Fundamentals for managing employees’ personal information in China

Personal Information Protection Law (PIPL) was adopted on 1 November last year and applies to all individuals and organisation handling personal data. Since the adoption, regulators have been actively investigating suspected violations and issuing fines. For employers, implementing PIPL compliance measures when processing employees’ personal information reduces legal risks. In the below, we provide the fundamentals for managing employees’ personal information.  

Obtain specific consent when using third parties

Employees’ personal information shall not be provided to third parties without consent. During the recruitment, if the enterprise uses a third party to provide recruitment services or conduct a background investigation, the enterprise must obtain the written authorisation of the employee. In other words, the employer shall inform and obtain the consent of the individual, otherwise, the enterprise may infringe on the individual’s rights.

Collect only minimum personal information 

The personal information of employees shall not be collected excessively. The collection is limited to “basic information directly related to the labour contract”, and mainly includes name, gender, nationality, identity certificate number, address, personal email, health status, education and degree, work experience, emergency contact, and so forth.

Employers shall determine the scope and content of information according to their actual needs and ensure the collected employee personal information is reasonable and adheres to the minimal principle. For any sensitive information that is necessary to be collected, the explicit consent of employees shall be obtained.

Use encryption when processing personal information

Employers shall safeguard any collected personal information in both hard or soft copies such as employees’ certificates, files, and documents with personal information, fingerprints, and face recognition information (if any). Any storage equipment, transmission equipment, and used equipment shall be encrypted for security measures. Further measures could be implemented to strengthen security such as confidentiality agreements and related employee training.

Restrict personal use of company equipment

Employees’ personal information can be stored on equipment provided by the company, including mobile phones, computers, and other devices. To reduce legal risks, employees shall be informed in writing before the company provides equipment that it shall not be used for personal affairs, and the employer reserves the right to inspect and monitor information on such equipment. Employees should be reminded to delete personal information before equipment is repaired, inspected, or recycled. Any employee’s personal information found shall be strictly kept confidential.

Adhere to related cross-border transfer requirements

Before transmitting employees’ personal information abroad, employees’ written authorisation and consent shall be obtained. Relevant requirements such as network security agency services, firewalls, and other means to ensure the security of information shall be implemented. 

Archive only necessary information 

When an employee leaves the company, employees should only archive necessary information and delete the sensitive personal information and information that is no longer required. If the new employer requests a background check, the employee must have provided prior written consent for the employer to disclose his/her information to other companies, otherwise, the company is very likely to infringe on the employee’s information rights and interests.

If you are looking for labour law professionals to evaluate whether your data management or employee policy is compliant with PIPL, please contact Horizons at country.partners@horizons-advisory.com, and our Partner in charge will be in touch.