Employee Monitoring in China

2020-05-12

Earlier this year, River Delta attorney Ms. Xinli Ma cooperated with OneTrust DataGuidance to publish a guidance note on employee monitoring in China, and today we share it with our followers. By reading this summary, you will obtain a general understanding of the matters to consider when approaching employee monitoring in the People’s Republic of China.

1. GOVERNING TEXTS
1.1 Legislation relevant to employee monitoring
There is no direct legislation relevant to employee monitoring in China. The question must be reviewed under laws and regulations regarding personal information security and privacy protection.

At present, China has not yet enacted specific laws and regulations for the protection of employees' personal information. From the point of view of labor laws and regulations, the provisions on workers' right to privacy are mainly reflected in the worker's right-to-know[1], as well as in the privacy of workers' health and disease information[2]. In addition, the Employment Services and Employment Administration Regulations require the employer's written consent to disclose employee personal data.

General legislation on personal information security and privacy protection

The protection of employees' right to privacy is based on the provisions of the Constitutional Law on the State's respect for and protection of human rights, the inviolability of citizens' human dignity, and the protection of citizens' freedom of communication and confidentiality of communications.[3] Articles 110 and 111 of the General Principles of Civil Law, which came into force in 2017, further clarify the protection of citizens' privacy and personal information. Although the General Principles of Civil Law for the first time established the right to privacy and to personal information at the level of basic civil law, they do not define the scope of personal privacy and information, nor what constitutes the illegal collection, use, processing or transmission of other people's personal information.

In recent years, legal provisions and other documents relating to network security and data security have gradually increased in number, including the Law of the People's Republic of China on Cybersecurity (hereinafter referred to as the "Cybersecurity Law") and the Data Security Management Measures (Draft for Comments) (which, once in force, will have the effect of departmental regulations). In addition, there are recommended national standards, namely the "Information Security Technology - Personal Information Security Code" and the Internet Personal Information Security Protection Guide.

The Cybersecurity Law, which came into effect in the same year as the General Principles of Civil Law, sets out the principles and methods for the collection and use of personal information, the responsibilities of network operators, etc.[4] Given the comprehensive definition of personal information under the Cybersecurity Law, the scope of protection will include employers collecting, storing, transmitting, processing and generating personal information from workers' social media, computers and mobile networks. The “Information Security Technology - Personal Information Security Specification”, formulated by the National Technical Committee for Information Security Standardization and officially to be implemented on October 1, 2020, further defines the connotation of personal information (including data subjects, sensitive information, information controllers, etc.), the various acts of collection and use, and the basic principles for the security of personal information.

Provisions on the right-to-know of the employer during the background check

Background checks are a common practice in employers' recruitment and day-to-day management. There are several reasons to conduct them, such as determining whether employees are honest and trustworthy and whether they are qualified for the job, and avoiding employment and business risks. Thus, it is necessary to review the authenticity of the candidate's basic information, their capacity to perform in the position, their attitude and ethical reliability in previous roles, and any legal liabilities arising from previous employment. Therefore, the boundary of the employer's right-to-know inevitably comes up for discussion.

The employer's right-to-know is directly regulated in Article 8 of the Labor Contract Law: “The employer has the right to know the basic situation directly related to the labor contract and the employee should truthfully explain it.” This clause not only creates a legitimate basis for the employer's right-to-know, but also limits it to reasonable boundaries. According to local regulations and judicial practice, “the basic situation directly related to labor contracts” includes gender, age, educational background, vocational skills and professional qualifications, work experience, work attitude and business quality, etc. In practice, the right-to-know should be directly related to the performance requirements of the proposed position and be a decisive factor in whether or not to sign a labor contract; it has substantial significance for the performance of the labor contract.

Employers need to follow Cybersecurity Law when using an internal LAN to collect and use employee personal information

According to the relevant provisions of the Cybersecurity Law, the network operator[5] has a duty of confidentiality for the personal information it collects. The use of personal information shall be in accordance with the principles of legality, justification and necessity, and the network operator shall not disclose, tamper with or destroy the collected personal information, nor provide personal information to others without the consent of the data subject. It is also worth noting that the Data Security Management Measures (Draft for Comments) contain detailed provisions on data collection and processing.

In addition, there are general provisions under the Cybersecurity Law that apply to all business operators, including network operators. Employers are subject to these general terms even if they are not "network operators" when it comes to processing personal information about their employees.

1.2 Sector-specific legislation relevant to employee monitoring
Not applicable.

1.3 Guidelines from supervisory authorities
Not applicable.

1.4 Notable decisions, i.e. case law or decisions from supervisory authorities
Not applicable.

2. TELEPHONE
2.1. What are the rules for recording telephone conversations?
There are no rules or regulations at either the national or local level specifically for recording telephone conversations. However, the above-mentioned laws and regulations should be strictly followed; even though the “Information Security Technology - Personal Information Security Specification” is not mandatory, it is still strongly recommended to abide by it.

Clarify the purpose of collection and usage of collected information
In day-to-day management, companies may monitor employees for the sake of supervision and management. For example, companies may capture images of employees through cameras, take employees' fingerprints through attendance machines, or collect employee location information through app-based location services, which often involves sensitive information about employees (location tracks, biometric information, etc.). For compliance purposes, the enterprise should ensure that the above-mentioned monitoring measures, as well as the employee information collected, serve a legitimate purpose and are necessary for the operation of the business (for example, for office personnel there is no need to collect location information). Employee information should not be collected or monitored outside working hours or the workplace (e.g., not in changing rooms), monitoring should not be installed in locations such as lounges, and employees' location information should be neither monitored nor collected after business hours.

Storage and cross-border transfer of employees' personal information
In practice, employees of some multinational companies are required to enter personal information into global personnel management systems for storage, but the servers for such systems are often located overseas. In addition, some companies may need to transfer personal information collected within China overseas, for example to overseas service providers for data processing, or, in the case of multinational companies, to headquarters so that personnel matters for Chinese employees can be managed in a unified manner. All of these practices run contrary to Chinese laws and regulations, as China has always emphasized the localized storage of personal information and strict control over its cross-border transfer.

On June 14, 2019, the State Internet Information Office issued the Measures for the Security Assessment of Personal Information Cross-border Transfer (Draft for Comments), which clearly define the protection of the right to know and other rights of personal information subjects in the cross-border scenario. The measures guarantee the right of personal information subjects to know the cross-border status of their personal information, the rights to access, correct and delete their personal information at various levels, and access to a complaint and remedy mechanism.

2.2. For which purposes may an employer carry out this type of monitoring?
Not applicable.

2.3. Is prior notification/approval with the data protection authority required?
Not applicable.

2.4. Is prior notification/approval/consultation from works' councils required?
Not applicable.

2.5. Is consent required from employees? If so, how should consent be sought?
According to China's current law on the protection of personal information, obtaining prior consent from employees can largely ensure employers' compliance in the collection and use of employees’ personal information. Therefore, employers should ensure that employees' consent is obtained for activities involving the collection and use of employees' personal information. In addition, employers should pay close attention to legislative and judicial practice in the protection of personal information and, as necessary, formulate and adjust the relevant internal rules and regulations of the enterprise. Since employers need to achieve comprehensive internal and external compliance in the protection of employees' personal information, the employer should organize the relevant departments to study and discuss the measures each department should take to properly handle employee personal information, so as to ensure there is no risk of, or liability for, violating the law in this regard.

2.6. Is consent required from other party to the call? If so, how should consent be sought?
No.

2.7. Is there a legal requirement for employers to have a written policy in place governing telephone monitoring? If not, is there a recommendation to have one?
Yes, according to PRC labor contract law, employers must have a written policy governing telephone monitoring. Employers typically monitor employees’ mail, telephone, CCTV aimed at the computer monitor, or other information systems. Since employees often store or transmit personal information in the enterprise's systems, it is advisable for the company to establish rules and regulations on its monitoring systems. The enterprise must also expressly inform employees of the company's monitoring measures and the forms of monitoring applied to the company's equipment, mail, systems, etc. Such rules and regulations or other documents must be confirmed in writing by employees, explicitly stating that the company can obtain all such information.

2.8. Are there any exemptions to the legal requirements which govern this type of monitoring?
No exemptions.

2.9. What are the retention requirements applicable to data collected through telephone monitoring?
None.

3. CCTV
3.1. What are the rules for CCTV surveillance?
There are no rules or regulations at either the national or local level specifically for CCTV surveillance. However, the above-mentioned laws and regulations should be strictly followed; even though the “Information Security Technology - Personal Information Security Specification” is not mandatory, it is still strongly recommended to abide by it.

Please refer to question 2.1.

3.2. For which purposes may an employer carry out this type of monitoring?
Please refer to question 2.2.

3.3. Is prior notification/approval with the data protection authority required?
Please refer to question 2.3.

3.4. Is prior notification/approval/consultation from works' councils required?
Please refer to question 2.4.

3.5. Is consent required from employees? If so, how should consent be sought?
Yes, please refer to question 2.5.

3.6. Is there a legal requirement for employers to have a written policy in place governing CCTV surveillance? If not, is there a recommendation to have one?
Please refer to question 2.6.

3.7. Are there any exemptions?
No exemptions.

3.8. What are the retention requirements applicable to data collected through CCTV surveillance?
None.

4. EMAIL
4.1. What are the rules regarding monitoring of employees' emails?
Please refer to question 2.1.

4.2. For which purposes may an employer carry out this type of monitoring?
Please refer to question 2.2.

4.3. Is prior notification/approval with the data protection authority required?
Please refer to question 2.3.

4.4. Is notification/approval/consultation with works' council required?
Please refer to question 2.4.

4.5. Is consent required from employees? If so, how should consent be sought?
Please refer to question 2.6.

4.6. Is there a legal requirement for employers to have a written policy in place governing email monitoring? If not, is there a recommendation to have one?
Please refer to question 2.6.

4.7. Are there any exemptions to the legal requirements which govern this type of monitoring?
No.

4.8. What are the retention requirements applicable to data collected through email monitoring?
None.

5. BIOMETRICS
5.1. What are the rules regarding biometric monitoring?
On March 6, 2020, the State Administration of Market Supervision and Administration and the State Administration of Standardization issued the National Standards Bulletin of the People's Republic of China (No. 1 of 2020), releasing GB/T 35273-2020 "Information Security Technology - Personal Information Security Code”, which will be implemented on October 1, 2020. This standard replaces GB/T 35273-2017 "Information Security Technology - Personal Information Security Specification".

The Code adds new requirements for the collection of personal biometric information. Before collecting personal biometric information, the collector must individually inform the personal information subject of the purpose, manner and scope of the collection and use of the biometric information, as well as the storage period and other rules, and obtain the subject's express consent. Personal biometric information includes personal genes, fingerprints, voiceprints, palm prints, ear profiles, irises, facial recognition features, etc.

As with GB/T 35273-2017, the Code remains a recommended national standard and is not legally enforceable. However, the release and implementation of GB/T 35273-2017 has made the actual impact of the Personal Information Security Code fully apparent.

5.2. For which purposes may an employer carry out this type of monitoring?
Not applicable.

5.3. Is prior notification/approval with the data protection authority required?
No.

5.4. Is notification/approval/consultation with works' council required?
No.

5.5. Is consent required from the employee? If so, how should consent be sought?
Yes, the employee's express consent should be obtained.

5.6. Is there a legal requirement for employers to have a written policy in place governing biometric monitoring? If not, is there a recommendation to have one?
Please refer to question 2.6.

5.7. Are there any exemptions to the legal requirements which govern this type of monitoring?
No.

5.8. What are the retention requirements applicable to data collected for biometric monitoring?
The Code makes it clear that, in principle, raw biometric information (e.g., samples, images, etc.) should not be stored. This means that not storing raw biometric information is a requirement that should not be breached in general. If employers want to store original biometric information, they need a particularly well-founded basis. What can be considered a particularly sufficient basis? Note 3 gives one: original biometric information may be stored in order to fulfil obligations under laws and regulations, which can be said to be a very stringent threshold.

The Code provides further reference paths for storing personal biometric information. The first optional path is for the collection terminal to use the personal biometric information directly to perform identification, authentication and other functions. This means that the personal biometric information is stored on the user's mobile phone or other collection terminal, and identification, authentication and other actions are carried out there, without any need to transmit the biometric information to the enterprise; the enterprise receives only the result of the verification. The second optional path is to delete the original images from which personal biometric information (facial recognition features, fingerprints, palm prints, irises, etc.) can be extracted once identification, authentication and other functions have been performed. This means the original is deleted as it is used: the image of personal biometric information is acquired, used for identification, authentication, etc., and then deleted. As for the timing of deletion, it is advisable to delete the personal information as soon as it has been used.

6. DEVICE MONITORING
6.1. What are the rules regarding company-owned device monitoring?
Please refer to question 2.1.

6.2. For which purposes may an employer carry out this type of monitoring?
Please refer to question 2.2.

6.3. Is prior notification/approval with the data protection authority required?
No.

6.4. Is notification/approval/consultation with works' council required?
No.

6.5. Is consent required from the employee? If so, how should consent be sought?
Please refer to question 2.5.

6.6. Is there a legal requirement for employers to have a written policy in place governing company-owned device monitoring? If not, is there a recommendation to have one?
Please refer to question 2.6.

6.7. Are there any exemptions to the legal requirements which govern this type of monitoring?
No.

6.8. What are the retention requirements applicable to data collected from the company owned devices?
None.

7. Are there any instances in which an employer may carry covert surveillance of the above, and if so, what are the requirements?
No.

8. What are employees' rights to access data?
There are no specific laws or regulations regarding employees’ right to access their data. However, experts on personal information protection have suggested legislating the information subject's right to query and delete their personal information, among other rights.

9. What are the penalties for non-compliance?
- Administrative liability: In accordance with the relevant laws and administrative regulations, the violation is recorded in the credit file and made public.

- Civil liability: Whoever violates these provisions and causes damage to others shall bear civil liability in accordance with the law.

- Public security administrative liability: If the conduct constitutes a violation of public security administration, punishment shall be imposed by the public security authorities in accordance with the law.

- Criminal liability: If the conduct constitutes a crime, criminal liability shall be pursued in accordance with the law.

[1] PRC Labor Contract Law, Article 8.

[2] Occupational Disease Prevention and Control Law, Articles 19 and 33.

[3] PRC Constitutional Law, Article 33, paragraph 3, and Articles 38 and 40.

[4] Cybersecurity Law of the PRC, Articles 40, 41, 42 and 43.

[5] A network operator is an entity that operates a network and provides wired or wireless services.
