Compliance Issues on Employees' Personal Information

Recently, the Administrative Measures on Data Security (Consultation Draft) issued by the Cyberspace Administration of China has once again triggered a heated discussion on the protection of personal information. This article aims to discuss the current legal framework and the latest legislative developments concerning the protection of employees' personal information in China. It also puts forward our suggestions on how employers can comply with the regulations in typical scenarios of personal information collection and usage.

I. What Constitutes Personal Information

Personal information refers to information recorded in electronic or other forms that can be used, alone or in combination with other information, to identify a natural person. Personal information includes but is not limited to the natural person's name, date of birth, ID number, personal biological identification information, address and telephone number[1].

II. PRC Laws on Protection of Employees' Personal Information

1. General Provisions

The General Rules of the Civil Law of the People's Republic of China contains basic provisions concerning the protection of personal information: any organization and individual seeking to acquire personal information of others must obtain the information legally and safeguard the obtained information; illegal collection, use, process, transmission, sale, supply and publication of personal information of others are prohibited[2]. In addition, the Decision of the Standing Committee of the National People's Congress on Strengthening Internet Information Protection also stipulates that collection and use of citizens' personal electronic information in the course of business must follow the principles of lawfulness, reasonableness and necessity. The collector must obtain the citizen's consent and explicitly state the purpose, method and scope of the collection and usage[3]. Any information collected must be kept strictly confidential to avoid disclosure, damage and loss[4].

According to the Criminal Law of the People's Republic of China, sale or supply of any citizen's personal information obtained in the course of performing a duty or providing a service in violation of laws, regulations and other government rules may constitute the crime of infringing citizens' personal information and be heavily penalized[5].

Employers should abide by the above provisions when acquiring, collecting, storing, processing and using their employees' personal information.

2. Relevant Provisions in Labor Law

Currently, no law or regulation has been designed specifically to protect employees' personal information in China.

Traditional labor law contains provisions governing the protection of employees' personal information, which include the following:

1) The Labor Contract Law of the People's Republic of China allows employers to request employees' basic information directly related to their labor contract[6]. Of course, the scope of the aforementioned "basic information" varies from region to region. For example, the Rules of Shanghai Municipality Employment Contract stipulates that employers have the right to know the employee's health condition, depth of knowledge, skills and work experience[7]. The Regulations of Beijing Municipality on Labor Contracts stipulates that employers may demand the employee's identification cards, diplomas, and information about their employment status, work experience, professional skills, etc.[8]

2) Besides, the Regulations on Employment Services and Employment Management requires employers to obtain their employees' written consent before disclosing their personal information[9].

3. Provisions on Network and Data Security

In recent years, the laws, regulations and legal documents related to network and data security have gradually increased.  Newly promulgated statutes include the Cybersecurity Law of the People's Republic of China (hereinafter referred to as the "Cybersecurity Law") and the Administrative Measures on Data Security (Consultation Draft). In addition, as the nationally recommended standard, the Information Security Technology - Personal Information Security Specification, together with the Guidelines for Internet Personal Information Security Protection, serve as a guide to personal information protection.

Generally speaking, the above-mentioned legal provisions and documents for personal information protection are mainly aimed at regulating network operators and have relatively limited and indirect impacts on protection of employees' personal information. However, if the employer maintains an intranet for business management, the above legal provisions and documents would also apply to the collection and use of personal information through the intranet.

Specifically, laws aimed at network operators that may require compliance by employers collecting and using employees' personal information through the intranet mainly include the following: firstly, under the Cybersecurity Law, network operators must keep information collected from users in strict confidence[10], abide by the principles of lawfulness, reasonableness and necessity in collecting and using personal information[11], not disclose, tamper with or destroy the personal information collected, and not disclose such information to any third party without prior consent[12]. In addition, it is noteworthy that the Administrative Measures on Data Security (Consultation Draft) has detailed provisions on data collection and processing. It grants individuals the right to access, correct and delete personal information and close accounts[13]; furthermore, network operators must make a filing with the local cyberspace administration department when collecting important data or sensitive personal information for purposes of business operations[14]. As this draft has not yet been officially promulgated, the final content of the regulations remains uncertain. However, employers should continue to monitor its progress and prepare to comply once the official version is promulgated.

When dealing with employees' personal information, the employer is also bound by the general provisions of the Cybersecurity Law, which prohibits illegal acquisition (e.g. theft), sale, and provision of personal information to others[15], etc.

III. Collecting and Using Employees' Personal Information: Methods, Typical Scenarios of Violation and Compliance Advices

In the following table, we list different methods by which employees' personal information is collected and used, typical cases of violation, and our compliance advices: 

IV. Summary and Suggestion

According to current laws and regulations on personal information protection in China, obtaining the employees' consent before collecting and using employees' personal information largely ensures the employer's compliance. Employers should also attend closely to the legislative and judicial developments related to personal information protection, and formulate and timely adjust their corporate rules and regulations.

[1]:The definition comes from Article 76 of the Cybersecurity Law of the People's Republic of China and Article 38 of the Administrative Measures on Data Security (Consultation Draft).

[2]:See Article 111 of the General Rules of the Civil Law of the People's Republic of China.

[3]:See Article 2 of the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection.

[4]:See Articles 3 and 4 of the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection.

[5]:See Article 253 (1) of the Criminal Law of the People's Republic of China.

[6]:See Article 8 of the Labor Contract Law of the People's Republic of China.

[7]:See Article 8 of the Rules of Shanghai Municipality on Employment Contract.

[8]:See Article 10 of the Regulations of Beijing Municipality on Labor Contract.

[9]:See Article 13 of the Provisions on Employment Services and Employment Management.

[10]:See Article 40 of the Cybersecurity Law of the People's Republic of China.

[11]:See Article 41 of the Cybersecurity Law of the People's Republic of China.

[12]:See Article 42 of the Cybersecurity Law of the People's Republic of China.

[13]:See Article 21 of the Administrative Measures on Data Security (Consultation Draft).

[14]:See Article 15 of the Administrative Measures on Data Security (Consultation Draft).

[15]:See Article 44 of the Cybersecurity Law of the People's Republic of China.