Employee Data Protection Series (III): Impact of Personal Information Protection Law on Employer's Internal Investigations

1. Legal basis for processing personal information in internal investigations

Employers need to process the personal information of employees throughout the entire process of internal investigations, including checking the personal information registration forms submitted by employees at the time of onboarding, asking employees to provide documents and explanations related to the investigations, collecting employees’ working records and making use of the materials provided by whistleblowers. And employers have to process the sensitive personal information of employees under certain circumstances, for example, collecting materials when investigating false sick leave and accessing the bank account details of some employees when investigating corruption and bribery behaviours.

The Article 13 of PIPL provide six legal bases for processing personal information, which are also applicable to the personal information processing during internal investigations. Employers should pay special attention to two of them: employee’s consent; necessity for the execution or performance of an employment contract, or for carrying out HR management.

• Employee's consent: Obtaining the employee's “consent” is not a one-off matter. According to the Article 14 of PIPL, in case of any change to the purpose or method of processing personal information, or the type of personal information to be processed, the individual’s consent shall be obtained again. This requires employers to consider the purpose, method of processing personal information, or the type of personal information to be processed, as fully as possible, when obtaining the consent of employees. More importantly, employers should fully describe the personal information processing activities which may be carried out for internal investigations and obtain the consent from corresponding employees as early as possible when developing privacy policies.
  
  Meanwhile, employers should always monitor the changes in situation when processing personal information of employees. It is worth noting that individuals have the right to withdraw their consent to the processing of personal information which is carried out based on their consent. Withdrawal of consent does not affect the validity of the personal data processing activities already carried out based on the individual's consent before the withdrawal. But the employer shall take the initiative to delete personal information after the employee has withdrawn his/her consent. “Withdrawal of consent” may cause some problems for employers in the event of internal investigations. For example, an employee may withdraw his/her consent to avoid an internal investigation when he/she is aware of any internal investigation against him/her. Therefore, employers should consider other legal basis besides of consent when processing personal information during internal investigations, to avoid compromising internal investigations by individual’s withdrawal of consent.

• The processing is necessary for the execution or performance of an employment contract, or necessary for carrying out HR management: Employers should consider specifying the obligations of employees to be honest, responsible and observe laws in the employment contract and regulations and grant the company the authority to process personal information for the purpose of investigating potential violations of employment laws and regulations.
  
  As in our previous analysis (click here), it does not mean employers can process any personal information related on the basis that “it is necessary for carrying out HR management”. Employers should still follow the principles of necessity and data minimisation for the purpose of processing to process data only to the extent necessary of minimum amount essential to meet the purpose of investigations. Here is an example. In an employment dispute heard by the Beijing Third Intermediate People’s Court in March 2021, the court held that the employer exceeded the necessary scope and violated the rights and interests of the employee by requiring the employee to provide medical history, psychotherapy documents, medical bills, psychotherapy materials, and psychoanalytical treatment records when applying for sick leave to investigate the authenticity of it. We believe that it is likely that the trial idea in this case to be followed with the implementation of PIPL.
  
  
• The processing is necessary for performing legal responsibilities or obligations: Under PRC Law, the employers has an obligation to stop and report criminal offences. The employer may conduct internal investigations and process personal information as necessary to fulfil this obligation.
  
  
• Processing publicly availability information: Employers may use personal information which is self-disclosed by individuals or legally made public for the purpose of investigation, but the information processed should be limited to the scope which is relevant to the investigation.

2. Cross-border transfer and investigation

For multinational companies, internal investigations often involve the cross-border transfer of personal information. The domestic investigation team always need to discuss and debrief with the compliance team at overseas headquarters to determine the investigation strategy and use of findings. In practice, it is also common to see the investigations are conducted directly by overseas teams. The cross-border transfer of such information and the conduct of investigation by overseas teams are subject to the requirements of PIPL and relevant regulations on data exports (click here).

In practice, multinational companies usually set up separate investigation departments which are responsible for all internal investigations globally to ensure the independence of investigations. Under such circumstance, employers may consider conducting cross-border data transfer and investigation on the legal basis of “necessary for carrying out HR management” and specify this in their regulations. However, the existing laws do not clarify whether employers still need to obtain separate consent of employees in such cases. Given the tightening regulations of personal information protection in China, we recommend companies obtain separate consent of employees in advance until further clarifications by laws or judicial practices.

3. Personal information protection in “whistleblower” system

Employees are usually the first to be aware of any non-compliance matters within the company. So internal investigations are often initiated by “whistle blowing”. Because of this, the whistleblower system has been established in many companies. When receiving reports, the company will also receive personal information about the whistle blower and may conduct investigations against employees in question based on it.

In such cases, the company should develop a whistleblower policy. The policy should specify, including but not limited to the legal basis for personal information processing, the scope of content to be reported, confidentiality requirements, the data retention period, and how the individuals involved can exercise their rights. In addition, to avoid over-collection of personal information and privacy due to unnecessary reports, the policy should clarify the scope of violations to be reported. Also, whistleblowers should be limited to those with direct knowledge of violations and real-name reporting should be encouraged.

In addition, the company should also consider conducting personal information protection impact assessment for data processing in accordance with relevant requirements, obtaining consent from employees as soon as possible if required, and meeting possible cross-border transfer requirements.

