The World Health Organization (WHO) declared on January 30, 2020, that the outbreak of novel coronavirus (COVID-19) is a "public health emergency of international concern." This was, in part, an acknowledgement of the geographic spread of the virus and the need for intensified support for preparation and response, especially in vulnerable countries and regions. Further information is available in the WHO statement. On January 31, 2020, the Centers for Disease Control and Prevention (CDC) in the United States also declared a public health emergency for the United States. Further information from the CDC can be found at cdc.gov. COVID-19 is now affecting an increasing number of countries in Asia, including Korea and Japan.
This alert focuses on issues relating to data privacy in an employment context. We outline common issues that businesses operating in the People’s Republic of China (PRC or China), Hong Kong, and Singapore are likely to face arising from the outbreak of COVID-19. The issues that we have identified are not meant to be exhaustive. As this is a developing situation, governments are revising their responses to mitigate the emerging risk to public health.
As multinational corporations (MNCs) doing business in regions affected by COVID-19 strive to ensure the health and safety of their employees, they must be aware of the various restrictions and requirements imposed on them for the collection, use, disclosure, and retention of employee personal data. It is not advisable for MNCs to adopt the same measures across jurisdictions, as each jurisdiction has its own distinct requirements and limitations.
China, the country most severely affected by the outbreak to date, has taken steps to protect personal information in the midst of its efforts to prevent and control COVID-19. In addition to the personal data protections already in effect under the Cybersecurity Law and the national-level Personal Information Security Standard (PIS Standard), government agencies have also issued additional, specific cybersecurity and personal information protection notices in connection with the outbreak.
On January 30, the Ministry of Transport of the PRC issued the Urgent Notice of the Ministry of Transport on Coordinating the Work of COVID-19 Prevention and Control and Transport Security, which stipulates that other than providing passenger information to public health and other related authorities in connection with COVID-19 prevention and control, no additional personal information may be disclosed to other agencies, organizations, or individuals.1
Subsequently, the National Health Commission of the PRC issued the Notice of the General Office of the National Health Commission on Strengthening the Informationization to Support the Prevention and Control of COVID-19 Infection, which clearly states the government’s policy to strengthen the protection of privacy.2 The Cyberspace Administration of China, the primary Chinese regulator of cybersecurity and data privacy, also issued the Notice on Ensuring Personal Information Protection and Utilization of Big Data to Support Joint Efforts for COVID-19 Prevention and Control, listing more detailed requirements for personal information protection in the context of COVID-19 prevention and control.3
Collection of personal information for the purposes of COVID-19 prevention, control, or treatment shall comply with the national standards set forth in Personal Information Security Specification and adhere to the principle of minimal scope. Specifically, the data collection should be limited to key groups such as confirmed cases, suspected cases, and close contacts of confirmed cases; and it should not constitute de facto discrimination against individuals from targeted geographic locations. The institutions that collect or control personal information shall be responsible for the security and protection of such data, and adopt strict management and technical measures to prevent theft, misappropriation or leakage of personal information. Any entity or individual who discovers any unlawful collection, use, or disclosure of personal information may report the misconduct to cybersecurity administration agencies and public security bureaus. The competent authorities will promptly respond to illegal acts of collecting, using, and disclosing personal information.
Chinese law enforcement agencies have reportedly investigated and prosecuted several cases involving suspected violations of personal information protections in connection with the COVID-19 outbreak, mostly cases involving the disclosure of the personal information of patients and their close contacts. For example, in Jincheng, Shanxi province, a woman received a picture of a COVID-19 patient from her daughter-in-law, who worked at a local hospital, via the social media platform WeChat. The picture included the patient's personal and medical history information. The woman subsequently disseminated the picture in a WeChat group, and was later sentenced to administrative detention for ten days for the unlawful dissemination of personal information.4
The enforcement has targeted not only isolated incidents of infringement of privacy rights, but also unauthorized disclosure of patient information by public officials or any individual who is in a position to collect the personal information of others, such as HR or office managers.5 While these new government directives aim to provide guidance to the general public concerning privacy protection, the increased enforcement of privacy laws underscores both the importance as well as the challenge of ensuring privacy protection at a time when efforts to contain the outbreak need to be balanced with the regulatory mandate to protect personal information in accordance with law.
