Key Points Analysis of Employee Personal Information Management Compliance
With the intensive development of personal information security compliance, most enterprises have paid attention to personal information compliance work and made considerable efforts to comply with legal and regulatory requirements. However, in practice, enterprises are often faced with questions such as: "Does employee information fall within the scope of personal information protection?", "How should the resumes of candidates who are not recruited be disposed of?", and "How can requiring employees to clock in and out via facial recognition be made compliant?" Under these circumstances, it is of practical value to discuss corporate compliance relating to the protection of employees' personal information.
In practice, it is difficult to deal with inter-departmental issues such as the management and compliance of employee personal information, since the human resources department, the legal compliance department and the technology department each perform their own duties. This article is divided into three sections: relevant regulations and regulatory focuses, key points of compliance in real scenarios, and comprehensive recommendations for compliance, with a view to providing targeted compliance recommendations for companies that collect, use and store employees' personal information and a reference for employee personal information management work.
I. Regulations and regulatory focuses
1. Scope of employees’ personal information
Name of law and regulation | Definition of personal information
 | 5. Personal information refers to all kinds of information, recorded electronically or otherwise, that can be used, independently or in combination with other information, to identify a natural person, including but not limited to the natural person's name, date of birth, ID number, personal biometric information, address and telephone number, etc.
Administrative Measures for Data Security (Draft for Comment) | 3. Personal information refers to various information recorded electronically or by other means that can be used for identification of a natural person's personal identity individually or in combination with other information, including but not limited to a natural person's name, date of birth, ID number, personal biometric information, domicile and phone number, etc.
Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens' Personal Information | The term "personal information of a citizen" as mentioned in Article 253A of the Criminal Law refers to all kinds of information recorded by electronic means or otherwise that can be used independently or together with other information to identify a particular natural person's identity or reflect particulars of his or her activities, including the natural person's name, ID number, contact information such as e-mail address or phone number, address, account name and password, property conditions, whereabouts and tracks, etc.
Personal Information Security Specification | Any information recorded in electronic form or otherwise that can be used independently or together with other information to identify a natural person or reflect the activities of a natural person.
According to the above table, the scope of personal information subject to regulatory protection is relatively broad. According to the judgment criteria in Appendix A of the Personal Information Security Specification, if the information can identify a specific natural person, or is known to have been generated by a specific natural person in the course of his or her activities, it should be deemed personal information enjoying protection. China does not yet have any specific regulatory requirements for employees' personal information, but according to Article 8 of the Labor Contract Law, "the employer has the right to know the basic information directly related to the labor contract, and the employee shall state it truthfully." Therefore, in the daily practice of managing and performing the labor contract, the enterprise has the right to collect necessary information about its employees, in forms such as resumes, biometric information and medical examination reports. In most cases, this type of information belongs to the personal information listed in the above provisions. Therefore, for employee information that falls under the category of personal information, companies are still required to comply with regulatory requirements in order to legally collect, use and store such information. We recommend that companies pay attention to the regulations and regulatory documents on personal information, collate the personal information related to their human resources work, and include it in their personal information security compliance system.
2. Legal liabilities and risks
Name of law and regulation | Provision on legal liability
 | Where network operators or providers of cyber products and services, in violation of Paragraph 3 of Article 22 and Articles 41 to 43 hereof, infringe the right to have personal information protected in accordance with the law, they shall be ordered to make rectification and shall be subject to a warning, confiscation of illegal gains, or a fine of no less than one but no more than ten times the illegal gains, or a combination thereof as the case may be; where there is no illegal gain, a fine of no more than CNY1 million shall be imposed; and a fine of no less than CNY10,000 but no more than CNY100,000 shall be imposed on the persons directly in charge and other directly responsible persons. Where the circumstances are serious, they shall be ordered to suspend the relevant business, stop the business for rectification or close down the website, or the relevant business permits or their business licenses may be revoked.
