The World Health Organization (WHO) declared on 30 January 2020 that the outbreak of 2019-nCoV (novel coronavirus) is a "Public Health Emergency of International Concern." This is, in part, an acknowledgement of the geographic spread of the virus and of the need for intensified support for preparation and response, especially in vulnerable countries and regions. Further information is available in the WHO statement. On 31 January 2020, the Centers for Disease Control and Prevention (CDC) in the United States also declared a public health emergency for the U.S.
This alert focuses on issues relating to data privacy in an employment context. We outline common issues that businesses operating in the People’s Republic of China (PRC or China), Hong Kong and Singapore are likely to face arising from the outbreak of a novel type of coronavirus. The issues that we have identified are not meant to be exhaustive. As this is a developing situation, governments are revising their responses to mitigate the emerging risk to public health.
As multinational corporations (MNCs) doing business in regions affected by the novel coronavirus strive to ensure the health and safety of their employees, they must be aware of the various restrictions and requirements imposed on them for the collection, use, disclosure and retention of employee personal data. It is not advisable for MNCs to adopt the same measures across jurisdictions, as each jurisdiction has its own distinct requirements and limitations.
While this commentary is focused on the PRC, Hong Kong and Singapore, as these jurisdictions have comprehensive and relatively active regulation and enforcement, similar issues and implications are likely to apply across other jurisdictions in Southeast Asia, where the laws are fragmented and diverse. We invite readers to contact us directly with questions regarding other jurisdictions in Southeast Asia, such as the Philippines, Thailand and Malaysia, as well as any other issues not addressed below.
Can an employer ask its employees to submit health declaration forms that provide personal data – for instance, whether they are experiencing symptoms and have traveled to, or been in close contact with persons who have traveled to, regions affected by the novel coronavirus?
PRC laws do not prohibit employers from collecting health declarations containing personal data from their employees. In addition, the PRC Employment Contract Law allows employers to collect their employees’ basic information where it directly relates to the employment contract. Therefore, employers may collect health declarations from their employees with respect to efforts to monitor for infection or otherwise maintain public health.
However, restrictions do apply, and we therefore recommend that employers strictly abide by the applicable PRC data privacy rules pertaining to the collection and processing of their employees’ personal data. In particular, employers should:
- only collect and process personal data for a legitimate, just, necessary, and specific purpose;
- inform data subjects of the purpose(s), methods, and scope of data collection and use, and obtain their consent before collecting, processing or using personal data (in the case of sensitive personal data, such as health information, “explicit consent,” i.e., consent given in writing or through another affirmative act, must be obtained from the data subjects);
- not collect irrelevant personal data; not divulge, tamper with or damage the personal data collected; and not provide such data to others without the data subjects’ consent; and
- adopt technical and any other necessary measures to ensure the security of the collected personal data and prevent the personal data from being divulged, damaged or lost.
Additionally, we recommend that companies designate HR to be in charge of communicating with employees regarding the collection of employee personal data and to address questions or concerns that the employees might have related to the novel coronavirus outbreak. Furthermore, employers should ensure that personal data contained in a health declaration, or otherwise disclosed by an employee, is deleted when it is no longer necessary to retain such data.
The leaking of information concerning any suspected case of infection within a company could give rise to speculation concerning the medical condition of the particular employee. We therefore recommend that discussions with any employee regarding their health status or close contact with individuals who have contracted the novel coronavirus, or any other discussions related to the novel coronavirus, be conducted by HR in a setting where the confidentiality of the discussion can be maintained. Other managers who have similar discussions with employees should consult HR, who can follow up with the employees regarding related company policies. HR should also be tasked with continuously monitoring government directives on disease controls and workplace environmental health and safety, while also taking appropriate measures to comply with data protection requirements.
Yes. In Hong Kong, it is permissible for an employer to request that its employees submit health declaration forms, especially in the event of an outbreak of an infectious disease such as the novel coronavirus. In collecting and using the personal data of employees, the employer should take care not to contravene the provisions of the Personal Data (Privacy) Ordinance (PDPO) or its own personal data policy (if one exists). In the request (or in the health declaration form itself), the employer should set out the purposes of collecting the data, such as assessing the risk of an outbreak of the disease in the workplace, implementing control measures, ensuring a safe and healthy working environment, and sharing the data with governmental authorities, insurers and the health care providers involved in treating the employees.