While this commentary is focused on the PRC, Hong Kong, and Singapore, as these jurisdictions have comprehensive and relatively active regulation and enforcement, similar issues are likely to arise across other jurisdictions in Southeast Asia, where the laws are fragmented and diverse. We invite readers to contact us directly with questions regarding other jurisdictions in Southeast Asia, such as the Philippines, Thailand, and Malaysia, as well as any other issues not addressed below.
Can an employer ask its employees to submit health declaration forms that provide personal data – for instance, whether they are experiencing symptoms and whether they have traveled to, or been in close contact with persons who have traveled to, regions affected by COVID-19?
PRC laws do not prohibit employers from collecting health declarations containing personal data from their employees. In addition, the PRC Employment Contract Law allows employers to collect their employees’ basic information where it directly relates to their employment contract. Therefore, employers may collect health declarations from their employees with respect to efforts to monitor for infection or otherwise maintain public health.
However, restrictions do apply, and as such, we recommend that employers also strictly abide by applicable PRC data privacy rules pertaining to the collection and processing of their employees’ personal data. In particular, employers should:
- Only collect and process personal data for a legitimate, just, necessary, and specific purpose.
- Inform data subjects of the purpose(s), methods, and scope of data collection and use, and obtain their consent before collecting, processing, or using personal data (in case of sensitive personal data, “explicit consent” (i.e., consent given in writing or through another affirmative act from data subjects) must be obtained).
- Pursuant to the national-level PIS Standard, refrain from collecting irrelevant personal data; divulging, tampering with, or damaging the personal data collected; or providing such data to others without the data subjects’ consent.
- Adopt technical and any other necessary measures to ensure the security of the collected personal data and prevent the personal data from being divulged, damaged, or lost.
In principle, data collection should be limited to confirmed cases, suspected cases, and cases of those who have had close contact with people who have contracted COVID-19.6 With respect to close contacts of suspected cases, the collection of personal information should be limited to name; contact information; gender; age; relationship with suspected cases; the earliest and latest time of contact; the frequency, location, and manner of contact; and the duration of each exposure.7
Additionally, we recommend that companies designate HR to be in charge of communicating with employees regarding the collection of employee personal data and to address questions or concerns that the employees might have relating to the COVID-19 outbreak. Furthermore, employers should ensure that personal data contained in a health declaration, or otherwise disclosed by an employee, is deleted when it is no longer necessary to retain such data.
The leaking of information concerning any suspected case of infection within a company could give rise to speculation concerning the medical condition of the particular employee. We therefore recommend that discussions with any employee regarding their health status or close contact with individuals who have contracted COVID-19, or any other discussions related to COVID-19, be conducted by HR in a setting where the confidentiality of the discussion can be maintained. Other managers who have similar discussions with employees should consult HR, who can follow up with the employees regarding related company policies. HR should also be tasked with continuously monitoring government directives on disease controls and workplace environmental health and safety, while also taking appropriate measures to comply with data protection requirements.
Yes. It is permissible for an employer to request its employees to submit health declaration forms, especially in the event of an outbreak of an infectious disease such as COVID-19.
In collecting and using the personal data of employees, the employer should be careful not to contravene the provisions of the Personal Data (Privacy) Ordinance (PDPO) and its own personal data policy (if such a policy exists). In the request (or in the health declaration form), the employer should set out the purpose(s) of the data collection, such as assessing the risk of an outbreak of the disease in the workplace; implementing control measures; ensuring a safe and healthy working environment; and sharing with governmental authorities, insurers, and the health care providers involved in treating the employees.
Yes. Asking employees to complete a health declaration does not constitute a breach of Singapore data protection law.
There are specific rules in Singapore restricting the collection and use of national identification information, such as an individual’s national registration identity card number, passport number, or foreign identity card number. An organization can only collect or use such national identification information where this is required by law or where there is a need to ascertain or verify identities to a high degree of fidelity. However, pursuant to their obligations under the Singapore Employment Act, employers are required to maintain the employment records of their employees and therefore the collection of employees’ national identification numbers is already required, and so authorized, by law. Accordingly, employers can collect their employees’ national identification information as part of the health declarations.
In contrast, for any individuals who are not employees – for instance, interns or visitors to the office – it would accord with good practice for an organization to collect and use unique identifiers other than national identification information. These may include their full name, designation, company name, mobile number, and email address.
Can the employer disclose the personal data collected from employees to third parties?
Entities in China are required to keep confidential any personal data they collect, and any disclosure of personal data to third parties is subject to the informed and express consent of the data subjects. However, PRC national standards concerning the protection of personal data provide certain exceptions, where personal data may be disclosed to third parties without the data subject’s consent. For example, consent is not required if the disclosure is:
- Required by government authorities in order to cooperate with an inquiry or investigation.
- Related to the fulfillment of obligations imposed by laws and regulations on the data controller.
- Directly related to national security or national defense.
- Directly related to public safety, public health, or significant public interests.
- Directly related to a criminal investigation, prosecution or trial, or the enforcement of a judgment, etc.
- Required to safeguard the basic rights and interests of individuals (such as the right to life and property), where obtaining consent would be impracticable.
- Of personal data that the data subject has made publicly available.
- Of personal data that was obtained from legitimate public sources, such as legitimate news reports and open government information.
In response to the outbreak of COVID-19, companies’ disclosure of employees’ health status to government agencies may become mandatory as it directly relates to public safety and public health, and is of significant public interest. Accordingly, companies may invoke this particular exception to the consent requirement, if necessary. The exception is limited to the need for jointly defending against and controlling the COVID-19 outbreak, and the personal data should be desensitized before disclosure.8
Under the relevant data protection principle of the PDPO, personal data cannot be used or disclosed for a purpose other than the original purpose of its collection or any directly related purposes, unless voluntary and express consent for a new purpose is obtained from the relevant employee. In other words, consent from the employee is not required where the personal data is used or disclosed for the original purpose of its collection or any directly related purposes.
Where the disclosure is not for the original or related purposes and no consent has been obtained from the employee, the PDPO provides some exceptions where the use of personal data is not restricted by the provisions of the PDPO. For example, section 59 of the PDPO provides that in a case where application of the provisions to personal data would be likely to cause serious harm to the physical or mental health of the data subject (i.e., the employee) or any other individual, the provisions would not apply. Section 61 also provides that personal data may be disclosed in the event that such disclosure is made by a data user (i.e., the employer) who has reasonable grounds to believe that the disclosure of the personal data is in the public interest. However, as noted by the Privacy Commissioner for Personal Data, given the terms “serious harm” or “public interest” are not explicitly defined in the PDPO and it is not compulsory for data users to apply the exceptions, employers should consider whether an exception applies in the circumstances before disclosing the personal data of an employee.
It depends. If an employer is legally required or permitted by any written law to disclose personal data (e.g., pursuant to a request by a public agency), then it can disclose that data without the need for employee consent. There are also exceptions to consent for any disclosure to a public agency where the disclosure is “necessary in the public interest,” or to any person where the disclosure is “necessary in the national interest.”
Further, the Personal Data Protection Act allows personal data about any current or former patients of a health care institution licensed under the Private Hospitals and Medical Clinics Act or prescribed health care body in Singapore to be disclosed without consent to a public agency for the purposes of policy formulation or review.
