It has been almost two years since the unprecedented outbreak of the COVID-19 pandemic. We have been learning to live with the pandemic, whether we like it or not. In China, companies are responsible for pandemic prevention and control within their premises, so it is inevitable that employers process their employees’ pandemic-related personal information (“PI”). With the Personal Information Protection Law (“PIPL”) having taken effect on 1 November 2021, this newsletter discusses how to process employees’ pandemic-related PI in compliance with the law. For an overview and the key implications of the PIPL for employers and employees, you can read our previous article here.
The pandemic-related PI of an employee to which an employer may have access usually includes health information (such as body temperature, nucleic acid test results, vaccination status and health code) and location-tracking information (such as recently visited sites and transportation details). Most of such pandemic-related PI falls within the scope of sensitive PI as defined under the PIPL, which attracts stricter requirements than ordinary PI.
It is critical that any processing of PI rests on one of the legal bases set out under the PIPL. Apart from consent, employers can rely on several other legal bases to process pandemic-related PI, as discussed below.
Under Art.13 of the PIPL, employers as PI processors may process employees’ PI without their consent if the processing is necessary to respond to a public health emergency. However, with the COVID-19 pandemic having lasted for nearly two years and social life returning to normal in many places, processors may not be able to rely on this legal basis for processing pandemic-related PI in the absence of an actual outbreak.
Another legal basis for collecting PI under the PIPL is that the processing is necessary for the processor to perform its statutory duties or legal obligations. According to Art.31 of the PRC Prevention and Treatment of Infectious Diseases Law, Art.22 of the PRC Emergency Response Law, the Guide for Health Protection Against COVID-19 and other regulations and policies, employers are obliged to collect information on their employees in a timely manner within the scope of their management, and to report to the relevant authority immediately once any employee is found to be infected. Employers may therefore rely on this legal basis to collect pandemic-related PI, to the extent such collection is required by those obligations.
Where it is necessary to collect pandemic-related PI for work-related purposes, processors may also rely on the legal basis of human resources management conducted pursuant to lawfully formulated internal employment rules. For instance, it may be necessary to collect certain pandemic-related PI to ensure health and safety in the workplace.
However, Art.29 of the PIPL requires a processor to obtain the individual’s separate consent before processing sensitive PI, and that provision stipulates no exemption. It is therefore unclear whether employers must still obtain employees’ separate consent when processing their sensitive PI on a legal basis other than consent.
On the other hand, it would be odd for a processor to have to obtain consent for processing PI that it is legally obliged to process.
Where it is impractical to obtain consent for collecting pandemic-related PI, employers may seek to rely on a lawful basis other than consent, which will greatly mitigate the risk of violating the PIPL. Whichever basis is chosen, the reasoning should be documented, since the employer bears the burden of showing that the processing was lawful.
i) Abide by the general PI processing principles: Regardless of the legal basis relied upon, the employer must abide by the PI processing principles when processing an employee’s pandemic-related PI.
Under the principle of data minimisation, employers should only collect the minimum amount of PI necessary for pandemic prevention and HR management. For example, when collecting information on employees’ travel history, employers should only process travel within a reasonable recent period, rather than an open-ended record, and should not retain it longer than the purpose requires.
ii) Keep employees informed: Employers are obliged to inform employees of the details of the processing activities (including the purpose, method and scope of processing) when collecting their pandemic-related PI.
iii) Conduct a personal information protection impact assessment (PIPIA): as pandemic-related PI is a type of sensitive PI, processors must conduct a PIPIA before processing such information and keep a record of it.
Employers can process vaccination information provided that they have identified a lawful basis and follow the general requirements under the PIPL in relation to sensitive PI.
For instance, in some specific industries and workplaces employees are required to be vaccinated by the applicable laws and regulations or by the authorities; in this situation, employers may process employees’ vaccination information on the basis that it is necessary for performing legal obligations. (We have previously issued an HR Data Essentials regarding COVID-19 vaccine guidance; please click here for more details.)
In certain circumstances, employees may be subject to administrative or even criminal penalties if they refuse to provide pandemic-related PI required by the authorities. The employer may also discipline the employee if the refusal also violates its internal rules and regulations.
Where consent is the applicable basis, employers should not compel employees to provide their pandemic-related PI, nor obtain such information without their consent.
According to Art.31 and Art.77 of the PRC Prevention and Treatment of Infectious Diseases Law, an employer shall disclose information on a person who is infected or likely to be infected to the relevant authorities, and failure to do so may give rise to civil liability for causing the spread of the virus. Providing pandemic-related PI to any other third party is subject to the general requirements under the PIPL.
Illegal disclosure, provision or abuse of pandemic-related PI can easily lead to discrimination and damage to the reputation and to the physical and mental health of the individuals concerned. An employer that fails to comply with the law will face penalties under the PIPL as well as negative media exposure.
We set out below the key takeaways for employers when processing pandemic-related PI:
i) Identify the appropriate legal basis for processing pandemic-related PI and document it;
ii) Keep a close eye on developments in national and local government policies and notices, and reassess whether the processing of pandemic-related PI remains necessary for performing a legal obligation;
iii) Comply with the general requirements under the PIPL, including the processing principles and the notice obligations;
iv) Conduct a PIPIA and take security measures in relation to pandemic-related PI, for example encryption and de-identification, and grant access only to personnel on a need-to-know basis;
v) Where employees refuse to provide pandemic-related PI required by the authorities and/or the applicable laws, inform them of their legal obligation to disclose it and of the liability for breaching that obligation, and make such a breach a serious violation under the internal labour/employment rules and regulations.