Yes. In Singapore, asking employees to complete a health declaration does not in itself constitute a breach of data protection law. There are, however, specific rules in Singapore restricting the collection and use of national identification information such as an individual’s national registration identity card number, passport number or foreign identity card number. An organization can only collect or use such national identification information where this is required by law or where there is a need to ascertain or verify identities to a high degree of fidelity. Pursuant to their obligations under the Singapore Employment Act, employers are required to maintain employment records for their employees, so the collection of employees’ national identification numbers is already required, and therefore authorized, by law. Accordingly, employers can collect their employees’ national identification information as part of the health declarations.
In contrast, for any individuals who are not employees – for instance, interns or visitors to the office – it would accord with good practice for an organization to collect and use unique identifiers other than national identification information. These may include their full name, designation, company name, mobile number and email address.
Can the employer disclose the personal data collected from employees to third parties?
Entities in China are required to keep confidential any personal data they collect, and any disclosure of personal data to third parties is subject to the informed and express consent of the data subjects. However, PRC national standards concerning the protection of personal data provide certain exceptions, where personal data may be disclosed to third parties without the data subject’s consent. For example, consent is not required if the disclosure is:
- required by government authorities in order to cooperate with an inquiry or investigation;
- directly related to national security or national defense;
- directly related to public safety, public health, or significant public interests;
- directly related to a criminal investigation, prosecution or trial, or the enforcement of a judgment, etc.;
- required to safeguard the basic rights and interests of individuals (such as the right to life and property), where obtaining consent would be impracticable;
- of personal data that the data subject has made publicly available; or
- of personal data that was obtained from legitimate public sources, such as legitimate news reports and open government information.
In response to the outbreak of the novel coronavirus, companies’ disclosure of employees’ health status to government agencies may become mandatory as it directly relates to public safety and public health, and is of significant public interest. Accordingly, companies may invoke this particular exception to the consent requirement, if necessary.
Under the relevant data protection principle of Hong Kong’s PDPO, personal data cannot be used or disclosed for a purpose other than the original purpose of its collection or any directly related purpose, unless voluntary and express consent for the new purpose is obtained from the relevant employee. In other words, consent from the employee is not required where the personal data is used or disclosed for the original purpose of its collection or any directly related purpose.
Where the disclosure is not for the original or a directly related purpose and no consent has been obtained from the employee, the PDPO nonetheless provides certain exemptions under which its restrictions on the use of personal data do not apply. For example, section 59 of the PDPO provides that, where applying those provisions to personal data would be likely to cause serious harm to the physical or mental health of the data subject (i.e., the employee) or of any other individual, the provisions do not apply. Section 61 also provides that personal data may be disclosed where the disclosure is made by a data user (i.e., the employer) that has reasonable grounds to believe that the disclosure is in the public interest. However, as the Privacy Commissioner for Personal Data has noted, the terms “serious harm” and “public interest” are not expressly defined in the PDPO, and data users are not compelled to rely on the exemptions; employers should therefore satisfy themselves that an exemption actually applies in the circumstances before disclosing an employee’s personal data.
It depends. Under Singapore’s Personal Data Protection Act, if an employer is legally required or permitted by any written law to disclose personal data, e.g., pursuant to a request by a public agency, then it can disclose that data without the need for employee consent. There are also exceptions to consent for any disclosure to a public agency where the disclosure is “necessary in the public interest,” or to any person where the disclosure is “necessary in the national interest.”
Further, the Personal Data Protection Act allows personal data about any current or former patients of a health care institution licensed under the Private Hospitals and Medical Clinics Act or prescribed health care body in Singapore to be disclosed without consent to a public agency for the purposes of policy formulation or review.
Additionally, consent is not required where the disclosure of data can be shown to be reasonable for the purpose of managing the employment relationship, e.g., limiting nonessential business travel to areas affected by the novel coronavirus.
