FAQ on the obligations of employers in China to keep personal data confidential (“the obligation”)
Q1. What are the main laws and regulations about the obligation?
A: (a) China’s Tort Liability Law has recognized a general right to privacy since 2010. However, the Tort Liability Law is short on details and doesn’t even specify whether the right to privacy extends to personal information. Since then, various data-protection regulations have been issued, although many tend to be industry-specific, with a number covering internet service providers.
(b) One of the more recent data protection initiatives was the Guidelines for Personal Information Protection, effective February 2013. The guidelines are only applicable to certain data collectors and data processors on a voluntary basis; however, it is broadly expected that more general regulations, when issued, will reflect the principles set out in the guidelines.
Q2. What should the employer do with the personal data of its employees?
A: An employer must maintain the confidentiality of personal information relating to its employees and, in particular, an employee’s consent is required before his/her personal information is disclosed to a third party.
Care must be taken to ensure that each employee has consented to having their personal information transferred to the third party. A good place to document consent is in the employment contract. But if consent is not given in the employment contract, then it must be documented separately. The drafting of the consent should be broad enough to cover various types of data transfers that may be needed, but not so broad as to essentially negate the employee’s right to confidentiality.
Q3. What should the employer do with the personal data of its customers?
A: Employers need to be extra vigilant with the customer data that they hold. Not only can the leakage of personal data cause significant embarrassment for the employer, but it can also lead to the employer being found liable for negligence, a possibility that should be avoided. In order to decrease the risk of leakage, employers should ensure that customer data is only accessed by those who truly require access for their jobs. Access to such data should also be monitored, preferably in real time. On the legal side, employee contracts and the employment handbook should contain appropriate disciplinary measures in the event that an employee misuses customer personal data. Employee obligations should also be adequately addressed at induction and periodically reinforced.