Internal investigation is a powerful tool for companies to weed out fraud, sexual harassment or other wrongdoings in the workplace. However, with the Personal Information Protection Law (PIPL), an internal investigation must contend with new compliance requirements.
The PIPL requires a lawful cause for companies to process employee personal information. According to article 13 of the law, companies may process employee information without individual consent if the processing is necessary for a contract’s conclusion or performance, or conducting human resource management according to lawfully formulated labour rules and regulations, or a lawfully concluded collective contract.
Article 17 requires companies to truthfully, accurately and completely notify individuals of the purpose and method of personal information processing, and the categories and retention periods of such information in a conspicuous and easily understandable manner.
Investigation begins with the obtaining and identification of clues and evidence, which in many cases come from internal whistle-blowing. For neutrality and confidentiality purposes, many companies opt for a related third party to receive such reports and handle the investigation, such as an overseas parent company or a domestic law firm.
If the reported issue concerns employee personal information, companies should beware of situations where such information is received not by the company itself, but by a related third party. As the third party has no contractual relationship with the employee, its processing does not fall within the purpose of conducting human resource management according to labour regulations or a collective contract, while there is also doubt whether companies can entrust a third party to process employee information that the companies themselves do not have.
In such cases the employee’s individual consent should be obtained in principle. We recommend that companies inform employees of the processing of personal information by the third party in their rules and regulations, or at the time of recruitment, and allow the third party to obtain individual consent from the employees.
Depending on the complexity and concealed nature of the case, companies may consider bringing in external support such as law firms early on in the investigation. We tend to believe that companies are entitled to commission the processing of employee information to external agencies without seeking individual consent, because such agencies would only collect employee information on the condition that the company has lawfully obtained the right to process the information.
Naturally, companies should also pay attention to article 21 of the PIPL, which requires them to come to an agreement with the external agencies in terms of the purpose, term, method of information processing, categories of personal information, and the rights and obligations of both parties. Companies should also supervise the commissioned agencies’ processing activities.
Collecting evidence to corroborate the illegal activity or disciplinary offence is the core of internal investigation, which at times inevitably involves processing personal information. One of the most common methods to look for evidence is to isolate and dig into the employee’s work computer and phone.
Before the PIPL, some court decisions suggested that it is illegal for companies to arbitrarily restore call recordings on a work phone, and that they should, to the greatest extent, perform their duty of care to protect employees’ privacy. Since the PIPL came out, some also believe that companies may process personal information in company-provided computers and phones for the purpose of internal investigation, which falls under human resource management.
As the PIPL is yet to be supported by more detailed legal stipulations, compounded with the legal risks concerning the right of privacy in the Civil Code, companies as a matter of prudence should give employees reasonable expectations by informing them of the company’s right to process personal information in work computers and phones for investigative purposes. Where privacy is concerned, companies should seek individual authorisation or consent before collecting information.
Except in cases posing a violation of privacy, such as sexual harassment, most companies, as a means of deterrence, announce the confirmed investigation result to all staff, commonly including the employee’s name, employee number, ID, portrait, a description of the offence and other identifying information.
Since the promulgation of the PIPL, companies’ management authority has begun to conflict with the protection of employee personal information. Articles 5 and 6 of the PIPL require that, under the principle of necessity, the processing of personal information should be limited to the minimum scope necessary for achieving its purpose.
Disclosing information such as IDs and portraits is therefore prone to legal risks, as it represents a step beyond necessity and the minimum scope. To minimise this risk, companies should avoid including employee information that is less relevant to the punitive activity, simplify the description of the offence, and de-identify the employee’s name. Thus, the company maintains workplace discipline while remaining compliant in the handling of personal information.
Leo Yu is a partner and Diana Duan is an associate at Jingtian & Gongcheng