Compliance Issues on Employees' Personal Information
I. What Constitutes Personal Information
Personal information refers to information recorded in electronic or other forms that can be used, alone or in combination with other information, to identify a natural person. Personal information includes but is not limited to the natural person's name, date of birth, ID number, personal biological identification information, address and telephone number[1].
II. PRC Laws on Protection of Employees' Personal Information
1. General Provisions
The General Rules of the Civil Law of the People's Republic of China contains basic provisions concerning the protection of personal information: any organization and individual seeking to acquire personal information of others must obtain the information legally and safeguard the obtained information; illegal collection, use, process, transmission, sale, supply and publication of personal information of others are prohibited[2]. In addition, the Decision of the Standing Committee of the National People's Congress on Strengthening Internet Information Protection also stipulates that collection and use of citizens' personal electronic information in the course of business must follow the principles of lawfulness, reasonableness and necessity. The collector must obtain the citizen's consent and explicitly state the purpose, method and scope of the collection and usage[3]. Any information collected must be kept strictly confidential to avoid disclosure, damage and loss[4].
According to the Criminal Law of the People's Republic of China, sale or supply of any citizen's personal information obtained in the course of performing a duty or providing a service in violation of laws, regulations and other government rules may constitute the crime of infringing citizens' personal information and be heavily penalized[5].
Employers should abide by the above provisions when acquiring, collecting, storing, processing and using their employees' personal information.
2. Relevant Provisions in Labor Law
Currently, no law or regulation has been designed specifically to protect employees' personal information in China.
Traditional labor law contains provisions governing the protection of employees' personal information, which include the following:
1) The Labor Contract Law of the People's Republic of China allows employers to request employees' basic information directly related to their labor contract[6]. Of course, the scope of the aforementioned "basic information" varies from region to region. For example, the Rules of Shanghai Municipality Employment Contract stipulates that employers have the right to know the employee's health condition, depth of knowledge, skills and work experience[7]. The Regulations of Beijing Municipality on Labor Contracts stipulates that employers may demand the employee's identification cards, diplomas, and information about their employment status, work experience, professional skills, etc.[8]
2) Besides, the Regulations on Employment Services and Employment Management requires employers to obtain their employees' written consent before disclosing their personal information[9].
3. Provisions on Network and Data Security
In recent years, the laws, regulations and legal documents related to network and data security have gradually increased. Newly promulgated statutes include the Cybersecurity Law of the People's Republic of China (hereinafter referred to as the "Cybersecurity Law") and the Administrative Measures on Data Security (Consultation Draft). In addition, as the nationally recommended standard, the Information Security Technology - Personal Information Security Specification, together with the Guidelines for Internet Personal Information Security Protection, serve as a guide to personal information protection.
Generally speaking, the above-mentioned legal provisions and documents for personal information protection are mainly aimed at regulating network operators and have relatively limited and indirect impacts on protection of employees' personal information. However, if the employer maintains an intranet for business management, the above legal provisions and documents would also apply to the collection and use of personal information through the intranet.
Specifically, laws aimed at network operators that may require compliance by employers collecting and using employees' personal information through the intranet mainly include the following: firstly, under the Cybersecurity Law, network operators must keep information collected from users in strict confidence[10], abide by the principles of lawfulness, reasonableness and necessity in collecting and using personal information[11], not disclose, tamper with or destroy the personal information collected, and not disclose such information to any third party without prior consent[12]. In addition, it is noteworthy that the Administrative Measures on Data Security (Consultation Draft) has detailed provisions on data collection and processing. It grants individuals the right to access, correct and delete personal information and close accounts[13]; furthermore, network operators must make a filing with the local cyberspace administration department when collecting important data or sensitive personal information for purposes of business operations[14]. As this draft has not yet been officially promulgated, the final content of the regulations remains uncertain. However, employers should continue to monitor its progress and prepare to comply once the official version is promulgated.
When dealing with employees' personal information, the employer is also bound by the general provisions of the Cybersecurity Law, which prohibits illegal acquisition (e.g. theft), sale, and provision of personal information to others[15], etc.
