Exit process is usually the end of HR management of an employee, but it is not necessarily the end of an employee’s personal information (“PI”) life cycle. In the exit process or even after the termination of the employment, the employer may still need to process the employee’s personal information. This article in our Employee Data Protection Series will focus on typical PI processing issues that employers may face during and after an employment relationship is terminated or ended.
1. Retention Period of an Employee’s PI
According to Article 19 of Personal Information Protection Law (the “PIPL”), the retention period of PI shall be the minimum period necessary for achieving the purpose of processing, unless any law or administrative regulation stipulates otherwise.
Given that there may be multiple purposes for processing certain PI, there is no unified standard in practice for minimum necessary period of retention. Before the official guidelines or implementation rules are issued, employers should identify clear and detailed purposes of processing PI to the extent possible before processing it so as to determine the minimum retention period.
In addition to the PIPL, there are several existing laws and administrative regulations that dictate the retention period of certain HR data. For example, pursuant to Article 50 of the PRC Labour Contract Law, an employee’s labour contracts should be kept for no less than 2 years after termination of the contract; and pursuant to Article 6 of the Tentative Provisions Payment of Wages, the payroll record should be kept for no less than 2 years.
Notably, Provisions on the Scope of Collection and Preservation Period in Archiving Document Enterprises (the “Provisions”) issued by National Archives Administration in 2012 also provide for retention period for certain employment documents. For example, employees’ labour contracts and payroll records shall be preserved permanently, and employees’ disciplinary warning shall be preserved for 30 years after it was issued. This Provision predate PIPL and seems to conflict with the “necessary minimum period” provided by PIPL. However, since the Provisions are still effective, employers are recommended to comply with it until further interpretation or detailed rules for the implementations provide otherwise. We suggest that employers inform employees of the retention period of relevant PI in the privacy policy or notice. We will also keep a close eye on the development of the law and keep you updated.
2. Deletion of an Employee’s PI
Art.47 of PIPL imposes on the employer the obligation of deleting an employee’s PI under the following circumstances:
- Where the purpose of processing has been achieved or is unable to be achieved or the PI is no longer necessary for achieving the purpose of processing: For example, if the employer changes the method of attendance check from facial recognition to key card, the employee’s facial recognition is no longer necessary, and the employer should delete all related PI;
- Where the PI processor ceases the provision of the product or service involved or the retention period has expired: For example, if the employer stops purchasing supplementary health insurance for employees or the retention period agreed by the employer and the employees for such purpose expires, the employer should delete the employees’ PI previously collected for purchasing supplementary health insurance;
- Where consent is withdrawn by the employee for processing based on consent: For example, if an employee withdraws his or her consent to provide facial recognition for attendance, the employer should delete the facial information;
- Where the processing of PI by the employer is in violation of any law, administrative regulations or agreement; or
- Any other circumstances as provided by law or administrative regulations.
Further, if the retention period prescribed by laws or administrative regulations has not expired or it is technically difficult to delete the PI, the employer shall cease the processing of the PI, except for the storage and any necessary measure taken for security protection.
3. Sharing a Former Employee’s PI
Employers may still share a former employee’s PI with others under certain circumstances after the employment terminates. We set out below some of the typical scenarios:
- Sharing with the employer’s alumni association: to share the former employee’s PI with the alumni association or keep the PI for alumni activities, the employer must obtain such employee’s consent in advance.
- Share with the employee’s new employer: In practice, it is common for an employee’s new employer to collect the employee’s PI from the former employer during background checks. The former employer should obtain the employee’s consent before sharing the employee’s PI with the new employer.
- Sharing with the arbitration commission or court in dispute with the employee: Normally, sharing the employee’s PI with an arbitration commission or court for the purpose of responding to lawsuits is necessary for compliance with the employer’s legal responsibility and obligations. However, it should be noted that the PI shared by the employer should be legally collected and stored within the reasonable retention period. Otherwise, if challenged by the employee, the involved evidence may not only be deemed invalid but also trigger a breach of PIPL.
- Public announcement of misconduct: In practice, in cases where an employee’s employment has been terminated for gross misconduct, some employers may announce the details of termination decision of the former employee to all employees as a warning. Such disclosure may infringe not only the employee’s right PI but also the employee’s privacy. Therefore, it is advisable for employers to avoid making such announcement.
4. Key Takeaways
Both in the process of separation management and after separation, employers should still process an employee’s PI in compliance with PIPL. Here are the key takeaways for employers:
- Identify the categories of PI that may be processed during and after separation and inform employees of the details in advance;
- Specify the processing purposes of the PI, determine the retention period of such PI according to the processing purposes, avoid saving the employees’ PI for longer than necessary, and pay attention to the retention period of specific PI under the relevant laws and the;
- Store employees’ PI within a reasonable period after separation for use in possible disputes with employees, but the purpose and retention period should be informed to the employee in advance; and
- Delete the employees’ PI as soon as the conditions for deleting PI are satisfied.
5. Conclusion
In this series of articles, starting with classic HR management scenarios, we analysed the impact of PIPL on various aspects of HR management and what employers should be aware of at each stage of the HR data life cycle. Although there are some questions in PIPL to be clarified by further guidance and implementation rules, employers should still ensure personal information protection compliance considering the consequences of violation.
In terms of HR data processing, we lay out the following steps that employers may take when processing employees’ personal information:
- Step 1: Specify the purpose of processing
- Step 2: Determine the legal basis of the processing
- Step 3: Conduct a personal information protection impact assessment (if required)
- Step 4: Inform the employee of the processing details
- Step 5: Obtain employee’s consent/separate consent (if required)
- Step 6: Meet specific requirements for sharing with third parties (if required)
- Step 7: Process employee’s PI in accordance with the processing details that have been notified to the employees
- Step 8: Delete the employee’s PI pursuant to the applicable rules
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com