Article 253a [crime of infringement of citizens' personal information] | Whoever, in violation of the relevant provisions of the State, sells or provides others with the personal information of a citizen, where the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention and concurrently or separately sentenced to a fine; if the circumstances are especially serious, the person shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and concurrently sentenced to a fine.
 | Whoever, in violation of the relevant provisions of the State, sells or provides others with citizens' personal information obtained in the course of performing duties or providing services shall be given a heavier punishment in accordance with the preceding paragraph.
 | Whoever illegally obtains the above-mentioned information by theft or otherwise shall be punished in accordance with the provisions of Paragraph 1.
 | Where an organization commits any of the crimes mentioned in the preceding three paragraphs, a fine shall be imposed on the organization, and the persons directly in charge of the organization and other persons directly liable shall be punished in accordance with the respective provisions of the preceding three paragraphs.
It should be noted that, as shown in the above table, the legal risk consists of both administrative liability and criminal liability, and according to existing punishment cases, the regulatory authorities may also impose measures such as prohibiting the sale of a product or interviewing the responsible parties in accordance with departmental regulations and regulatory documents. The responsible parties include not only the enterprise but also the persons directly in charge and other directly responsible persons. Based on analysis of actual work, means such as establishing compliance systems and recording compliance measures can effectively reduce the risk of legal liability. Therefore, it is recommended that companies take effective compliance measures for the collection, processing and storage of employees' personal information and the other stages of the personal information life cycle, and make timely adjustments in response to regulatory requirements.
In the following sections, the author will provide some key points of compliance in the context of real scenarios for companies’ reference in their staff management practices.
II. Key points of compliance in real scenarios
1. Before employment
(1) Obtain personal resume
At this stage, if the applicant voluntarily submits a resume to the company, the company is deemed to have obtained the data subject's authorization to collect the personal information. If the resume is obtained from a third party (including recruitment websites, headhunters, external recommendations, etc.), the company is required to verify with the third party whether the source of the personal information is legal and compliant with the relevant regulations, whether the authorization of the information subject has been obtained, and whether the information subject has been informed of, and has consented to, the resume being provided to the company. For third parties with which it cooperates on a long-term basis, it is recommended that the company sign a cooperation agreement clarifying the obligation and responsibility of verifying the legality and compliance of the information source.
After resume screening, resumes of applicants ineligible for an interview should, in principle, be deleted immediately, or a mechanism should be established for regular checking and cleaning. For the establishment of a talent pool or the provision of resumes to related parties, the company may obtain authorization from the subject of the information by e-mail or other electronic means, while not exceeding the aforementioned purposes in its use.
(2) Obtain interview information
During the interview, some companies still require interviewees to fill out a personal information form that the company prepares on its own, which usually includes questions about the interviewee's age, gender, ethnicity, registered residence, home address, marital status, educational background, work experience, family members, and even family members' work information.
It should be noted that companies may only obtain information related to the job itself, without exceeding the minimum scope of necessity. Information such as ethnicity, household registration location, home address and family member information, which is not directly related to the job, does not need to be collected, unless the company can prove the necessity of collection due to the special nature of the job.
It is also recommended that companies add a notification and consent clause, highlighted in bold, at the end of the personal information form for the interviewee to sign. The HR interviewer should carefully safeguard any private information about the interviewee that he or she records personally, and delete it as soon as the result of the interview has been decided.
(3) Obtain background check information
When a company entrusts a third-party organization to conduct a background check on a prospective employee, it should specify the corresponding confidentiality clause in the contract signed with the third party, requiring the vendor to delete the entrusted information promptly after completing the entrusted matters. At the same time, the company should also inform the candidate through e-mail or other means that the company may conduct background check on the candidate through legal means, as well as the content of candidate's personal information provided to the third party for the candidate’s approval.
(4) Obtain medical report
Medical reports have become an integral part of employee information that a company must collect. According to the definition set out in Article 3.2 of the Personal Information Security Specification, personal health and physiological information is personal sensitive information. This type of information requires additional protection because its disclosure, unlawful provision or misuse may endanger personal and property safety and may result in damage to personal reputation, physical and mental health or discriminatory treatment. In this context, medical reports are personal sensitive information, and the company is required to comply with appropriate regulatory requirements when obtaining such information from individuals.
