The novel coronavirus pneumonia (COVID-19) has been classified as a Class B infectious disease under the Law on the Prevention and Treatment of Infectious Diseases, and the preventive and control measures reserved for Class A infectious diseases have been applied to it. Thirty-one provinces, municipalities and autonomous regions across the country initiated a Level 1 response to major public health emergencies. To cooperate with the state epidemic control measures and protect the health of employees, employers must provide outbreak-related information on their employees, which raises some special legal issues regarding personal information protection. Such issues are governed by the personal information protection provisions of:
- the Cybersecurity Law;
- the Personal Information Security Specification (GB/T 35273-2017);
- the Law on the Prevention and Treatment of Infectious Diseases;
- the Emergency Response Law;
- the Regulation on Responses to Public Health Emergencies; and
- related employment law and regulations.
On 9 February 2020 the Office of the Central Cyberspace Affairs Commission issued the Notice on Protecting Personal Information and Using Big Data to Support Joint Prevention and Control (the CAC Notice), further clarifying the personal information protection matters in the COVID-19 outbreak.(1)
This article addresses the main concerns of employers regarding data protection and the coronavirus outbreak and summarises some of the legal issues concerning the collection and use of personal information of employees during the epidemic.
The primary purpose of collecting employee personal information during the COVID-19 outbreak is to cooperate with state epidemic control measures and protect the health of employees. Apart from basic identity and contact information (eg, name, gender, address, phone number and email address), companies generally also need to collect employee location information (eg, recent travel records, means of transportation, accommodation details and quarantine locations) and health information (eg, whether the employee has a fever or has been diagnosed with COVID-19). For suspected cases, companies may also need to collect information about the employee's close contacts (such as family and friends), according to the requirements of the competent authorities.
According to the CAC Notice, the collection of personal information must comply with the Personal Information Security Specification and adhere to the principle of minimum scope. Data subjects should in principle be limited to critical groups such as diagnosed COVID-19 patients, suspected COVID-19 patients and their close contacts. As a rule, the collection must not target everyone in a specific area, so as to prevent de facto discrimination against groups of people on the basis of geographical location.
Health administrations, medical and health institutions, disease prevention and control institutions, and other institutions designated or authorised by governments at or above the county level or by emergency command headquarters are authorised to demand that companies collect and provide employee personal information.
Under the Law on the Prevention and Treatment of Infectious Diseases, the Emergency Response Law and the Regulation on Responses to Public Health Emergencies, the health administration department, medical and health institutions and disease prevention and control institutions have the authority to collect and report information concerning public health emergencies. Further, governments and emergency command headquarters have the power to designate or authorise other institutions (eg, sub-districts, townships or residents' committees) to assist in collecting and reporting relevant information, by way of emergency response plans, infectious disease prevention and control schemes and emergency decisions.(2) If these competent authorities and authorised institutions require companies to cooperate in collecting and providing employee personal information, the companies must cooperate.
The CAC Notice provides that, except for institutions authorised by the State Council's health and sanitation department in accordance with the Cybersecurity Law, the Law on the Prevention and Treatment of Infectious Diseases and the Regulation on Responses to Public Health Emergencies, no other entity or individual may collect or use personal information on the grounds of epidemic prevention and control without the consent of the person whose personal information is collected. Where laws or administrative regulations provide otherwise, those provisions prevail. Thus, no individual or entity other than the authorised institutions listed above may compel companies and their employees to provide personal information. For example, if an office building's property management requires tenants or their employees to provide such personal information but cannot show that it has obtained the above authorisation, the tenant and its employees may refuse.
Where a company collects and uses employee personal information at the request of disease prevention and control and medical institutions in the prevention, control and treatment of infectious diseases in accordance with the CAC Notice and relevant laws and regulations, the company does not need to obtain employee consent.
