21 March, 2020
Foreword
The epidemic situation has gone far beyond our expectations. However, we are now at the next stage, whereby people are back to work. At present, we are noticing that in order to ensure the epidemic’s control and the safety of citizens, different institutions and channels are using various methods to collect, process and analyze personal information. The question of how to collect personal information in full compliance with the rights of personal information subjects, as well as effectively preventing and controlling the spread of the epidemic is a big challenge. It is also a difficult topic, which may not have been addressed in previous legal studies. How enterprises will deal with the challenges raised by remote work during the epidemic is also another relevant issue.
In the following days, we will try to share with you some of our thoughts on the questions related to the collection and processing of personal information in the epidemic’s prevention and control, based on our understanding and experience in the relevant field of law. We will provide answers to the relevant issues, alongside some relatively short articles.
In this article, based on the specific requirements of the current laws and regulations on the protection of personal information and from the perspective of a general enterprise, we will address some practical issues relating to the collection and processing of the personal information of returned employees in a Q&A manner. Due to space limitations, we have not carried out a detailed legal analysis or theoretical discussion, but we have strived to provide the overall ideas and principles for enterprises.
I. What is the legal basis for enterprises to collect employees’ information?
Article 12 of the Law on the Prevention and Treatment of Infectious Diseases stipulates that all entities and individuals within the territory of the People's Republic of China shall accept the preventive and control measures taken by disease prevention and control institutions and medical agencies with respect to the investigation, inspection, sample collection and quarantined treatment of infectious diseases, and they must provide truthful information relating to such diseases. Disease prevention and control institutions and medical agencies shall not divulge any information or material relating to personal privacy. Article 21 of the Public Health Emergencies Regulations stipulates that no entity or individual may conceal, postpone the reporting of, or misreport an emergency, or instruct others to do so.
It can be seen that in an epidemic situation, enterprises and individuals have a legal obligation to participate in epidemic prevention and control and truthfully provide relevant information. Therefore, in case of a request by the competent authorities, enterprises need to collect the relevant information of employees and report to the disease control department and other relevant authorities in a timely manner.
II. Is the consent of employees returning to work required for the collection of their personal information?
The Cybersecurity Law requires that the purpose, method, and scope of personal information to be collected should be clearly notified to the personal information subject, and the collection of personal information is allowed only after obtaining consent from the personal information subject[1]. In addition, according to the “Notice on Better Protecting Personal Information and Utilizing Big Data to Support Joint Prevention and Control Work” (“Notice”) issued by the China Cybersecurity Administration on February 4, 2020[2], without the consent of the employees returning to work, the enterprise shall not arbitrarily collect their personal information on the grounds of epidemic prevention and control and disease prevention.
In summary, we recommend that, when an enterprise needs to collect its employees’ personal information related to the epidemic for the purpose of epidemic prevention and control and the protection of the health of all employees, such an enterprise should follow the principle of informed consent, clearly inform its employees of the purpose, method and scope of the collection of their personal information, and only collect their personal information after obtaining their consent.
III. What personal information is appropriate to be collected?
According to the provisions of the Cybersecurity Law, the collection of personal information should follow the principles of legitimacy, justification, and necessity[3]. In addition, the Notice once again emphasizes that the collection of personal information during the epidemic outbreak should follow the "minimum scope principle". Therefore, even if the current situation of epidemic prevention and control is still severe, it is still advisable that enterprises pay attention to assessing the necessity of the collection methods and scope, and collect personal information of the returned employee in a minimum scope that is closely related to the prevention and control of the epidemic, protecting the health of returned employees and the orderly production and operation of the enterprise.
For example, considering that the incubation period of COVID-19 is 14 days according to some experts, the collection of information about the cities that employees have visited in the past 14 days may be necessary for epidemic prevention and control, but it is questionable whether requiring employees to provide detailed records of their whereabouts for the past 30 days is necessary. Another example is whether asking employees to provide their recent health status (such as whether they have a fever or a cough, etc.) is necessary under the premise of epidemic prevention and control. Asking employees to provide previous chronic medical history is not directly related to the epidemic prevention and control, and it is thus not advisable for enterprises to collect such information.
In addition, for the convenience of enterprises, based on the specific requirements[4] under the Guideline on Epidemic Prevention and Control Measures of Enterprises and Institutions to Resume Work and Production (“Guideline on Work-Resumption”) issued by the Joint Prevention and Control Mechanism for Novel Coronavirus Pneumonia of the State Council, we have prepared a brief summary of the types of personal information of returned employees that general enterprises may consider collecting, as follows:
- Employees’ identification information, such as their name and ID number;
- Employees’ contact information, such as their mobile phone number;
- Recent health and physiological information of employees, such as whether they have recently had suspected symptoms of COVID-19 (fever, cough, dyspnea, etc.), or whether they have ever been diagnosed with COVID-19;
- Recent traveling information of employees, such as information relating to the transport they took on their way back to work, and their recent residence or travel history in epidemic outbreak areas.
In summary, when enterprises collect the personal information of returned employees, they shall not only collect the information needed to satisfy the needs of epidemic prevention and control, protect their employees’ health and keep track of employees’ health status, but also take into consideration the relevance and necessity of that collection for epidemic prevention and control, and avoid collecting large quantities of employees’ personal information in a general manner, so as to avoid unnecessary compliance risks.
IV. How shall enterprises report and disclose employees’ personal information related to the epidemic situation?
According to the requirements of the Law on Prevention and Treatment of Infectious Diseases[5] and the Guideline on Work-Resumption[6], enterprises should report to the disease prevention and control institutions and medical institutions truthful information relating to the prevention and control of the epidemic. Therefore, after collecting the personal information related to the epidemic of their returned employees, the concerned enterprises shall report the relevant information in a timely manner in accordance with the specific requirements of the disease prevention and control institutions or medical institutions in various areas.
