certification Guidelines.

b. Where the certification object collects medical-health data through clinical-trial activities, it shall satisfy the relevant requirements of the General Certification Guidelines and, in accordance with the Personal Information Protection Law, the Good Clinical Practice for Drugs, the Good Clinical Practice for Medical Devices, and the like, and the ethical requirements and principles of the Declaration of Helsinki and the like, pass ethics review and obtain the informed consent of subjects for the drug clinical trial. Such informed consent shall include (1) consent to the clinical-trial activity and (2) where medical-health data are to be re-used, consent to the secondary use of the medical-health data.

Where the certification object uses human-genetic-resources materials to generate data and other information, it shall ensure that its collection and preservation of human genetic resources meet the relevant legal and regulatory requirements:

  1. Collecting important genetic families of China, human genetic resources of specific regions, or human genetic resources of the types and quantities prescribed by the health authority of the State Council shall require the approval of the health authority of the State Council.

  2. Collecting human genetic resources of China shall require informing the provider in advance of the purpose and use of the collection, the possible health impact, the personal-privacy-protection measures, and the provider’s right to participate voluntarily and to withdraw unconditionally at any time, and obtaining the provider’s written consent.

  3. Preserving human genetic resources of China and providing a basic platform for scientific research shall require the approval of the health authority of the State Council; strengthening the management and monitoring of the preserved human genetic resources; adopting security measures and formulating emergency plans to ensure the safety of preservation and use; completely recording the preservation status; properly retaining the source and use information; ensuring lawful use; and submitting an annual report on the preservation of human genetic resources to the health authority of the State Council.

c. Where the certification object collects medical-health data generated in the course of operations management, it shall comply with the relevant requirements of the General Certification Guidelines.

d. Where the certification object obtains medical-health data through a third party, it shall comply with the relevant requirements of the General Certification Guidelines, conduct a review of the lawfulness of the data source, and be able to prove that the third party’s collection, use, and provision to the certification object, and the certification object’s use, of the medical-health data already comply with the relevant legal and regulatory requirements. Where the data constitute electronic-medical-record information, the certification object shall verify the lawfulness, integrity, and security of the information source, and shall, by reference to internal management requirements, establish detailed receipt, storage, and use records to make the data flow traceable. The certification object shall sign a data-procurement agreement with the medical-health-data provider, stipulating the rights and obligations of both parties with respect to source lawfulness and the like.

Lawful internal processing

a. General rules

a) The certification object shall conduct data collection, storage, transmission, processing, use, exchange, destruction, and other full-lifecycle data activities within the territory of China.

b) The certification object shall establish strict electronic real-name authentication and data-access control, set data-processing permissions according to post responsibilities under the principle of least authorization, and adjust permissions promptly when personnel change. The certification object shall standardize trace management of the access, use, and destruction of medical-health data, strengthen log retention and management, and ensure that any data-leakage incident or risk can be traced to the responsible unit and responsible person.

c) The certification object shall, at each stage of the full data lifecycle, comprehensively apply technical means such as encryption, authentication, attestation, de-identification, anonymization/de-labelling, digital watermarking, verification, and auditing.

d) The certification object shall establish and improve a data-use application-and-approval process, following the principle of “whoever is in charge reviews,” adhering to prior application and approval, in-process supervision, and after-the-fact review, and strictly implementing the procedure of business-department consent, leadership approval, and IT-department support and execution. Each using department and user shall use data strictly in accordance with the purpose and scope stated in the application and shall be responsible for data security.

e) Where the certification object entrusts or jointly processes data, it shall strictly review and approve, define the entrusted party’s permissions and responsibilities, and supervise performance. Where cloud-computing services are used, it shall select a service provider that has passed security assessment and comply with the relevant regulatory requirements for processing medical-health data.

f) The certification object shall agree in writing on the obligations and responsibilities of, and implement accountability for, units engaged in informatization construction and O&M, medical-equipment manufacturing and operation, and the like.

