Administrative Regulation of Health Code Application in the Post-Epidemic Era ()
1. Introduction
As China enters the post-epidemic era, on November 9, 2022, the National Health Commission and other departments jointly issued an important directive to address the new challenges facing digital governance (Asbury et al., 2021) . “The 14th Five-Year Plan for National Health Informatization states that by 2025, a systematic, reliable, and interconnected national health information platform should be established so that public health units can be more closely connected to it and achieve full coverage. Everyone should hold a mobile information management electronic health record and a set of well-functioning electronic health care codes, and the health code, which played a prominent role during the epidemic, will be a powerful guarantee for the construction of the national health information platform and will have a significant impact on the physical health of citizens in the future long term use” (Berkowitz & Basu, 2021) . For this reason, we must study the problems in the application of health codes and adopt specific measures to deal with them. In this context, it is particularly important to regulate the use of health codes through administrative regulations. The health code is a digital proof adopted by the governmental administrative system, which can be held by the administrative relative to prove his/her health status and has legal attributes. Some researchers have defined health codes as follows: “Health codes are generated by automatically comparing sensitive information provided by individuals in public big data and are the basis for law enforcement to prevent and control epidemics (Di Fusco et al., 2021) . Different color codes then indicate an individual’s level of risk for epidemics.” The promotion of health codes has become an innovation in China’s digital governance with positive control effects, but it also poses a threat to the security of personal data by unduly limiting its benefits. In the absence of effective legal guidance, personal data is under serious threat of being unduly restricted by the government, and a large amount of sensitive personal data is centralized under government control, which greatly increases the risk of personal data leakage and leads to frequent practices that violate the principles of informed consent and necessity. The implementation of the health code is the government’s restriction on private rights, which is not only based on the values of public health and safety and the supremacy of public health but also based on the need to limit public power within commensurate limits. The protection of personal data in the application of the health code should weaken the informed consent rule, follow the informed rule, and strengthen the principle of minimum necessity, to strictly limit the scope, time, and disclosure of personal data processing. To sum up, the existing research on the protection of personal information in the application of health codes in China has accumulated. However, at the legislative level, there are still loopholes in the system, which need to be further improved and refined to better tap the potential space.
2. Analysis of the Legal Attributes of the Health Code
The health code we use on a daily basis is where citizens use their capable cell phone to fill in personal data such as name, ID, gender, address, age, mode of transportation, and physical condition. The back-end server analyzes the citizen’s data and generates the corresponding electronic QR code (Hagström et al., 2021) . The process of generating the health code consists of two steps: in the first step, citizens need to lose their personal information through apps such as WeChat or Alipay in order to obtain the health code; in the second step, based on the big data carried in the health code, a pre-set algorithm is used to calculate the health condition of the individual, which is then converted into a health code of a different color and inserted into the person’s cell phone for daily use. The health code is created by an administrative agency that first sets the assessment criteria, then the relevant parties provide information and submit an online application, and the system machine automatically generates a color-coded QR code to better identify the individual’s health status. From a process point of view, the generation of health codes is a complex process that requires multiple parties to collaborate in order to achieve the final goal. Automated administration is a technology that is managed by the administration to serve administrative goals with high efficiency and flexibility (Kristensen et al., 2023) . The generation of health code is an automatic administrative factual behavior, which does not directly affect the formation, change, or disappearance of personal information, but is realized through the analysis and evaluation of existing personal information. Although there is no law to completely restrict automatic administrative acts, we should pay attention to the risks of automatic administrative acts in general, especially the provisions of the Personal Data Protection Law.
