Why your employee’s privacy in Mainland China should matter

In this second issue of employee’s privacy in Mainland China we will discuss what actions employer could take to favor employee’s privacy while also complying with the law. We will focus on proportional protection of trade secret and intellectual property, sick leave management and network monitoring.

Last month in our previous article on employee’s privacy in Mainland China we discussed how the Cybersecurity Law of China (the CSL) was pushing forward the employees’ right to privacy. We also covered how employees’ privacy has become a priority for companies as well as the protection of customer information.

In this second issue of employee’s privacy in Mainland China we will discuss what actions employer could take to favor employee’s privacy while also complying with the law. We will focus on proportional protection of trade secret and intellectual property, sick leave management and network monitoring.

1 Limiting employee’s monitoring in protection of trade secret and intellectual property

As trade secrets and intellectual property are critical elements of any company’s operation, they receive specific protection, that will include specific measures taken that will encompass employees. The protection of company’s trade secret and intellectual property, for example, can be done through an intensive monitoring of employee’s actions on their corporate device, as well as their personal device. However, employers should understand that such monitoring should abide by the principle of proportionality before developing and deploying their monitoring tool and framework.

Given that company A has a trade secret to protect. This trade secret can only be accessed by employees from the R&D department whose rank is manager and above. A proportionate monitoring would solely include employees from the R&D department whose rank is manager and above. The monitoring of employees of rank under manager, or of employees outside of the R&D department would be disproportionate, as there is no reason for them to be included in a monitoring, which purpose is to prevent dissemination of a material to which they should not have access. Of course, proportionate monitoring requires from the company already existing cybersecurity protocol to prevent employees outside of authorized employees to access trade secret and restricted information. Such protocol can include control access list, an airlock of the R&D department, a strict ban on removable storage devices and disabling relevant ports.

It should be noted that a disproportionate monitoring also increases noise among monitored data. By increasing the amount of data monitored and stored, there is a proportionally higher risk of false positive and false negative that could limit the effectiveness of the monitoring policy. Our recommendation would be for companies to set in place a robust cybersecurity protocol designed around the employees’ privacy and the protection of their trade secret and intellectual property.

2 Sick leave assessment and privacy

A critical function of human resource management is bound to its interaction with employees that need to claim sick leave benefits. This interaction can have lasting negative effects on employees if mishandled, intrusive or non-confidential.

Given that company A’s policy on sick leave requires employees to provide the HR department with a proof from a medical institution or their practitioner, relevant steps should be taken to preserve the confidentiality of: the employee’s condition, the proof and information regarding the medical institution. Process that would suggest multiple intermediaries between the employee and the HR department should not be favored, as the increase of intermediaries also increases the risk of indiscretion. This process should be as direct as possible, ideally being a direct physical communication from the employee to the relevant HR department person. If intermediaries are necessary due to the scale of the company, relevant process should be taken to ensure the confidentially of the proof and information on the employee’s condition from the moment the employee gives the proof to the intermediary to its reception by the relevant person. This confidentiality can be reached using either sealed envelopes or using a sealed depository box which key is unique and only possessed by the relevant person. Finally, depending on the sick leave policy of the company regarding the retention of the proof, it should be kept only for the strict minimum amount of time needed, then securely disposed of. It is not recommended to create digital copies of the proof for archiving as it would create a set of personal medical information within the corporate network that will trigger specific protection requirements.

As such, we recommend companies to design ahead the complete process through which employees can claim sick leave benefits from the employer to be pro-privacy. Such process should be designed around the protection of the employee’s privacy, and make sure that the confidentiality of the employee’s condition is preserved at all times from the moment the proof is provided by the employees to the moment it is disposed of.

3 Complying with network monitoring and promoting pro-privacy behavior

As companies must comply with Article 21.3 of the CSL, they need to monitor, record and store network log for at least six months: a monitoring that has a high probability to also intercept personal information and sensitive personal information sent by employees through the network.

Due to the legal requirement to proceed with monitoring, the risk must be acknowledged by companies that personal information and sensitive personal information will be collected and stored if shared through the network. However, the company can take a pro-privacy stance to the monitoring of the network log by informing his employees of this legal obligation, as well as actively informing employees not to use the network for personal use if they do not want to have their personal information or sensitive information captured through network monitoring. This include network for the intranet, and access to internet through ethernet connection, Wi-Fi-connection or other means when provided by the company.

We recommend companies to actively make mention of the monitoring not only through the IT chart governing employees’ use of the network, but also through internal communication on a regular basis to employees to nurture pro-privacy conduct.

When discussing employee’s privacy and data protection or cybersecurity compliance in Mainland China, a critical misconception is to understand this relationship as a balancing relationship. Viewing this relationship as a zero-sum game may have lasting effect on your company’s handling of privacy, especially regarding employee’s happiness at work. If employees are presented with a corporate strategy that considers sacrificing their privacy for compliance, there will be a lasting negative impression, an issue that can be prevented by researching how privacy could be reached in addition to compliance, through a framework that leverages employee’s privacy to comply with data protection and cybersecurity laws while supporting the protection of employee’s privacy.

For more information, please contact us:

Dr. Zhong Lin

Managing partner    Chen & Co. Law  Firm

Direct: + 86 21 2228 8358


Galaad Delval

Data protection officer, CIPP/E    Chen & Co. Law Firm

Direct: + 86 21 2228 8330


All files