The introduction of data protection laws in many countries around the world was a welcome advance in recognising the value of data and the risks it might pose if that data were to fall into the wrong hands. It’s made things a little trickier for researchers, who now have to navigate not only their own country’s laws but also the laws of the partner country that they might be working in. Data protection, in spirit, is the same everywhere, but the nuances can be tricky to navigate. Here’s what you need to know about collecting data in the People’s Republic of China (PRC).

Data collecting: a matter of consent

Data collection in the PRC has many similarities to data collection in the UK: consent is required if you are collecting data from humans. What’s different about the PRC is that you need specific and separate consent for each general type of information (source). Which means you can’t just ask for permission to use personal, medical and financial data in the same sentence – each of these needs its own question that the participants can agree to (or not). In truth, it wouldn’t be a bad idea to do that all the time: it makes it super clear for the participants what you’re collecting and what they are agreeing to.

What’s personal information? What’s sensitive data?

Surprisingly, there’s an easy out-clause: anonymised data. If the data you are collecting is anonymous, then you don’t need to worry about consent (see Article 4). Note that it needs to be truly anonymous, not just de-identified or pseudo-anonymised. If you’re counting the number of times a gate is opened, for example, by watching who might open the gate, that would count as anonymous, provided you don’t record anything about the opener.

There is a very broad definition of personal information: “refers to various information related to an identified or identifiable natural person recorded electronically or by other means, but does not include anonymised information” (Article 4).

“Sensitive personal information” is personal information that once leaked or illegally used, may easily lead to the infringement of the personal dignity of a natural person or may endanger his [hers/their] personal safety or property, including information such as biometrics, religious belief, specific identity, medical health status, financial accounts, and the person’s whereabouts, as well as the personal information of a minor under the age of 14 years” (Article 28).

It’s interesting to note that anyone over the age of 14 would not need parental consent. In the UK, it would be 13 (source). These small differences are what make data protection and research a challenge!

Transferring data out of the PRC

To move collected data out of the PRC, what’s known as a cross-border transfer, you’ll need to contact the Cyberspace Administration of China (Article 38). I wasn’t able to find any practical information on how to do this, and I would suggest that researchers have a local contact to guide them through these administrative tasks.

Legislation

Three PRC laws are relevant: the Personal Information Protection Law, the Cybersecurity Law, and the Data Security Law.

Disclaimer

I am not a lawyer, nor have I done any research involving the PRC. The above post is my opinion only, and should not be taken as official guidance. I am not liable for any claims resulting from anything written in this post. I welcome any corrections at RDM@lboro.ac.uk.