By applying health code, we can record personal and health data in digital form, thus better reflecting the health risk relationship between citizens and between different regions, thus better protecting and improving the health status of citizens (Nemesure et al., 2021) . In other words, how citizens as a society affect the health of other citizens and regions HealthCode works by collecting a large amount of data on individuals in the region and processing it using algorithms to calculate the health status of an individual. When processors handle a certain amount of personal data, it raises data security concerns. Therefore, the legal characterization of the health code is actually the use of data by administrative subjects and the implementation of digital governance. Based on the different phases of the health code application, the health code application has evolved from a single individual level to multiple phases, thus bringing more convenience to society. Managing and using human data is the core goal of health code applications, which can help us build health records and thus better protect our health status. Integrating citizens’ health data in the post-epidemic era, digital management not only requires administrative subjects to pay attention to the management of data collected by health codes, but also emphasizes the mutual exchange of information between the governing subjects and the solution targets, and makes it possible for the public to use technology to actively participate in public affairs.
3. Current Status of Administrative Regulations for the Protection of Personal Information in the Application of Health Codes
Currently, the central government has not yet formulated specific administrative regulations on health codes to protect public health safety, and there are only national standards (Romanello et al., 2021) . When researchers discuss administrative regulations for health codes, they mostly base on relevant laws such as the Data Security Law and the Personal Data Protection Law, and combine them with the national standard for personal health codes issued by the National Standardization Committee in 2020, which provides a detailed specification of the health code technology, which consists of three parts: GB/T38961-2020 “Reference Model for Personal Health Information Codes”, GB/T 38962-2020 “Personal Health Information Code Data Format” and GB/T38963-2020 “Personal Health Information Code Application Interface”. In 2013, the General Office of the State Council and the Ministry of Industry and Information Technology (MIIT) published the “Regulations on China’s Credit Collection Industry” and the “Specification for the Protection of Personal Information of Communication and Network Users” to ensure that private information collected and used by online platforms and apps, including health codes and data security, and formulate relevant administrative regulations to ensure the security and integrity of information. In 2019, the NBS launched a series of documents supporting the cybersecurity law to ensure the security of citizens’ personal data and protect their legitimate rights and interests online. In 2020, China’s Information Security Standardization Council (ISSC) published the “Circular on Issuing Guidelines on Issues and Disposal of Questions and Dispositions”, which aims to address the application system’s Excessive collection, coercive demand, and frequent right requests exist in the application system, providing operators with effective preventive measures to ensure the security of personal data, and providing effective guidance for practice (Simard et al., 2022) . In order to protect the security of personalized information, the National Information Security Standardization Technical Committee has formulated the Technical Specification for Personal Network Security of Network Security Professional Technology. The standard aims to technically regulate activities such as the collection, utilization, transfer, storage, and publication of corporate information. Each category is listed in detail, and how to obtain recognition in these categories is analyzed and explained.
Due to the differences in economic development, traffic conditions, and technology among provinces, cities, and districts, some provinces, district governments, and epidemic prevention departments implement administrative regulations on the application of local health regulations, mainly involving personal data protection and data security. HCM City introduced the city’s Health Code Development and Operation Code Administration in 2020, which it uses to regulate the development and operation of local health codes and data security. It defines the roles and responsibilities of organizations responsible for the development, maintenance, and visual management of health codes, as well as departments and units related to data security. The Zhejiang Provincial Government has issued a Circular of the Office of the Head of the Prevention and Control Management Organization of the New Coronavirus Influenza Pneumonia Epidemic in Zhejiang Province on Taking Effective Measures to Strengthen Prevention and Control Management (Subhan, 2021) . In order to further standardize the management of mutual recognition of “health codes”, four provinces and cities, namely Jiangsu, Shanghai, Anhui, and Hangzhou, have begun to implement the exchange and mutual recognition of health codes. 2021, Haikou Province issued the “Guidance Department of the Prevention and Control Management of the Novel Coronavirus Pneumonia Influenza Epidemic in Haikou Province on the issuance of definitions of the colors, and rules for assigning and transferring the codes,” in order to ensure the effective use of health codes.
