To prevent and control the management risks brought about by the COVID-19 outbreak, most employers in China are facing the challenges of collecting information about health status and recent travel schedules from employees.
Under the PRC Cyber Security Law ("CSL"), information, whether recorded electronically or otherwise, that "can identify a natural person independently or in combination with other information" is personal information. Therefore, employers collecting employees' personal information for the purpose of epidemic prevention should pay attention to the accompanying compliance risks. This article aims to analyse the legal pitfalls relating to data privacy in the workplace and the COVID-19 outbreak through the following Q&As.
Article 8 of the Employment Contract Law stipulates that "an employer is entitled to know the basic information directly related to the employment contract". During the COVID-19 outbreak, the health status of employees could have a direct impact on the production and operation arrangements of employers. Therefore, employers may collect outbreak-related information from employees within certain limits.
In addition, the Law on the Prevention and Control of Infectious Diseases and the Regulations on Responses to Public Health Emergencies both stipulate the obligation of an employer to report to the relevant authorities when it discovers infected patients or suspected patients. Thus, collecting outbreak-related information from employees is, to a certain extent, necessary for an employer to fulfil that obligation.
Many provinces and cities have also issued requirements for specific businesses to collect information on the health status of their employees. For instance, the Working Guidelines on Pneumonia Prevention and Control for the Catering Service Industry in Guangdong Province clearly require that "catering businesses should set up health administrators to be responsible for collecting the health status of employees, and to report to relevant authorities the health status of employees as required".
Answers to this question vary in practice. According to Article 1 of the Notice on the Protection of Personal Information and the Use of Big Data to Support Joint Prevention and Control (hereinafter referred to as the "Notice") issued by the Cyberspace Administration of China ("CAC"), any organisation or individual other than those authorised shall not collect and use personal information without consent for epidemic prevention and control, unless otherwise required by laws and regulations. Meanwhile, CSL Article 41 stipulates that the collection and use of personal information shall be subject to the consent of the data subject. The national guidelines on the Personal Information Security Specification ("PI Specification") further provide for exceptions to consent, including matters "directly related to public safety, public health, significant public interest" and "legal obligations as specified under laws and regulations". However, certain risks exist in collecting personal information merely on the basis of such exceptions, taking into account that the PI Specification is a recommended national standard with limited legal effect, whether the information collected by the employer is directly related to the performance of the employment contract, and whether the employer is authorised by the relevant authorities.
Therefore, the prevailing view in the market is that, unless authorised by the relevant authorities or the information collected is directly related to the performance of the employment contract, the employer, as the data controller, should inform employees of the rules and purposes of data collection before collecting their personal information, and obtain the employees' consent. If an employee refuses to provide such information, the employer could communicate with the employee to understand the reasons for the refusal, inform him or her of the consequences of refusal, and keep a record of the exchange.
In collecting employees' personal information, employers should comply with the minimum necessary principle set out in the CSL and the PI Specification. The said Notice also outlines that "collection should be limited in principle to those who are identified, suspected, in close contacts, etc., and generally does not target those who are from specific areas, in order to prevent de facto discrimination against the latter".
Therefore, employers should control the collection activities to the minimum necessary for the purpose of preventing and controlling the outbreak, such as:
The following examples are likely to be deemed beyond a reasonable scope and thus non-compliant with the minimum necessary principle:
Collecting employees' personal information will inevitably involve broader processing activities, i.e. storage, use, transmission, disclosure, etc. Therefore, Chinese employers are required to comply with the data protection provisions under the General Principles of Civil Law, the CSL and the PI Specification, including following the principles of legitimacy, proportionality and necessity, informing data subjects of the rules of data collection and use, as well as the purposes, means and scope of the data collection and use, ensuring accountability, and taking technical and other necessary measures to safeguard data security. The Notice also makes it clear that "personal information collected for epidemic prevention and control shall not be used for other purposes. No unit or individual may disclose personal information such as name, age, national identity card number, telephone number, home address, etc. without the consent of the data subject, except where necessary for joint prevention and control and after de-sensitisation. Any organisation that collects or holds personal information is responsible for the security and protection of that personal information, and should take strict organisational and technical safeguards to prevent theft and disclosure". Employers could be subject to penalties by regulatory and law enforcement authorities under the CSL if they are found to have illegally collected, used or disclosed personal information.