
Shihui Articles || What does the PIPL mean for an HR manager?

大辉哥 | Shihui Partners (世辉律师事务所) | 2022-06-13


As an HR manager, part of the job is to gather and understand employees’ personal information. The Personal Information Protection Law (“PIPL”), however, sets out new requirements for HR management. This article walks through employment in chronological order, from commencement to termination, and responds to the questions most commonly raised at each stage.



Authors: Shihui Partners | Chang Liu | Hongyuan Zhang


1. As an HR manager, how should you handle candidates’ personal information?



For an HR manager, a vacancy usually brings a surge of CVs, and with them a large volume of personal information. Under the PIPL, we recommend that an HR manager pay attention to the following issues when handling candidates’ personal information.


For CVs submitted by candidates – candidates should be informed of the matters below (the “Relevant Information”) and their consent should be obtained.


According to the PIPL, enterprises should inform the individual of the following matters –


  • Name and contact details of the enterprise;

  • The purpose and methods for processing personal information, and the categories and storage time of the personal information to be processed;

  • The methods and procedures for exercising the rights under the PIPL.


Accordingly, we recommend that before collecting candidates’ personal information, HR managers consider using a pop-up notice on the CV upload page or an email to inform candidates of the Relevant Information, and collect the personal information only after candidates have given their consent.


Candidates’ personal information – collect it only where necessary


Compared with collecting employees’ personal information, we recommend that enterprises be more cautious when collecting candidates’ personal information and keep the collection within a reasonable and necessary scope, since candidates have not yet established an employment relationship with the enterprise and are not yet subject to its management. For example, it may be reasonable for an employer to collect an employee’s marital status when the employee applies for marriage leave; collecting the same information from a candidate may well be considered unreasonable. For candidates, we recommend that enterprises collect only basic information such as name, address and contact details, together with information related to the candidate’s ability to perform the employment contract, such as educational background and work experience.


CVs provided by a third-party agency – rights and obligations should be clearly defined


If CVs are supplied by a third-party agency (e.g. a recruitment agency), the enterprise and the agency may constitute “joint processors” under the PIPL. In that case, if either party infringes personal information rights, both parties bear joint and several liability.


We recommend that enterprises negotiate the terms of cooperation with third-party agencies and set out each party’s rights and obligations, including requiring the agency to obtain each candidate’s consent to providing their CV. To mitigate risk, the agreement can also provide that the agency is liable for any non-compliant processing of personal information.


CVs of unsuccessful candidates – delete immediately, or store only with consent


Since the PIPL requires that the retention period of personal information be the shortest necessary to achieve the processing purpose, we recommend that enterprises delete the CVs of unsuccessful candidates immediately. Some enterprises may wish to keep candidates’ information for possible future needs; in that case we recommend obtaining each candidate’s consent. If, however, the information to be used has been anonymised for recruitment analytics, it is no longer personal information under the PIPL and its use does not require the individual’s consent.




2. How to use fingerprint and facial recognition to track attendance?


Attendance tracking has become more accurate and more convenient, moving from signatures and punch cards to fingerprints and facial recognition. Because of its sensitive nature, the PIPL restricts how biometric information may be processed.


Fingerprints and facial recognition – sensitive personal information


Unlike ordinary personal information, biometric information such as fingerprints and facial recognition data is listed under the PIPL as sensitive personal information, together with information on religious beliefs, specific identity, medical health, financial accounts and location tracking, i.e. personal information that, once leaked or illegally used, is likely to harm a natural person’s dignity or endanger personal or property safety.


When processing sensitive personal information, enterprises need to meet the following conditions –


  • Obtain the individual’s separate consent;

  • Process only for a specific purpose and where sufficiently necessary;

  • Take strict protection measures;

  • Conduct a personal information protection impact assessment;

  • Inform the individual of the specified matters, the necessity of processing the sensitive personal information and the impact on his or her rights and interests.



Collecting fingerprints and facial recognition data – the individual’s consent


In the context of employment management, in addition to obtaining the individual’s consent, enterprises may process personal information where it is necessary for “human resources management in accordance with employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law” (“HR management”), another common legal basis under the PIPL. This basis also applies to sensitive personal information: if an enterprise’s processing of employees’ personal or sensitive personal information meets the conditions for HR management, the individual’s consent or separate consent is not required.


Note that, although this gives enterprises some flexibility in employment management, they must still meet the statutory conditions –


  • The scope of processing of employees’ personal information is clearly written into the employment rules and regulations or collective contracts;

  • The processing of employees’ personal information is necessary for HR management and follows the PIPL principles of legitimacy, necessity and minimum scope;

  • The employment rules and regulations and collective contracts have been formulated in accordance with statutory procedures. For example, rules and regulations must go through consultation and publication procedures, and collective contracts must be concluded in accordance with the Collective Contract Provisions.


Unlike bank account details and medical certificates, which are closely tied to salary payment and sick-leave management, whether fingerprints and facial recognition are genuinely necessary for tracking attendance is debated in practice. Even where such sensitive personal information is within the collection scope set out in employment rules and regulations or collective contracts, whether that can be enforced remains open to question. In practice, more cautious enterprises rely on the HR management basis but still obtain individuals’ consent, through personal notification letters, highlighted clauses and pop-up notices in the relevant systems, to reduce compliance risk.




3. As an HR manager, what kind of employee personal information can you collect?


To manage employees, enterprises often try to collect every category of employee information, but the law does not support this. The PIPL requires that processing of personal information follow the necessity principle, have a clear and reasonable purpose, and be limited to the minimum scope needed for that purpose; enterprises must not collect personal information excessively. HR managers therefore need to categorise the many kinds of personal information involved in employment management –


Based on the laws


The Employment Contract Law expressly gives employers the right to know basic information about employees that is directly related to the employment contract. Such information usually includes an employee’s name, gender, ID number, contact details and address, and enterprises may lawfully collect it. For specific industries and positions, enterprises may need further information. For example, enterprises in catering, medical services and the operation of public places may need to know whether employees in certain positions carry contagious diseases, and for female employees in positions prone to related occupational diseases, an enterprise may need to know their marital and childbearing status.


Based on HR management


As mentioned above, enterprises can also determine the scope of information necessary for HR management according to their own needs, subject to the principles of necessity, legitimacy and minimum scope. Collection beyond that scope is unlikely to be upheld.


Because business and management needs differ, enterprises often have different scopes of processing. For example, the location history of a delivery driver is closely related to a logistics company’s business, so collecting it is necessary and reasonable; other types of company may have no need to track their employees’ movements.


Based on an individual's consent


In practice, some personal information collected by enterprises may fall outside the scopes above (e.g. fingerprints and facial recognition data obtained for attendance tracking). With clear and justified reasons and a demonstrated need for collection, such information can still be collected and processed on the basis of the individual’s consent.




4. As an HR manager, what should you pay attention to when transmitting personal information of employees?


In HR management, personal information may be transmitted externally in circumstances such as providing employees’ information to professional service agencies for investigations and audits, or providing employees’ bank account details to an HR outsourcing company for salary payment. Under the PIPL, in these circumstances an enterprise should inform employees of the recipient’s name, contact details, processing purpose, processing method and the categories of personal information involved, and obtain employees’ separate consent. If the external transmission is carried out for HR management, the relevant matters must be specified in internal policies or collective contracts; to reduce risk, enterprises may additionally obtain employees’ individual consent.


Under the PIPL, an enterprise must also perform the obligations that apply to joint processing, entrusted processing and the transfer of personal information, according to the actual arrangement.


If an enterprise needs to provide personal information across borders (for example, a multinational transmitting employees’ personal information to its overseas headquarters), it should also inform employees of the methods and procedures for exercising their statutory rights. Given the particular risks of cross-border transfers, enterprises must additionally meet at least one of the following conditions –


  • Pass the security assessment organised by the Cyberspace Administration of China;

  • Obtain personal information protection certification from a specialised agency in accordance with the provisions of the Cyberspace Administration of China;

  • Enter into a contract with the overseas recipient based on the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties.


The relevant authorities have not yet issued detailed implementation rules for the personal information protection certification and standard contract mechanisms required by the PIPL, but as the PIPL is implemented these details are expected to be published in the near future. We recommend that enterprises affected keep a close eye on further updates.




5. What rights do employees have in the processing of their personal information?


Before the PIPL, individuals’ rights over their personal information were often ignored. The PIPL sets out those rights and requires enterprises to establish convenient mechanisms for receiving and handling requests so that individuals can exercise them. In HR management, an employee has the following rights –


  • To know about and decide on the processing of his or her personal information, and to restrict or refuse processing of that information by others;

  • To consult or copy his or her personal information held by a personal information processor;

  • To request transfer of his or her personal information to a personal information processor designated by him or her;

  • To request that the enterprise correct or supplement personal information that is inaccurate or incomplete;

  • To request deletion where the processing purpose has been achieved, cannot be achieved, or is no longer necessary;

  • To request that the enterprise explain its rules for processing personal information.


According to the above regulations, we recommend that enterprises should establish appropriate channels for employees to exercise their personal rights and should fully inform employees of such channels. For example, enterprises can consider having a chapter on personal information protection in internal policies, such as employee handbook, to introduce how employees can exercise their rights.




6. As an HR manager, how should you process employees’ personal information after termination of employment?


Generally, when an employee’s employment terminates, processing of the employee’s personal information should also come to an end. We recommend that HR managers handle personal information as follows –


Information that should be stored


Under the Employment Contract Law, an employer must keep the text of terminated employment contracts for at least two years for inspection, so the personal information contained in employment contracts, such as the employee’s name, ID number, address and contact details, should be preserved after termination. Under the Temporary Provisions on Payment of Wages, an employer must keep written records of salary payments, including the amount and date of each payment, for at least two years following termination.


Information that should be deleted


Under the PIPL, the retention period of personal information should be the minimum necessary to achieve the purpose of processing. For sensitive personal information such as fingerprint and facial recognition data, we recommend that HR managers delete it immediately upon termination, as it is no longer needed for tracking attendance.


Other information


At present, there are no clear rules on retaining or deleting employee attendance, reward and punishment, and performance evaluation records. However, given the one-year limitation period for employment arbitration, we recommend that enterprises keep such records for at least one year following termination.


PRC law also contains special provisions for certain positions. Under the Measures for the Supervision and Administration of Food Safety for Online Catering Services, third-party platform providers for online catering services must conduct annual training and assessment of food safety management personnel and keep the training and assessment records for at least two years. Enterprises should act accordingly.
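The retention schedule described in this section can be encoded so that a sweep over an HR data store applies it mechanically once an employee leaves. The following is an added example written for this article, not code from the authors or from any HR system; the record layout, category names and sample data are assumptions, and the retention periods are those cited above rather than independent legal advice.

```python
"""Retention sweep for a terminated employee's HR records.

Added example, not from the original article. It encodes the retention
periods the article cites so that a sweep over an HR data store can
decide which records to keep and which to delete once an employee has
left. Record layout, category names and the sample data are assumptions
made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Days to retain each record category after the termination date.
# 0 means delete as soon as employment ends. Periods follow the article:
# employment contract and wage records, two years; biometric templates,
# immediately; attendance, performance and reward/punishment records,
# one year (the employment-arbitration limitation period); food-safety
# training records, two years.
RETENTION_DAYS = {
    "employment_contract": 2 * 365,
    "wage_record": 2 * 365,
    "biometric": 0,
    "attendance": 365,
    "performance": 365,
    "reward_punishment": 365,
    "food_safety_training": 2 * 365,
}


@dataclass(frozen=True)
class Record:
    employee_id: str
    category: str
    description: str


def retention_deadline(category: str, terminated_on: date) -> date:
    """First date on which a record of this category may be deleted.

    An unknown category raises rather than being kept silently: every
    category in the store must have an explicit retention rule.
    """
    try:
        days = RETENTION_DAYS[category]
    except KeyError:
        raise ValueError(f"no retention rule for category {category!r}") from None
    return terminated_on + timedelta(days=days)


def sweep(records, terminated_on: date, today: date):
    """Split records into (keep, delete) as of `today`.

    A record is deleted once its retention deadline has been reached.
    """
    keep, delete = [], []
    for rec in records:
        if today >= retention_deadline(rec.category, terminated_on):
            delete.append(rec)
        else:
            keep.append(rec)
    return keep, delete


# Constructed sample: one employee whose employment ended on 2022-06-13.
SAMPLE_TERMINATION = date(2022, 6, 13)
SAMPLE_RECORDS = [
    Record("E1001", "employment_contract", "signed contract: name, ID number, address"),
    Record("E1001", "wage_record", "monthly payment amounts and dates"),
    Record("E1001", "biometric", "fingerprint template from attendance system"),
    Record("E1001", "attendance", "clock-in history"),
    Record("E1001", "performance", "annual performance reviews"),
]


def categories_to_delete(today: date):
    """Categories of the sample records that are due for deletion on `today`."""
    _, delete = sweep(SAMPLE_RECORDS, SAMPLE_TERMINATION, today)
    return sorted(rec.category for rec in delete)


if __name__ == "__main__":
    for day in (date(2022, 6, 13), date(2023, 6, 13), date(2024, 6, 12)):
        print(day, "delete:", categories_to_delete(day))
```

Running the sweep on the termination date deletes only the biometric template; one year later the attendance and performance records become deletable; after two years the contract and wage records follow. The unknown-category check is deliberate: a record type that nobody has classified should stop the sweep rather than be retained indefinitely by default.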




7. How to prevent the disclosure of employees’ personal information?


The PIPL provides for heavy penalties for unlawful processing of personal information. Besides improving the protection of employees’ personal information in the HR management process, enterprises also need to prevent internal disclosure. We have the following suggestions –


Hierarchy for information access


After categorising personal information, enterprises should set out, through internal policies and technical means, different levels of clearance for processing personal information, and determine which personal information each level of staff may access under that hierarchy. This should effectively reduce the legal risks that employees’ unlawful actions may cause.
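The “technical means” side of such a hierarchy can be as simple as a field-level policy in the HR system. The following is an added example written for this article, not code from the authors or from any HR product; it sorts fields into the three tiers the article distinguishes (basic information, HR-management information, sensitive personal information), gives each role a clearance level plus explicit need-to-know grants, and logs every denied read. Role names, field names and the sample record are assumptions.

```python
"""Field-level access to employee personal information by clearance tier.

Added example, not from the original article. Fields are placed in the
three tiers the article distinguishes; each role gets a clearance level
plus, where the job needs it, an explicit grant to individual fields
above that level, so a payroll clerk can see a bank account without
seeing a fingerprint template. Denied reads are appended to an audit
list. Role names, field names and the sample record are assumptions.
"""
from enum import IntEnum


class Tier(IntEnum):
    BASIC = 1          # name, contact details, ID number and similar
    HR_MANAGEMENT = 2  # attendance, performance, education, work history
    SENSITIVE = 3      # biometrics, financial accounts, medical information


FIELD_TIER = {
    "name": Tier.BASIC,
    "gender": Tier.BASIC,
    "id_number": Tier.BASIC,
    "contact": Tier.BASIC,
    "address": Tier.BASIC,
    "education": Tier.HR_MANAGEMENT,
    "work_experience": Tier.HR_MANAGEMENT,
    "attendance": Tier.HR_MANAGEMENT,
    "performance": Tier.HR_MANAGEMENT,
    "bank_account": Tier.SENSITIVE,
    "medical_certificate": Tier.SENSITIVE,
    "fingerprint_template": Tier.SENSITIVE,
    "face_template": Tier.SENSITIVE,
}

# Each role: (clearance level, extra fields granted on a need-to-know basis).
# No human role is given blanket SENSITIVE clearance; sensitive fields are
# reachable only through an explicit grant tied to a job function.
ROLE_POLICY = {
    "receptionist": (Tier.BASIC, frozenset()),
    "line_manager": (Tier.HR_MANAGEMENT, frozenset()),
    "payroll_clerk": (Tier.HR_MANAGEMENT, frozenset({"bank_account"})),
    "hr_director": (Tier.HR_MANAGEMENT, frozenset({"bank_account", "medical_certificate"})),
    "attendance_system": (Tier.BASIC, frozenset({"attendance", "fingerprint_template", "face_template"})),
}


def is_allowed(role: str, field: str) -> bool:
    """True if `role` may read `field`. Unknown roles or fields are denied."""
    if role not in ROLE_POLICY or field not in FIELD_TIER:
        return False
    level, extra = ROLE_POLICY[role]
    return FIELD_TIER[field] <= level or field in extra


def view_record(record: dict, role: str, audit: list) -> dict:
    """Return only the fields `role` may see; record each denied field in `audit`."""
    visible = {}
    for field, value in record.items():
        if is_allowed(role, field):
            visible[field] = value
        else:
            audit.append({"role": role, "field": field, "outcome": "denied"})
    return visible


# Constructed sample record (values are placeholders, not real data).
SAMPLE_EMPLOYEE = {
    "name": "Example Employee",
    "id_number": "<redacted>",
    "contact": "<redacted>",
    "attendance": "22 days present in May",
    "performance": "meets expectations",
    "bank_account": "<redacted>",
    "fingerprint_template": b"<opaque template bytes>",
}


if __name__ == "__main__":
    log = []
    for role in ROLE_POLICY:
        print(role, "->", sorted(view_record(SAMPLE_EMPLOYEE, role, log)))
    print(len(log), "denied reads logged")
```

Two design choices matter here. Denial is the default: a role or field the policy has never heard of gets nothing, so adding a new sensitive field to a record cannot silently expose it. And biometric templates are reachable only by the attendance system itself, which mirrors the article’s point that fingerprints and facial data serve one purpose and nobody else in HR needs to read them.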


Internal policies and confidentiality agreement


Enterprises can classify unlawful processing of personal information as a serious violation of internal policies and specify the corresponding disciplinary actions. Enterprises can also emphasise employees’ confidentiality obligations in their confidentiality agreements to deter disclosure and reduce the risk of personal information leakage.


Compliance training


The PIPL sets higher requirements for all categories of staff, including HR managers. Enterprises should regularly conduct security education and training for the relevant employees and keep training records to prove that they have fulfilled their statutory obligations, reducing the related risks.


Emergency plans

Under the PIPL, enterprises are also required to draw up emergency plans for personal information security incidents. In the event of unauthorised access to, or disclosure, falsification or loss of, personal information, enterprises must take remedial measures immediately and notify the relevant authorities and the affected individuals.




Conclusion

The PIPL came into force on November 1, 2021, and personal information protection should by now be a priority for every enterprise. The real question is: for those still not catching up, who will receive the first penalty under Article 66 of the PIPL, and how large will it be?



Copyright and Disclaimer

This article is for reference only and should not be considered legal advice. It should not be used for any other purpose without the written consent of Shihui Partners. If you forward it, please indicate the source. If you have any questions about the content of this article, you can contact the authors, Hongyuan Zhang and Chang Liu, or other Shihui Partners lawyers.





Hongyuan Zhang | Partner


zhanghy@shihuilaw.com


Mr Hongyuan Zhang’s main areas of practice are employment law, employment-related dispute resolution, laws relating to social security, etc. 
Mr Zhang is able to advise clients in both non-contentious and contentious matters. He regularly advises clients on employment relationship, management of foreign employees, protection of trade secrets, non-compete, union issues, collective agreements, remuneration, social insurance, benefits and leave for employees, occupational health and production safety, protection of employees’ personal information, etc. Mr Zhang also regularly assists clients with due diligence investigations and compliance matters related to employment, the transfer and termination of employment often seen in important M&A, reorganization and relocation projects, as well as clients’ economic layoff requirements.
Mr Zhang is also deeply experienced in representing clients in contentious matters. He regularly represents clients in employment-related negotiation and mediation, as well as employment arbitration and litigation. 
Mr Zhang has advised on employment matters for numerous large state-owned enterprises, institutions, multinationals and large domestic private enterprises, and his clients are major players in sectors such as banking and finance, logistics, food and beverage, consultancy, insurance, healthcare, aviation, automobiles, software technology, etc.





Chang Liu | Partner

liuch@shihuilaw.com


Ms. Chang Liu’s main areas of practice are employment law, employment-related dispute resolution, laws relating to social security, etc. She has advised hundreds of large state-owned enterprises, multinationals, domestic private enterprises and institutions, and her clients are major players in sectors such as banking and finance, consultancy, insurance, healthcare, software technology, fast-moving consumer goods, real estate, petrochemicals, aviation, etc.
Ms. Liu is deeply experienced across all employment-related practice areas, including drafting and reviewing employment documents and internal policies such as employment contracts, training agreements, confidentiality and non-compete agreements, employee handbooks, etc. She also regularly advises clients on employment relationship, management of foreign employees, protection of female employees, protection of trade secrets, non-compete, union issues, collective agreements, remuneration, social insurance, benefits and leave for employees, reorganization of employment structure, occupational health and production safety, etc. Ms. Liu has also been regularly designing employment transfer or termination plans that are compatible with the main transaction plans in important projects such as large-scale M&A, assisting clients with economic layoff, and conducting employment due diligence investigations. Ms. Liu has extensive experience in all these practice areas, and she has been widely praised for being able to provide clients with the most precise and practical solutions.
Ms. Liu is also a seasoned litigator when it comes to handling employment arbitration and litigation cases, and she has defended clients with employment disputes relating to termination of employment, salary, bonus and commission, labor dispatch, etc.