4. Administrative and Regulatory Strategies to Improve the Application of Health Codes in the Post-Epidemic Era
4.1. Constructing a Unified and Perfect Administrative Law System
The perfection of legislation is crucial, because health code, as a new governance tool, will inevitably face some challenges when it plays its role. Therefore, we should continue to improve the relevant legislation to ensure the effective application of health code and the effective implementation of government digital governance. While the Personal Information Protection Act clearly stipulates the legality of the collection of personal data, it needs to be combined with other laws and regulations to ensure the effectiveness and legality of the health code due to the lack of specific implementation rules (Tayefi et al., 2021) . Given that the processing of personal data under the health code requires the consent of the individual, the limits of the power of administrative subjects remain vague in this context, which may lead to public power exceeding its proper boundaries. To regulate the administrative law on the application of health codes in the post-epidemic era, it is necessary to first determine the mandatory nature of their use, which is different from the rules for the collection of personal data by Internet companies in the past, and to analyze the legal characteristics of health codes and the administrative legal relations related to them, to draw the responsibilities of administrative subjects in the application of health codes, and to pay attention to the requirement of smooth inter-regional data channels in the application of health codes. By analyzing the legal characteristics of the health code and the related administrative legal relationship, the responsibility of administrative subjects to protect citizens’ personal information in data governance is derived, with emphasis on the need for the smooth flow of information and data between provinces, and the promotion of the formulation of rules for the elimination of inter-regional “data borders”.
Administrative law is a legal system designed to regulate the exercise of power and the performance of duties by administrative subjects, and its basic principles provide administrative subjects with clear guidelines for administrative behavior to ensure that it is in line with the original intent of the legislation, and reflects the core values of administrative law, providing effective theoretical guidance for administrative activities. Therefore, administrative regulatory bodies should strengthen the supervision and management of health codes. Guided by the principles of administrative law, we must take effective measures to protect the security of citizens’ personal data to prevent possible adverse consequences. In order to avoid information leakage, we should simplify and clarify the running process of the health code background algorithm. As China enters the post-epidemic era, health code not only covers a wide range of legal fields but also provides more convenience for society. Therefore, it is necessary for us to deeply interpret the basic principles of administrative law to better reflect the actual situation and provide more reasonable legal protection for the application of health code.
4.2. Clarify the Responsibilities of Administrative Subjects in the Collection of Personal Information for Health Codes
The principle of data justice against unfair treatment requires opposing any form of unfair treatment and providing victims with reasonable channels of legal redress to ensure that they do not misuse their data power and that the authorities are held accountable by the law. In order to better manage health codes, it is important to strengthen cooperation in digital governance among provinces, establish unified rules for information exchange, and create effective channels to ensure the circulation of health code data among different regions, avoid prejudicial relief, clarify the boundaries of the functions and rights of the executive branch in managing market entities, and create reasonable channels of redress for the entire citizenry who have suffered harm.
This is because the correct and effective implementation of health codes is inextricably linked to the supervision of administrative subjects. The administrative subject restricts the rights of citizens and generates the health code under specific circumstances, so allowing the administrative subject to supervise the health code is tantamount to allowing the administrative subject to supervise itself, and the effectiveness of its supervision is questionable. This leads to a weak sense of responsibility and a passive position of the administrative subject. Therefore, it is necessary to clarify the responsibility of administrative subjects in order to solve these problems.
Health code is based on an online platform provided by a platform company, and the country is the data controller of personal data collected by health code. However, the platform company has great advantages and possibilities in obtaining information from the platform provided by it, and even collecting more personal data and storing and processing it separately, which requires the data subject to control the activities of the company providing the network platform. The details of the control of the company by the managing subject are as follows: at the stage of collection and processing of personal data, the managing subject owner will verify the data in strict accordance with the provisions of the Personal Information Protection Law to ensure that the platform company is qualified to process personal data legally, and to ensure that its processing procedures are in accordance with the provisions of the law, and the company will be required to set up a specialized supervisory body to ensure the security and validity of the data. In the process of personal data storage and dissemination, the technical strength of the platform company should be carefully examined to ensure that it has sufficient project experience, is skilled in data security technology, is familiar with algorithms and other basic legal knowledge, and is in compliance with the provisions of the Cybersecurity Law and the Data Security Law. In order to ensure the normal operation and use of the health code reference platform, we must establish a set of comprehensive risk monitoring mechanisms and contingency measures to ensure its compliance.
