How to Legally Process Employees' Personal Information in China
The Personal Information Protection Law of China ("PIPL") is by far the most significant legislation for personal information protection in China. Many provisions of PIPL will have significant impact on personal information processing for human resource management. The purpose of this article is to help employers in China understand the groundbreaking provisions and principles of PIPL and deal with the challenges brought by it in human resource ("HR") management.
I. Scope of Employees' Personal Information
According to Article 4 of PIPL, personal information refers to all information relating to an identified or identifiable individual that is recorded electronically or otherwise, excluding anonymized information. Based on this definition, the scope of employees' personal information can be very broad.
1. In terms of form, it includes not only electronic records, such as the record of an employee's basic information stored in the IT system, but also non-electronic records, such as hard copies of academic credentials and degree certificates provided by the employee.
2. In terms of substance, all types of information related to an employee fall into the scope of personal information, such as education experience, work experience as well as qualification and certificates obtained.
Note that personal information does not include anonymized information. But PIPL provides for very strict requirements as to what may be considered anonymization. Proper anonymization of personal information should guarantee that a specific natural person is not identifiable, and such anonymization should be an irreversible process. From the perspective of HR management, anonymized employee information cannot be used for employee management, undercutting its value.
II. Scenarios for Processing Employees' Personal Information
There are different stages in the employment process of a company, and the needs for HR management are diverse. In the daily operation of a company, many scenarios involve the processing of employees' personal information. For example:
1. In the initial stage of recruitment, the collection of various types of information about an applicant through headhunters, recruitment websites or other channels, such as his or her name, mobile phone number, email address, academic degree, and work experience.
2. In the process of background check, the collection and verification of (or entrusting a third party to collect and verify) the information about an applicant’s work experience and qualifications.
3. At the establishment of the employment relationship, an employer may ask the employee for a medical examination report or for information about the employee's identity card number, residential address, emergency contact, ethnicity, marital status, family members' names, and bank account for salary payments.
4. In the process of managing employees:
a. The process of attendance tracking may involve the collection and use of personal biometric information such as facial features, fingerprints, and irises, as well as real-time location information.
b. When an internal investigation of employees is conducted, the employer may retrieve an employee’s personal information stored in the IT system and office equipment.
c. Multinational companies may provide their overseas parent companies with employees' personal information.
d. Companies may provide the contact information of employees to their suppliers or customers.
e. An employer may provide personal information of employees to external parties when it contracts with a third party to pay employee wages, provide training to employees, manage personnel files, calculate and pay taxes, or conduct investigations into internal irregularities.
III. The Legal Bases for Processing Employees' Personal Information
1. Five Legal Bases for Exempting Processors from the Obligation to Obtain Consent
Article 13 of PIPL sets out the legal bases for the processing of personal information. In addition to obtaining an individual's consent, a personal information processor may process personal information on five other legal bases.
Take "necessity for the performance of a contract to which the individual is a party" as an example: if an employer agrees in the employment contract to purchase supplementary commercial insurance for its employees, it may use employees' personal information to purchase that commercial insurance according to the agreement without obtaining consent from the employee.
Article 13 of PIPL stipulates that only under at least one of the following circumstances may a personal information processor process personal information:
I. having obtained consent from the individual;
II. where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or where it is necessary for human resource management under the employment rules and regulations formulated in accordance with the law and the collective contract entered into according to the law;
III. where it is necessary for the performance of statutory duties or obligations;
IV. where it is necessary for public health emergency responses or for the protection of a natural person's life, health and property safety under emergency;
V. where it is necessary to process personal information within a reasonable scope to carry out activities, such as news reporting and supervision by public opinion for public interest;
VI. to process, within a reasonable scope, personal information voluntarily disclosed by the individual, or other legally disclosed personal information in accordance with this Law; and
VII. other circumstances prescribed by laws and regulations.
In accordance with other relevant provisions of this Law, the consent of the individual shall be obtained for the processing of personal information provided; however, the consent of the individual is not required under the circumstances prescribed in Items (II) to (VII) of the preceding paragraph.
2. Whether "Separate Consent" Applies to the Five Legitimate Circumstances that Exempt a Processor from Obtaining Personal Consent
In addition to the above five legitimate circumstances under which an information processor can be exempted from obtaining consent from an individual, PIPL also specifies five circumstances where "separate consent" from an individual is required. In the following table, we give contextualized examples for these five circumstances:
Furthermore, according to the Management Regulation of Network Data Security (Draft for Comment), which was published on 14 November, 2021, operators of internet platforms must also obtain separate consent from individuals if personal information is collected for personalized pushes.
