journal article Nov 14, 2023

Personal Information Protection and Privacy Policy Compliance of Health Code Apps in China: Scale Development and Content Analysis

Abstract

Background
Digital technologies, especially contact tracing apps, have been crucial in monitoring and tracing the transmission of COVID-19 worldwide. China developed health code apps as an emergency response to the pandemic with plans to use them for broader public health services. However, potential problems within privacy policies may compromise personal information (PI) protection.


Objective
We aimed to evaluate the compliance of the privacy policies of 30 health code apps in the mainland of China with the Personal Information Protection Law (PIPL) and related specifications.


Methods
We reviewed and assessed the privacy policies of 30 health code apps between August 26 and September 6, 2023. We used a 3-level indicator scale based on the information life cycle as provided in the PIPL and related specifications. The scale comprised 7 level-1 indicators, 26 level-2 indicators, and 71 level-3 indicators.


Results
The mean compliance score of the 30 health code apps was 59.9% (SD 22.6%). A total of 13 (43.3%) apps scored below this average, and 6 apps scored below 40%. Level-1 indicator scores included the following: general attributes (mean 85.6%, SD 23.3%); PI collection and use (mean 66.2%, SD 22.7%); PI storage and protection (mean 63.3%, SD 30.8%); PI sharing, transfer, disclosure, and transmission (mean 57.2%, SD 27.3%); PI deletion (mean 52.2%, SD 29.4%); individual rights (mean 59.3%, SD 25.7%); and PI processor duties (mean 43.7%, SD 23.8%). Sensitive PI protection compliance (mean 51.4%, SD 26.0%) lagged behind general PI protection (mean 83.3%, SD 24.3%), with only 1 app requiring separate consent for sensitive PI processing. Additionally, 46.7% (n=14) of the apps needed separate consent for subcontracting activities, while fewer disclosed PI recipient information (n=13, 43.3%), safety precautions (n=11, 36.7%), and rules of PI transfer during specific events (n=10, 33.3%). Most privacy policies specified the PI retention period (n=23, 76.7%) and postperiod deletion or anonymization (n=22, 73.3%), but only 6.7% (n=2) were committed to prompt third-party PI deletion. Most apps delineated various individual rights: the right to inquire (n=25, 83.3%), correct (n=24, 80%), and delete PI (n=24, 80%); cancel their account (n=21, 70%); withdraw consent (n=20, 60%); and request privacy policy explanations (n=24, 80%). Only a fraction addressed the rights to obtain copies (n=4, 13.3%) or refuse advertisement of automated decision-making (n=1, 3.3%). The mean compliance rate of PI processor duties was only 43.7% (SD 23.8%), with significant deficiencies in impact assessments (mean 5.0%, SD 19.8%), PI protection officer appointment (mean 6.7%, SD 24.9%), regular compliance audits (mean 6.7%, SD 24.9%), and complaint management (mean 37.8%, SD 39.2%).


Conclusions
Our analysis revealed both strengths and significant shortcomings in the compliance of privacy policies of health code apps with the PIPL and related specifications considering the information life cycle. As China contemplates the future extended use of health code apps, it should articulate the legitimacy of the apps’ normalization and ensure that users provide informed consent. Meanwhile, China should raise the compliance level of relevant privacy policies and fortify its enforcement mechanisms.

Details
Published: Nov 14, 2023
Vol/Issue: 11
Pages: e48714-e48714
Cite This Article
Jiayi Jiang, Zexing Zheng (2023). Personal Information Protection and Privacy Policy Compliance of Health Code Apps in China: Scale Development and Content Analysis. JMIR mHealth and uHealth, 11, e48714-e48714. https://doi.org/10.2196/48714