Returned Employees’ Personal Information Protection - Chapter I

Authors: Marissa, DONG  Lena, YUAN

Minji, WEI  Junjie, DONG

Foreword

As of today, the epidemic situation has gone far beyond our expectations.  However, we are now at the next stage, whereby people are back to work.  At present, we are noticing that in order to ensure the epidemic’s control and the safety of citizens, different institutions and channels are using various methods to collect, process and analyze personal information.  The question of how to collect personal information in full compliance with the rights of personal information subjects, as well as effectively preventing and controlling the spread of the epidemic is a big challenge. It is also a difficult topic, which may not have been addressed in previous legal studies. How enterprises will deal with the challenges raised by remote work during the epidemic is also another relevant issue.

In the following days, we will try to share with you some of our thoughts on the questions related to the collection and processing of personal information in the epidemic’s prevention and control, based on our understanding and experience in the relevant field of law. We will provide answers to the relevant issues, alongside some relatively short articles.

In this article, based on the specific requirements of the current laws and regulations on the protection of personal information and from the perspective of a general enterprise, we will address some practical issues relating to the collection and processing of the personal information of returned employees in a Q&A manner.  Due to space limitations, we have not carried out a detailed legal analysis or theoretical discussion, but we have strived to provide the overall ideas and principles for enterprises.

Ⅰ. What is the legal basis for enterprises to collect employees’ information？

Article 12 of the Law on the Prevention and Treatment of Infectious Diseases stipulates that all entities and individuals within the territory of the People's Republic of China shall accept the preventive and control measures taken by disease prevention and control institutions and medical agencies with respect to the investigation, inspection, sample collection and quarantined treatment of infectious diseases, and they must provide truthful information relating to such diseases; disease prevention and control institutions and medical agencies shall not divulge any information or materials relating to personal privacy. Article 21 of the Public Health Emergencies Regulations stipulates that no entity or individual may conceal, postpone the reporting of, misreport or instruct others to conceal, or postpone the reporting of, or misreport, an emergency.

It can be seen that in an epidemic situation, enterprises and individuals have a legal obligation to participate in epidemic prevention and control and truthfully provide relevant information. Therefore, in case of a request by the competent authorities, enterprises need to collect the relevant information of employees and report to the disease prevention and control department and other relevant authorities in a timely manner.

Ⅱ. Is the consent of returned employees required for collecting their personal information?

The Cybersecurity Law  requires that the purpose, method, and scope of personal information to be collected should be clearly notified to the personal information subject, and the collection of personal information is allowed only after obtaining consent from the personal information subject¹.  In addition, according to the “Notice on Better Protecting Personal Information and Utilizing Big Data to Support Joint Prevention and Control Work” (“Notice”) issued by the China Cybersecurity Administration on February 4, 2020², without the consent of the employees returning to work, the enterprise shall not arbitrarily collect their personal information on the grounds of epidemic prevention and control and disease prevention.

In summary, we recommend that, when an enterprise needs to collect its employees’ personal information related to the epidemic for the purpose of epidemic prevention and control and the protection of the health of all employees, such an enterprise should follow the principle of informed consent, clearly inform its employees of the purpose, method and scope of the collection of their personal information, and only collect their personal information after obtaining their consent. 

Ⅲ. What personal information is appropriate to be collected?

According to the provisions of the Cybersecurity Law, the collection of personal information should follow the principles of legitimacy, justification, and necessity³.  In addition, the Notice once again emphasizes that the collection of personal information during the epidemic outbreak should follow the "minimum scope principle".  Therefore, even if the current situation of epidemic prevention and control is still severe, it is still advisable that enterprises pay attention to assessing the necessity of the collection methods and scope, and collect personal information of the returned employees in the minimum scope that is closely related to the prevention and control of the epidemic, protecting the health of returned employees and the orderly production and operation of the enterprise.