g) Where data are transferred or destroyed due to merger, division, dissolution, bankruptcy, or the like, security measures shall be adopted and the disposal plan reported in advance to the local health administrative department. Where the data catalogue changes, it shall be reported promptly.

h) The certification object and its personnel shall not engage in the following acts: (I) unlawfully collecting, collecting beyond scope, or stealing data; (II) unlawful storage — failing to store important data within the territory, or failing to adopt measures such as backup and encryption; (III) unlawful transmission — transmitting core, important, or sensitive data via email, network disks, social-media software, and the like; (IV) unlawfully providing data overseas — failing to declare an outbound assessment as prescribed; (V) ultra-vires use, tampering with or deleting logs, or unsupervised remote O&M; (VI) processing data without authorization, or subcontracting/sub-letting projects without authorization; (VII) providing externally or disclosing undisclosed data without approval; (VIII) arbitrarily disclosing data, or disclosing it despite significant impact; (IX) failing to thoroughly erase data when equipment is scrapped or repurposed; (X) concealing data-security incidents or failing to report and handle them as prescribed.

i) Where the certification object processes important data, it shall fulfil the following requirements:

i. After identifying important data, the certification object shall report to the local health administrative department; the reported content shall include, but not be limited to, the source, category, grade, scale, processing purpose and method, responsible entity, cross-border transmission, and security-protection measures of the healthcare-institution data — but not the content of the healthcare-institution data itself.

ii. It shall define the data-security person in charge and management body, implement protection responsibilities, conduct risk assessment annually, and submit the report to the health administrative department at or above the provincial level, which shall promptly notify the cyberspace-administration and public-security organs at the same level. Except for the performance of statutory duties or obligations, risk assessment shall be conducted before providing, entrusting the processing of, or jointly processing important data.

  Where the certification object provides important data to, or entrusts its processing to, another data processor, it shall stipulate by contract the processing purpose, method, scope, and security-protection obligations, and supervise the receiving party's performance.

iii. The processing of important data shall record security logs; where security-incident handling and tracing are involved, logs shall be retained for not less than one year; where provision, entrustment, or joint processing is involved, for not less than three years.

iv. The storage and processing of important data shall implement Level-3-and-above network-security multi-level protection. The storage and processing of core data shall, where critical information infrastructure is involved, implement critical-information-infrastructure security-protection requirements; where it is not involved, implement Level-4 multi-level protection. Where the data content changes substantially and the grade must change, re-grading and re-filing shall be done promptly. Where laws and regulations require the use of commercial cryptography, those provisions shall prevail.

j) Where the certification object processes core data, it shall fulfil the following requirements:

i. The provision, transfer, or sharing of core data across legal-person entities shall adopt security-protection measures; where the annual cumulative amount may reach 30% or more of the static total of the preceding year, it shall be reported to the National Health Commission for organization of a risk assessment by the relevant departments. The lawful performance of duties by state organs and internal circulation are excepted.

ii. The processing of core data shall, on top of important-data protection, also: (I) give priority to commercial-cryptography protection; (II) give priority to secure and trustworthy products and services; (III) give priority to entrusting third-party assessment institutions to conduct risk assessment; (IV) retain the relevant logs for not less than three years; and (V) submit personnel in key posts and the units that build and operate-and-maintain core-data systems for national-security background review.

k) Where the certification object processes personal information, the healthcare institution shall, in accordance with the Administrative Measures for Personal-Information-Protection Compliance Audits, conduct compliance audits regularly, either itself or by entrusting a professional institution.

Where the certification object entrusts the processing of personal information, it shall conduct a personal-information-protection impact assessment in advance, sign an entrustment-and-confidentiality agreement defining the scope, purpose, period, method, types of information, protection measures, and rights and obligations, and supervise performance. The entrusted party shall not process beyond what is agreed; upon termination of the contract it shall return or delete the information and shall not sub-entrust without authorization. The entrusted party shall conduct pre-post training and pre-departure review.