4.3. Construction of Diversified Health Code Personal Information Protection Regulatory Means
Because health code supervision requires professional knowledge and skills, it is difficult to determine who should be responsible for this work under the supervision of many departments, which brings challenges to the rights and interests of citizens. In order to solve this problem, we propose to set up a special health code supervision institution, which is jointly supervised by the national network information department and the health administrative department. It is very important to establish a health code supervision institution, which not only requires a unified standard to realize the interoperability and mutual recognition of health codes nationwide but also requires that when violations are found, the responsibilities can be clearly defined to ensure the effective management of health codes. It will help to clarify the user responsibility of health code and provide more effective support and guarantee for the single health code regulatory agency. Through enhanced communication and coordination with other government departments, stringent measures will be taken in the event that any illegal or criminal acts related to the use of health codes are detected (Zheng et al., 2023) . In addition, the independence of the Health Code Regulator is also essential, as there have been successful experiences in foreign countries. Only by upholding the independence and holistic view of the personal data protection authority can it effectively prevent and resist interference from other organizations, thereby ensuring that the personal data protection authority will discharge its regulatory duties by the law. The same applies to the health code regulator, but as the health code is administrative in nature and cannot be regulated by private individuals, it is difficult to establish an “independent” health code regulator. In fact, “independent” does not mean that “independent” cannot effectively regulate the health code, but it has independent authority, management, and reporting of the health code, and is not subject to the influence of any department, so as to ensure the safety and effectiveness of the health code. As seen in the application of health codes, this power is often abused by administrative agencies. When power cannot be effectively limited, “professionalism” should be the core responsibility of the health code regulator to ensure that it is independent in carrying out its oversight and that it effectively monitors the behavior of other administrative agencies. Now, as China enters the post-pandemic era, the health code must be perpetuated as a single, authoritative, interconnected support system for a universal health information platform. If health code regulators are not sufficiently specialized, this will lead to problems of overly strict or overly broad health code standards, posing an implicit threat to digital governance and civil rights protection.
Based on super Internet platforms such as Alipay and WeChat, the development of health code is dominated by platform vendors, but due to a lack of self-discipline, problems such as data abuse still exist. The existing administrative law system is still not perfect in the protection of personal information, and the regulatory measures for platform enterprises are not effective enough, which limits the development of health codes to some extent. With the development of China’s economy, it has become an irresistible trend to use big data for digital management, which is supported by the state. Firstly, in order to ensure the security of personal data, enterprises must establish perfect technical standards and equipment conditions in order to raise the threshold of access and promote the technical level of enterprises. Second, inspection mechanisms must be set up to ensure the security of internal systems and organizations of enterprises. The Personal Information Protection Act details the obligations of data controllers; however, these systems and departments will be ineffective if companies are not regularly monitored, and a regular monitoring system is an important tool for promoting self-management and self-control in enterprises.
There are no rights without remedies; the realization of rights is more important than the creation of rights, and the remedies of rights are more important than the swearing of rights. Inaccurate allocation of health codes may occur due to inherent problems in the calculation of health codes, poor flow of data and information between regions, and lack of data synchronization. Therefore, a comprehensive remedial mechanism should be established to ensure the accuracy of the allocation of health codes, divided into 3 important stages: before, during, and after the event, in order to ensure the accuracy and reliability of the allocation of health codes.