For example, considering that the incubation period of COVID-19 is 14 days according to some experts, the collection of information about the cities that employees have visited in the past 14 days may be necessary for epidemic prevention and control,whereas it is questionable whether requiring employees to provide detailed records of their whereabouts for the past 30 days is necessary.  Another example is that, asking employees to provide their recent health status (such as whether they have a fever or a cough, etc.) is necessary under the premise of epidemic prevention and control. However, asking employees to provide previous chronic medical history is not directly related to the epidemic prevention and control, and it is thus not advisable for enterprises to collect such information.

In addition, for the convenience of enterprises, based on the specific requirements⁴ under the Guideline on Epidemic Prevention and Control Measures of Enterprises and Institutions to Resume Work and Production (“Guideline on Work-Resumption”) issued by the Joint Prevention and Control Mechanism for Novel Coronavirus Pneumonia of the State Council, we have prepared a brief summary of the types of personal information of returned employees that general enterprises may consider to collect as follows: 

• Employees’ identification information, such as their name, ID number;

• Employees’ contact information, such as their mobile phone number;

• Recent health and physiological information of employees, such as whether they have had suspected symptoms of the COVID-19 recently, such as, fever, cough or dyspnea, etc., or whether they have ever been diagnosed with COVID-19;

• Recent traveling information of employees, such as information relating to the means of transport they took on their way back to work, and their recent residence or travel history in epidemic outbreak areas.

In summary, when enterprises collect the personal information of returned employees, they shall not only collect such information to satisfy the needs of epidemic prevention and control, the protection of their employees’ health, and keep track of the health status of employees, but also take into consideration the relevancy and necessity of the collection of the personal information of returned employees for epidemic prevention and control, and not collect large quantities of employee’s personal information in a general manner so as to avoid unnecessary compliance risks.

Ⅳ. How shall enterprises report and disclose employees’ personal information related to the epidemic situation?

According to the requirements of the Law on Prevention and Treatment of Infectious Diseases⁵ and the Guideline on Work-Resumption⁶, enterprises should report to the disease prevention and control institutions and medical institutions truthful information relating to the prevention and control of the epidemic.  Therefore, after collecting the personal information related to the epidemic of their returned employees, the concerned enterprises shall report the relevant information in a timely manner in accordance with the specific requirements of the disease prevention and control institutions or medical institutions in various areas.

Except to fulfill the reporting obligations provided by the aforementioned laws and regulations, if an enterprise needs to provide or disclose to a third party the personal information related to the epidemic situation of its returned employees, it must obtain consent from the concerned employees.  The Notice emphasizes that even in the special period of epidemic prevention and control, no unit or individual shall disclose  personal information such as name, age, ID number, phone number, home address, etc. without the consent of the personal information subjects, except when such personal information is indeed necessary to be disclosed for the purpose of epidemic prevention and control and it has been desensitized before disclosure⁷.  We advise that if the company really needs to provide or disclose such personal information to other third parties, it should first communicate with their employees and obtain their consent; if employees do not want to publicly disclose their information but public disclosure of such information is necessary for the company to prevent and control the epidemic, such information should be desensitized before public disclosure. 

Ⅴ. How long can the personal information of returned employees related to the epidemic be stored?

According to the requirements of the National Standard GB/T 35273-2017, the Information Security Technology-Personal Information Security Specification, the storage of personal information should follow the principle of minimum storage, and the time limit of the storage of personal information shall be the shortest time needed to achieve the purpose for which the concerned personal information is collected and processed.  After the time limit of storage expires, the relevant personal information should be deleted or anonymized in a timely manner.

Therefore, we understand that personal information of returned employees collected by relevant enterprises should be kept within the shortest period of time necessary to fulfill the purpose of epidemic prevention and control.  Generally speaking, before the State and local government announces the end of the epidemic prevention and control, it is still necessary for relevant enterprises to properly keep such personal information.  After the epidemic prevention and control work is completed, except if it is indeed necessary for some enterprises to extend the storage period and that consent from relevant employees has been obtained, such personal information should be deleted or anonymized in a timely manner.