The certification object and its personnel shall not engage in the following acts: (I) unlawfully processing, illegally trading, or disseminating personal information so as to endanger national security or the public interest; (II) unlawful collection by means of misleading, fraud, coercion, and the like; (III) collecting beyond scope or excessively — for example, where a website or App operated by the healthcare institution collects location and other personal information beyond scope; (IV) ultra-vires retrieval — for example, where the failure to adopt effective identity-verification means allows unrelated, unauthorized persons to query others’ medical records — failing to manage permissions dynamically, failing to implement protection of special groups, or failing to make operations traceable; (V) unlawfully providing information without consent, or beyond the statutory necessary scope; (VI) unlawful disclosure — failing to de-identify displays in public areas, disclosing in public scenarios without consent, or leaking via social-media software, photographs, screenshots, and the like (for example, where the healthcare institution publicly discloses imaging pictures, textual descriptions, and other information containing patients’ personal information without patient consent); (VII) unlawfully providing information overseas without obtaining separate consent or fulfilling notification obligations; (VIII) abusing facial recognition — compelling the use of the face as the sole verification method, or transmitting facial information in violation of regulations.

b. Special rules

a) Where the certification object processes medical-health data collected through diagnosis-and-treatment activities:

i. Where the medical-health data processed is electronic-medical-record (EMR) information, the certification object shall additionally meet the following requirements:

  1. Establish a graded-management system for the EMR information system, with standardized workflows for the creation, recording, modification, preservation, and transmission of EMRs and a defined scope of use-and-management permissions. Establish a long-term oversight mechanism for EMR-information use, preventing and promptly handling the unreasonable retrieval, use, and forwarding of EMR information, so as to ensure that EMR-information use is lawful, compliant, secure, and controllable. Establish an emergency-handling system and a sound handling process for EMR-information-leakage scenarios.

  2. According to the importance, sensitivity grade, and use scenario of the EMR information, strictly implement graded and classified access control and permission management. Following the principle of minimum availability, define graded access permissions and time limits for clinical-diagnosis-and-treatment, teaching, management, and other relevant personnel according to post responsibilities, role tasks, and use needs, and strictly prohibit the unauthorized consultation, copying, dissemination, or tampering of medical-record information. When public-opinion events relating to medical treatment occur, immediately seal the relevant information of the persons involved; unrelated persons shall not access, browse, record, or forward it.

  3. Provide EMR-system operators with proprietary identity identifiers and identification means, and set corresponding permissions. Make clear that operators are responsible for the use of their own identity identifiers and shall not, in violation of regulations, collect, use, transmit, divulge, or trade patients’ medical-record information, or disseminate it via network channels.

  4. Sign strict confidentiality and authorization agreements with external service providers that provide information-system maintenance, data-analysis, and similar services, defining the scope, purpose, and period of their access to the EMR system, and subjecting them to the medical institution’s supervision during service to ensure data security.

  5. Ensure that the EMR system’s records of each operation, operation time, and operator are queryable and traceable. Support technical means such as digital watermarking to ensure a trail is left during use. When sharing EMR information, the certification object shall have a strict authorization mechanism and approval process to ensure information security and tamper-resistance.

  6. Establish an EMR-information security-protection system, conduct regular security assessments, and promptly issue alerts and notify higher-level managers of abnormal access or unauthorized operations, so as to effectively guard against potential security risks.

  7. Outpatient/emergency medical records shall be retained for not less than 15 years from the patient’s last visit; inpatient medical records shall be retained for not less than 30 years from the patient’s last discharge.

ii. Where the medical-health data processed is data generated in the course of using medical devices, the certification object shall additionally meet the following requirements:

  1. Purchase medical devices from qualified medical-device manufacturers and operators; obtain and verify the supplier’s qualifications, medical-device registration certificate or filing voucher, and other supporting documents; conduct acceptance in accordance with the relevant provisions; and record and retain the inspection-on-receipt status.