PIPL does not specify the format to obtain separate consent from individuals. However, "separate consent" must at least satisfy the basic criteria of a regular consent, i.e., it must be based on the "full knowledge of the individual" and be "voluntarily and expressly made by the individual". Furthermore, based on the legislative intent, "separate consent" is intended to allow individuals to have more say in the processing of personal information, become fully aware of how their personal information will be processed under certain circumstances, and decide on the consent, restriction, or refusal of the processing of their personal information. Therefore, "separate consent" must be separately solicited from the individual by the processor after regular consent is obtained from the individual as stipulated in Article 13 of PIPL.
According to the Management Regulation of Network Data Security (Draft for Comment), separate consent means that processors must obtain separate consent for each type of personal information involved in the processing instead of soliciting overall consent for multiple processing activities involving multiple types of personal information. Such requirement will almost certainly make it more difficult for employers to obtain separate consent. On the one hand, employers must obtain separate consent when processing corresponding personal information, such as when using employees’ sensitive personal information. On the other hand, separate consent must be solicited for every single processing activity based on each type of personal information involved. Employers are no longer allowed to conduct all processing activities based on overall consent.
Moreover, according to the Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases with Respect to Processing Personal Information by Using Facial Recognition Technology, to obtain separate consent, the processor may not: (i) request consent by means of bundling such consent with other consents, or (ii) otherwise force the person to give consent. Therefore, if an employer needs to obtain separate consent from its employees, it should avoid using "bundling consent" or "forced consent", such as obtaining all consent to process employees' personal information through a general Employee Privacy Statement or dismissing employees if they refuse to provide consent.
The above strict requirements for separate consent imposed by PIPL and relevant judicial interpretations will certainly increase the compliance costs of employers, and the processing of employees' personal information will certainly become more complicated. Thus, a question may arise: can the five legitimate circumstances that exempt processors from obtaining consent from individuals apply to the scenarios where separate consent is required?
Currently, there are three types of opinions on this issue:
1. The dominant opinion holds that "separate consent" is a type of regular consent. If a processor can exempt itself from obtaining consent in accordance with the five legitimate circumstances, then it does not need to obtain separate consent from individuals. The authors also agree with this view. For example, if an employer agrees in an employment contract to purchase supplementary commercial insurance for its employees, the employer may, in accordance with such contract, use relevant personal information of the employees to make such purchase by providing the employees' personal information to insurance companies. Such action constitutes the provision of personal information to other processors, but there is no need to obtain separate consent from the employees.
2. Another opinion is that “separate consent" is of higher standard than regular consent. Even if a processor is exempted from obtaining consent based on the five legitimate circumstances, it cannot be exempted from the requirement of obtaining separate consent. This view focuses on the original legislative purpose: “separate consent" is designed to provide individuals the right to make decisions in the processing of their personal information. If "separate consent" is exempted, the individual will not be able to fully participate in the decision-making of the personal information processing.
3. The third opinion states that whether “separate consent" is required depends on whether private interests or public interests are involved in a particular circumstance. For example, under the circumstances that only involve private interest, such as “it is necessary to conclude or perform a contract to which the individual concerned is a party", or “it is necessary for human resources management in accordance with legally formulated employment policies and collective contracts", separate consent is still required because the processing is only for personal or business interests. However, for matters relating to public interest, such as “public health emergency responses", separate consent is not required.
Each of the abovementioned opinions has its own merits, and the contention among the three brings uncertainties to the processing activities. Which opinion should be adopted requires further clarification by relevant law enforcement and judicial practices.
IV. Important Principles for Processing Personal Information of Employees
Even if an employer has the legal basis to process employees' personal information, it still needs to comply with other requirements of PIPL, most importantly, the "principle of the minimality and necessity" and the "principle of openness and transparency".
1. Principle of the Minimality and Necessity
According to Articles 6, 19 and 28 of PIPL, compliance with the principle of the minimality and necessity means an employer must review the following aspects regardless of the legal ground on which it processes its employees’ personal information:
a. whether the processing of employees' personal information has specific and reasonable purpose(s);
b. whether the processing is directly related to such purpose(s);
c. whether the processing is conducted in a way that has the least influence on employees’ individual rights and interests;
d. whether employees' personal information is collected only to the extent necessary;
e. whether the retention period of employees’ personal information is the shortest period necessary to achieve the processing purpose; and
f. where sensitive personal information is involved, whether the processing has a specific purpose and sufficient necessity, and whether strict measures have been taken to protect employees' sensitive personal information.
The following chart lists legal bases with regard to employees' personal information that is likely to be handled by the employer during the hiring process.
Local regulations on employment contract have more specific provisions on what constitutes the "basic information directly related to the employee and his/her employment contract" as set forth in the Employment Contract Law. Regulations in different provinces vary slightly, but generally include basic identity information (such as name, address and valid identity number), health conditions, knowledge and skills, work experience and status of competition restriction as “basic information related to the employee and employment contract".