Under the abovementioned laws and regulations, in the face of an infectious disease epidemic, all entities and individuals in China must accept the preventive and control measures taken by disease prevention and control institutions and medical institutions for the investigation, testing and sample collection relating to infectious diseases and for quarantined treatment of such diseases, and they must provide truthful information about any relevant disease. No entity or individual may conceal, delay reporting or make a false report of an emergency, or procure another person to do so. On receiving a report, the national and local governments and the competent health administration department must immediately investigate and verify the reported matter, take the necessary control measures and report the result of the investigation without delay. Thus, in the event of a public health emergency, companies and employees have a legal obligation to provide relevant information truthfully in accordance with any requirements of the disease prevention and control institutions, medical institutions, national and local governments and competent authorities. This obligation is imposed on companies and their employees on a compulsory basis; employee consent is not required.
A company may also collect such information on its own initiative, in particular where it has not yet been asked by the disease prevention and control institutions, medical institutions, national and local governments or competent authorities to provide COVID-19-related information on its employees, but plans to collect relevant data in order to understand the impact of the outbreak on employees and take corresponding measures. Although cooperating with such collection is not a legal obligation of employees, in a severe epidemic the collection of employee information is directly related to the life and health of employees, to public health and to significant public interests, so the voluntary collection and use by companies of their employees' personal information has a certain justification. Although the CAC Notice prohibits unauthorised entities and individuals from collecting and using personal information on the grounds of epidemic prevention and control without the consent of the person whose data is collected, it does not prohibit companies from collecting employee personal information with the employee's permission. Thus, if a company can satisfy the principle of 'informed consent' under the Cybersecurity Law and the Personal Information Security Specification, it may still collect and use personal information relating to the epidemic, even without authorisation from the relevant competent authorities.
Companies can require employees to provide the personal information necessary for the performance of their employment contract at any time. By contrast, personal information that is not essential for the performance of the employment contract but is collected to fight an epidemic may be collected and used only during that epidemic.
In principle, employee personal information collected by a company for the performance of the employment contract may be used only for that purpose. Personal information collected for epidemic prevention and control is limited either to the scope of the prevention, control and treatment of infectious diseases requested by the disease prevention and control institutions and medical institutions (where the company collects it to perform a legal obligation) or to the scope consented to by the employees (where the company collects it voluntarily).
Whether employee personal information is collected at the request of disease prevention and control institutions, medical institutions, national and local governments and competent authorities, or collected by the company on its own initiative, the company must safeguard it through strict management and technical protection measures to prevent theft and leakage. Further, according to the CAC Notice, no entity or individual may disclose personal information (eg, name, age, ID card number, telephone number or home address) without the consent of the person whose data is collected, except where the information is needed for joint prevention and control work and has been anonymised.
Companies should inform employees of the grounds for collecting the relevant information, the purpose of the collection and the consequences of refusing to provide it. If employees still refuse to provide the relevant data, the company may, on request, provide the personal data on the employee that it already holds to the competent authorities, and the competent authorities may themselves require the employee to provide additional personal information.
The relationship between a company and its employees is usually an employment relationship; the company has no administrative authority over them. If employees refuse to provide the relevant personal information, the company cannot force them to do so.
Under the Law on the Prevention and Treatment of Infectious Diseases and the Regulation on Responses to Public Health Emergencies, individuals who fail to perform their reporting duties or to cooperate with an investigation may be subject to administrative or disciplinary penalties. Where an individual's failure to perform reporting duties leads to the spread of an infectious disease or to personal injury or financial loss to others, the individual will be liable under civil law. Conduct that violates the Public Security Administration Punishment Law will be penalised by the public security organs, and conduct that constitutes a crime will be pursued for criminal liability.
If an employee's conduct constitutes a crime and the employee is held criminally liable according to law, the employer may unilaterally terminate the employment contract under Article 39 of the Employment Contract Law. However, if the conduct does not constitute a crime and the employee has not been investigated for criminal liability, the company cannot punish the employee directly on that basis. In that situation, whether the company may discipline the employee must be examined case by case according to the company's own rules and regulations.
