When collecting personal data in China, the Cybersecurity Law is very clear: you can collect only what is necessary for the purpose. And for many HR leaders these days, that purpose is health measures for preventing COVID-19.
To improve employee health and safety and to comply with regulations and guidelines, companies are setting up a range of measures to monitor their employees. Thermal monitors at the front desk to questions about travel are now becoming common across the country.
But in our zeal to collect and analyze data around employee health, are HR leaders in danger of running afoul of the Cybersecurity Law? The answer boils down to the comprehensiveness of your privacy framework.
Start with a privacy framework
Carolyn Bigg, partner at DLA Piper argues that China has a “very robust framework.” The issue is that the Cybersecurity Law is not the only one that addresses privacy. There are others, along with guidelines and recommended measures.
“So, it is a jigsaw of laws rather than one monitoring privacy law. But there is already a strong data protection framework that employers should be following. This is not new,” Bigg says.
COVID-19 has created an unusual situation for employers in China. Many employers are asked to adopt proper monitoring controls for prevention.
“The question is what form of controls,” says Lauren Hurcombe, a registered foreign lawyer from DLA Piper.
First, HR leaders need to separate monitoring and data collection. Monitoring temperatures to find out whether a person is fit to work is reasonable; collecting, storing and analyzing that health data can be privacy intrusive.
“What’s more important is that the methods [employers] have adopted are being proportionate and not excessive. So, it is really important to understand what [data] you are collecting and the reasons why you are collecting it,” says Hurcombe.
Second, HR leaders cannot hide behind an established privacy framework.
In China, privacy notices and consent are essential. “So, if you are collecting any personal data in China, you have to give an employee a privacy notice. You need to be clear and transparent in what you are doing, and you have to get their consent,” she says.
Many of these privacy matters are covered in the employment contract. The problem is that some of these may be outdated or may not cover monitoring for COVID-19.
“What organizations need to do is to look back at their notices and consent. And if they do not cover what you are doing, you need to revisit them,” says Hurcombe.
Bigg also notes that employee monitoring can differ from jurisdiction to jurisdiction.
“For example, in some parts of China and Asia there are already requirements for some of this monitoring to be in place. In contrast, in parts of Europe it is actually the opposite,” she says.
Across Asia and even in different provinces, health data collection is becoming accepted. In some cases, authorities ask employers to share this data.
However, Bigg points out that HR leaders should not immediately share employee data just because an authority asked for it.
“One thing the privacy and HR professionals need to bear in mind is that even if an authority is asking for the data, you still need to ensure it complies with your privacy framework,” she explains.
“You need to find out whether it is proportionate and justified. Obviously, everyone wants to cooperate with the authorities, but you need to make sure you are checking your framework.”
Laws can change
Both Bigg and Hurcombe agree that companies who are GDPR compliant or follow similar privacy frameworks “are in pretty good shape.” As a rule of thumb, they advise HR leaders to find the least privacy intrusive way to protect your employees while keeping the privacy framework in mind.
“That is the best approach for HR leaders: balancing those two,” says Bigg.
Being transparent on what you are doing with the data is equally important. “The current situation should remind us that health data is justifiable to collect from employees for business operations and protecting the security and health of employees,” says Bigg.
HR leaders also need to understand that the pandemic is an unusual situation that is constantly evolving. “So, the monitoring you think is appropriate now need to be kept under review. Because rules and regulations can change, and they do in China.”
Photo credit: iStockphoto/Evgeny Gromov