Employers should pay special attention to the scope of the “basic information directly related to the employee and his/her employment contract". For example, when collecting “health conditions", employers should examine whether the information is related to the performance of duties of the recruiting position. For another example, companies may risk violating the principle of minimality and necessity by collecting fertility information from female candidates or employees without justified reasons. In June 2021, it was reported that a famous Chinese company required female candidates to report their "childbirth plan" during its recruitment process. Such action was considered as gender discrimination as well as excessive collection of personal information.
Employers should ensure that the collection and processing of relevant information during the recruitment process do not constitute discrimination against employees. The Labor Law, the Employment Promotion Law and the Provisions on Employment Service and Employment Management prohibit discrimination on the ground of gender, ethnicity, race, religious belief, disability, infectious disease or whether the candidate is a rural worker. For example, Article 30 of the Employment Promotion Law provides that unless the employer recruits for a position which is likely to spread infectious diseases, it cannot refuse to recruit a person carrying any such disease. That is to say, for ordinary positions in ordinary businesses, employers will not have sufficient reasons to collect employees' information about infectious diseases such as Hepatitis B and AIDS. Otherwise, employers may be subject to administrative penalties for discrimination in employment.
2. The Principle of Openness and Transparency
Article 7 of PIPL stipulates the principle of openness and transparency, requiring that processors must make public their rules on processing personal information, and expressly state the purpose, method and scope of such processing. The principle of openness and transparency entails the “duty of notification". No matter whether the processing is based on consent or any of the other five legal grounds, employers are obliged to inform employees of the rules applicable to such processing beforehand, unless otherwise exempted. In performing the duty of notification, employers should pay attention to the following two aspects, namely the notification’s form and substance:
1. As for the substance of notification, employers must inform employees of the following matters before processing employees' personal information:
a. the name and contact information of the employer that is to process employees' personal information;
b. the purpose and method of processing, the type of personal information involved and the retention period of the processed personal information;
c. the method and procedure for employees to exercise relevant rights concerning their personal information (such as the rights to access and copy, to correct and supplement, to request deletion of and to withdraw consent regarding their personal information); and
d. in addition, pursuant to PIPL, under the following circumstances, certain matters must be in the notification to employees:
1) in the case of processing employees’ sensitive personal information, employers must also inform employees of the necessity of processing sensitive personal information and the impact on their personal rights and interests;
2) if personal information of employees is provided to a third party, employers must inform employees of the recipient's title or name, contact information, purpose and method of processing, and the type of personal information provided;
3) if personal information of employees needs to be transferred due to merger, division, dissolution, bankruptcy of employers or other similar reasons, employees must be informed of the recipient's title or name and information relating to the transfer contact; and
4) if personal information is provided to overseas parties, employers must inform employees of the recipient's title or name, contact information, purpose and method of processing, type of personal information provided and methods or procedures for employees to exercise relevant rights of personal information against the overseas recipients.
Furthermore, as prescribed in the Management Regulation of Network Data Security (Draft for Comment), employers must explain to employees the security risks to their personal information and the relevant protective measures taken.
2. As for the form of notification, employers should meet the following requirements:
a. in principle, employers must inform employees before processing their personal information. If, in an emergency, an employer is unable to inform employees in time because it must act to protect their life, health and property, the employer should inform them promptly after the emergency ceases;
b. the notification must be conspicuous. Notifications made in a way that is hard for employees to access may not be deemed as effective notifications;
c. the notification must be clear and easy to understand. In particular, multinational companies must inform their employees in their native languages;
d. the notification must be true, accurate and complete. The employer's actual processing of employee information must be consistent with the notification;
e. if there is any change to the notification, employees should be informed of the change in time. This requires employers to establish a sound internal mechanism to identify any processing inconsistent with the notification and to inform employees of the inconsistency without delay; and
f. if the notification has been made in the form of personal information processing rules, such rules should be publicized and easy for employees to access and save.
3. PIPL also prescribes the circumstances under which notification is exempted:
a. if a government authority processes personal information for the purpose of performing its statutory duties, and notification would prevent the authority from performing such duties, then it is not required to inform the individuals; and
b. if laws and regulations require confidentiality or waive the duty of notification, it is not necessary to notify the individuals.
The implementation of some provisions of PIPL is to be further clarified by the relevant implementing rules. However, employers should still pay attention to the legal obligations and relevant liabilities provided in PIPL. There will be more challenges once the Management Regulation of Network Data Security (Draft for Comment) officially takes effect. For complex scenarios of processing employees' personal information in human resources management, it would be advisable for employers to sort out and assess compliance risks as soon as possible and take measures to meet the compliance requirements of PIPL.