Additionally, consent is not required where the disclosure of data can be shown to be reasonable for the purpose of managing the employment relationship (e.g., limiting non-essential business travel to areas affected by COVID-19).
Finally, disclosure of personal data without consent is permitted:
- Where the disclosure is necessary to respond to an emergency that threatens the life, health, or safety of any individuals.
- Where there are reasonable grounds to believe that the health or safety of the individual concerned or any other individual will be seriously affected and consent cannot be obtained in a timely manner, in which case the organization will need to, as soon as practicable, notify the individual of the disclosure as well as its purposes.
- For the purpose of contacting the next of kin or a friend of an ill or deceased individual.
However, where none of the relevant exceptions apply, an organization must refrain from disclosing personal data without consent from the relevant individual.
For how long can an employer retain the personal data contained in the health declaration forms?
In general, employers will need to inform employees and obtain their consent for the company’s collection, processing, use, and retention of their personal data. Unless otherwise agreed with the employee, an employer may only collect and process a minimal amount and limited types of personal data to meet the legitimate business purpose set out in the scope of consent granted by the employee. The employer may retain the personal information for as long as the purpose remains legitimate and necessary. After the purpose is fulfilled or if the purpose is no longer legitimate and necessary, the personal data contained in the health declaration must be deleted or anonymized in a timely manner.
The general principle is that all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is collected or is (or may be) used. If the data is no longer necessary for such purpose, it should be erased at the earliest practicable opportunity.
An employer is only allowed to retain personal data records (including health declarations) if it has a specific legal or business purpose for doing so. If no such purpose exists, then the organization is obliged to destroy or anonymize that data completely. However, an employer could have a pre-existing and long-established HR policy to keep copies of all its employees’ records (such as medical certificates, expense claims, and health declarations) for the period that they are employed and, say, for a further 12 months, as this would facilitate its employees’ annual performance reviews and enable it to evaluate recruitment practices and attrition rates. In such a case, it would be open to the employer to explain its justifications for revising the retention period, for instance, in its data protection or data retention policies.
Are there any other data protection requirements that organizations should be aware of?
Companies must obtain explicit consent from employees before collecting and using their personal data. When sharing, transferring, or disclosing personal data, companies must comply with applicable regulations. Companies are also required to develop and implement privacy policies and a response plan for data breach incidents. Personal data that is collected for the purpose of COVID-19 prevention may not be used for any other purpose. Additionally, instances of the improper collection, use, or storage of personal data may be reported to relevant government agencies, in accordance with PRC cybersecurity laws and regulations.9
An employer should take reasonably practicable measures to ensure that any personal data collected from its employees is protected against unauthorized or accidental access, processing, erasure, loss, or use. The staff handling the personal data of employees should be trained to observe the employer’s personal data privacy policies and exercise due diligence in the application of those policies, and be subject to procedures designed to ensure their compliance with those policies.
It is mandatory for an organization that collects, uses or discloses personal data in Singapore to appoint at least one data protection officer and to make their business contact information available to the public. Organizations are also required to develop and implement policies and practices to comply with the Personal Data Protection Act.
While employers can and should take steps to collect relevant data from or about their employees in addressing current public health concerns, the collection and use of such data, even if conducted in accordance with the relevant employment contracts, are still subject to restrictions and requirements under the applicable data protection law in each jurisdiction. In an atmosphere where employers may be under significant pressure to monitor the health of their employees, it is especially important to be aware of these limitations.
Although employee consent is generally required in most situations, employers should also be aware that they may be able to invoke exceptions to the general consent requirement where there is an overriding justification for the collection, processing, and use of personal data. In making a determination of whether consent is required, employers should balance the company’s legitimate business or other legal purpose for collecting the information against applicable restrictions and privacy protections in order to ensure that the collection or processing is limited in scope and that appropriate security measures are implemented to protect the data from misuse or inadvertent disclosure.
This article is co-authored by Carolyn Chia, a lawyer at Resource Law LLC.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.