Employee Data Security and Protection in China

July 13, 2020, 2:59 pm

Under the Labour Contract Law of the People’s Republic of China (PRC), an employer may formulate its internal policies in accordance with the law. If those policies involve matters that directly affect employees’ immediate rights and interests, such as working hours and work discipline, they must be discussed by the employee representative congress or all employees, and then determined by the employer after consultation with the labour union or employee representatives.

Regarding confidential information, the PRC Labour Contract Law allows a confidentiality obligation to be agreed between employer and employee in the employment contract. If the employee divulges confidential information to any third party, the employer may claim damages incurred as a result from the employee.


Employee privacy protection

According to the PRC Labour Contract Law, employers are entitled to know an employee’s basic information that directly relates to the employment contract, and the employee is obligated to provide that information truthfully.

When conducting background checks, however, employers must not infringe employees’ privacy rights or equal employment rights; otherwise they may face litigation under the PRC Tort Law. In addition, when collecting or using employees’ personal electronic information obtained through background checks or application questions, employers must follow the principles of lawfulness and propriety in the methods and scope of collecting and using that information. Employers must also keep in strict confidence any personal electronic information of citizens collected in their business activities, and must not divulge, distort or damage such information, or sell or illegally provide it to others.

Data security protection obligations

The National People’s Congress of China (NPC) has deliberated on the draft Data Security Law, which is expected to be finalised within the year, so that regulatory requirements relating to data security will be reflected in Chinese law. In the draft, the NPC imposes multiple obligations on those conducting Data Activities, as follows:

  • compliance with laws and regulations;
  • establishing and improving a data security management system, providing data security education and training, and taking technical and other necessary measures;
  • favouring economic and social development and improving people’s wellbeing, in line with social morality and ethics;
  • enhancing risk inspection, taking remedial measures in case of data security defects or vulnerabilities, and informing customers and reporting to regulatory authorities in case of security incidents;
  • periodic risk assessment and reporting to the regulatory authorities by important data processors (covering the categories, amount, collection, storage, processing and usage of the important data, along with security risks and countermeasures);
  • collecting data only by legitimate methods and only to the extent necessary;
  • for agents of data transactions, requiring notification of the data source, reviewing the identities of the parties and keeping records;
  • obtaining the necessary legal permits or registration for specialised online data processors;
  • cooperation by organisations and individuals during evidence collection by police and national security authorities in accordance with legal procedures; and
  • reporting to the competent Chinese regulatory authorities upon any request made by regulatory authorities abroad.

Consequences of failure to comply with the law

Organisations and individuals conducting Data Activities that fail to fulfil the data security protection obligations will be subject to correction orders, warnings or penalties ranging from RMB 10,000 to RMB 100,000, with penalties on the individuals directly in charge ranging from RMB 5,000 to RMB 50,000.

Where an organisation refuses to rectify, or where serious consequences such as large-scale leaks result, penalties range from RMB 100,000 to RMB 1 million, with penalties on the individuals directly in charge ranging from RMB 10,000 to RMB 100,000.

Data transaction agents who fail to perform the relevant obligations, where such failure results in an illegal data transaction, may be subject to a correction order, confiscation of illegal gains, penalties, and penalties on the individuals directly in charge.
