
Fundamentals for Managing Employees' Personal Information in China




China's Personal Information Protection Law (PIPL) took effect on Nov. 1, 2021, and applies to all individuals and organizations handling personal data. Regulators have been actively investigating suspected violations and issuing fines. For employers, implementing PIPL compliance measures when processing employees' personal information reduces legal risks. This article provides the fundamentals for managing employees' personal information.

Obtain Specific Consent When Using Third Parties

Employees' personal information shall not be provided to third parties without consent. During recruitment, if the enterprise uses a third party to provide recruitment services or conduct a background investigation, the enterprise must obtain the written authorization of the employee. In other words, the employer shall inform the individual and obtain the individual's consent; otherwise, the enterprise may infringe on the individual's rights.

Collect Only Minimum Personal Information

The personal information of employees shall not be collected excessively. The collection is limited to "basic information directly related to the labor contract," and mainly includes name, gender, nationality, identity certificate number, address, personal e-mail, health status, education and degree, work experience, emergency contact and so forth.

Employers shall determine the scope and content of information according to their actual needs and ensure that the employee personal information collected is reasonable and adheres to the minimal principle. For any sensitive information that must be collected, the explicit consent of employees shall be obtained.

Use Encryption When Processing Personal Information

Employers shall safeguard any collected personal information in both hard and soft copies, such as employees' certificates, files and documents containing personal information, fingerprints, and face recognition information (if any). Any storage equipment, transmission equipment and used equipment shall be encrypted as a security measure. Further measures could be implemented to strengthen security, such as confidentiality agreements and related employee training.

Restrict Personal Use of Company Equipment

Employees' personal information can be stored on equipment provided by the company, including mobile phones, computers and other devices. To reduce legal risks, before the company provides equipment, employees shall be informed in writing that it shall not be used for personal affairs and that the employer reserves the right to inspect and monitor information on such equipment. Employees should be reminded to delete personal information before equipment is repaired, inspected or recycled. Any employee's personal information found shall be kept strictly confidential.

Adhere to Related Cross-Border Transfer Requirements

Before transmitting employees' personal information abroad, employees' written authorization and consent shall be obtained. Relevant requirements such as network security agency services, firewalls and other means to ensure the security of information shall be implemented.

Archive Only Necessary Information

When an employee leaves the company, the employer should archive only necessary information and delete the sensitive personal information and information that is no longer required. If the new employer requests a background check, the employee must have provided prior written consent for the employer to disclose the information to other companies; otherwise, the company is likely to infringe on the employee's information rights and interests.

Horizons Corporate Advisory provides corporate advisory solutions for local, regional and global challenges, and has offices in Hong Kong and Shanghai, among other locations worldwide. © 2022 Horizons Corporate Advisory. All rights reserved. Reposted with permission of Lexology.