It is suggested that the company clearly indicate in the employment notice whether the medical check items are relevant to the job, in order to comply with the principle of minimum necessity, and obtain the explicit consent of the information subject (for example through e-mail acknowledgement) before obtaining the written authorization of the employee when the employee goes through entry formalities. The information should be destroyed or deleted once it has served its required purpose.
2. After employment
(1) Establish personal profile
Upon joining the company, employees are often required to fill out a personal information registration form to establish their personal management files to satisfy the company’s regular management requirement. The act of filling out the form on the employee's own initiative can be regarded as his/her consent for the company to collect such information. However, in order to comply with the principle of clear purpose and minimal necessity, it is recommended that the company specify the scope of personal information collected, the purpose of use and the retention period in documents such as employee handbooks or employment contracts. The company may inform the employee that it will only collect information related to the employment contract, such as the employee's name, identity information, educational background, work experience, history of serious illnesses, criminal records, etc. The company may also inform the employee of the department in charge of gathering and managing the collected information and the way to search personal information records. In cases where there is a possibility of providing the information to a third party, the company may inform the employee in the aforementioned rules when collecting personal information, and again notify the relevant information subject in writing and obtain consent before making the transfer. Where sensitive personal information, such as medical records, ID information, etc., is involved, the type of sensitive information, the identity of the recipient, and the data security capabilities of the recipient are also required to be notified in accordance with the requirements of Article 9.1 of the Personal Information Security Specification.
(2) Collection and use of biometric information
Compliance requirements in attendance check scenarios. Due to the wide adoption of technologies such as fingerprint and facial recognition check-in, more and more companies are collecting employees' biometric information such as fingerprints and facial features for attendance management. According to Article 5.4 of the Personal Information Security Specification, before collecting personal biometric information, the collector shall separately notify the personal information subject of the purpose, method and scope of collection and use of the personal biometric information, as well as the storage period and other rules, and obtain the explicit consent of the personal information subject. It is recommended that the company send written notification to employees and obtain their consent before the initial collection of personal biometric information. At the same time, the company should add rules for the protection of personal biometric information to employee handbooks or work management documents, and include them in employee training. In addition, according to Article 6.3 of the Personal Information Security Specification, the company should not store original biometric information (e.g., original files of employees' facial images) unless there are exceptional circumstances. The company may store only a digest (abstract) of such information, or not upload such images to the company server at all but keep them only on the identification device terminal for identification and authentication; further, the company can delete the original images from which such information was extracted once the authentication function has been realized.
Compliance requirements in work environment monitoring scenarios. To protect corporate trade secrets, some companies set up internal monitoring systems to monitor employees' e-mail correspondence. In addition, in order to improve work efficiency and maintain network security, companies usually set up automatic or manual decision-making mechanisms to cope with abnormal access and security incidents through traffic monitoring and the deployment of monitoring systems. Some special industries (e.g., food delivery, online car booking) also need to track the movements of individuals in order to monitor work quality.
It is recommended for the company to first assess the necessity, reasonableness and risk consequences of monitoring before implementing different monitoring measures to determine if the monitoring measures are necessary and whether there are alternative solutions. For example, to prevent employees from browsing pornographic websites, installation of network firewalls will have less impact on employee’s privacy compared to recording employees' web browsing logs; to prevent employees from idling, the company may conduct unannounced inspections from time to time, thereby replacing the installation of video surveillance in semi-public areas. Video surveillance must not be installed in dressing rooms, restrooms, baby care rooms and other more private areas.
Secondly, companies should inform their employees of the monitoring scenarios, the purpose of the monitoring, the type of information collected and what will be done with such information. Measures that are relevant to the interests of employees should also be discussed democratically to obtain majority consent. At the same time, it is important to be transparent about the procedural aspects of the implementation so that employees accept the legitimacy of the monitoring.
As the monitoring information involves relatively private behavior of employees, the company is advised to set up a strict management system and access authority for the collection and use of such information, and specify the responsible personnel, the purpose of use and storage period, so as to prevent negative impact on the company and employees due to the leakage of information.
