Employee Data Protection Series (V): Processing Employees’ Personal Information for Daily HR Management

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

In previous articles of this series, we highlighted key legal considerations under China’s Personal Information Protection Law (“PIPL”) during an employer’s pandemic management, internal investigation and recruiting process.

This article focuses on some typical personal information (“PI”) processing issues that arise in daily HR management scenarios.

1. What PI of employees may be processed for daily HR management?

The management of attendance, leave, performance, benefits, etc. covers the typical scenarios in daily HR management, under which an employer may process the following categories of PI:

  • Attendance management: It’s inevitable that employees’ PI will be processed when the employer conducts attendance checks, which may include an employee’s identity information contained in the key card, fingerprint or facial recognition data, location tracking data, etc.
  • Leave management: Except for annual leave and personal leave, employers usually require their employees to provide certain evidence to prove they are eligible for the leave. This may include, for example, a sick leave certificate issued by the doctor when applying for sick leave, a marriage certificate when applying for marriage leave, a certificate of delivery issued by the hospital when applying for maternity/paternity leave, etc.
  • Performance management: In the performance review process, information relating to an employee's job responsibilities, work performance and the result of the review, etc., might all be regarded as the employee’s PI.
  • Benefits management: In order to provide specific benefits to employees, the employer may need to collect the employees’ PI and provide such PI to third parties. For instance, the employer may collect employees' identity, medical and health, and financial account information and provide such information to the insurance company when purchasing commercial insurance for employees. The employer may also collect employees' identity information and contact information and provide such information to a travel agency when purchasing air tickets and booking hotels for employees in relation to group building activities, etc.

As a side note, under the PIPL the employer shall conduct a PI protection impact assessment (“PIPIA”) and keep a record of the processing before processing sensitive PI. This matters here because the PI that employers handle in the above daily HR management scenarios frequently includes employees’ sensitive PI.

2. The application of data minimization principle in daily HR management

As mentioned in our previous article, the principle of data minimization is one of the guiding principles for PI processing in PIPL. There is no exception for the application of this principle in daily HR management.

For attendance management, the employer should only process the corresponding PI during working hours or when the employee is working under his or her employment. For example, some employers check the employees’ attendance through location tracking, which allows employers to collect an employee’s location during working hours. This might be justified by HR management necessity, and/or on the condition that the employee's separate consent has been obtained. However, if the employer collects the employee’s location information beyond working hours, it can be a clear violation of the data minimization principle.

For leave management, data minimization means that the proof required by the employer should be limited to the minimum scope necessary for the approval of such leave. If the proof required by the employer goes beyond the minimum scope (e.g. requiring the employee to provide his/her spouse’s contact information when applying for marriage leave), the employer may violate PIPL’s requirement.

3. Sick leave management

In order to prevent employees from taking false sick leave, some employers used to require employees to provide as detailed medical materials as possible when applying for sick leave, such as prescriptions, medical records, laboratory tests, payment invoices, etc., in addition to the sick leave proposal issued by the hospital or doctor. Moreover, some employers stipulate in their internal policies that the company has the right to verify the authenticity of employees' sick leave at any time or to require employees to undergo re-examination at the hospital designated by the company. With the PIPL coming into force, such practices, where they lack a legitimate purpose, may easily be deemed an infringement upon employees’ PI interests under PIPL.

This does not mean, however, that the employer has no right to further verify the employees’ sick leave. Where the employer has evidence to prove or reasonably suspects that the sick leave proposal provided by the employee is false, it may be necessary for the employer to require the employee to provide more detailed sick leave materials for verification or to require the employee to obtain a medical report at the hospital designated by the employer.

4. Attendance checking

Before PIPL came into effect, there were a number of labor disputes caused by employees refusing the employer’s attendance check via fingerprint or facial recognition, or location tracking. The interplay between employees' rights to privacy, PI protection and employers' rights of HR management has long been a controversial topic in judicial practice. The PIPL may help provide some clarity.

As discussed in our previous articles, employers can process employees' PI when it’s NECESSARY for human resource management. As facial or fingerprint recognition and location tracking are not the only feasible ways of checking attendance (e.g. the key card record is also a common way of checking attendance), forcing employees to consent to the processing of their biometric or sensitive PI is unlikely to pass the necessity test. Hence, it is advisable to obtain employees’ separate consent prior to using employees’ biometric or sensitive PI for attendance checks. If an employee does not agree to these methods of attendance checking, the employer shall provide other reasonable alternatives.

5. Key takeaways

Daily HR management is an important part of a company’s daily operation and management, often linked to employees’ remuneration and even rewards and penalties. Failing to comply with the PIPL in daily HR management may not only invalidate the employer’s management decision but may also make the employer liable for PI infringement. Employers are recommended to self-check whether their current practice meets the PIPL requirements. Here are the key takeaways for employers:

  • Identify the types of PI that are necessary for daily HR management, and obtain consent and/or separate consent (where required) when there is no other appropriate legal basis for processing the employee’s PI;
  • Formulate or update the internal labour rules and regulations for the processing of employees' PI, pursuant to the compliance requirements of the PIPL, which should be adopted following democratic and public disclosure procedures as required under employment laws and regulations;
  • Only process PI that is necessary for daily HR management, and prevent excessive collection of employees’ PI, e.g. by providing alternative attendance checking methods if any employee refuses to provide their facial or fingerprint recognition data or to use location tracking; and
  • Develop a PIPIA template and conduct an assessment in advance where employees’ sensitive PI is processed or in other scenarios specified under the PIPL.
