Employee Data Protection Series (I): What Do Employers Need To Know About Managing Employee Data In China?

As employee personal information (“PI”) falls within the ambit of the PIPL, the legislation will have significant ramifications in virtually all aspects of HR operations. This is the first of a series of articles on employee data protection. In this Article, we summarize the key implications of the PIPL for employers and employees.

1.What is Employee PI?

PI refers to any kind of information related to identified or identifiable natural persons which is recorded by electronic or other means (Art.4 PIPL). Specifically, the PIPL defines the more sensitive information such as information on medical health and financial accounts, etc. as sensitive personal information (“Sensitive PI”) which will be subject to more stringent regulations (Arts.28-32 PIPL).

Based on the above definitions, among the employee data which the employer may have access to, an employee’s PI includes but is not limited to his/her name, date of birth, identification number, residential address, telephone number, email address, etc. and the employee’s Sensitive PI includes, for examples, his/her biometric recognition, religious belief, specific identity, medical health data, financial account, personal location tracking, etc.

2. What are processing of employee PI and principles of processing? 

PI processing includes, among others, the collection, storage, use, processing, transmission, provision, disclosure, and deletion of information (Art.4 PIPL). Therefore, the PIPL is relevant in the entire lifecycle of employee PI, starting from the collection of a job candidate’s PI to the deletion of PI after the employee leaves, i.e. all actions taken by the employer with respect to the employee PI may be deemed as processing.

Arts.5-9 of PIPL sets out the guiding principles for PI processing, which includes lawfulness, legitimacy, necessity and good faith, legitimate purpose and data minimization, transparency, accuracy, accountability, and security. Art.19 stipulates the retention period of PI which is the minimum period necessary for achieving the purpose of processing.

3. Must an employer obtain the consent of the employee before processing PI?

Apart from obtaining employee’s consent (which will be explained further below), PI can only be processed under one of the legal bases set out in Art. 13. We have specified the grounds which are relevant in the employment context:

1. Where necessary for the execution or performance of an employment contract, or necessary for carrying out HR management under labour/employment rules and regulations legally established or a collective contract legally concluded.
2. Where necessary for compliance with the employer’s legal responsibility and obligations. For example, an employer may provide the required employees' PI to the Social Security Bureau and tax authorities in order to fulfill the statutory obligation to pay social insurance and personal income tax without employees’ consents.
3. Where necessary for responding to a public health emergency or in an emergency to protect a natural persons’ health and property. For example, in an pandemic outbreak, the employer may be permitted to collect an employee's certain information as may be considered necessary for epidemic prevention without his or her consent.
4. Where the PI has been legally made public and is processed within a reasonable scope and in accordance with PIPL. For example, an employer may collect the employee’s location data which the employee has posted on public social media platforms (such as WeiBo).

4. Consent

As referenced above, consent forms another of PIPL’s legal bases under which PI can be processed. Art.14 provides the essential features for a valid consent:

1. employees must be fully informed of the details of the processing;
2. consent must be freely given; and
3. consent must be unambiguous.

Furthermore, “separate consent” is required to be obtained in the specific scenarios as following scenarios:

1. providing PI to a third party (Art.23 PIPL), such as providing the employee’s ID number to an insurance company in order to purchase commercial insurance.
2. public disclosure of PI (Art.25 PIPL), such as showing an employee’s PI on the company’s website;
3. image collection or personal identity identification by devices installed in public place if used for purposes other than public security (Art.26 PIPL), e.g. the employer using facial recognition for attendance management at the building reception area;
4. processing of Sensitive PI (Art.29 PIPL), such as collecting an employee’s prescriptions, lab reports and other detailed medical information; and
5. providing PI of an individual to a party outside the territory of China (Art. 39 PIPL), such as the employer sharing the employees’ contact information with other offices outside mainland China.

As the meaning of "separate consent" is not specified under the PIPL, how it is required to be implemented by organizations in practice remains to be seen. As a general starting point, (i) a "separate consent" should at least meet essential features of a valid consent under Art.14 as mentioned above; and (ii) it is likely that the requirement of "separate consent" cannot be fulfilled by a way of a "bundled consent" (i.e. an employer obtains one consent for personal information processing for multiple purposes).