  2. Have storage premises and conditions commensurate with the variety and quantity of medical devices in use; staff a medical-device quality-management body or quality-management personnel commensurate with its scale as required by law; establish a use-quality-management system covering the whole quality-management process; strengthen the technical training of staff; and use medical devices in accordance with product manuals and technical operating specifications.

  3. Establish a pre-use quality-inspection system and a maintenance-and-repair management system for medical devices. Establish use records for implantable and interventional medical devices. For large medical devices with a long service life, establish a use archive for each unit, recording its use and maintenance, with a retention period of not less than five years after the expiry of the prescribed service life or five years after the termination of use.

  4. Actively assist medical-device manufacturers in investigating and assessing defective products, proactively cooperate with manufacturers in fulfilling recall obligations, and promptly convey and feed back recall information according to the recall plan so as to control and retrieve defective products.

    Where the certification unit discovers that a medical device it uses may be a defective product, immediately suspend the sale or use of that device, promptly notify the manufacturer or supplier, and report to the food-and-drug administration and health administrative department of the province, autonomous region, or municipality where it is located.

  5. Where the certification object configures large medical equipment, it shall conform to the large-medical-equipment configuration plan formulated by the health authority of the State Council, be commensurate with its functional positioning and clinical-service needs, possess the corresponding technical conditions, supporting facilities, and qualified professional technical personnel, and be approved by the health authority of the people’s government at or above the provincial level and obtain a large-medical-equipment configuration licence.

    The certification object shall, in accordance with national laws and regulations, establish and improve information-security safeguard measures for the use of large medical equipment to ensure the operational security of the relevant information systems and the security of medical data.

iii. Where the medical-health data processed is data transmitted to the medical-insurance information system, the certification object shall safeguard the security of the medical-insurance-related information system, comply with the relevant data-security systems, and protect the privacy of insured persons. When reinstalling the information system, the certification object shall maintain effective docking of the technical-interface standards with the medical-insurance information system, and shall promptly, comprehensively, and accurately transmit to the medical-insurance information system the data required for medical-insurance settlement and review as prescribed.

b) Where the certification object processes medical-health data obtained through clinical-trial activities, it shall meet the following requirements:

  1. The certification object’s investigators shall ensure that all clinical-trial data are obtained from the source documents and trial records of the clinical trial and are accurate, complete, legible, and timely. Modifications to source data shall leave a trail, shall not obscure the original data, and shall record the reason for modification. For clinical trials with patients as subjects, the relevant medical records shall be entered into the outpatient or inpatient medical-record system.

  2. The certification object shall have the conditions to establish clinical-trial electronic medical records; the corresponding computerized system shall have sound permission management and an audit trail, traceable to the creator or modifier of the record, so as to ensure that the collected source data can be traced.

  3. Medical-health data used in clinical trials for drug-registration applications shall be retained for at least five years after the trial drug is approved for marketing; data for clinical trials not used for drug-registration applications shall be retained for at least five years after the termination of the clinical trial.

Where the certification object utilizes or externally provides human genetic resources, it shall meet the following requirements:

  1. Where the certification unit uses human genetic resources of China to conduct biotechnology research and development or clinical trials, it shall comply with the relevant laws, administrative regulations, and national provisions on biotechnology research and clinical-application management.

  2. Where the certification unit and a foreign party use human genetic resources of China to conduct international-collaborative scientific research, the two parties shall jointly apply, subject to the approval of the health authority of the State Council. Where the purpose is solely to obtain marketing authorization for the relevant drug or medical device in China and no human-genetic-resources materials leave the country, the types, quantities, and uses of the human genetic resources to be used shall be filed with the health authority of the State Council before the clinical trial is conducted.

  3. Where, in the course of using human genetic resources of China to conduct international-collaborative scientific research, major matters such as the collaborating party, research purpose, research content, or collaboration period change, change-approval procedures shall be handled.