4. Typical issues in internal investigations

Is it compliant to examine the working equipment of employees?

Many companies provide employees with working equipment (working computer, working mobile phone, etc.) and the ownership of working equipment belongs to the company who has the rights to monitor and check the records in such equipment at any time. Is it true that the company can access records stored in working equipment without any restrictions under such provision? The answer is NO. In a case of privacy dispute heard by the People's Court of Xinghua City, Jiangsu Province in 2017, the court held that the employer violated the employee's confidentiality of personal information and privacy by checking the location information of the employee’s working equipment during non-working hours. In another case of employment dispute heard by the Jinshan District People's Court in Shanghai in 2020, the court held that the employer did not obtain the employee’s consent before recovering data from the employee’s working mobile phone to retrieve call recordings, so the validity of these evidence was not recognised. These cases indicate that the courts usually held a negative attitude towards the employer’s arbitrary processing of employees’ personal information stored in their working equipment. And the courts may even tighten the rules with the implementation of PIPL.

To meet the management requirements of employers to monitor employees’ activities at work, employers should further clarify the scenarios and methods in which they can access the working equipment of employees in rules and regulations. Besides, employers should emphasize that working equipment is restricted for working purpose only and are prohibited for non-working purposes, and warned employees of the possible consequences of storing personal information. In addition, employees should be fully informed of such rules and regulations, and their consent must be obtained. Employers should also conduct an assessment before accessing employee's working equipment.

Does the company have the rights to request relevant personal information from employees?

As discussed above, employers may request personal information from employees during internal investigations if it is necessary for the execution or performance of an employment contract or performing legal responsibilities or obligations. Where employers request personal information beyond the necessary scope, they must have legitimate purposes, fully inform the employee, and obtain his/her consent. In the above case heard by the Beijing Third Intermediate People’s Court where the company had the rights to request necessary proof documents for sick leave (normally a sick leave note issued by hospital advising the employee to take sick leave) when receiving the application according to the internal policy of sick leave. But there is no appropriate legal basis for the employer to request other documents beyond such necessary evidence of sick leave.

Where the company has certain clues and reasonably suspects the employee of violations, it is advisable to require the employee to provide further relevant personal information for the purpose of verification. For instance, if the company does not record attendance of employees but is investigating the absence of certain employee, it may ask the employee to explain the whereabouts and provide evidence to prove it for the period when there is no records of access card and leave.

Is the evidence obtained by tracking and audio and video recording legal and valid?

Tracking and audio and video recording are the most controversial ways of evidence collection during internal investigations. Prior to the implementation of the PIPL, when the employer investigated a former employee's compliance with his/her non-compete obligations, it was a common practice to follow the employee and film his/her regular visits to the office of the competing company as an evidence, and the audio and video recordings made by the employer were usually recognised by courts in the non-compete disputes. However, as the Article 28 of the PIPL defines "whereabouts" as sensitive personal information, employers must be more careful when taking evidence by tracking, and the evidence obtained by tracking is more likely to be inadmissible by judges.

In current judicial practice, except for recordings obtained illegally by audio monitoring devices, recording evidence is usually recognised by courts, even if the individual's consent was not obtained at the time of recording. With the implementation of PIPL, the courts may tighten the criteria for recording evidence, which will be determined on a case-by-case basis. In the author's view, if the audio monitoring device is installed on the working phone of an employee or in the workplace to record the employee's conversations with others without the employee's prior consent, it is much likely the court will hold that such recordings are infringement of the employee's personal information and were obtained in an illegal manner.

In relation to video recording, there is a dispute as to whether it is "necessary for the HR management" for a company to install surveillance or video recording equipment in the workplace to manage the working conditions of its employees. Companies often install surveillance and video recording equipment in the workplace not only for HR management, but also for purposes such as security, and it is debatable whether such equipment is necessary. Therefore, whether the use of video equipment for evidence during investigations or the use of pre-existing footage from surveillance and video equipment previously installed in the workplace as evidence, employers should obtain the employee’s consent.

5. Recommendations

In summary, in response to the multiple impacts and challenges of the PIPL on internal investigations, we make the following recommendations:

• Develop systems and documents (including the "whistleblower" policy) for the processing of employee's personal information during internal investigations and clarify policies and processes for identifying and processing of employee’s personal information during internal investigations. The development of such internal systems should comply with the provisions of the employment laws and regulations, following democratic and public disclosure procedures.
  
  
• Fully inform employees about the processing of personal information involved or likely to be involved during internal investigations and ask them to sign a consent form for the processing of personal information. It is worth noting that such consents should be signed as early as possible at the time of onboarding, as it will be difficult to obtain it once an investigation has been initiated.
  
  
• Equip employees with working equipment and accounts wherever possible and develop sound rules and regulations requiring employees to distinguish between working equipment/accounts and personal equipment/accounts.
  
  
• Well prepared for providing personal information to third parties and cross-border data transfer to ensure compliance with the PIPL. Where it is not possible to meet the requirements of the law, the personal information shared with third parties or exported should be anonymised to meet compliance requirements.
  
  
• Provide training on personal information protection to people involved in the investigations to prevent compliance risks caused by improper practices of investigators.