With the Data Security Law of the PRC and the Personal Information Protection Law of the PRC (the PIPL) coming into effect, many companies have started to carry out compliance audit within their entities to make sure the collection, use, and processing of their employees’ personal information is compliant with the laws. This article will examine how companies can collect employees’ personal information while being legally compliant.
Common scenarios in which a company collects personal information from its employee
When enterprises conduct HR management as part of the daily business operation, they need to collect a lot of personal information from their employees. Below we introduce some common scenarios.
When hiring an employee
Candidates who apply for a job to the company or new employees who have just joined the company are usually required to fill in a written Applicant Information Registration Form or Entry Information Registration Form.
The personal information commonly collected in such forms includes:
- Basic personal information, such as height, weight, ethnicity, political status, marital status, health status, educational background, home address, contact information, ID card number, etc.
- Educational information, such as university, major, certificates, etc.
- Work experience information, such as previous employer(s), position, job duties, time, typical project, important achievements, reasons for leaving, reference, etc.
- Religion, personal interests, etc.
Specific jobs in specific industries with high public health and safety requirements may further require employees to provide a history of infection and cure of infectious diseases, such as:
- Jobs in food production and distribution industries that deal with food directly
- Jobs that involve in drinking water production, management, and supply
- Jobs that involve in serving customers in public places directly
- Jobs that involve in providing the care and education work in nursery and childcare institutions
- Cosmetic and plastic surgery work
- Jobs that directly involve in cosmetics production
When companies perform labor-related obligations
For performing its labor-related obligations as stipulated in the labor contract and the Labor Contract Law of the PRC, the company needs to collect the employees’ personal information, such as bank account information and social insurance account information, for payment of staff salaries and contributing to social insurance and housing fund.
In addition, the company requires the employee to provide their medical record, disease diagnostic report, or doctor’s suggestions when the employee applies for sick leaves; marriage certificate for marital leave; child’s birth certificate for nursing leaves, etc. Under such circumstances, the employee’s personal information, such as employee’s sick condition, employee’s marriage time and their spousal information, employee’s child’s birthday, name, gender, etc. will be collected by the company.
When the company offers special benefits to its employees
Some companies may provide certain special benefits for their employees, such as commercial insurance for employees and their families, group travel, employee’ physical examination, housing subsidies, transportation subsidies, etc. For enjoying such benefits, employees usually need to provide more personal information to the company.
For purchasing the commercial insurance, such as life insurance, medical insurance, accident insurance, serious disease insurance, etc., the company shall collect sensitive personal information from the employee and their family members, such as illness information, past medical history, recovery status, and health conditions to evaluate whether the employee or their family member could participate in such commercial insurance and how much the premium shall be paid. Normally, such sensitive personal information is collected by the company to be forwarded to the insurance company.
For paying the housing subsidy or transportation subsidy to employees, the company may require employees to provide documents such as lease contract, car refueling invoice, taxi receipt, etc. to verify the facts. Consequently, employee’s personal information, such as residence information, travel time, and payment information recorded on the ticket, will be collected by the company.
When the company conducts special management
When the company conducts some special management, employees may provide personal information to the company knowingly or unknowingly in the following scenarios:
- Using employee images in company promotion: Companies often need to use their employees’ images and profiles in their promotional videos or brochures. Such cases will involve the collection of employees’ portraits.
- Attendance management: Most companies adopt the modern attendance management method, such as fingerprint punch or face identification. In this case, the company collects its employee’s fingerprint information or face information, which are classified as personal sensitive information.
- Collecting employee’s personal information via electronic devices: Based on the needs of company management, the company may install some monitoring software on the employee’s work computer or mobile phone to monitor the employee’s computer usage time, website browse history, call duration, dial-in or dial-out numbers, etc. Some companies require their employees to report their whereabouts by using the remote punch software when employees are out of office to visit customers, on business trips, or in field work. When colleting the employee’s personal information via electronic devices, the company obtains various types of employee personal information and permissions, such as location information, hardware camera permissions, hardware storage permissions, hardware device information, etc.
- Collecting employee’s personal information during the COVID-19 outbreak period: For the purpose of COVID-19 prevention and control, the company shall collect employee’s personal information, such as body temperature, traveling record, residence lockdown information, employee’s illness infectious and recovery situation, employee’s health conditions, etc.
Basic requirements for collecting personal information from employees
According to the PIPL, this law applies to all activities involving the processing of personal information of natural persons. Consequently, companies must fully comply with the PIPL when collecting personal information from their employees. As per the PIPL’s basic principles, the collection of personal information by the company will include the following considerations:
- Companies must inform their employees about the purpose, scope, and methods of personal information collection, and obtain employees’ consent.
- The collection of employees’ personal information shall be legal, justified, and necessary, and shall be limited to the minimum scope to achieve the purpose of collection.
- When collecting employees’ sensitive personal information, companies must obtain separate consent of employees and can only collect such sensitive personal information for specific purposes and under sufficient necessity.
Legal basis for the company to collect personal information from its employees
When collecting employees’ personal information, except for employees’ consent, the company must have adequate legal basis for the collection. Under the current laws and regulations, the below five legal bases are frequently cited.
Labor-related laws and regulations
Article 8 of the Labor Contract Law of the PRC stipulates that the “employer has the right to know the basic information directly related to the labor contract, and the employee shall truthfully make an explanation.” Local regulations, such as Article 10 of Beijing Labor Contract Regulation, stipulates that “the employee has the right to know employer’s conditions and shall truthfully provide information such as his/her ID copy, education background, employment situation, working experience, and professional skills, etc.”