    The certification unit and the two collaborating parties shall, within six months after the end of the international-collaboration activity, jointly submit a collaboration-research report to the health authority of the State Council.

c) Where the certification object processes medical-health data generated in the course of operations management — in particular, drug and medical-consumable usage information:

  1. The certification object shall establish and improve a management system for the information system, implement dedicated-personnel responsibility and encrypted management of statistical functions such as drug and medical-consumable usage in the information system, implement strict graded management and approval procedures for permissions to query drug and medical-consumable usage and similar information through the information system, set a trace function for queries of important and sensitive information in the information system, establish query logs, analyse them regularly, and promptly detect and handle abnormalities.

  2. The certification object shall sign information-confidentiality agreements with the IT personnel and bodies that provide routine maintenance, upgrades, and replacement of the information system and that install new systems and equipment, and set reasonable access permissions. External IT personnel and bodies shall complete handover procedures after finishing work, ensuring that passwords, equipment, technical materials, and related sensitive information are handed over according to standardized procedures.

  3. When the certification object provides drug and medical-consumable usage information to the administrative department or its authorized industry organization, and applies the relevant information in routine management, it shall strictly implement the relevant work systems to ensure information security at every stage.

Compliance of external circulation of medical-health data within the certification business scope

External circulation of medical-health data shall comply with the relevant requirements of the General Certification Guidelines; where the following scenarios are involved, it shall additionally comply with the following requirements:

(1) The certification object shall, when providing data externally, submit the matter to the internal data-use application-and-approval process as required, and supervise the receiving party’s security responsibilities. The certification object shall assess the security risks that may arise when publishing or sharing data and adopt necessary security-prevention-and-control measures, and shall promptly report the external provision of data to the local health administrative department.

The certification object shall regularly monitor sharing and invocation, audit operation logs, promptly detect and handle violations, and equip itself with authentication, authorization, threat-alerting, and similar measures.

Where data reporting is involved, the party proposing the data report shall be responsible for interpreting the reporting requirements and determining the reporting scope and rules, so as to ensure that data reporting is secure and controllable.

(2) The certification object shall, in accordance with the national provisions on the development and utilization of public-data resources, explore the establishment of a data-classification-grading authorized-operation mechanism, incorporate authorized operation into the leadership team’s collective decision-making, define the authorization conditions, model, period, exit mechanism, and security responsibilities, and authorize qualified institutions to conduct development, operation, and services.

(3) Where the certification object genuinely needs, for business reasons, to provide medical-health data overseas, it shall conduct a security assessment or review in accordance with the relevant laws, regulations, and requirements, and shall submit a national-security review for data-processing activities that affect or may affect national security, so as to prevent data-security incidents.

(4) Where the certification object provides or makes available human-genetic-resources information to foreign organizations or individuals, or to institutions established or actually controlled by them, it shall not endanger China’s public health, national security, or the social public interest; where it may affect China’s public health, national security, or the social public interest, it shall undergo a security review organized by the health authority of the State Council. Such provision or making-available shall be filed with the health authority of the State Council and an information backup submitted.

(5) The certification object shall strictly implement the Provisions on Establishing Adverse Records of Commercial Bribery in the Field of Pharmaceutical Procurement and Sales, and shall not, in any form, provide to pharmaceutical-marketing personnel, non-administrative departments, or industry organizations not authorized by the administrative department, the drug and medical-consumable usage information of individual medical personnel or departments, nor provide convenience for pharmaceutical-marketing personnel’s statistics. The drug and medical-consumable usage information that the certification object provides to the administrative department or its authorized industry organization shall be information at the level of the institution as a unit.


[Grade-AA compliance standard]

Where a certification object applies for Grade-AA certification, it shall satisfy the Grade-AA compliance requirements set out in the General Certification Guidelines, together with the provisions of Article 3 of these Implementing Rules.

