
How to Collect and Use Employees' Outbreak-related Information

Ai Luo, Xiaojing Tang, Ning Zhang, King & Wood Mallesons Institute
2024-08-24

___

Amid the severe 2019-nCoV outbreak, and in anticipation of the post-Spring Festival return rush, many employers have been collecting outbreak-related information from their employees, such as health status, recently visited cities, recently used public transportation, recent contacts and return plans, in order to improve employee management and prepare for reopening. Personal information refers to any information that can be used alone or together with other information to identify an individual or indicate an individual's activities.[1] Most of the outbreak-related information described above is personal information. In recent years, China has taken leaps in the area of personal information protection. While moving quickly to collect information from employees, HR may also be concerned: will collecting such information infringe on employees’ privacy? Can employees refuse to disclose it? What are the “dos and don’ts” in collecting and using it? What are the potential legal liabilities for processing it improperly? While working to prevent and control infection, employers also need to prevent and control the compliance risks of processing personal information. This article analyzes these issues and offers practical suggestions.

Question 1:

Can employers collect and use employees’ personal information relating to the outbreak?


During the special period of the 2019-nCoV outbreak, employers can collect and use employees’ personal information relating to the outbreak to contain infection.


Based on Article 8 of the Employment Contract Law, employers are entitled to learn about their employees’ “basic information directly related to employment contract”. During the 2019-nCoV outbreak, when employees’ outbreak-related personal information has a direct influence on employers’ production, operation and work arrangement, it becomes information “directly related to employment contract”, and the employers should be entitled to possess such information.


Further, pursuant to Article 54 of the Labor Law, employers shall provide a safe and sanitary working environment for their employees.[2] If an employee is infected with the 2019-nCoV disease during working hours, in the workplace and for work-related reasons, he or she will be deemed to have sustained a work-related injury. During the outbreak, by obtaining employees’ outbreak-related information in a timely manner, employers are also fulfilling their responsibility to protect their employees. In addition, according to Article 22 of the Emergency Response Law,[3] Article 38 of the Work Safety Law[4] and Article 26 of the Interim Provisions on Checkup and Rectification of Hidden Dangers of Work Safety Accidents,[5] etc., employers shall check and manage potential dangers of accidents, and shall promptly report to the relevant authority upon discovery of any abnormal conditions.

Question 2:


What are the adverse consequences for improper processing of employees’ outbreak-related personal information?

During the 2019-nCoV outbreak, while it is permissible for employers to collect and use employees’ outbreak-related personal information, employers shall process such information properly. Otherwise, improper processing of such information may bring adverse impacts on the employees, and legal liability to the employers.


During the outbreak, the leakage, unlawful provision or abuse of employees’ outbreak-related personal information is likely to cause discrimination against the individual, damage to his/her reputation, injury to physical or mental health or other adverse effects.


Once found to have infringed on personal information, the organization or individual shall bear tort liabilities based on their fault, including but not limited to ceasing infringement, paying damages, eliminating impacts, restoring reputation, and apologizing. If the employer acts as a network operator in the processing of such personal information, according to Article 64 of the Cybersecurity Law, the employer and/or personnel in charge will be ordered to correct, and may be punished with other administrative penalties such as warnings and fines.[6] If the conduct constitutes a serious case of unlawfully providing personal information to others, the employer or individual may be charged with the crime of infringing on personal information.[7]

Question 3:


How should employers process employees’ outbreak-related personal information?

Concerning employees’ outbreak-related personal information, employers may be involved in the processing activities ranging from collection, transmission, storage, access, operation, to disclosure or sharing thereof. In accordance with the relevant provisions in the General Rules of the Civil Law,[8] Cybersecurity Law,[9] etc., when processing personal information, the basic principles of transparency and consent, minimization and necessity, security and confidentiality, etc. should generally be followed.


As to the principle of consent, as analyzed under Question 1 above, as employees’ outbreak-related personal information is “directly related to employment contract” in the current situation, employers are not required to obtain their employees’ consent separately beforehand.


With respect to the principles of “minimization and necessity” and “security and confidentiality”: during the 2019-nCoV outbreak, the leakage, unlawful provision or abuse of employees’ outbreak-related personal information is likely to cause discrimination against the individual, or damage to his/her reputation or physical or mental health, so this information is now “sensitive personal information”[10] (specially protected under the Personal Information Security Specification). We therefore suggest that employers observe the stricter standards that the Personal Information Security Specification sets for sensitive personal information when implementing the two principles. More explanation is given below in the context of specific processing activities.

Question 4:


How should employers collect employees’ outbreak-related personal information?

When collecting employees’ outbreak-related personal information, the key principle employers should follow is the principle of minimization and necessity, in other words, to refrain from collecting irrelevant or overly indirect information in principle. In connection with the process of collection, our specific suggestions are as follows:


(1)   When requiring employees to provide the personal information, explicitly bring the intended purposes and uses to their attention. At the same time, because it is uncertain whether the requested information will remain directly related and reasonably necessary as the situation changes, it is recommended to collect the employees’ confirmation of voluntary submission and consent. For instance, when collecting information through questionnaires, employers should set forth the purposes of collection and include a statement of consent; with electronic questionnaires, the form can be set up so that employees must actively check a box or click a button indicating “awareness and consent” before submitting the information.


(2)   Collect the minimum amount and types of personal information necessary for infection control and employee management, e.g. ask closed questions with given choices rather than open questions, and, if needed, follow up on abnormal or suspicious cases to collect more personal information. For example, employers can enquire about travel records and contact with or exposure to certain groups of people within the last 14 days, rather than asking about earlier periods, and enquire about typical symptoms associated with the disease, such as fever, dry cough and shortness of breath, instead of conducting a general survey of health status, illness or medical history.


(3)   Refrain from repeatedly collecting personal information that has already been obtained, e.g. ID numbers, home addresses and contact information, because a leak of the compiled information would result in worse consequences.


(4)   Adopt safe and reliable means for submission and receipt of the personal information, to avoid any leakage, damage or loss thereof.

Question 5:


How should employers manage employees’ outbreak-related personal information?

Employers should properly manage the collected personal information, including transmitting, storing, accessing, operating and other activities. The key principles for management of the personal information are “safety and confidentiality” and “minimization and necessity”. In connection with the foregoing activities, we have the following suggestions:


(1)   Adopt safe and reliable means for transmission and storage of the collected personal information. In view of the sensitive nature of the personal information, it should be encrypted and, further, de-identified, with the re-identifying elements stored separately.


(2)   Use the collected personal information for infection control and employee management purposes only. Regarding access to and operations on the personal information, stick to the minimum authorization principle, i.e. authorize only the personnel who need to know or use the personal information, and only to perform the minimum operations (such as access, replication, alteration, input and deletion) on the minimum personal information necessary for fulfilling their own job duties.
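The two suggestions above can be combined in a single data layer. The following sketch is an added example, not part of the original article: it separates de-identified questionnaire answers from the re-identifying elements and checks a role before each read. The field names, role names and the `SplitStore` class are assumptions made for illustration, and encryption in transit and at rest is assumed to be provided by the transport and storage layers.

```python
import hashlib
import hmac
import secrets

# Assumed field names for the example; the article does not define a schema.
IDENTIFYING_FIELDS = ("employee_id", "name", "phone")

# Hypothetical roles: each is granted only the stores its duties require.
ROLE_PERMISSIONS = {
    "site_manager": {"answers"},                 # de-identified answers only
    "hr_case_officer": {"answers", "identity"},  # follows up on abnormal cases
}


class SplitStore:
    """Holds de-identified answers and re-identifying elements separately.

    Two dicts stand in for what would be two separately secured (and
    encrypted) data stores in a real deployment.
    """

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        self._answers = {}
        self._identity = {}

    def _pseudonym(self, employee_id: str) -> str:
        # Keyed hash: without the key, the pseudonym cannot be recomputed
        # by hashing a list of known employee IDs.
        mac = hmac.new(self._key, employee_id.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:16]

    def _require(self, role: str, store: str) -> None:
        if store not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not read {store!r}")

    def ingest(self, record: dict) -> str:
        pid = self._pseudonym(record["employee_id"])
        self._identity[pid] = {f: record[f] for f in IDENTIFYING_FIELDS}
        self._answers[pid] = {
            k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS
        }
        return pid

    def read_answers(self, role: str) -> dict:
        self._require(role, "answers")
        return {pid: dict(a) for pid, a in self._answers.items()}

    def reidentify(self, role: str, pid: str) -> dict:
        self._require(role, "identity")
        return dict(self._identity[pid])


def demo() -> tuple:
    store = SplitStore(secrets.token_bytes(32))
    # Constructed sample questionnaire answer, not real data.
    pid = store.ingest({
        "employee_id": "E1001", "name": "Sample Employee", "phone": "000-0000",
        "fever": False, "travel_last_14_days": True,
    })
    return store, pid


if __name__ == "__main__":
    store, pid = demo()
    print(store.read_answers("site_manager"))
    print(store.reidentify("hr_case_officer", pid))
```
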

Question 6:


If abnormal cases are found, can employers disclose employees’ outbreak-related personal information?

First of all, employers can and should report infected or suspicious cases and involved personal information to the competent authority. Pursuant to Articles 31 and 77 of the Law on Prevention and Treatment of Infectious Diseases, when discovering an infectious disease patient or a suspected one, any organization or individual shall timely report to a nearby disease prevention and control institution or medical institution; otherwise, where a spread or prevalence of the disease, and personal injuries or property loss to others are caused, the organization or individual shall assume civil liability.


In parallel, for the purposes of infection control and protecting other employees, weighing the individual’s right to and interest in keeping his/her personal information confidential against other employees’ rights to and interests in health and safety, it should be permissible to disclose the concerned employee’s personal information internally. To strike a balance between protecting employees’ personal information and maintaining occupational health and safety and work safety, we suggest that the employer confine the disclosure to the necessary extent and scope, e.g. disclosing to impacted employees only, refraining from disclosing any unrelated personal information, and reminding informed employees not to further disclose or spread such personal information.

Question 7:


Can employees refuse to provide outbreak-related personal information? What measures can be taken against the employees concealing or misrepresenting their outbreak-related personal information?

As analyzed under Question 1 above, during the outbreak, the employee's outbreak-related personal information falls within the scope of "basic information directly related to the employment contract" stipulated in Article 8 of the Employment Contract Law, which the employer has the right to know and the employee should disclose truthfully.


If an employee refuses to provide outbreak-related personal information, we suggest the following: (1) First, explain to the employee that employees are obligated to disclose relevant information and enquire about the reasons for refusal, and further, indicate that concealing or misrepresenting outbreak-related personal information violates the Law on Prevention and Treatment of Infectious Diseases and may even constitute the crime of "endangering public safety by dangerous means".[11] (2) If the employee still refuses to provide the information, the employer may, depending on the actual situation, take measures to isolate the employee, such as arranging for leave or working from home, and decide whether such refusal violates its internal policies and procedures.


If an employee is found to conceal or misrepresent their outbreak-related personal information, the employer shall take emergency measures such as isolation and reporting to the competent authority depending on the actual situations, and may take disciplinary actions against the employee according to its internal policies and procedures.

___



[1] Article 3.1 of the Personal Information Security Specification: “Various information recorded electronically or in other ways that can show the identity of an individual or indicate the activities of an individual, independently or in combination with other information.”

[2] Article 54 of the Labor Law: “Employers must provide employees with safe and sanitary working conditions and necessary labor protection supplies in accordance with state regulations, and arrange regular health checks for employees engaged in operations exposed to occupational hazards.”

[3] Article 22 of the Emergency Response Law: “All units should establish and improve safety management systems, regularly check the implementation of various safety precautions of their units, and eliminate potential accidents in a timely manner; learn about and deal with problems that may cause social security incidents in their units in a timely manner to prevent the intensification of conflicts and the expansion of events; in case of any possible emergencies and safety precautions taken by the unit, they shall report to the local people's government or relevant departments of the people's government in a timely manner in accordance with regulations.”

[4] Article 38 of the Work Safety Law: “Production and operation units shall establish and improve a system for the investigation and management of hidden dangers of production safety accidents, and adopt technical and management measures to timely discover and eliminate hidden dangers of accidents. The investigation and management of the hidden dangers of the accident shall be truthfully recorded and reported to the practitioners.”

[5] Article 26 of the Interim Provisions on Checkup and Rectification of Hidden Dangers of Work Safety Accidents: “If production and operation units violate these provisions and commit one of the following acts, the safety supervision department shall give warning and impose fine of no more than 30,000 yuan: (1) failing to establish various systems for the investigation and management of hidden dangers in production safety accidents; (2) failing to report the statistical analysis table for the investigation and management of hidden dangers of accidents according to regulations; (3) failing to formulate the management plan of hidden dangers of accidents; (4) failing to report or failing to timely report major hidden dangers of accidents; (5) failing to investigate and manage the hidden dangers of accidents and conduct unauthorized production and operation; (6) being unqualified after rectification or resuming production and operation without the approval of the safety supervision and inspection department.”

[6] Article 64 of the Cybersecurity Law: “If network operators, providers of network products or service violate the provisions of Article 22, Paragraph 3, Articles 41 to 43 of this Law, and infringe upon the right of personal information legally protected, the relevant authorities shall order corrections, and may punish, based on the circumstances independently or in combination with warnings, confiscation of illegal gains, fines of one to ten times of the illegal gains, and fines of no more than 1,000,000 yuan if there is no illegal gains. The relevant authorities shall impose fine from 10,000 yuan to 100,000 yuan to the directly responsible personnel in charge and other directly responsible personnel; if the circumstances are serious, the relevant authorities may order to suspend related business, suspend business for rectification, close the website, revoke the relevant operation license, or revoke the business license. If network operators, providers of network products or service, in violation of Article 44 of this law, steal or otherwise obtain, illegally sell, or illegally provide personal information to others, if not constituting a crime, the police departments shall confiscate the illegal gains and impose fines from one to ten times of the illegal gains, or fines of less than 1,000,000 yuan if there are no illegal gains”

[7] Article 253-1 of the Criminal Law: “Those who in violation of the relevant regulations of the State, sell or provide personal information of citizens to others, in the case of serious circumstances, shall be imposed fine, and/or sentenced to imprisonment of no more than three years or detention, in case of particularly serious circumstances, shall be fined alone or at the same time, sentenced to imprisonment of more than three years and less than seven years. Those who in violation of relevant regulations of State, sell or provide to others the personal information of citizens obtained in the course of performing duties or providing services shall be punished in accordance with the provisions of the preceding paragraph with heavier punishment. Those who steal or illegally obtain personal information of citizens by other methods shall be punished in accordance with the provisions of the first paragraph. If the unit commits the crimes stipulated in the preceding three paragraphs, the unit shall be fined, and the directly responsible person in charge and other directly responsible persons shall be punished in accordance with each preceding paragraph.”

[8] Article 111 of the General Rules of the Civil Law: “Personal information of natural persons is protected by the law. Any organization or individual who needs to obtain the personal information of others shall obtain and ensure the security of the information in accordance with the law. No organization or individual shall illegally collect, use, process, or transmit the personal information of others, or illegally buy, sell, provide or publicly disclose the personal information of others.”

[9] Article 41 of the Cybersecurity Law: “Network operators collecting and using personal information shall observe the principles of lawfulness, justification and necessity, publicize the rules of collection and use, and expressly disclose the purpose, method, and scope of collection and use of information, and obtain consent from the collected. Network operators must not collect personal information irrelevant to the services they provide, or collect or use personal information in violation of the provisions of laws, administrative regulations and the agreement of both parties, and shall process the personal information they stored in accordance with the provisions of laws, administrative regulations and the agreement with users.”

[10] Article 3.2 of the Personal Information Security Specification: “Personal Sensitive Information. Personal information the leakage, illegal provision or abuse of which may endanger the individual’s personal and property safety and can easily lead to damage to personal reputation or physical and mental health, or discriminatory treatment.”

[11] Article 114 of the Criminal Law: “Those who set fire, breach dikes, cause explosions and release toxic, radioactive, infectious disease pathogens or other materials or endanger public safety by other dangerous methods, but have not caused serious consequences, shall be sentenced to imprisonment of more than three years but less than ten years.” Article 115: “Those who set fire, breach dikes, cause explosions, and release toxic, radioactive, infectious disease pathogens or other materials or cause serious injury or death, or significant loss of public or private property by other dangerous methods, shall be sentenced to imprisonment of more than ten years, life imprisonment or death. Those who commit the crime stipulated in the preceding paragraph negligently shall be sentenced to imprisonment of more than three years and less than seven years, or in the case of less serious circumstances, imprisonment of no more than three years or detention.”




——— Authors of this article ———

Ai Luo

Partner

Regulatory & Compliance Group

luoai@cn.kwm.com

___

Ms. Luo specializes in labor law, social security law, labor disputes and collective bargaining. She has advised and represented numerous multinational companies as well as state-owned enterprises and listed companies in dealing with labor and employment issues, such as labor law compliance consultation, labor contract and employee handbook formulation, labor and employment annual compliance inspection, and transfer, relocation and settlement of employees as well as redundancy matters related to M&A, corporate restructuring and dissolution.

Xiaojing Tang


Associate

Regulatory & Compliance Group

Ning Zhang

Associate Assistant

Regulatory & Compliance Group
