
Monitoring resume submissions during work hours: on what legal basis?


Recently, it was exposed that an employee used the company's computer to submit resumes to a recruitment website during working hours. The activity was recorded in detail by the company's network monitoring system, and the employee was laid off after an interview with company leadership.

This news has aroused widespread concern about the privacy of employees. For a time, critical remarks such as "you don't know that your 'pants' have been ripped off by your boss" and "technology helps companies do evil" filled the Internet.

So, does the use of a specific software system to monitor employees' online behavior violate the personal privacy rights of employees? How can a company manage compliance? How should employee online monitoring be managed in specific industries? Internet Law Review today invited legal experts to analyze it.

Q1 Does the use of the Internet behavior management system by enterprises to collect employees' online behavior infringe on employees' personal information privacy rights?

There are 2 criteria for judging:

Whether to explicitly "inform" and obtain the "consent" of employees

Whether it is beyond the scope of "necessary"

Ms. Gao Jie:

First of all, to judge the problem, it is necessary to judge whether all the employee's online behavior constitutes the employee's personal information. According to article 1034 of the Civil Code, personal information refers to all kinds of information recorded electronically or otherwise that can be used alone or in combination with other information to identify a specific natural person, such as the name, date of birth, biometric information, address, whereabouts information, etc. of a natural person, which is identifiable.

The search keyword records formed by employees through the use of search engines reflect their network activity trajectory and Internet preferences, which are identifiable and therefore also belong to the personal information of employees.

So, does it constitute infringement for an enterprise to use the Internet behavior management system to collect such personal information from employees? According to the provisions of Article 1035 of the Civil Code, the handling of personal information shall follow the principles of legality, legitimacy and necessity. At the same time, Article 13 of the Personal Information Protection Law (hereinafter referred to as the "Individual Protection Law") stipulates that the consent of the right holder should be obtained, or that there should be statutory circumstances such as "necessary for the implementation of human resource management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law". So, to determine whether the enterprise's act constitutes infringement, it is necessary to see whether the enterprise obtained the employee's informed consent before carrying out the act, or whether the scope of employees' personal information that must be processed for the implementation of human resources management has been determined through the formulation of labor rules and regulations or the signing of a collective contract.

Where processing is necessary for an enterprise to implement human resource management, according to Article 6 of the Personal Information Protection Law, the collection of personal information shall be limited to the minimum scope for the purpose of processing. In this regard, reference can be made to the interpretation of the "minimum scope" in the "Regulations on the Administration of Network Data Security (Draft for Solicitation of Comments)", that is, where personal information is processed based on the consent of individuals, it is limited to the shortest period and lowest frequency for the purpose of processing, and the method with the least impact on the rights and interests of individuals is adopted. Therefore, even if processing is necessary for the implementation of human resources management, the management supervision of employees' performance of work duties should be limited to the minimum scope, the shortest period and the lowest frequency, and rights should be exercised within legal and reasonable limits.

In short, if the enterprise does not obtain the informed consent of the employee before implementing the act, does not determine the scope of the employee's personal information that is necessary for the implementation of human resource management by formulating labor rules and regulations or signing a collective contract, or even if it is necessary for the implementation of human resource management, but does not implement the act within the minimum scope, it may be suspected of infringing on the employee's personal information and thus bear the corresponding legal responsibility.

Lawyer Bai Xiaoli:

Enterprises monitoring employees' use of company computers may have the risk of infringing on employees' privacy rights and personal information rights. The potential risks are reflected in two ways:

1. Monitoring an employee's online behavior is less likely to be deemed to have infringed on the right to privacy if it is clearly notified in advance and the scope is limited to the necessary scope of the company's management, but if the operation is not standardized, or if the employee's privacy is probed beyond the necessary scope, it may be suspected of infringing the employee's privacy.

If in the company's rules and regulations, it is clearly stipulated that it is not allowed to browse the recruitment website during the work period, the company will deal with the above behavior once it is found, and the company clearly informs the employees of the need to install the Internet behavior monitoring system for standardized management, then the employee's behavior during this period will be considered not private, so in this case, the company's behavior will be considered to have a certain degree of reasonableness, and does not involve the issue of privacy infringement.

For example, in the (2020) Yue Min Shen No. 8843 "Employees Playing Umbrella to Work" case, the court held that the company's installation of cameras did not constitute an infringement of employees' privacy rights, and "the company's installation of surveillance cameras is a general company's normal exercise of the employer's right to supervise, and its behavior has a certain degree of reasonableness."

However, the company should take care not to monitor the behavior of employees outside of working hours, nor to invade the personal life or privacy of employees in the name of supervision, otherwise it may constitute infringement.

2. Monitoring employees' online behavior may involve the protection of employees' personal information rights and interests, and shall follow the requirements of laws and regulations related to personal information protection.

According to the provisions of the Personal Information Protection Law, if the processing of personal information is involved, the principle of informed consent and the principle of minimum necessity need to be followed. Under the Personal Information Protection Law, if an enterprise can prove that it is necessary to perform the employment contract between the two parties and realize human resource management, it can process personal information without obtaining the consent of the employee.

According to the relevant provisions of the "Information Security Technology Personal Information Security Specifications", an individual's web browsing records may constitute sensitive personal information. The handling of sensitive personal information requires not only the individual's separate consent, but also a specific purpose and sufficient necessity, and strict protection measures. Therefore, if an enterprise wants to monitor the online behavior of employees, it needs to standardize its operations in accordance with the requirements of the Personal Information Protection Law and other relevant regulations.