[Grade-AAA compliance standard]

After obtaining Grade A or Grade AA, a certification object that simultaneously meets the following conditions may apply to be certified as Grade AAA:

  • having cumulatively conducted on-Exchange medical-health-data transaction business at the Exchange XX times or more, involving XX or more (inclusive) data-transaction buyers;
  • having a cumulative total value of on-Exchange medical-health-data transactions at the Exchange exceeding RMB XXX0,000, involving XX or more (inclusive) data-transaction buyers;
  • having cumulatively listed XX medical-health data products in the Exchange’s trading zone;
  • as of the certification-application date, the above conduct has been completed and no data-compliance-related complaint, dispute, litigation, or regulatory measure has arisen.

(The thresholds appear as placeholders “XX/XXX” in the draft source.)

These Implementing Rules shall be interpreted by the Compliance Department of the Exchange.

These Implementing Rules shall take effect from the date of release.


Source-citation map

The draft attaches a footnote to nearly every requirement, citing the underlying Chinese law or rule. The instrument is, in effect, a consolidation of those authorities into a single certification standard. The principal sources cited include:

  • Measures for Data Security and Personal Information Protection of Healthcare Institutions (Trial) — the single most frequently cited authority (data-classification grading into core/important/general data; responsibility system; cross-border and core-data thresholds; PI prohibition list; facial-recognition limits; AI-and-medical-records security; compliance audits; log-retention periods).
  • Measures for Cybersecurity Management of Healthcare Institutions (governance, MLPS, monitoring/incident response, backup, business continuity).
  • Measures for the Administration of Population Health Information (Trial) (graded storage; domestic storage; disaster-recovery backup; state-secret data).
  • Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial) (cross-border security assessment; audit trails).
  • Cybersecurity Law / MLPS, and the Cryptography Law (cryptographic protection).
  • Personal Information Protection Law and the Administrative Measures for Personal-Information-Protection Compliance Audits.
  • Regulation on the Administration of Human Genetic Resources and its Implementing Rules (collection/preservation approval and consent; international-collaboration approval and filing; outbound provision of HGR information).
  • Drug Administration Law; Good Clinical Practice for Drugs; Good Clinical Practice for Medical Devices (clinical-trial data integrity, source-data traceability, retention).
  • Regulation on the Supervision and Administration of Medical Devices (2024 Revision); Administrative Measures for the Supervision of Medical-Device Use Quality; Administrative Measures for Medical-Device Recall; Measures for the Administration of the Configuration and Use of Large Medical Equipment (Trial).
  • Provisions on Strengthening the Management of Prescription-Counting (统方) in Healthcare Institutions; Provisions on Establishing Adverse Records of Commercial Bribery in the Field of Pharmaceutical Procurement and Sales (drug/consumable usage-information controls).
  • Notice on Further Strengthening the Management of the Use of Electronic-Medical-Record Information in Medical Institutions; Provisions on the Administration of Medical Records of Medical Institutions (EMR controls; record-retention periods).
  • Administrative Measures for Internet Diagnosis and Treatment (Trial); Technical Guide for the Construction of Telemedicine Information Systems (2014 Edition) (Internet-diagnosis Level-3 protection; traceability).
  • Measures for the Administration of Designated Medical-Insurance Management of Medical Institutions (medical-insurance data transmission).
  • The 2026 Personal-Information-Protection Special-Action Announcement of the CAC, MIIT, and Ministry of Public Security (excessive collection; ultra-vires retrieval; unlawful image disclosure).

Reminder. The above is a faithful translation of the clean current text of a redline/draft certification rule from the Shenzhen Data Exchange. It is an industry self-regulatory certification standard, not a government regulation, and placeholder thresholds (“XX/XXX”) in the Grade-AAA section confirm its draft status. It is included here as a practical illustration of how a Chinese data exchange operationalizes the national health-data compliance regime into supplier-certification criteria; the binding obligations themselves arise from the underlying laws and rules listed in the source-citation map, several of which DCC covers as separate entries.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →