Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals the data relates to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has prompted questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In general, consent must be obtained for the collection, disclosure, international transfer, and other processing of personal information in China.
The PRC Civil Code, which defines personal information and the general principles of personal information protection, came into effect on January 1, 2021. Under the Civil Code (Art. 1035), processing personal information must follow the principles of lawfulness, fairness, and necessity, and requires consent, except as otherwise provided by law or regulation.
Exceptions to the consent requirement include when processing basic information directly related to the employee and the labor contract. Under the Employment Contract Law, employers have the right to process basic information. That said, the law does not define what constitutes “basic information,” though in the context of the employment relationship, it could arguably include personal information that is necessary to sign the labor contract, manage the relationship, enroll in social insurance and other mandatory benefits, and comply with audit requirements from authorities.
Under the Personal Information Protection Law (PIPL), data controllers (employers) must obtain express consent from data subjects (employees) unless one of the limited consent exceptions applies. Consent is not required when employers are processing employees’ personal information for HR management purposes. That said, the exact scope of this exception has yet to be outlined.
Employers must obtain “separate consent” from an employee in certain circumstances. Separate consent is not defined, but language in the PIPL suggests that express consent for each specific purpose is likely required:
- to provide personal information to a third-party that is not a service provider acting on the business’ behalf (Art. 23);
- to publicize an employee’s personal information (Art. 25), for example, in marketing or recruiting materials;
- to use an employee’s personal image and personal identification information collected by image capturing and personal identification equipment installed in the public workplace (such as a workplace CCTV system, facial recognition, or iris identification access control system) for purposes other than maintaining public security (Art. 26);
- to process sensitive personal information (Arts. 28 and 29), which in the employment context may notably include biometric identification systems for entry onto premises or access to IT equipment, location tracking on company-issued devices, health information related to medical insurance or periodic health checks, and financial account information needed to administer payroll; and
- to transfer employees’ personal information outside of China (for example, when providing employee data to an overseas parent company or affiliates) (Art. 39).
In addition, China’s Cybersecurity Law requires that network operators obtain consent from data subjects in order to collect and use their personal information. “Network operators” primarily applies to organizations that collect information from website users. That said, no guidance or regulation currently defines whether “network operators” includes employers who are processing their employees’ personal information.
HR Best Practices: Employers should establish specific rules for the collection, processing, storage, use, transmission, and disclosure of different categories of information, including obtaining consent when the processing goes beyond “basic information.”
Employers who collect personal information are expected to categorize the circumstances of the collection, use, transfer, and disclosure of employee information in their business management (not limited to human resource management), and establish a list of basic personal information, non-basic personal information, and sensitive personal information.