As part of the Chinese government’s effort to build a modernized data protection regime, the Information Security Technology – Personal Information Security Specification became effective on May 1, 2018. This is the latest—but not the last—in a series of regulatory documents driven by China’s new Cyber Security Law. It elaborates on certain data protection principles that, though currently nonbinding, serve as guidance for employers as they implement data-privacy protocols in China and worldwide, and as they seek to avoid employee claims.
The specification defines “personal information” as any information that can be used on its own or in conjunction with other information to reveal the identity of a natural person, including the person’s name, date of birth, identification card number, biological identification information (e.g., fingerprints and irises), addresses, and telephone numbers. This naturally includes information obtained by employers about their employees, as well as information about candidates at the recruitment stage.
Information Collection
Although an employer has a right to know its employees, the first rule of information collection is that it should be consensual. Employees are very unlikely to object to their employer having information necessary to execute an employment contract, such as details on bank accounts and addresses, but other areas may inspire more resistance (e.g., commissioning a third-party investigator to conduct a background check on a candidate for a senior management position).
Another general tenet with information collection is that the scope of personal information collected should be determined on the principle of necessity. This means that an employer should collect only information that is reasonably necessary for it to know, such as qualifications, experience, addresses, and bank account numbers. Employees (and potential candidates) have the right to refuse to give personal information that does not have a direct connection with the work.
Monitoring and Surveillance
Employers may have justifiable business reasons for monitoring emails and the use of their computers, smartphones, and other technology. Employers may also have good reasons to use video surveillance. However, the law requires that employers that engage in monitoring follow the principles of necessity, transparency, and informed consent. In the case of video surveillance, the law requires employers to notify employees of relevant information, such as the purpose of the surveillance and the locations of the cameras.
Storage and Cross-Border Transmission
It is common for multinational companies to store employees’ personal information (such as EHRs) in a global human resources management system, which is frequently hosted on a server outside of China. This involves a cross-border transmission of personal information, which falls within the scope of the data protection legislation.
The specification expresses the view that personal information should be stored within China and should be transmitted out of China only for legitimate reasons. The new legislation requires employers that transmit data out of China to disclose to employees the purpose, scope, content, recipient, and other relevant factors of any cross-border personal information transmission and obtain each employee’s consent to the transfer. Furthermore, employers may want to conduct an internal security evaluation of the risks associated with cross-border transmission and overseas storage in order to ensure the security of the personal information.
Comment
Multinational organizations may want to conduct a compliance review of their policies against emerging data protection rules in China and make any necessary adjustments, such as updating employment contracts to cover consent, altering employee handbooks, and ensuring compliance regarding data transfers outside of China.
Written by Edward Song of MHP Law Firm and Bonnie Puckett of Ogletree Deakins