Ⅵ. Should enterprises cooperate with information collection conducted by a third party, related to their workplace?

When an enterprise participates in epidemic prevention work, in addition to the requirements by local government to submit the relevant employees’ personal information, they may also face a situation where they are required by a third party, for example, by a property management company, to submit relevant information. We understand that it is advisable for enterprises to deal with such situations in consideration of the following:

1. If the information requested by a third party does not fall within the scope of personal information, it is advisable for relevant enterprises to cooperate with such a request.  For example, employees may be required to take a temperature measurement before entering the office building, but employees may not have to provide their names or other personal information.

   
   

2. If the third party requests the provision of personal information, the concerned enterprises shall take into consideration whether the requesting third party is an authorized institution under the Law on the Prevention and Treatment of Infectious Diseases and the Public Health Emergencies Regulations.  If the third party is an authorized institution and the type of personal information required is indeed necessary for epidemic prevention, the concerned enterprises shall cooperate and provide such information.

   
   

3. If the third party is not clearly authorized by above mentioned laws and regulations, the concerned enterprises may require that the third party provide authorization documents by competent authorities.  If the third party is unable to provide such authorization documents, the concerned enterprises shall not provide their employees’ personal information.

   
   

4. If the personal information requested by the third party is apparently irrelevant to the epidemic prevention and control, the concerned enterprises shall refuse to provide the relevant personal information.
   

1.According to Article 41 of the Cybersecurity Law, network operators shall abide by the "lawful, justifiable and necessary" principles to collect and use personal information by announcing the rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtain the consent of the person whose personal information is to be collected.

2.According to Article 1 of the Notice on Better Protecting Personal Information and Utilizing Big Data to Support Joint Prevention and Control Work, all the local departments should attach great importance to the protection of personal information.  Except for institutions authorized by the health department of the State Council, no other unit or individual shall use personal information on the grounds of epidemic prevention and control and disease prevention without the consent of the personal information subject.  Where the laws and administrative regulations provide otherwise, they shall be followed.

3.According to Article 41 of the Cybersecurity Law, network operators shall abide by the "lawful, justifiable and necessary" principles to collect and use personal information by announcing the rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtain the consent of the person whose personal information is to be collected.

4. According to the Guidelines on Epidemic Prevention and Control Measures of Enterprises and Institutions to Resume Work and Production, (1) make sure employee health management is properly conducted. ...... Each unit should effectively acquire and keep updated of the situation of the flow of employees......

(2) implement health status report mechanisms. ... health status of employees should be gathered every day ...

5.According to Article 12 of the Law on Prevention and Treatment of Infectious Diseases, all units and individuals within the territory of the People's Republic of China shall accept the preventive and control measures taken by disease prevention and control institutions and medical agencies with respect to the investigation, inspection, sample collection and quarantined treatment of infectious diseases, and must provide truthful information relating to such diseases, and they shall provide truthful information about the diseases. Disease prevention and control institutions and medical agencies shall not divulge any information or materials relating to personal privacy.

6.Guideline on Epidemic Prevention and Control Measures of Enterprises and Institutions to Resume Work and Production.

(All units) shall gather health status of their employees daily and report to the local disease prevention and control department.  In case of any abnormal conditions, such units shall report such situations and take relevant preventive and control measures in a timely manner.

7.According to Article 3 of the Notice on Better Protecting Personal Information and Utilizing Big Data to Support Joint Prevention and Control Work, personal information collected for epidemic prevention and control and disease prevention purposes shall not be used for other purposes.  No unit or individual may disclose personal information such as name, age, ID number, phone number, home address, etc. without the consent of the personal information subjects, except when such personal information is indeed necessary to be disclosed for the purpose of epidemic prevention and control and has been desensitized before disclosure.

