Zhongcheng Qingtai | HR Legal Corner: Employee Information Protection Compliance
Published:
2021-01-11
Zhongcheng Qingtai Perspective
With the tremendous development and wide application of information technology in China, big data, artificial intelligence, cloud and other technologies have profoundly changed our lives. There is no doubt that we are all in the era of big data. Personal information has become the hottest new resources, but also the object of strong legal protection. Among them, because of the close relationship between enterprises and employees, there is a risk of improper access to employee information or infringement of employee privacy in the process of employee entry, employment and resignation, and even disputes. As the direct manager of employees' personal information, how to carry out internal data compliance will become a realistic challenge that enterprises have to face, and employee data security will also become the top priority in corporate compliance. This article will discuss how enterprise managers manage compliance and protect employees' personal information from the aspects of case analysis, legal provisions and practical suggestions.
Case
1. In the process of recruitment, a large enterprise entrusts a third party to conduct background investigation on some employees, especially senior executives. However, such entrustment may be regarded as illegal collection, transmission, trading, provision or disclosure of other people's information, and will be investigated for civil liability or even criminal liability.
2. A joint venture monitored employees' work E-mail, work computers, and office LAN use. In this way, the company can not only see all kinds of contents in the employees' work E-mail, but also the personal mails, personal e-commerce trading records and QQ or WeChat chat records processed by employees through the office network are under the supervision of the company. After the dispute occurred, the company cited the web browsing records in the employee's work computer during the trial to prove that the employee "dealt with matters unrelated to work during working hours" and was relieved of serious violation of discipline. In addition to filing a labor dispute lawsuit, the employee sued the company for infringement of his or her personal privacy in court.
3. In the process of campus recruitment, a bank arranged for new employees to undergo an entry physical examination, including the hepatitis B project. An employee was required to undergo a liver function reexamination, and the bank was sued by the employee to the court. The court held that the bank's behavior violated the law, constituted employment discrimination and violated the personality rights of employees.
comment and analysis
Article 1034 of the Civil Code stipulates that the personal information of natural persons is protected by law, and points out that personal information is recorded electronically or otherwise that can identify a specific natural person alone or in combination with other information, including the natural person's name, date of birth, ID number, biometric information, address, telephone number, electronic E-mail, health information, whereabouts information, etc. The Civil Code came into force on January 1, 2021.
The "Information Security Technology Personal Information Security Specification" further states that personal information also includes account passwords, property information, credit information, accommodation information, and transaction information.
On October 21, 2020, the National People's Congress announced the Personal Information Protection Act (Draft), which focuses on the current outstanding issues of personal information protection, and is compared to the Chinese version of the GDPR (the General Data Regulation promulgated by the European Union, known as the world's most stringent personal data protection law).
The interpretation of the Supreme people's Court and the Supreme people's Procuratorate on several issues concerning the application of law in handling criminal cases of infringing upon citizens' personal information strictly defines "personal information" and increases the punishment for criminal acts of infringing upon citizens' personal information. the criminal law net has been tightened.
The "Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Network Information" clearly requires enterprises to "collect and use citizens' personal electronic information in business activities, and shall follow the principles of legality, legitimacy, and necessity, and clearly indicate the purpose and method of collecting and using information And scope, and with the consent of the collector, information shall not be collected and used in violation of the provisions of laws and regulations and the agreement of both parties" and "the rules for its collection and use shall be made public".
Article 13 of the Regulations on Employment Services and Employment Administration issued by the Ministry of Human Resources and Social Security stipulates that "the employer shall keep the personal data of the worker confidential. The disclosure of the personal data of the worker and the use of the worker's technical and intellectual achievements shall be subject to the written consent of the worker himself."
……
The legislation responds to people's concerns about personal information protection in the era of big data. Under the background that the country continues to strengthen the protection of personal information, information data compliance will become an important cornerstone for maintaining the stable and healthy development of the industry, protecting the commercial interests and normal operations of enterprises, and corporate system compliance is also facing higher standards.
Practical operation suggestion
During the recruitment process, employers often conduct background checks on employees or require employees to fill in the "Personal Information Registration Form", set up cameras or monitor work E-mail and computers in the workplace, outsource non-core affairs to a third party to handle the transfer of personal information involving employees, and lack of attention to the personal information of employees who leave the company. These all face compliance risks and require employers to make a series of institutionalized and rationalized arrangements to ensure the compliance of the use of the obtained personal information.
For example, the employer can obtain the authorization of the employee to be investigated in advance, carefully use the third-party background investigation service provider to conduct the investigation, and accurately divide the rights and obligations on the protection of personal information through the entrustment contract. When collecting employee information, determine the information that needs to be collected according to the specific circumstances such as business and position to avoid excessive collection. In labor arbitration or litigation procedures, the employer submits evidence to the arbitration tribunal or court. If personal privacy is involved, it should take the initiative to submit it to the judicial organ, prompting the case to be heard in private, so as to limit the scope of personnel who have access to relevant evidence and avoid employees from raising objections. Strengthen the management of personal information of resigned employees, properly store personal information such as labor contract texts and work files, and delete personal information that has expired or no longer needs to be stored in a timely manner.
Key words:
Related News
Zhongcheng Qingtai Jinan Region
Address: Floor 55-57, Jinan China Resources Center, 11111 Jingshi Road, Lixia District, Jinan City, Shandong Province