Therefore, based on the abovementioned law and local regulations, the employer has the legal ground to collect employee’s basic information, health condition, knowledge level, and work experience, etc.
Public health safety requirements
Article 45 of Food Safety Law stipulates that “persons suffering from diseases affecting food safety as stipulated by the administrative department of public health under the State Council shall not engage in any work involving contact with ready-to-eat food”. Article 7 of Regulations on the Administration of Public Health stipulates that “persons suffering from dysentery, typhoid fever, viral hepatitis, active pulmonary tuberculosis, suppurative or exudative skin disease, or any other disease affecting public health shall not engage in direct customer service until cured”. Article 33 of the Regulations on Supervision and Administration of Cosmetics also stipulates that person suffering from specific diseases may not directly engage in cosmetic production activities.
Therefore, if a company involves in the aforementioned work, it has the right to request its employee to provide sensitive personal information related to the illness.
Employment protection laws and regulations
The Occupational Disease Prevention and Control Law provides the special protections on employees who engaging in works exposed to toxic and harmful factors. Female Employee Labor Protection Provisions provides specific protections for female employees.
For example, the company must establish an archive to record employees’ personal information related to the occupational hazards, including but not limited to working history, contact history on occupational hazards, occupational health examination results, and personal health information such as occupational disease diagnosis and treatment, etc. For the female employees, the company cannot arrange them to do certain type of works during periods of menstruation, pregnancy, postpartum, breastfeeding, etc.
Given this, to protect the employees’ health, the company has the legal ground to collect employees’ personal information related to occupational history, occupational disease contact history, health examination results, occupational disease diagnosis, pregnancy status, and birth status, etc.
Public health emergency
According to the Notice on the Protection of Personal Information and the Use of Big Data to Support Joint Prevention and Control issued in February 2020, when collecting personal information for COVID-19 prevention and control, the subjects shall be confined to the confirmed cases, suspected cases, close contacts, and other key groups, shall not expand to all people in a given area; without personal information owner’s consent, no party or individual has the right to disclose other person’s name, age, ID number, telephone number, address, except for personal information went through the desensitization treatment and is necessary for the COVID-19 prevention and control.
As required by the local policies on COVID prevention and control, the company may examine the employees’ body temperature when they arrive at the company office every day, collect employee’s travelling information and their home address, ask the employee to give a prior notice to the company when they travel to other cities, etc. When colleting employees’ personal information, the company must abide by the principle of minimizing the scope of data required and securely storing the employees’ personal information collected.
Collective labor contract or company’s rules and regulations
According to the PIPL, the company can collect its employees’ personal information for the purpose of HR management in accordance with its collective labor contract with employees and its internal rules and policies formulated in accordance with applicable laws and regulations. As to the personal information necessary for company’s HR management, it could be employee’s ID number, fingerprint information, telephone number, address, social insurance number, bank account information, etc. The company shall include collection of such personal information in its collective labor contract or company’s internal rules and policies as a legal ground for collecting employee’s personal information.
Compliance suggestions for companies collecting personal information from employees
Where it is necessary to collect personal information from employees, we suggest companies follow the below best practices.
Minimize the collection scope
The scope of personal information collected from employees should be limited to the information directly related to the conclusion and performance of employee’s labor contract, such as ID information, communication information, education and employment qualification information, work experience information, etc. Personal sensitive information, such as health information, infectious disease information and special information of female employee, etc., could be collected for special positions or for labor protection or female employee labor protection. The separate consent of the employee is required for the collection of sensitive information.
Establish reasonable grounds for collecting female employee marriage and birth information and information of employee’s family members
Female employees’ marriage and birth information, menstrual period information, breastfeeding information, etc. should not be collected without a reasonable ground, except for the purpose of protection of female employees’ rights under the Female Employee Labor Protection Provisions. The company should not directly dismiss the employee or refuse to employ the employee if he/she refuses to provide such personal information to company.
Include in company’s collective labor contract or company’s internal rules and regulations of reasonable collection of employee’s personal information
Where a company intends to collect its employee’s personal information through working equipment, it should clearly stipulate in its company rules and regulations that:
- Work email, computer, mobile phone, and other work-related electronic devices and electronic accounts used by employees fall in the scope of “work equipment”.
- For the purpose of company’s administrative and HR managements, company has rights to supervise and examine employees’ working equipment and collect the information restored in such working equipment.
- During the term of employment, the employee shall use the work equipment only for the purpose of work and shall not use it for personal issues.
- Employees are prohibited to use their personal computers, devices, and email to deal with work-related issues.
In addition, the purpose of collecting of personal information and the personal information processing method should also be clearly stipulated in the company’s collective labor contract or company rules and regulations.
When collecting personal information of employees as requested by a third party, the company shall let the third party to collect the information directly from employees by itself
When the company purchase life insurance, health insurance, and accident insurance for employees and their families, the third party, i.e., the insurance company can directly collect personal information and sensitive information from employees. The company can perform its personal information protection obligation through a relevant contract with the third party in which the third party is required to fulfill the personal information protection obligation to the same level as the company.
Fulfill the obligation to inform the employee and obtain the employee’s consent
When collecting personal information from its employees, the company must clearly inform the employees about the purpose of collection, usage of the personal information to be collected, how the information will be stored, etc. For sensitive personal information collected, a separate consent from the employee must be taken.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org. Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.