Zhang Ying, Deputy Director, Shanghai Municipal Commission of Economy and Informatisation, China
By Medha Basu
Women in GovTech Special Report 2020.
What are your key priorities?
Issues like personal information collection, non-uniform standards, and great security risks have become a top concern of mine. I think that during the epidemic, a large number of communities, property management parties, business district administrations, and other grass-roots organisations became the main collectors of personal information, but there are hidden dangers in the methods and standards of data collection by these parties.
Some directly use QR code scanning but lack an authorisation agreement and a “User Notice”, and personal information flows directly to third-party companies. Some over-collect important personal information such as personal ID details, mobile phone numbers, and biological characteristics (such as human faces), but lack the necessary security retention mechanism, so there is a great risk of data leakage.
The destruction and de-identification of personal information lack corresponding regulations. During the epidemic, due to the need for epidemic prevention, organisations at all levels collected a lot of important personal information, some of which were stored in the organization system or paper ledger, and some even remained in the third-party enterprise system.
Under normalised prevention and control, how should the personal data retained for epidemic prevention be disposed of, destroyed, and de-identified? There is a lack of guidance and regulation from the competent authorities.
At this year's National "Two Sessions", I will submit a proposal to improve the relevant legal provisions of emergency management and establish a standard for the classification and collection of personal information for major emergencies at different levels of response and identify collection content, collection method, storage medium, circulation range, protection mechanism and the like under different circumstances to ensure that there are rules and laws to follow. If leakage is caused by irregular data collection, a corresponding disciplinary mechanism shall be established to strengthen the responsibility of the subject.
What areas need the greatest improvement in China?
Last year, I submitted four proposals, one of which mentioned the need to strengthen data circulation. This year, during the Covid-19 epidemic, I witnessed the leakage of personal information in newspapers, and I hope that the relevant departments will add a "lock" on data, especially personal information, and supervise the usage of personal information.
I participated in the survey and consultation meeting of the CPPCC last year, and noticed that the relevant national ministries and departments attached great importance to the protection of personal information. However, I also found that some small and medium-sized enterprises do not pay enough attention to this field.
Software development companies must be legally conscious when collecting personal information and never engage in illegal sales, especially the small and medium-sized enterprises.
What does Covid-19 mean for data security?
I believe that data, as a new type of production factor, is quite powerful in epidemic situation monitoring, prevention and treatment, resource allocation, and health QR code management. It has played a huge role in personnel management, epidemic situation traceability, precise deployment control, and social governance.
But at the same time, massive personal information is intensively collected through multiple channels, which greatly increases the risk that the information will be illegally collected, used, leaked, or even sold.
According to relevant data, more than 60 data security incidents involving COVID-19 were reported on websites during the epidemic, including information leakage, out-of-range sharing, and misappropriation.
Besides, the epidemic has spawned the development of an online new economy represented by the remote office, remote education, and telemedicine. But at the same time, a large number of individuals, companies, and organizations using online applications are exposed to new risks such as bugs, viruses, malicious code, and cyber attacks.
For example, the video conference software Zoom encountered security and privacy storms, and China CITIC Bank is under investigation for leaking client information. More than 50 million pieces of personal information data for sale on the "dark web" have been found in Nantong, Jiangsu Province.
In the Weimeng database incident, a staff member with insufficient original authority was working from home and used a VPN to destroy the company's data; more than 3 million platform merchants were affected, and the company's market value evaporated by 900 million yuan in one day.
What steps can China take to improve data security?
We should strengthen the whole-process management of personal information under normalised prevention and control, and establish a full-process management mechanism for personal information collection, storage, application, de-identification, and destruction during the epidemic.
Especially under this normalised epidemic prevention and control, we must establish a follow-up mechanism for personal information de-identification and safe destruction. I propose that the network information departments take the lead and coordinate with the health, industry and information technology, and public security departments to carry out special inspections, enhance efforts to strike at the illegal industries that sell and utilise epidemic data, and break down the chain of interest.
I have also suggested that the Ministry of Industry and Information Technology should take the lead in studying the new types and modes of business spawned by the online new economy; strengthen the application of new technology systems such as blockchain, federated learning, and data watermarking; cultivate and regulate the data factor market; set up a national-level major project to develop security products for risk assessment, dynamic monitoring, traceability and forensics, and the like related to the new online economy; and promote the transformation from system reliability to data mutual reliability.