Career Advice Legal Case studies for employers

Employers are obliged to keep personal data private

The Background
Data protection in China has been in the news a lot this year. Not only have new data-protection regulations been issued, but prosecutions have also increased dramatically. Employers, therefore, should be aware of their obligations and the risks involved.

In terms of prosecutions, four Chinese employees at business-information firm Dun & Bradstreet were reportedly jailed in January for buying the personal data of Chinese citizens. Chinese prosecutors also reported 30 cases of personal-data theft, involving 57 suspects, in the first half of this year. By contrast, there was only one case, involving eight suspects, in the first half of last year. More recently, the arrest of private investigators Peter Humphrey and Yu Yingzeng is reported to concern the trafficking of personal data of Chinese citizens.

Below we will look at related laws and regulations and comment on certain employment-related data-protection issues to which all employers must pay attention.

The Laws
China’s Tort Liability Law has recognised a general right to privacy since 2010. However, the law is short on details, and fails to even specify whether or not the right to privacy extends to personal information. Since the implementation of this law, various data-protection regulations have been issued, although many tend to be industry-specific, with a number covering internet service providers.

One of the more recent data-protection initiatives is the Guidelines for Personal Information Protection, effective since February 2013. The guidelines are only applicable to certain data collectors and data processers on a voluntary basis. However, it is broadly expected that more general regulations, when issued, will reflect the principles set out in the guidelines.

The Action Required
While there are no general data-protection provisions in China, employers do have a specific obligation to keep the personal data of their employees confidential. The requirement is brief and apparently simple. That is, an employer must maintain the confidentiality of personal information relating to its employees and, in particular, employee consent is required before their personal information can be disclosed to a third party.

This requirement, which dates back to 2008, is not new. However, it remains to be seen whether the authorities will refer to guidelines from earlier this year in order to determine whether the employer has taken adequate steps to ensure that personal data has is being kept confidential.

One area where employers can easily trip up concerns the outsourcing of human resources functions. Care must be taken to ensure that each employee has consented to having their personal information transferred to the third party. A good place to document consent is in the employment contract. If consent is not given there, then it must be documented separately. The drafting of the consent should be broad enough to cover various types of data transfers that may be needed, but not so broad as to essentially negate the employee’s right to confidentiality.

According to Chinese prosecutors, around half of the cases arising in the first half of this year involved employees taking advantage of their positions to sell customer data or to use customer data to promote their own products. This means that although an obligation to safeguard customer personal data is not directly an employment-law matter, it can quickly become one.

Employers need to be extra vigilant with the customer data that they hold. Not only can the leakage of personal data cause significant embarrassment for the employer, there is also the possibility of being found liable for negligence.

In order to decrease the risk of leakage, employers should ensure that customer data is only accessed by those who truly require access for their jobs. Access to such data should also be monitored, preferably in real time.

On the legal side, employee contracts and the employment handbook should contain appropriate disciplinary measures in the event that an employee misuses customer personal data. Employee obligations should also be adequately addressed at induction and periodically reinforced.


Herbert Smith Freehills has 2,800 lawyers and 460 partners in over 20 offices globally. It advises on dispute resolution and employment, among other areas.
Karen Ip is a partner of Herbert Smith Freehills in Beijing.


The information contained in this article should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases. If advice concerning individual problems or other expert assistance is required, the service of a competent professional adviser should be sought.