Impact of the Personal Information Protection Law on Enterprises
Authors: Liu Qi / Lian Yuxiong
Date: 2022-05-16

(This article was first published in the China Business Law Journal column "Labor Law"; reprinted with authorisation)

Employers collect and use employees' personal information throughout the whole process of recruitment, employment and resignation. With the implementation of the Personal Information Protection Law (hereinafter the "PIPL") on November 1, 2021, an employer that handles personal information improperly will face various risks such as administrative punishment and infringement disputes, and in serious cases its conduct may even constitute a criminal offence. Drawing on the provisions of the PIPL, this article therefore shares some practical suggestions on how to properly handle personal information in employment management.

Typical scenarios

Every stage of an employer's day-to-day employment management may involve the collection and use of personal information. Typical situations may include:

During the recruitment process, the employer requires the applicant to fill in a personal information registration form (including educational background, work experience, marriage and childbirth status, family background, etc.);

When employees apply for sick leave, employers often require them to provide, in addition to the sick leave form, medical records or even prescription records;

The employer monitors the information that employees store or transmit on work computers, the company's e-mail system or the company's internal network;

In non-compete investigations, some employers engage an investigation company to follow and photograph employees in order to obtain evidence that the employees have joined competitors.

Impact of the new law

As a standalone law that comprehensively regulates the protection of personal information, the PIPL defines many matters of personal information protection, mainly including the respective processing rules for personal information and sensitive personal information, the provision of personal information abroad, and the legal liability for violating the PIPL. Among these, the personal information processing rules are the core content of the PIPL, and their key point is the "notification and consent" rule, that is, the processing of personal information should be based on full notification and the individual's consent.

However, Article 13 of the PIPL gives employers an exception to the requirement of individual consent: without individual consent, the employer may process personal information that is necessary for the conclusion and performance of a contract to which the individual is a party, or for the implementation of human resources management in accordance with labor rules and regulations formulated according to law and collective contracts signed according to law. It is not clear, however, how "necessary for the performance of the contract" and "necessary for the implementation of human resource management" are to be defined.

In terms of legal liability, the PIPL establishes a reversed burden of proof for the relevant civil liability, and stipulates that, if there is an illegal act, the person in charge of the enterprise and other directly responsible persons may face fines and be prohibited, for a certain period of time, from serving as director, supervisor, senior manager or person in charge of personal information protection of the relevant enterprise. In addition, employers that break the law may face credit penalties, that is, their illegal acts are recorded in their credit file and made public.

Compliance recommendations

Accordingly, this article offers the following suggestions, for reference, on how to handle employees' personal information in employment management:

Prepare an informed consent form for personal information

The employer can comprehensively sort out and classify the personal information to be processed in employment management, list it by type of personal information, and attach that list as an annex to the informed consent form for information collection. After ensuring that employees are fully informed of the purpose, method and scope of the personal information processing, the employer should require them to sign. For sensitive personal information that requires the employee's separate consent, we suggest that the employer highlight it and require the employee to check, confirm and sign each item individually.

Formulate rules and regulations on personal information processing

The employer may specify the content, scope, purpose and processing rules of personal information in its current rules and regulations (or separately formulate a special policy for the protection of employees' personal information), carry out the democratic procedures, and publicize the relevant systems and policies, which will then serve as the legal basis for the employer to process personal information in the future.

The employer may consider taking the following specific measures for personal information protection:

Implement classified management of personal information. Employers can list all types of employee personal information that need to be processed across all stages of employment management and all personnel involved. On this basis, the private information and sensitive personal information within that personal information can be identified and strictly managed according to the provisions of the PIPL;

Comprehensively sort out the employee privacy issues that may arise in all stages and operations of employment management, formulate sound policies and compliance guidelines in advance according to legal requirements, and take the necessary measures for each situation. For example, if the employer will install monitoring equipment in its office, it shall, as far as possible, inform employees in advance of the installation and use of the equipment, and clearly mark the office areas equipped with monitoring equipment;

Establish a sound information and data protection system and specify the responsible functional departments (such as the human resources department, information technology department and compliance department). Monitor the collection, browsing and use of personal information through daily supervision and regular review, and ensure compliance;

Strengthen the training of managers and employees and raise the confidentiality awareness of all employees. In its confidentiality agreements with employees, the employer shall require them to observe strict confidentiality obligations regarding the personal information of their colleagues and the personal information they come into contact with at work.