Except to fulfill the reporting obligations provided by the aforementioned laws and regulations, if an enterprise needs to provide or disclose to a third party the personal information related to the epidemic situation of its returned employees, it must obtain consent from the concerned employees. The Notice emphasizes that even in the special period of epidemic prevention and control, no unit or individual shall disclose personal information such as name, age, ID number, phone number, home address, etc. without the consent of the personal information subjects, except when such personal information is indeed necessary to be disclosed for the purpose of epidemic prevention and control and it has been desensitized before disclosure[7]. We advise that if the company really needs to provide or disclose such personal information to other third parties, it should first communicate with its employees and obtain their consent; if employees do not want their information to be publicly disclosed but public disclosure of such information is necessary for the company to prevent and control the epidemic, such information should be desensitized before public disclosure.
V. How long can the personal information of returned employees related to the epidemic be stored?
According to the requirements of the National Standard GB/T 35273-2017, the Information Security Technology-Personal Information Security Specification, the storage of personal information should follow the principle of minimum storage, and the time limit of the storage of personal information shall be the shortest time needed to achieve the purpose for which the concerned personal information is collected and processed. After the time limit of storage expires, the relevant personal information should be deleted or anonymized in a timely manner.
Therefore, we understand that personal information of returned employees collected by relevant enterprises should be kept within the shortest period of time necessary to fulfill the purpose of epidemic prevention and control. Generally speaking, before the State and local government announces the end of the epidemic prevention and control, it is still necessary for relevant enterprises to properly keep such personal information. After the epidemic prevention and control work is completed, such personal information should be deleted or anonymized in a timely manner, unless it is indeed necessary for an enterprise to extend the storage period and consent from the relevant employees has been obtained.
VI. Should enterprises cooperate with information collection conducted by a third party, related to their workplace?
When an enterprise participates in epidemic prevention work, in addition to the requirements by local government to submit the relevant employees’ personal information, enterprises may also face a situation where they are required by a third party, for example, by a property management company, to submit relevant information. We understand that it is advisable for enterprises to deal with such situations in consideration of the following:
1. If the information requested by a third party does not fall within the scope of personal information, it is advisable for relevant enterprises to cooperate with such a request. For example, employees may be required to take a temperature measurement before entering the office building, but employees may not have to provide their names or other personal information.
2. If the third party requests the provision of personal information, the concerned enterprises shall take into consideration whether the requesting third party is an authorized institution under the Law on the Prevention and Treatment of Infectious Diseases and the Public Health Emergencies Regulations. If the third party is an authorized institution and the type of personal information required is indeed necessary for epidemic prevention, the concerned enterprises shall cooperate and provide such information.
3. If the third party is not an authorized institution mentioned above, the concerned enterprises may require that the third party provide authorization documents. If the third party is unable to provide such authorization documents, the concerned enterprises shall not provide their employees’ personal information.
4. If the personal information requested by the third party is apparently irrelevant to the epidemic prevention and control, the concerned enterprises shall refuse to provide the relevant personal information.
Marissa (Xiao) Dong, Partner, Jun He
dongx@junhe.com
1. According to Article 41 of the Cybersecurity Law, network operators shall abide by the "lawful, justifiable and necessary" principles to collect and use personal information by announcing the rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtain the consent of the person whose personal information is to be collected.
2. According to Article 1 of the Notice on Better Protecting Personal Information and Utilizing Big Data to Support Joint Prevention and Control Work, all the local departments should attach great importance to the protection of personal information. Except for institutions authorized by the health department of the State Council, no other unit or individual shall use personal information on the grounds of epidemic prevention and control and disease prevention without the consent of the personal information subject. Where the laws and administrative regulations provide otherwise, they shall be followed.
3. According to Article 41 of the Cybersecurity Law, network operators shall abide by the "lawful, justifiable and necessary" principles to collect and use personal information by announcing the rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtain the consent of the person whose personal information is to be collected.
4. According to the Guidelines on Epidemic Prevention and Control Measures of Enterprises and Institutions to Resume Work and Production, (1) make sure employee health management is properly conducted. …… Each unit should effectively acquire and keep updated of the situation of the flow of employees……
(2) implement health status report mechanisms. … health status of employees should be gathered every day …
5. According to Article 12 of the Law on Prevention and Treatment of Infectious Diseases, all units and individuals within the territory of the People's Republic of China shall accept the preventive and control measures taken by disease prevention and control institutions and medical agencies with respect to the investigation, inspection, sample collection and quarantined treatment of infectious diseases, and must provide truthful information relating to such diseases. Disease prevention and control institutions and medical agencies shall not divulge any information or materials relating to personal privacy.
6. Guideline on Epidemic Prevention and Control Measures of Enterprises and Institutions to Resume Work and Production.
(All units) shall gather health status of their employees daily and report to the local disease prevention and control department. In case of any abnormal conditions, such units shall report such situations and take relevant preventive and control measures in a timely manner.
7. According to Article 3 of the Notice on Better Protecting Personal Information and Utilizing Big Data to Support Joint Prevention and Control Work, personal information collected for epidemic prevention and control and disease prevention purposes shall not be used for other purposes. No unit or individual may disclose personal information such as name, age, ID number, phone number, home address, etc. without the consent of the personal information subjects, except when such personal information is indeed necessary to be disclosed for the purpose of epidemic prevention and control and has been desensitized before disclosure.