1 September, 2021
On 20 August 2021, the Personal Information Protection Law of the People’s Republic of China (“PIPL”) was passed by the Standing Committee of the National People’s Congress, and will become effective on 1 November 2021. Comprising 8 chapters and 74 articles, PIPL lays down a clearer yet stricter regulatory framework for the protection of personal information. As the first comprehensive data protection legislation in China, PIPL will further strengthen China’s legislative efforts in protecting individuals’ data privacy rights.
Compared with the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong), PIPL has the following features:-
- a broader definition of “personal information”, which covers all kinds of information relating to an identifiable natural person, whether recorded electronically or in other forms, but excludes anonymised information;
- stricter requirements for obtaining an individual’s consent, with the individual’s “specific consent” (单独同意) required in many cases;
- more detailed provisions on the processing of personal information, where processing includes the collection, storage, use, transfer, disclosure, deletion, etc., of an individual’s personal information; and
- more severe penalties.
From the employment perspective, it is imperative that employers in China understand the impact of PIPL on human resources management and take the necessary actions to comply fully with the new legislative requirements.
Part 1 Major aspects of PIPL’s impact on human resources management
1. An employer must have a valid ground under PIPL for processing an employee’s personal information. To process an employee’s personal information, an employer must have a valid ground under PIPL; the common grounds include:-
2. An employee’s personal information can only be processed for a proper purpose and in a reasonable manner. Even where an employee has duly consented, the employer must still ensure that the processing is for a proper purpose and is carried out in a reasonable manner. For example, collecting information about an employee’s marital status or pregnancy is irrelevant to the establishment of an employment relationship and lacks a proper purpose, and in practice may be regarded as a violation of PIPL.
3. An employer must ensure the security of an employee’s personal information. Under PIPL, an employer has a duty to establish a system for securing employees’ personal information. Depending on the purposes and manner of processing and the nature of the information, the employer needs to take measures including developing internal rules and procedures for processing the information, managing the information according to its nature, adopting encryption and de-identification measures, duly authorising the staff who process the data, providing regular training, and preparing emergency plans. If a dispute later arises, an employer may be liable if it cannot prove that such security measures were implemented.
4. An employer has a duty to safeguard an employee’s rights in respect of his/her personal information. PIPL grants individuals a series of rights in respect of their personal information, including the rights to information, decision, correction and copying. The employer has a duty to ensure that employees can exercise these rights. For example, if surveillance cameras are installed at the workplace, the employees should be informed.
Part 2 Key requirements for processing personal information in human resources management
1. The primary principle is to obtain informed consent. An employer must duly inform an employee before processing his/her personal information. In particular, the employer must inform the employee in a clear and comprehensible manner and obtain the employee’s clear and voluntary consent. Should there be a material change to the purpose or manner of processing or to the type of information processed, the employer would need to obtain the employee’s consent again.
2. For processing sensitive personal information, specific consent is required. “Sensitive personal information” refers to personal information the disclosure or unlawful use of which could endanger the individual’s dignity, personal safety or property, including biometric data, religion, medical data, finances and location, and all personal information of minors under the age of 14. An employer may process an employee’s sensitive personal information only where there is a sufficiently necessary and specific purpose, and must also take strict protective measures. When processing such sensitive personal information, the employer must obtain the employee’s specific consent and inform him/her of the necessity of processing the information and the potential impact on him/her.
3. Personal information cannot be stored beyond the necessary period. An employer cannot retain an employee’s personal information beyond the necessary period, and the storage must comply with the relevant regulations. An employer should establish an internal mechanism to check and delete such information on a regular basis (e.g., regularly check and promptly delete the personal information of former employees).
4. A third-party information processor must be duly authorised and supervised. If an employer engages a third party (e.g., a human resources service provider) to process an employee’s personal information, the employer should carry out a risk assessment in advance. The employer has a duty to supervise the third party’s processing of such information and to ensure that the processing does not exceed the scope of authorisation.
5. Joint processing of personal information can result in joint and several liability. If an employer processes an employee’s personal information jointly with a third party, the employer should agree in writing with the third party on the requirements for secure processing of the information and on the respective responsibilities of the employer and the third party. Meanwhile, the employer should inform the employee of the fact of joint processing.
6. Specific consent is required for the transfer or disclosure of personal information. If an employer needs to transfer or disclose an employee’s personal information to a third party, the employer must inform the employee and obtain his/her specific consent.
7. Specific consent is required for publicising personal information. If an employer needs to publicise an employee’s personal information, the employer must obtain the employee’s specific consent.
8. An employee is entitled to withdraw consent. An employee is entitled to withdraw the consent previously given to the employer for processing his/her personal information, though the withdrawal does not affect the validity of processing activities already carried out.
Part 3 Liabilities for violating PIPL
1. Administrative liability
2. Civil liability
3. Criminal liability
Part 4 Measures for employers to take
In light of the stricter regulatory requirements under PIPL, an employer should:-
1. Review thoroughly the current internal management of employees’ personal information. The issues for review include, among others:-
2. Assess the risks of cross-border data transfer. PIPL imposes additional requirements for the cross-border transfer of personal information, which include, among others, a separate risk assessment process with the cybersecurity authorities.
3. Establish an effective system for protecting employees’ personal information. An employer should establish an effective system for protecting employees’ personal information, supervising the processing of such information and handling complaints from employees, all of which should be evidenced in writing in internal rules and regulations.
4. Review and revise the relevant legal documents. An employer should review and revise the employment contracts, employee handbook, personal information collection statement, internal information protection policies and the relevant guidance, so as to strengthen internal compliance with data protection laws.
For further information, please contact:
Helen Liao, Partner, Deacons
helen.liao@deacons.com