Employers in China obliged to keep personal data confidential

Data protection in China has been regularly in the news this year. Not only have new data protection regulations been issued, but prosecutions have increased dramatically. In this article, Karen Ip and Owen Cox discuss the employers' obligations and the risks involved.

In terms of prosecutions, Dun & Bradstreet reportedly had four of its Chinese employees jailed in January for buying the personal data of Chinese citizens. Chinese prosecutors have also reported 30 cases of personal data theft, involving 57 suspects, in the first half of 2013. By contrast there was only one case, involving eight suspects, in the first half of 2012. More recently the arrest of private investigators, Peter Humphrey and Yu Yingzeng, is reported to concern the trafficking of personal data of Chinese citizens.

China’s Tort Liability Law has recognized a general right to privacy since 2010. However, the Tort Liability Law is short on details and doesn’t even specify whether the right to privacy extends to personal information. Since then, various data-protection regulations have been issued although many tend to be industry-specific, with a number covering internet service providers.

One of the more recent data protection initiatives was the Guidelines for Personal Information Protection, effective February 2013. The guidelines are only applicable to certain data collectors and data processers on a voluntary basis; however, it is broadly expected that more general regulations, when issued, will reflect the principles set out in the guidelines.

We comment below on certain employment-related data protection issues to which all employers must pay attention. For the purposes of this article we do not look at industry-specific data protection obligations.

Employee personal data

While there are no general data protection provisions in China, employers do have a specific obligation to keep confidential the personal data of their employees. The requirement is brief and apparently simple. That is, an employer must maintain the confidentiality of personal information relating to its employees and, in particular, employee consent is required before his/her personal information is disclosed to a third party.

This requirement, which dates back to 2008, is not new. However, it remains to be seen whether the authorities will refer to guidelines from earlier this year in order to determine whether the employer has taken adequate steps to ensure that personal data has been kept confidential.

One area in which employers can easily trip-up concerns the outsourcing of human resources functions. Care must be taken to ensure that each employee has consented to having their personal information transferred to the third party. A good place to document consent is in the employment contract. But if consent is not given in the employment contract, then it must be documented separately. The drafting of the consent should be broad enough to cover various types of data transfers that may be needed, but not so broad as to essentially negate the employee’s right to confidentiality.

Customer personal data

According to Chinese prosecutors, around half of the cases arising in the first half of 2013 involved employees taking advantage of their position to sell customer data or to use customer data to promote their own products. Thus, although an obligation to safeguard customer personal data is not directly an employment law matter, it can quickly become so.

Employers need to be extra vigilant with the customer data that they hold. Not only can the leakage of personal data cause significant embarrassment for the employer, but the possibility of being found liable for negligence should be avoided.

In order to decrease the risk of leakage, employers should ensure that customer data is only accessed by those who truly require access for their jobs. Access to such data should also be monitored, preferably in real time. On the legal side, employee contracts and the employment handbook should contain appropriate disciplinary measures in the event that an employee misuses customer personal data. Employee obligations should also be adequately addressed at induction and periodically reinforced.