Regardless of their size, enterprises will unavoidably collect, store and process their employees' personal information. Such processing falls within the scope of “personal information processing” under the PRC Personal Information Protection Law (“PIPL”).
How to deal with employees' personal information in compliance with the PIPL?
Collection of personal information
When processing employees' personal information, employers should be guided by three main principles, requiring that the information be processed:
- in accordance with the principles of lawfulness, legitimacy, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive;
- for a specified and reasonable purpose, directly relevant to the purpose of processing and in a way that has the least impact on personal rights and interests; moreover, collection of personal information must be limited to the minimum scope necessary for achieving the purpose of processing and shall not be excessive;
- in accordance with the principles of openness and transparency, with the rules of processing of personal information disclosed, and the purpose, method and scope of processing expressly stated.
Generally speaking, in relation to the processing of personal information, the employees must be informed of the specific scope and purpose of the processing (and such purpose has to be reasonable and the minimum necessary), and the collection and processing can only be initiated after the employee's consent has been obtained.
However, there are circumstances where consent is not required, namely:
- (i) where it is necessary for the conclusion or performance of a contract to which the employee is a contracting party;
- (ii) where it is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
- (iii) where it is necessary for performing a statutory responsibility or statutory obligation;
- (iv) where it is necessary for responding to a public health emergency, or for protecting the life, health or property safety of a natural person in the case of an emergency;
- (v) where the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions or any other activity for public interest purposes;
- (vi) where the personal information, which has already been disclosed by the individual or otherwise legally disclosed, is processed within a reasonable scope and in accordance with the law.
Circumstances listed under (i) and (ii) particularly apply where employees are concerned.
Transferring personal information abroad
Personal information collected within the territory of China is, in principle, required to be stored in China. In practice, many foreign-invested companies transfer the personal information of their employees to their headquarters abroad, or give their headquarters or foreign affiliates access to their employee database.
The law establishes clear rules for cross-border transfer of personal information. The following requirements must be met:
- the transfer has to be necessary;
- basic information of the foreign recipient must be given and consent to the cross-border transfer must be separately and expressly given by the employees before the transfer;
- the employer has to adopt such mandatory security measures as required by the law;
- the country where the personal information is to be transferred must not be a foreign destination prohibited by China; and
- the foreign entity to which the personal information is to be provided cannot be a foreign judicial or law enforcement body.
In addition to the legal requirements, the Cyberspace Administration of China (“CAC”) released draft Measures for Security Assessment of Cross-border Data Transfer in October 2021.
Although such measures are not effective yet, it is worth mentioning that in these measures an application to CAC for security assessment is required in any of the following circumstances:
- personal information and important details collected and generated by an operator of critical information infrastructure;
- the data to be transferred overseas contains important data;
- the data processor transferring the personal information overseas has processed personal information of one million individuals or above;
- the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals has been transferred overseas on a cumulative basis.
Given the potential impact of the provisions of the CAC draft measures, it will be interesting to verify whether the provisions referred to above will be adopted as they are or further amended, and monitor the enactment of any future regulatory provisions by CAC on the subject matter.
Sharing personal information
Many employers nowadays enlist the services of external professional consultants to assist in their daily operations, including human resource management. How should employers handle such arrangements properly in the PIPL era?
In this respect, a distinction should be made between entrusting processing to contracted parties and providing personal information to third parties.
When an employer needs to provide personal information of its employees to a third party due to the outsourcing of some management functions, such as commissioning a headhunter to recruit staff or a bank to pay salaries on its behalf, the employer should abide by the following special rules:
- comply with its obligation to inform;
- implement a personal information protection impact assessment; and
- enter into a contract with the contracted parties, agreeing on the purpose, period, and method of the processing, the type of personal information to be processed, any protection measure to be taken, and the rights and obligations of both parties, and implementing supervision of the contracted parties' processing activities.
Under other scenarios where personal information is provided to other third parties (e.g., sharing information with or transferring information to commercial partners), employers should not only follow the aforementioned steps, but also expressly inform the employees of the recipient's name, contact information, purpose of processing, method of processing and type of personal information, and obtain separate consent from the employees concerned.
In light of the PIPL's impacts on the management of employees, we would recommend that employers conduct a full and comprehensive assessment on their data compliance to identify possible non-compliance issues, formulate appropriate solutions and adopt measures in order to meet the PIPL's requirements.
In particular, we would recommend the following actions.
- Sorting and classifying employees' personal information
Employers should carry out a comprehensive classification of their employees' personal information to verify which types of personal information are processed (distinguishing personal information from sensitive personal information), identify the information that should be deleted in a timely manner (because it was collected in excess or is no longer needed), arrange for data safety measures to be set up, and establish different authorization levels within the corporate internal management.
- Establishing regulations on the protection of employees' personal information
Employers should also add a specific section on the protection of employees' personal information in their employees' handbook, or establish a separate policy for the protection of employees' personal information.
Regarding employees who are authorized to access the personal information that is processed, specific contractual provisions should be entered into with such employees, clarifying and regulating the scope of their authorization and the relevant responsibilities and obligations.
- Signing consent letters with the employees and adding a data protection chapter to the labor contract template
As mentioned above, notwithstanding the legal basis for handling employees' personal information, employers are still recommended to inform employees of the purpose, manner and scope of personal information processing. In this connection, it is highly recommended to have consent letters signed by the employees regarding the personal information processing. In particular, if processing of sensitive personal information is required, or if any personal information is to be shared with third parties or transferred overseas, additional separate consent of the employees must be obtained.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.