Finally, disclosure of personal data without consent is permitted:
- where the disclosure is necessary to respond to an emergency that threatens the life, health or safety of any individuals;
- where the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent cannot be obtained in a timely manner;
- where there are reasonable grounds to believe that the health or safety of the individual concerned or any other individual will be seriously affected and consent cannot be obtained in a timely manner, in which case the organization will need to, as soon as practicable, notify the individual of the disclosure as well as its purposes; or
- for the purpose of contacting the next of kin or a friend of an ill or deceased individual.
However, where none of the relevant exceptions applies, an organization must refrain from disclosing personal data without consent from the relevant individual.
For how long can an employer retain the personal data contained in the health declaration forms?
In the PRC, employers will generally need to inform employees of, and obtain their consent to, the company’s collection, processing, use and retention of their personal data. Unless otherwise agreed with the employee, an employer may only collect and process the minimum amount and types of personal data needed to meet the legitimate business purpose set out in the scope of the consent granted by the employee. The employer may retain the personal data for as long as that purpose remains legitimate and necessary. Once the purpose has been fulfilled, or if it is no longer legitimate and necessary, the personal data contained in the health declaration must be deleted or anonymized in a timely manner.
In Hong Kong, the general principle is that all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is collected or is (or may be) used. If the data is no longer necessary for such purpose, it should be erased at the earliest practicable opportunity.
In Singapore, an employer is only allowed to retain personal data records (including health declarations) if it has a specific legal or business purpose for doing so. If no such purpose exists, the organization is obliged to destroy or anonymize that data completely. However, an employer could have a pre-existing and long-established HR policy of keeping copies of all its employees’ records (such as medical certificates, expense claims and health declarations) for the period of their employment and, say, for a further 12 months, as this would facilitate its employees’ annual performance reviews and enable it to evaluate recruitment practices and attrition rates. In such a case, it would be open to the employer to explain its justifications for revising the retention period, for instance, in its data protection or data retention policies.
Are there any other data protection requirements that organizations should be aware of?
In the PRC, companies must obtain explicit consent from employees before collecting and using their personal data. When sharing, transferring or disclosing personal data, companies must comply with the applicable regulations. Companies are also required to develop and implement privacy policies and a response plan for data breach incidents.
In Hong Kong, an employer should take all reasonably practicable measures to ensure that any personal data collected from its employees is protected against unauthorized or accidental access, processing, erasure, loss or use. Staff handling the personal data of employees should be trained to observe the employer’s personal data privacy policies, should exercise due diligence in applying those policies, and should be subject to procedures designed to ensure their compliance with them.
It is mandatory for an organization that collects, uses or discloses personal data in Singapore to appoint at least one data protection officer and to make their business contact information available to the public. Organizations are also required to develop and implement policies and practices to comply with the Personal Data Protection Act.
While employers can and should take steps to collect relevant data from or about their employees in addressing current public health concerns, the collection and use of such data, even if conducted in accordance with the relevant employment contracts, are still subject to restrictions and requirements under the applicable data protection law in each jurisdiction. In an atmosphere where employers may be under significant pressure to monitor the health of their employees, it is especially important to be aware of these limitations.
Although employee consent is generally required, employers should also be aware that they may be able to invoke exceptions to the consent requirement where there is an overriding justification for the collection, processing and use of personal data. In determining whether consent is required, employers should balance the company’s legitimate business or other legal purpose for collecting the information against the applicable restrictions and privacy protections, so as to ensure that the collection or processing is limited in scope and that appropriate security measures are implemented to protect the data from misuse or inadvertent disclosure.
Further information on PRC data privacy requirements is available from the Cyberspace Administration of China (CAC), which is considered the primary authority in charge of data privacy in the PRC, and from the websites of the related legislative and administrative authorities:
- Cyberspace Administration of China (CAC)
- National People’s Congress Standing Committee
- Ministry of Public Security
- Ministry of Industry and Information Technology
- State Administration for Market Regulation
- Ministry of Science and Technology
- Supreme People’s Court
- Supreme People’s Procuratorate
- National Information Security Standardization Technical Committee
- National Administration of State Secrets Protection
- Office of Security Commercial Code Administration
This article is co-authored by Carolyn Chia, a lawyer at Resource Law LLC.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.