In light of the above analysis, companies may want to add the following caveats in a written notice with regard to the collection of employee personal information:
- The collection of COVID-19-related information required by the relevant disease prevention and control institutions, medical institutions, national and local governments and competent authorities is a legal obligation of employees. Refusal to provide such information may constitute a violation of laws and regulations and trigger the corresponding legal liabilities.
- Where the collection of relevant information is not explicitly required by the relevant disease prevention and control institutions, medical institutions, national and local governments and competent authorities, the company should explain to employees the purpose, scope and means of use of the collected information, together with any other factors that justify the processing (eg, given the 14-day virus incubation period mentioned in the COVID-19 diagnosis and treatment plan published by the government, information provided by employees will help the competent departments and the company understand the situation and respond to and control the development of the epidemic effectively), and should explicitly obtain the employees' written consent to the collection.
Companies can also consider improving their rules and regulations or employment contracts to clarify that employees must cooperate to fulfil legal obligations provided by relevant laws and regulations or required by competent authorities in special cases such as health emergencies. Where an employee refuses to cooperate with an employer to fulfil such obligations and causes damage to the company, they will bear the corresponding liability.
When collecting personal information, companies must ask employees to confirm that the information provided is lawful, true, complete and valid. Where a company finds that the personal information provided by an employee is false, fabricated or incomplete, it may take disciplinary action against the employee according to its rules and regulations. If the employee's conduct is suspected to be illegal, the company should report it to the competent authorities.
Under the Employment Contract Law and other relevant regulations, companies may discipline employees through their rules and regulations and take the corresponding disciplinary action. At the same time, employees who provide incorrect personal information that affects epidemic prevention and control will also bear the corresponding legal liability under the Emergency Response Law.
Because of the needs of epidemic prevention and control, companies may require employees to provide and update the relevant personal information at any time. Even employees who are in a period of self-quarantine or delayed return to work must provide information to their employer as required by law. However, the principles described in the third and fourth questions above continue to apply to the provision of personal information by employees during this period. If employees fail to provide the personal information required by the competent authorities, the company should, after fully explaining the potential legal consequences to the employee, report this to the competent authorities promptly.
Differential treatment must be limited to what the prevention, control and treatment of infectious diseases require. Employment discrimination is not allowed.
The Labour Law provides that "labourers have the right to be employed on an equal basis, choose occupations", while the Law on the Prevention and Treatment of Infectious Diseases provides that "no entities or individuals shall discriminate against infectious disease patients, pathogen carriers, and suspected infectious disease patients". The Cybersecurity Law, the Personal Information Security Specification and other relevant regulations also make it clear that personal data must be used for specific purposes.
Personal information collected and used by companies for epidemic prevention and control must be used strictly for that purpose and for nothing else. After the epidemic, such personal information must be retained, deleted or destroyed in accordance with the law. During the epidemic, companies may take reasonable prevention and control measures that reflect the different circumstances of employees affected by the epidemic (eg, requiring a relatively longer home observation period for employees recently returning from Hubei Province). However, companies should note that such personal information cannot be used to discriminate against employees; where discrimination occurs, employees have the right to hold the company legally liable.
In response to the needs of epidemic prevention and control, various local governments have encouraged companies to adopt telecommuting (eg, working from home). Companies use their own platforms or third-party platforms to carry out their work, and in the process may need to collect, use and share employee personal information, either alone or together with a third party. Under the relevant provisions of the Cybersecurity Law and the Personal Information Security Specification, personal information must not be provided to others without the consent of the personal information subject. Where the personal information controller and the third party act as joint personal information controllers, they must jointly determine, by contract or other means, the personal information security requirements that the third party must meet and the respective liabilities and obligations of each party for personal information security, and must inform the personal information subject accordingly.
(2) Please see Articles 11, 21, 31, 36 and 40 of the Regulation on Responses to Public Health Emergencies; Articles 7, 12, 20, 53 and 54 of the Law on the Prevention and Treatment of Infectious Diseases; and Articles 20, 44, 45 and 56 of the Emergency Response Law.