Data protection update: Collection of employee data upon request of Chinese authorities
(Author: Mrs. Mao Yahui)
“The Chinese authorities have asked us to collect the personal information of our employees and report to them every day during COVID-19, but our employees refused to provide it. What should we do?” said one of our clients, who was caught between the requirement from the local government and protests from employees asking for protection of their privacy and personal data.
Since the outbreak of COVID-19, the Chinese government has resorted to many protection and prevention measures to avoid the transmission of the virus. Companies, as important actors in society, are asked to proactively take responsibility and to participate and cooperate in handling the COVID-19 situation.
“For a period of time, we received all kinds of requirements from our building landlord nearly every week because of the orders from local district authorities, to establish and update the special record of our employees every day, which includes the name, ID, telephone number, address, family’s contacts, business trip, vaccine, acid test, meetings, visitors, etc. We are a multinational company and have diverse employees. Some of them understood the situation and were quite cooperative, while others showed some concerns, and therefore we need more effort to explain so as to put off their doubts and fears,” said one of the employees of our clients.
How to meet the requirements of the local governments during the COVID-19 period and at the same time comply with the Chinese Personal Information Protection Law (PIPL) with respect to the collection and processing of employees’ personal information has become a tricky question for many companies.
In this newsletter, we focus on the most important and most frequently asked questions of the COVID-19 period and present our opinions.
1. Do companies need consent from employees to collect their personal information?
In general, collecting personal information from others requires their explicit consent. In the case of COVID-19, the situation is a little different.
According to Art. 13 of the PIPL, companies do not need explicit consent to collect personal data in case of a public health emergency. According to the definition of the World Health Organization (of which China is a member), COVID-19 is considered a public health emergency.
This is also confirmed in local policies published by some cities. In Beijing, for example, Art. 6 of the Beijing Municipal Public Health Emergency Response Regulations dated September 25, 2020 specifically states that enterprises shall actively cooperate in case of public emergencies. The scope of participation is further specified in Art. 4 of the Guidelines for Prevention and Control of Office Premises during the Covid Pandemic (http://www.beijing.gov.cn/ywdt/zwzt/yqfk/kpzs/202204/t20220409_2670596.html), which states that enterprises need to collect and record the name, ID number, mobile phone number, detailed current address, family contact, etc. of their employees. In addition, according to the Guidance on common Legal Issues during Epidemic Prevention and Control (Guidance on Common Legal Issues during Epidemic Prevention and Control (III), Convenience Notices, Shanghai Judicial Bureau, sh.gov.cn) issued by the Shanghai Judicial Bureau on March 31, 2022, enterprises can collect personal information related to their employees without obtaining the employees' personal consent in order to respond to the epidemic or to implement relevant epidemic prevention and control requirements.
Therefore, companies can collect personal information from their employees without their consent in order to implement relevant epidemic prevention and control requirements from district governments or authorities. However, if the data is collected for purposes other than COVID-19 related implementation measures, consent shall be obtained even during COVID-19 times.
2. Who shall protect the personal information of employees collected for COVID-19, and how should it be protected?
According to Art. 6 PIPL, “the processing of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of processing and shall be conducted in a way that minimizes the impact on personal rights and interests. The collection of personal information shall be limited to the minimum scope for achieving the purpose of processing and it is not allowed to excessively collect personal information.”
Moreover, the Notice on Proper Personal Information Protection to Support Joint Prevention and Control with Big Data, issued by the Office of the Central Cyberspace Affairs Commission on February 4, 2020, specifically states that personal information collected for epidemic prevention and control as well as disease prevention and control shall not be used for other purposes. It also highlights that any agency collecting or possessing personal information shall be responsible for protecting the security of that information and shall take strict management and technical protection measures to prevent it from being stolen or disclosed.
Thus, companies that have collected personal information from employees shall take measures to protect such information (e.g. password protection and limited access). Besides, companies shall only collect the information to the extent needed for handling COVID-19 and shall not use the information for other purposes.
3. How should companies deal with the personal information after COVID-19?
Pursuant to Art. 47.1 PIPL, once the purpose of handling has been achieved, companies should delete the personal information collected for such purpose. If they do not, the employees have the right to ask companies to delete their personal information related to COVID-19.
Moreover, the Personal Information Security Specification, a national standard, also stipulates the minimum necessary principle, that is, only the minimum type and quantity of personal information required to meet the purpose of the authorization and consent of the personal information subject is to be processed. After the purpose is achieved, the personal information should be deleted in time, which is also suggested by the Shanghai Judicial Bureau in the Guidance on common Legal Issues during Epidemic Prevention and Control (Guidance on Common Legal Issues during Epidemic Prevention and Control (III), Convenience Notices, Shanghai Judicial Bureau, sh.gov.cn).
Therefore, once the COVID-19 situation is over, companies are advised to sort out the specific personal information collected and processed for COVID-19, such as the vaccination status collected when required by local government, and delete such data. Meanwhile, companies can make a record of the deletion process as proof, including the date, the method, and the personnel who conduct or supervise the deletion.
In conclusion, since the Chinese PIPL took effect in November 2021, Chinese people's awareness of personal information protection has gradually strengthened, which has brought continuous challenges to companies, particularly during the special time of COVID-19.
“How to handle the challenges smartly and legally is not an easy task for every company. We do not know when and how China would announce the COVID-19 period is over. But the Chinese Ministry of Industry and Information Technology has made an announcement of canceling the asterisk on the travel card recently, which we believe is a good sign that the worst time is over”, said Dr. Florian Kessler, the CEO of WZR.
Thanks for your time! And if you have any questions or interesting stories in this regard, please do not hesitate to contact us and we will be really glad and honored to discuss with you!