III. Collecting and Using Employees' Personal Information: Methods, Typical Scenarios of Violation and Compliance Advices
In the following table, we list different methods by which employees' personal information is collected and used, typical cases of violation, and our compliance advices:
IV. Summary and Suggestion
According to current laws and regulations on personal information protection in China, obtaining the employees' consent before collecting and using employees' personal information largely ensures the employer's compliance. Employers should also attend closely to the legislative and judicial developments related to personal information protection, and formulate and timely adjust their corporate rules and regulations.
注释:
[1]:The definition comes from Article 76 of the Cybersecurity Law of the People's Republic of China and Article 38 of the Administrative Measures on Data Security (Consultation Draft).
[2]:See Article 111 of the General Rules of the Civil Law of the People's Republic of China.
[3]:See Article 2 of the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection.
[4]:See Articles 3 and 4 of the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection.
[5]:See Article 253 (1) of the Criminal Law of the People's Republic of China.
[6]:See Article 8 of the Labor Contract Law of the People's Republic of China.
[7]:See Article 8 of the Rules of Shanghai Municipality on Employment Contract.
[8]:See Article 10 of the Regulations of Beijing Municipality on Labor Contract.
[9]:See Article 13 of the Provisions on Employment Services and Employment Management.
[10]:See Article 40 of the Cybersecurity Law of the People's Republic of China.
[11]:See Article 41 of the Cybersecurity Law of the People's Republic of China.
[12]:See Article 42 of the Cybersecurity Law of the People's Republic of China.
[13]:See Article 21 of the Administrative Measures on Data Security (Consultation Draft).
[14]:See Article 15 of the Administrative Measures on Data Security (Consultation Draft).
[15]:See Article 44 of the Cybersecurity Law of the People's Republic of China.
劳动法专栏往期文章
1. 谈谈企业规章制度民主程序的“是与非” ——以《劳动合同法》第四条第二款的司法实践解读为视角
2. 防止被收购企业股东另起炉灶,竞业禁止条款如何巧妙设置?
4. 董事与高级管理人员的法定竞业限制义务——用人单位救济障碍与应对策略分析
5. Directors and Senior Management's Non-Compete Obligations
合伙人
021- 2613 6125
tracy.liu@jingtian.com
刘琦律师毕业于华东政法大学和德国法兰克福大学,分别获得法学学士和法学硕士学位。刘律师具有超过10年的法律从业经验,主要业务领域为劳动与雇佣法律和外商投资并购。
刘律师拥有丰富的涉外法律服务经验,曾在一流国际、国内律师事务所工作十余年。刘律师擅长为跨国企业提供高质量的人力资源法律服务,包括提供日常法律咨询,高管解雇谈判,法律风险评估,人力资源合规,劳动合同、规章制度及其他雇佣相关的法律文件的起草与修订,劳务派遣与人力资源外包,员工安置及遣散,外国人在华就业和居留相关事宜,劳动争议解决等方面的法律服务。
顾问
021- 2613 6129
larry.lian@jingtian.com
连煜雄律师毕业于中南财经政法大学和厦门大学,分别获得法学学士和法学硕士学位。连律师具有超过10年的法律从业经验,主要业务领域为劳动与雇佣法律和外商投资并购。
连律师擅长为各类内外资企业提供高质量的人力资源法律服务,包括日常法律咨询,法律风险评估,提供合规整体方案,审查、起草和修改劳动合同、规章制度及其他劳动法律文件,处理外国人在华就业和居留的相关事宜,为客户及其员工提供培训服务,设计员工安置方案,高管解雇/离职等。
声明 DISCLAIMER
本文观点仅供参考,不可视为竞天公诚律师事务所及其律师对有关问题出具的正式法律意见。如您有任何法律问题或需要法律意见,请与本所联系。
This article is for your reference only and not to be deemed as formal legal advice given by Jingtian & Gongcheng or its lawyers. Please contact us directly for formal legal advice or further discussion about the relevant issues.