5. Obligation to inform individuals

Art.17 lays down the general obligation to keep individuals informed of the processing activities, which means except for the limited situations, the employer should inform the employee truthfully, accurately and completely of the following matters in a conspicuous way, using clear and plain language before the employer processes the employee’s PI:

1. name and contact information of the employer;
2. the purpose and method of processing PI, the type of PI to be processed and its retention period;
3. the way and procedure for the employee to exercise his/her rights provided in PIPL;
4. any other matter which is required by the law or administrative regulations to be informed to the employee.

6. Sharing employee PI with a third party

It is common for employers to engage third-party vendors for HR-related services such as recruitment, background checks, payrolls, etc.

Where employers share employee PI with a third party, the PIPL specifies the requirements to be complied with by the employer and such third party:

Where the third party processes employee PI on the employer’s behalf and cannot determine the means or purpose of the processing, then the employer and the third party should agree on the purpose, period and method of processing, the type of PI to be processed, any protection measure to be taken, and the rights and obligations of both parties, etc., and supervise the activities of processing of PI carried out by the third party. The third party must process the PI as agreed with the employer and must not process PI beyond the agreed purpose and method of the contracted processing or retain such PI after the contract was terminated or became invalid.

Where the third party also determines the means and purpose of the processing, the employer should inform the employees of the processing details and obtain the employee’s separate consent.

7. Establishing a complete PI protection mechanism

Chapter V of PIPL stipulates the obligations of PI processors (i.e., those who independently determine the processing purposes and means during PI processing activities). As a processor of employees’ PI, an employer should establish a complete PI protection mechanism including:

1. establishing policies and developing internal management systems and operating procedures for the processing of employee PI;
2. classifying PI,
3. taking security technical measures;
4. allocating reasonable operation permissions for PI processing and organizing regular security training to the employees;
5. organizing and implementing information security incidents contingency plan;
6. timely notifying employee and taking remedial measures in the event of a data breach;
7. running regular data protection compliance audits;
8. conducting PI protection impact assessment in certain circumstances; and
9. keeping records of processing activities.

8. Liability of employers

1. Administrative penalty: If an employer is found by the authority to have violated their employees’ PI rights (e.g. complaint lodged by an employee),, the employer could be faced with substantial administrative penalties. For serious violations, the employer may be fined up to RMB 50 million or less than 5% of the turnover of the previous year.
   In particular, personnel directly responsible for the violation will be subject to fines up to RMB 1 million in “serious cases”. In light of this, personnel directly in charge of employment management in the employer, such as HR, supervisors/managers, in-house lawyers supporting HR functions, could be held directly liable under the PIPL.
2. Civil liability: Employees can file a civil claim against employers for breach of employment contract, breach of personality right under the Civil Code, or tort liability in the wake of a data breach in the workplace.
   It is worth noting that, the PIPL has shifted the burden of proof, i.e. the PI processor has to establish that it is not at fault in order for its liability to be mitigated.
   It is recommended for employers to retain clear documentation (e.g. consent forms, privacy policies etc.) which will assist in evidencing compliance with PIPL and other data protection laws.
3. Criminal conviction: Criminal liability will apply if a violation amounts to a crime. Under the Criminal Law, illegally acquiring, selling or providing PI to third parties is punishable by imprisonment of up to 7 years' imprisonment and/or a fine in serious cases.

9. Key takeaways and recommended next steps

With PIPL becoming effective on 1 November 2021, employers should assess their existing data protection regime and introduce the necessary changes immediately to comply with the new legislation. The next steps of the employers should at least include:

1. assess the HR data flow and identify PI and Sensitive PI of employees being processed and the legal basis;
2. take required measures and perform protection obligations, such as preparing or updating consent letter, employment contract, privacy and PI protection policy, conducting PI protection impact assessment, keeping records of processing activities;
3. review and amend the relevant contracts and/or arrangements with third parties to insert data protection clauses; and
4. conduct training for management personnel who are involved in PI processing to make sure they are aware of the requirements and will comply with them.

10. Observations

Although there are still a number of question marks in relation to some key considerations and further clarifications and implementation rules remain to be released by the authority, immediate actions are called upon to mitigate the compliance risks.

With personal data being at the forefront of organisation’s agendas, we will be publishing a series of newsletters in the coming months, focusing on key issues and hot topics relevant to employee PI protection in HR management.

The PIPL also touches on other topical issues such as the PI subject rights, cross-border transfer, etc. Please click here for our previous newsletters on PIPL.