Marissa DONG

Partner

dongx@junhe.com

Practice Area：

Corporate and M&A

Telecom and Internet

Data Privacy, Cybersecurity and Information Law

Lena, YUAN

yuanq@junhe.com

Minji, WEI

weimj@junhe.com

Junjie, Dong

dongjj@junhe.com

战“疫” 特辑文章2019-nCoV

劳动法领域

• 新冠病毒疫情特刊（一）

• 新冠病毒疫情特刊（二）

• 新冠病毒疫情特刊（三）

• 新冠病毒疫情特刊（四）

• 新冠病毒疫情特刊（五）

• Employment Policies Issued for Coronavirus Outbreak

• Additional employment policies issued for coronavirus outbreak

房地产领域

• 肺炎疫情等特殊时期租金减免的法律依据探讨和建议

• Discussion on the legal basis for rent reduction during extraordinary times such as the Pneumonia Epidemic and further comments

• 新冠肺炎疫情对房地产行业的法律影响专题系列之一

  ——疫情对商品房销售的影响

• Special Series regarding the Legal Impact of the COVID-19 Epidemic on the Real Estate Industry---Topic One: The Impact of the COVID-19 Epidemic on the Sale of Commodity Housing

• 新冠肺炎疫情对房地产行业的法律影响专题系列之二

  ——疫情对建设工程施工合同履行的影响

• Special Series regarding the legal impact of the COVID-19 Epidemic on the Real Estate Industry---Topic Two: the impact of the COVID-19 Epidemic on the performance of construction contracts

• 新冠肺炎疫情对房地产行业的法律影响专题系列之三

  ——疫情对房屋租赁合同的影响

• Special Series regarding the Legal Impact of the COVID-19 Epidemic on the Real Estate Industry---Topic Three: The Impact of the COVID-19 Epidemic on Property Lease Agreements

• 新冠肺炎疫情对房地产行业的法律影响专题系列之四

  ——疫情对物业管理的影响

• Special topics regarding the legal impact of the COVID-19 Epidemic on the Real Estate industry--Topic Four: the impact of the COVID-19 Epidemic on Property Management

争议解决领域

• 新冠疫情下合同履行及责任分担简析

• A Brief Analysis on Contract Performance and Liability Allocation due to the Novel Coronavirus Outbreak
  

• 突发事件背景下的多元化纠纷解决机制之发展

• 新冠肺炎疫情对涉外合同履行的影响及法律应对

• 从行政法角度浅谈关于抗击新冠肺炎疫情的几点建议

破产重组领域

资本市场领域

• 新冠疫情下主要证券监管防控措施及影响简析

• 新冠疫情下创业企业的自我保护

  ——谈“不可抗力”对业绩承诺的影响及其对策

• 餐饮企业投资攻略

  ——兼论新冠肺炎疫情下投资餐饮企业重点法律问题

教育领域

• 新冠疫情期间学校法律风险防范

• Suggestions Regarding the Prevention of Legal Risks in Schools during the Novel Coronavirus Epidemic

商事刑事领域

• 新冠疫情期间企业的行政及刑事风险及防护

  ——各市场主体与疫情相关行政及刑事法律风险探讨

• Criminal Risks for Business Operations during the Coronavirus Outbreak

税法领域

• 新冠肺炎疫情期间最新财税政策支持

• Summary of the PRC Tax Regulations issued in response to the COVID-19 Outbreak
  

国际贸易领域

合规领域

• 新冠肺炎疫情期间广告宣传合规核心要点

• 新冠疫情下医疗废物处置的合规注意事项

• 疫情相关的信息保护和网络问题研究系列之一

  ——返程复工员工个人信息收集与保护重点问答

环境健康安全领域

公共卫生领域

娱乐、传媒与体育领域

点击标题即可查看文章详情

Click "Views" to Visit JunHe Official Website

Disclaimer

Articles published on JUNHE Legal Updates represent only the opinions of the authors and should not in any way be considered as formal legal opinions or advice given by JunHe or its lawyers. If any part of these articles is reproduced or quoted, please indicate the source.Any picture or image contained in these articles MUST not be reproduced or used unless otherwise consented by us in writing. You are welcome to contact us for any further discussion or exchange of views on the relevant topic.