With the development of big data technology, health codes can’t completely and accurately reflect personal health status. In order to reduce the algorithm deviation and discrimination risk in health code distribution and improve the accuracy of health codes, it is necessary to establish a health code error reporting mechanism and open up complaint channels to eliminate the algorithm deviation and discrimination risk in health code distribution and improve the accuracy of health codes. In order to effectively reduce the risk of errors in the distribution of health codes, we should establish a support mechanism to review and report health codes, so as to promote the self-authentication of the algorithm program. On the other hand, in a society where algorithms are monitored in real-time via the Internet, it is important to engage the algorithmic process and guide it to self-correction. However, due to the existing bias and discrimination against users’ personal information in the operation of algorithms, it is difficult for companies to make self-improvement without regulation. Therefore, it is necessary to establish a set of perfect manual supervision mechanisms and a special channel for complaints. Before citing the manual verification mechanism, its duties and procedures should be clearly defined to ensure the effectiveness and reliability of the algorithmic process. On the one hand, it can effectively make up for the shortcomings of the algorithm, and on the other hand, it can ensure that the manual verification can assign health codes more precisely, thus improving the accuracy of the results. It can effectively inhibit human interference and ensure that the correct algorithm can operate effectively.
The influence of health code personal information on personal life is mainly reflected in the following aspects:
The health code can effectively curb the spread of infectious diseases. By querying and uploading personal health information and travel tracks, epidemic tracking and prevention and control can be carried out more accurately, avoiding the spread of epidemics caused by crowded and unspecified contacts, thus safeguarding the health and life safety of the general public.
The use of health code promotes the standardization and order of daily life. Through the health code, people can self-evaluate their physical health, develop good living habits and avoid unhealthy behaviors such as irregular diet and lack of exercise, so as to maintain health and vitality and improve their quality of life.
The use of health codes also raises some potential privacy concerns. The data on which the health code is based includes sensitive personal information such as an individual’s health status, biometrics, whereabouts and trajectory. Once this information is leaked or used illegally, it can easily lead to the jeopardization of an individual’s personal property rights, the erosion of his or her human dignity, and even future discriminatory treatment. At the same time, the need to swipe a code to enter and exit almost any place, and the fact that an individual’s whereabouts are recorded after leaving home, may lead to the restriction of personal privacy.
In order to ensure the personal information security of the health code, the following measures can be taken:
Improve laws and regulations: formulate strict laws and regulations on personal information protection, clarify the responsibilities and obligations of all aspects of health code information collection, storage, use and destruction, and increase penalties for illegal acts.
Strengthen supervision: establish a professional personal information protection supervision institution to supervise the whole process of health code information management, and find and correct existing problems in time.
Standardize information management: managers in all aspects of health code information collection, storage, use and destruction are required to strictly abide by the regulations, and establish a sound internal management system and operating procedures to avoid information abuse, disclosure and loss.
Strengthening user education: Through publicity and education, etc., to raise users’ awareness of personal information protection and guide them to use the health code correctly and not to disclose personal information at will.
Technical means guarantee: Adopt advanced technical means, such as encrypted storage, access control, security audit, etc., to guarantee the security and privacy of health code information.
5. Concluding Remark
With the advent of the Internet information age, the development of data analysis technology provides more possibilities for the government, thus promoting the development of smart government and transparent government. This paper aims to study the protection mechanism of personal information in the application of health codes in post-epidemic period and puts forward improvement measures to solve the problems in practice. Due to the backwardness of data governance thinking and the lack of effective standards, errors such as “civilized codes” and “discolored codes” are common, and in order to pursue the efficiency of unilateral governance, people do not hesitate to cross the boundaries of social management, misuse data information, and abuse private rights, thus destroying the value of data information. Along with the continuous progress of digital governance science and technology, the government should strengthen the maintenance of data information, and incorporate personal data rights into the theoretical framework, process, and legal system standards of data information rule, so as to ensure the security and sustainable development in the era of data information. In the competitive digital information era, the maintenance of private information and privacy rights should be the focus of the government. At present, more and more scholars are focusing on the improvement of the personal information protection system in the application of health codes. This paper focuses on procedural details, proposes the establishment of a specialized regulatory agency to limit the content and space of personal information collection, and proposes the establishment of an administrative relief system for health code assignment errors. The shortcoming of this paper is that it does not analyze and improve the procedure in more depth. After in-depth research, we found that the standardization of the health code personal information collection process still needs to be improved. Therefore, we should put more effort in the subsequent research to ensure that the personal information protection system in the application of health code can be effectively implemented.