Employers’ collection and use of employee personal information pervades the entire process of recruitment, employment and departure. With the implementation of the Personal Information Protection Law (PIPL) on 1 November 2021, an employer that mishandles personal information will face such risks as administrative penalties and infringement disputes, which, in serious cases, may even constitute a criminal offence. So how best to handle personal information in the course of labour management in light of the PIPL?
Every step of an employer’s day-to-day labour management may involve the collection and use of personal information. Some typical instances include the following:
- The employer requests an applicant to fill out a personal information form containing educational background, work experience, marital status and family background.
- When an employee applies for sick leave, the employer will typically require the employee to provide his or her medical records or even a record of prescriptions, in addition to the sick leave form.
- An employer monitors the employees’ work computers and email system, as well as stored or transmitted data in the internal network.
- In a non-competition investigation, the employer may engage investigators to track and take photographs of the employee to obtain evidence of their joining a competitor.
PIPL, as a standalone law that regulates the protection of personal information, specifies numerous matters concerning the protection of personal information, mainly including the respective rules for processing personal information and sensitive personal information, the provision of personal information to parties outside China and legal liability for violations.
The processing of personal information is the core of the PIPL, key to which being the “inform and consent” rule. In other words, the processing of personal information is conditional on fully informing the individual and securing their consent to do so.
However, article 13 of the law reserves for employers certain exceptions to the “consent” requirement. Specifically, an employer may process personal information without the individual’s consent if the same is essential for entering into and performing a contract to which the individual is a party, or to effecting human resources management pursuant to its lawful labour rules and regulations or a collective contract executed in accordance with the law. However, it remains unclear how “essential for performing a contract” and “essential for effecting human resources management” are defined.
In terms of legal liability, the PIPL establishes the rule for shifting the burden of proof for the bearing of civil liability and provides that, in the event of a violation of the law, the executive of the enterprise directly responsible and other directly responsible persons could face fines and a ban on serving as a director, supervisor, senior executive or personal information protection executive of a relevant enterprise for a certain period of time. Furthermore, an offending employer may face credit discipline, with its illegal act recorded in its credit file and made public.
To this end, employers are advised to abide by the following when handling employees’ personal information:
Personal informed consent form. An employer should sort out and classify the personal information it needs to process in the course of labour management, produce lists based on the types of personal information, attach them to the informed consent form for the collection of information and, on the basis of ensuring that the employee is fully informed of the purpose, manner and scope of the processing of personal information, require them to sign the form. For sensitive personal information for which an employee’s separate consent is required, employers should mark this conspicuously and require the employee to check off each item in confirmation and place their signature by each item.
Rules and regulations for processing personal information. The employer can specify the content and scope of personal information, the purpose of use and the rules for the processing in its existing rules and regulations, or formulate a separate policy that specifically addresses the protection of employee personal information. They should then publicise the relevant systems and policies, using this as the legal basis for future processing of personal information.
An employer may consider taking the following specific measures for the protection of personal information:
- Classify personal information for management. The employer can list all types of employee personal information it needs to process at each stage of labour management and for each type of employee. On this basis, it can then mark the two categories of special information, namely private information and sensitive personal information, contained in the personal information and strictly manage them in accordance with the PIPL.
- Sort out the private employee information that could be involved at each stage of the labour management process, pre-emptively formulate sound policies and compliance guidelines in accordance with legal requirements and take necessary measures for each scenario. For example, if the employer is to install surveillance equipment on its office premises, it should inform employees of the installation and use of the equipment as early as possible, and clearly mark the office areas where the surveillance equipment is installed.
- Establish sound information and data protection rules and systems and specify each responsible functional department (e.g., human resources, information technology and compliance departments). Monitor and ensure compliance of the collection, accessing, use of personal information by way of day-to-day supervision and regular reviews.
- Strengthen management and employee training to reinforce their awareness of the importance of confidentiality. An employer should require, in confidentiality agreements, its employees to perform stringent non-disclosure obligations in respect of their colleagues’ personal information, as well as any personal information to which they have access in the course of their work.
Tracy Liu is a partner and Larry Lian is a counsel at Jingtian & Gongcheng
45/F, K. Wah Centre
1010 Huai Hai M. Road
Shanghai 200031, China
Tel: +86 21 2613 6125