(4) Cross-border transfer of employees' personal information
Some companies may need to transfer employee information to their overseas parent company due to office locations in different countries or management requirements, which raises compliance issues regarding the cross-border transfer of personal information. According to the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment), companies should conduct a self-assessment and apply for security assessment for cross-border transfer of personal information to the local provincial network information department before transferring the information out of the country. According to Article 14 of the Measures, the company shall execute contracts or other legally binding documents with the overseas recipients and notify personal information subjects of basic information of network operators and recipients, the purpose of transfer of personal information overseas, type of personal information and retention period by means such as email, instant messaging, letter or fax. Since the Measures have not yet come into effect, it is advisable for the company to establish a compliance process for the cross-border transfer of personal information in advance based on the Measures and make timely adjustments based on the effective document released subsequently.
(5) Scenarios of entrustment, sharing, transfer, disclosure and publication
During business operation, a company may entrust a third party to process its employee information or transfer the employee information to a third party. For example, a company may outsource its internal financial processing to a third party, or may share or transfer employees' personal information in the event of a merger, division or reorganization. There are also situations in which employees' personal information needs to be disclosed or made public in accordance with laws, regulations or regulatory requirements, such as reporting information about employees with suspected symptoms to the health department for the purpose of infectious disease outbreak control; or disclosing employees' personal information in accordance with the law, such as when a network operator appoints a network security officer or a personal information protection officer and discloses such officer’s personal information to users.
Where the foregoing circumstances apply and a third party is entrusted, companies are recommended to strictly distinguish whether an exception to authorized consent applies, conduct a personal information security impact assessment of the entrusted processing in accordance with Article 9.1 of the Personal Information Security Specification, take supervisory measures over the entrusted party, record and retain the entrusted party's handling of personal information, and formulate remedial measures for the risks that may materialize. In cases involving the sharing or transfer of employees' personal information, companies should take measures in accordance with the requirements of Article 9.2 of the Personal Information Security Specification, including a security impact assessment, informing employees of the purpose, the type of recipient and the possible consequences, obtaining authorization, supervising the recipient and clarifying responsibilities, and assisting employees in exercising their individual rights. In addition, employees' personal information must be de-identified during transmission.
3. After employees' departure
After an employee terminates the employment relationship with the company, it is recommended for the company to make a written agreement on the handling of the employee's personal information during the handover process, specifying the retention time, the purpose and use of such information, and whether the information can be provided as a basis for a third party to conduct background checks on the employee. After the agreed purpose is achieved, the company should promptly delete or anonymize such information. Based on working practices, the author recommends that companies establish a mechanism for regular verification and checking of the status of personal information, and conduct timely compliance processing of personal information of departed employees.
III. Conclusion and suggestion
As the protection of employees' personal information currently requires the selective application of personal information protection laws and regulations and regulatory requirements, the author recommends that companies, in the process of establishing or improving their personal information security compliance systems, design and implement institutional documents for the protection of employees' personal information as part of the compliance process with special attention to the following four aspects:
1. Evaluate the compliance status of collection and use of existing employee personal information, distinguish between general personal information and sensitive personal information, and classify and organize such information.
2. Establish a leading department that brings together personnel from the human resources department, the legal compliance department and the IT department to handle this type of work, and design the employee personal information compliance work to improve its operability and feasibility.
3. Implement security measures for the transmission and storage of employees' personal information and other links, and establish systems such as encrypted transmission requirements, access restrictions, and periodic inspection and audit.
4. Pay close attention to regulatory requirements and make adjustments in a timely manner, and, given the recent frequent issuance and updating of personal information and data security regulations and regulatory requirements, consider entrusting professional organizations to assist in interpreting the rules and making compliance recommendations where necessary.
The Watson & Band website is intended for informational purposes only. Nothing in this site is to be construed as creating an attorney-client relationship between the reader and Watson & Band or as offering legal advice on any specific matter. Since we are not providing legal advice through this website, you should not act upon any information that you might receive here without first seeking professional counsel. No client or other reader should act or refrain from acting on the basis of any information contained in the Watson & Band website without seeking appropriate legal or other professional advice based on the particular facts and circumstances at issue.