Q2 How can enterprises comply with the law?

Enterprises use the management system to monitor employees' online behavior mostly for company management, business protection and other purposes. However, because Internet behavior involves employees' personal information and may even be sensitive personal information, if it is really necessary for enterprises to monitor employees' online behavior, they also need to pay attention to the following points:

1. The enterprise shall, as far as possible, obtain the personal consent of the employee by signing an agreement or other means, and obtain the written approval of the employee (which can be paper or electronic) to comply with the principle of informed consent of the Personal Information Protection Law; if the written consent of the employee cannot be obtained for special reasons, it should at least ensure that the employee is informed of it;

2. The use of personal information collected through the above-mentioned monitoring system by enterprises shall be limited to the necessity of company management, and the personal information obtained shall be used within a reasonable range, and the personal information of employees shall not be misused;

3. For the employee Internet information collected by the monitoring system, the scope of personnel who can access the information shall be strictly limited, and strict management shall be carried out to avoid irrelevant personnel from accessing the information, and the protection of sensitive personal information shall be strengthened to prevent information leakage;

4. A sound data management system shall be formulated to regulate the provision, use and disclosure of personal information, and employees' personal information must not be provided externally unless there is a legal reason, let alone disclosed.

In general, if an enterprise wants to use a management system to monitor employees' online behavior, it should obtain the employee's informed consent in advance, or determine the scope of employees' personal information necessary for the implementation of human resource management by formulating labor rules and regulations and signing a collective contract, and collect relevant information in the minimum scope, shortest period and lowest frequency. In this regard, it is recommended that enterprises adopt a cautious attitude when determining the scope of personal information processed, and take "full necessity" as a consideration factor in delineating the scope of processing.

In addition, it is necessary to remind enterprises that the Personal Information Protection Law does not list all sensitive personal information. Enterprises can refer to Table B.1 of the "Information Security Technology Personal Information Security Specification" (GB/T 35273-2020) for examples of sensitive information. If employees' personal information falls within the scope of protection of sensitive personal information, enterprises must take strict protective measures when handling such information, such as the use of encryption, access authentication, de-identification, etc.

Q3 How should the compliance management of enterprises deal with the monitoring of specific industries?

1. Legitimacy and necessity of employee control in special industries

First of all, such industries generally have industry personnel management norms issued by institutions such as the Securities Regulatory Commission, such as the Code of Conduct for Securities Industry Practitioners, the Interim Provisions on Securities Investment Consulting Business, and the Guidelines for the Implementation of Compliance Management of Securities Companies; secondly, the securities, funds, and futures industries are of a special nature, and the task of insider trading prevention is serious, especially in the Internet age, information circulation is large, and it is indeed necessary for enterprises to control employees' online behavior.

Therefore, the monitoring of employees in special industries is in line with the provisions of Article 13 (2) of the Personal Information Protection Law: "Necessary for the conclusion and performance of contracts for individuals as a party, or for the implementation of human resources management in accordance with labor rules and regulations formulated in accordance with law and collective contracts signed in accordance with law", and has a certain legal basis.

Therefore, for special industries such as securities, funds, futures, etc., there has always been supervision of the call and Internet behavior of employees, including employee mobile phone number reporting, social software inspection, etc.; not only that, the competent departments will also make corresponding administrative penalties for those who are not well supervised by enterprises.

2. Special industries still need to pay attention to the "necessary scope" and protective measures

However, it should be noted that although relevant regulations provide a basis for controlling employee behavior in such industries, and this is known to the industry and practitioners, the monitoring behavior of enterprises should also stay within the necessary range and strictly abide by the minimum and necessary principles of control and handling.

For example, the "Guidelines for the Implementation of Compliance Management of Securities Companies" stipulates that securities companies should use information technology means to monitor the communication behavior of staff members and the securities investment behavior of staff. So, for individual behaviors that are not included in the scope of regulations and have nothing to do with employee positions and industry information, enterprises should not monitor them and should respect employee privacy; for employee behavior information included in the scope of regulations, they should stay within the boundaries of the control purposes and not use it for other purposes.

In addition, the monitoring of employees in securities and other industries has led to the acquisition of a large amount of employees' personal information. At the micro level, enterprises should properly keep relevant information and data, strengthen the protection of sensitive information, and beware of leakage. At the macro level, if the amount of employees' personal information is huge, constituting a certain scale of personal information data, or personal information is related to industry information, constituting important data, enterprises need to strictly evaluate and protect it in accordance with the relevant data classification and grading principles.

Q4 What other regulations related to the protection of employees' personal information require enterprises to pay close attention to?

In addition to the laws and regulations, judicial interpretations, and court judgments related to the protection of employees' personal information, the guidelines related to personal information protection and the draft normative documents for solicitation of comments, such as the "Information Security Technology Personal Information Security Specification" (GB/T 35273-2020) and the "Regulations on the Administration of Network Data Security (Draft for Comments)" also need to attract great attention from enterprises, which can be used as a reference basis for the compliance of enterprise employees' personal information protection.

In addition, if it involves Chinese enterprises "going global", they should also pay attention to local data security laws and regulations related to employees' personal information, such as the EU's GDPR (General Data Protection Regulation), Opinion 2/2017 on Data Processing at Work, and the UK's DPA (Data Protection Act). At the same time, it is also recommended that enterprises always pay attention to the special laws and regulations of their industries and related guidelines, such as "Several Regulations on automotive data security management (trial)" and "Information Security Technology Health and Medical Data Security Guidelines", so as to improve their compliance system.
