Dealing with personal information in internal compliance investigations

By Tracy Liu and Larry Lian, Jingtian & Gongcheng

Internal compliance investigations are now laden with legal pitfalls for companies. Any mishandling of personal employee information risks invoking the increasingly strict regulations and enforcement of the Personal Information Protection Law (PIPL).

In particular, it is common for internal investigations to involve inspecting files and information that is stored on company-issued office equipment like computers and hard drives. This makes it difficult for inspectors to avoid any contact with employees’ personal or private information, such as correspondence records of instant messaging software like WeChat and QQ, or private mailboxes.

Under the PIPL, when handling personal information, companies must abide by the “inform and consent” principle. This means informing the individual and obtaining their consent beforehand. The Civil Code further provides that no organisation or individual may handle another’s private information unless otherwise provided by law, or with the express consent of the rights owner.

This article offers practical advice based on the authors’ professional experience about properly handling employee personal information during internal investigations.

PRIOR CONSENT

The “inform and consent” principle remains the ideal standard. To this end, a company can prepare a notification of consent letter that thoroughly covers all statutory notification issues around personal information, including the purpose (e.g. internal investigation), scope and method (e.g. entrusting to third-party suppliers, sharing with affiliated companies, or cross-border transfer). The letter should be signed at the time of each employee’s induction. It is much more difficult to secure ad hoc consent after that point.

Workarounds may also be considered, if judged to be prudent, feasible and necessary. This includes conducting keyword searches on instant messaging and email records stored in office equipment in the presence of the employee who is being investigated, or asking the employee to export work-related records in front of the company and/or a third-party institution.

REGULATORY DESIGN

Without prior consent, a company may consider citing PIPL provisions that exempt it from the need to obtain individual consent before handling personal information.

One applicable circumstance is personal information that is “necessary for human resources management in accordance with the lawfully established labour rules and regulations, and the lawfully signed collective contracts”.

As there remains no clear definition of the scope of what is “necessary for human resources management”, companies are advised to clearly state the following in their employee handbooks or relevant policies:

“Internal investigation may be conducted as part of human resources management. The company has ownership of all information stored on office equipment, which the company has the right to monitor and inspect at any time for the purpose of internal investigation. Employees are forbidden from storing personal information on office equipment. Where personal information is stored on office equipment, any monitoring, inspection and acquisition of such information by the company shall not constitute an invasion of the employee’s privacy or personal information security.”

RISK CONTROL

Recent judicial practice tends to give particular protection to the privacy of individuals’ personal information. Many adjudicators have determined correspondence to be private when it is contained in instant messaging apps like QQ, WeChat and DingTalk, emails in personal mailboxes, and mobile phone call records.

In other words, accessing, copying or using such information may be viewed as a violation of privacy or an infringement of personal information if a company does so without the employee’s consent, even if it is stored on company-issued computers or other equipment.

Accordingly, companies should prudently handle any personal information that is obtained without prior consent to lower the risk of infringement, or of the evidence being deemed illegitimate and invalid.

The authors offer the following advice:

  • When it comes to obviously personal or private information falling under the above-mentioned categories, unless absolutely necessary, companies should avoid an undifferentiated, exhaustive approach to reviewing, identifying, recovering or reproducing all items.
  • Consider the following before deciding whether to use the information:
        1. Is the information private or another type of personal information?
        2. What is the source of the information?
        3. Does it come from personal instant messaging records or a system explicitly for work purposes, such as the company mailbox?
        4. The information’s impact on the handling of the case.
  • To preserve evidence, companies may consider video-recording the key steps of inspecting office equipment, such as exporting data in the employee’s presence.

When it comes to transferring information across borders, companies must adopt measures such as cross-border security evaluation, certification and standard contracting, in addition to securing prior consent.

They should make a comprehensive analysis of the necessity of transferring personal information overseas. For example, if a data transfer is to facilitate a headquarters’ decision, perhaps the information could be provided in anonymous form only, avoiding individual identification but describing the activity of non-compliance. Doing so would effectively avoid triggering the security procedures, while the purpose of the information transfer remains intact.

Tracy Liu is a partner and Larry Lian is a counsel at Jingtian & Gongcheng

Jingtian & Gongcheng

45/F, K. Wah Centre
1010 Huai Hai M. Road,

Shanghai 200031, China

Tel: +86 21 2613 6125

E-mail: tracy.liu@jingtian.com

larry.lian@jingtian.com

www.jingtian.com
