Managing personal information of employees under PIPL

By Xie Yang, Zhilin Law Firm

With the coming into force of the Personal Information Protection Law from 1 November 2021, companies will have to re-evaluate how they look after such data about their new, incumbent and former employees.

XIE YANG
Senior Partner
Zhilin Law Firm

CATEGORISING PERSONAL INFO

The new law provides that “personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”. Personal information, in the context of labour management, includes general information such as the name, gender, educational background, professional qualifications and attendance record of an employee.

The PIPL also provides for a separate category of “sensitive personal information” that is covered by harsher regulation. Sensitive personal information refers to data that can easily lead to the infringement of the personal dignity of natural persons or expose a person or their property to harm if leaked or used illegally. In labour management, such information includes biometric identification, religious belief, specific identities, medical health, financial accounts and whereabouts. Employers can process sensitive personal information only when they have a specific purpose and sufficient need, and ensure they take strict protective measures.

NEW EMPLOYEES

Article 8 of the Labour Contract Law provides that the employer “has the right to acquire the basic information of the worker which is directly related to the labour contract, and the worker shall truthfully provide the same”. In addition, article 6 of the PIPL dictates that “the collection of personal information shall be limited to the smallest scope for realising the handling purpose, and excessive personal information collection is prohibited”. Evidently, employers are entitled to collect employee personal information, but their rights in that regard are restricted.

What about an employee’s marital or parental status? Does it fall under information directly related to the labour contract or sensitive personal information? Should employers be allowed to make the giving of such information mandatory? We believe that, unless absolutely required given the nature of the position, such information is not essential for contract fulfilment. Taking into account the further requirements under the PIPL, employers should not collect such personal information unless there is a specific and rational purpose; such information is directly related to that purpose; and steps are taken to minimise the effects on the employee’s personal interest.

INCUMBENT EMPLOYEES

Is it legal for employers to install software on an employee’s computer at work to track their browsing history in order to detect any disciplinary offence? Can they log onto an employee’s work e-mail or access their instant messaging history?

Considering that it is well within employers’ rights to monitor and manage their employees at work, we believe such actions are permissible so far as they are reasonable. Under the PIPL, such information collection must adhere to the following principles: it is necessary for achieving sound operational and personnel management; it is open and transparent, with its purpose, method and scope disclosed; and it is performed in good faith and in a lawful and proper manner on an as-needed basis.

Employers should have carried out a self-appraisal of their compliance with the general rules under the PIPL and have made the necessary corrections before it becomes effective.

FORMER EMPLOYEES

Should employers retain a former employee’s personal information after they have left the company? Is there a time limit? According to article 19 of the PIPL, the retention period of personal information should be the minimum necessary to achieve the required processing. We recommend that employers ascertain the scope and timeframe of information retention based on the term of confidentiality, term of non-competition and limitation of action. If practicable, such information may be anonymised and retained long-term even after the expiry of the retention period.

OUTCOMES OF NON-COMPLIANCE

Administrative penalties for violations may include: a warning with an order for correction; confiscation of illegal gains; suspension or termination of all services on the application illegally handling personal information; a fine of up to RMB1 million (USD156,000) for persistent violators; and a fine ranging from RMB10,000 to RMB100,000 for the directly liable person in charge and other directly liable persons.

Serious violators face a fine of up to RMB50 million or 5% of the turnover from the previous year, while an order may be issued to suspend their business, make due rectifications, or revoke the relevant business permits or licences. The directly liable person in charge and other directly liable persons may be subject to a fine ranging from RMB100,000 to RMB1 million, and they may be banned from acting as a director, supervisor, member of senior management or the person in charge of personal information protection of the related company for a certain period of time.

In summary, the PIPL highlights personal information protection in the following two respects: it allows personal information handlers to process personal information only after meeting certain prerequisites; and it sets out the legal responsibilities and obligations of personal information processors. To handle employees’ personal information, employers should first satisfy the prerequisites under the PIPL by obtaining their consent and confirming that it is indeed necessary for HR management or to fulfil legal obligations.

In addition, employers should set up an internal system for managing and processing personal information. The system should include proper categorisation with well-defined security clearances and a contingency plan for information security incidents. A personal information protection system should be established within the PIPL framework to safeguard employee interests and regulate the employer’s handling of such information.

Xie Yang is a senior partner at Zhilin Law Firm

Zhilin Law Firm

Rooms 2001-2007, 20th Floor, Tower C

Global Trade Center, 36 North Third Ring Road East

Dongcheng District, Beijing 100013, China

Tel: +86 10 6409 7197

Fax: +86 10 8400 4936

E-mail: yang.xie@zhilinlaw.com

www.zhilinlaw.com
