Anti-corruption investigation vs. protection of personal information

Employee fraud not only damages employers’ interests and public image, but also corrupts the workplace atmosphere. If employers fail to manage such behavior, they may encounter “the embankment of a thousand miles, collapsed in an ant’s nest.” Therefore, many companies attach great importance to compliance management and establish anti-corruption investigation mechanisms and rules, and several companies have even set up anti-corruption reward funds to reward those who report. In recent years, cases involving employee corruption at well-known companies have been verified and reported in the newspapers from time to time.

However, anti-corruption investigations inevitably involve employees’ personal information (“PI”), because investigators have to consider what PI is wanted and available, how to obtain it, how to use it, and so on. With the implementation of the “Personal Information Protection Law”, these issues have become more sensitive. Anti-corruption investigation staff are wondering how to carry out investigations effectively while avoiding the red line of PI protection.

Anti-corruption investigations involve three aspects of PI: (1) the scope of PI that may be collected; (2) the collection methods; and (3) the restrictions on the use and management of the collected PI.

First of all, regarding the collection of PI, there are mainly two situations in anti-corruption investigations:

Article 13 of the “Personal Information Protection Law” stipulates that where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law, PI such as name, ID number, contact information and residential address may be collected and used without the consent of the individual concerned. In practice, employers should pay attention to two points: (1) the scope of PI “necessary for the implementation of human resource management” is not clearly defined, so it is recommended to specify that scope, including the specific items, purpose, usage and storage, in the employer’s labor rules and regulations or in supporting documents; and (2) the rules on the circumstances in which employers may check computers and mobile phones provided by the employer for work use should be explained to employees, and employees’ written confirmation obtained on that basis. If employers do not pay attention to these two points, the legality of PI collected from the human resource department might be challenged.

The other situation arises during investigations: if investigators obtain the consent of the relevant interviewees, they may collect more PI outside the aforementioned scope. It is worth noting that investigators should be cautious with their words and tone, so that these are not deemed intimidating or threatening.

When conducting an external investigation, employers must ensure that the relevant PI is obtained through legal channels. According to Article 5 of the “Interpretation of Supreme People’s Court and Supreme People’s Procuratorate on Several Issues regarding Application of Law in Handling of Criminal Cases Involving Infringement of Citizen’s Personal Information”, illegally obtaining, selling or providing more than 50 pieces of PI on whereabouts, communications, credit information or property information constitutes a crime. Article 10 of the “Personal Information Protection Law” also stipulates that no organization or individual may illegally collect, use, process or transmit the PI of others, or illegally buy, sell, provide or make public the PI of others. If the relevant PI is obtained through illegal channels, for example where a so-called “private detective” eavesdrops on an employee, such behavior is very risky and might be deemed a crime. Therefore, for external investigations, it is recommended to satisfy three prerequisites: (1) entrust a third party with the corresponding qualifications; (2) use legal means; and (3) obtain information within the scope permitted by law.

 

Regarding the use and management of PI obtained in anti-corruption investigations, the following issues should be noted: (1) PI may be disclosed only to a designated scope of personnel, that is, only employees with the corresponding job responsibilities or third-party personnel entrusted by the employer may access the PI, and the employer should ensure that these personnel use the PI in accordance with the relevant regulations or agreements; and (2) PI may be kept only for a limited period. Article 19 of the “Personal Information Protection Law” stipulates that the retention period of PI shall be the minimum period necessary for achieving the purpose of processing. Therefore, under normal circumstances, once the investigation is over and the case has been processed, the relevant PI should be completely deleted or anonymized as soon as possible.

When anti-corruption cases are used for internal education or external publicity, it is recommended to anonymize PI (especially the sensitive parts) to avoid unnecessary risks.