Home > Insights > Insights >

Personal Information Protection in the Recruitment Process


Author: Sun Lin, Qi Siyao
Translator: Qi Siyao
Editor: Wang Xinyue

Assessment of a job applicant’s abilities and personality is indispensable for an enterprise to ascertain whether he or she fulfills the requirements of the job position. Thus, collecting job-position-related information from an applicant is an essential part of the recruitment process. However, if an employer gathers information beyond the reasonable scope, or fails to take sufficient measures in protecting the information, it may result in legal disputes with the applicants, or even incur legal liabilities. So, it is necessary for enterprises to understand the dos and don’ts in the recruitment process, and to establish personal information protection procedures to ensure the gathering, processing and saving of personal information is compliant with relevant laws and regulations, and to avoid risks.

I. Common risks in personal information protection during the recruitment process
The gathering and saving of personal information during the recruitment process is a commonplace for both the enterprise and the job applicants. Nevertheless, as the legal requirements for personal information protection are being tightened in China, some commonly adopted practices may violate relevant laws and regulations. According to our experience, the following aspects are frequently exposed to risks:

a. Gathering personal information beyond reasonable scope
An employer usually requests an applicant to fill in their marital status, fertility status, and family member information. However, Article 8 of Labor Contract Law stipulates that an employer has the right to learn a laborer’s situation directly related to the labor contract. The stipulation means that an employer does not have the right to know the laborer’s personal information which are not directly related to the labor contract. Particularly when an employer gathers sensitive information of applicants, the act may infringe upon the laborer’s privacy and constitute employment discrimination.
Taken women’s marital and fertility status as an example: according to The Notice on Further Regulation of Recruitment to Promote Woman Employment (the “Notice”), promulgated by the nine ministries including the Ministry of Human Resource and Social Security of the PRC, the Ministry of Education etc. on 28 February 2019, the gathering of women’s marital and fertility status constitutes employment discrimination and is prohibited. The Notice specified: a. sexual discrimination during the recruitment process is prohibited by law; b. no inquiries may be made about women’s marital and fertility status, c. pregnancy tests should be excluded from employee on-boarding physical examination; restrictions on childbirth shall not be included as employment conditions.

b. Insufficient notification and lack of consent
Many employers did not sufficiently inform the applicants of the purpose and use of the information gathered, and no explicit consent from the applicant is obtained beforehand. Under this circumstance, even if the job applicants filled in personal information voluntarily, they might afterward claim that because the employer did not adequately notify them of the purpose and use collecting such personal information, thus the employer is not entitled to process or save the relevant information, bringing inconveniences for enterprise recruitment.
In addition, most employers conduct background checks to learn about the applicant’s ability and professional assessment. To prevent the applicant from communicating with ex-employers and securing a favorable evaluation beforehand, some employers conduct the background check without any prior notification or entrust a third party to conduct the background check. As the background check very likely involves sensitive information such as the remuneration package of the applicant, there are potential risks that the applicant may sue the employer for violation of privacy.
c. No confidentiality or safety measures are taken
Most enterprises will save personal information gathered for archiving or human resource data base building purposes. However, some enterprises save the information in computers or on internal servers without taking confidentiality or safety measures. If an enterprise gathers job applicants’ personal information via networks owned or managed by the enterprise itself (including email or internal server etc.), it shall comply with Article 48 in Internet Security Law. The enterprises’ obligations under this article include:
“a. maintaining strict confidentiality of personal information gathered from job applicants;
b. taking technological and other necessary measures to ensure the safety of personal information gathered from job applicants;
c. prohibition from divulging, falsifying, damaging the gathered personal information;
d. not providing the applicants’ personal information to others unless with prior consent from applicants.”
d. Overseas transmission of applicants’ personal information
For some enterprises, the recruitment process involves their overseas headquarters or branches, thus requires overseas transmission or even storage of personal information. Presently, Chinese laws and regulations do not directly prohibit enterprises from transmitting job applicants’ personal information overseas. Nevertheless, the (Draft) Personal Information and Important Data Overseas Transmission Safety Evaluation Measures (the “Measure”), published for comments in 2017, sets out that “The personal information and important data collected and generated during operation shall be stored in the PRC. In the event that any information has to be transmitted overseas, safety assessment pursuant to this measure is a must.” The stipulation means that once the Measure is effective, the overseas transmission of applicants’ personal information gathered from the web will be restricted.
Evidently, as the legal protection of personal information becomes stronger, overseas transmission or storage of applicants’ personal information faces challenges.

II. Personal information protection measures during recruitment process
What measures can an enterprise take to prevent the above risks? To begin with, to discern personal information from other information is necessary.

a. The scope of personal information and sensitive personal information
1. Personal information
Pursuant to Article 76 Item 5 of Internet Security Law, and Article 1 in Interpretations of Several Law Application Issues on the Handling of Personal Information Infringement Criminal Cases, “Personal information is the information which can be used individually or collectively to identify a natural person’s identity, and which is recorded electronically or via other means.” Thus, a job applicant’s name, date of birth, contact information, identification card number, education background, work experience all belong to the scope of personal information, as they can be used to identify a particular person.

2. Sensitive personal information
Some personal information of the applicant is particularly sensitive, i.e. “the information that once divulged will endanger personal safety and property safety, and most likely damage reputation or physical and psychological health, or cause discrimination to an individual” (Article 3.2 of Information Safety Technology • Personal Information Safety Standard). For example, an applicant’s personal property information, medical record, identity card, sexual orientation, marital history, and religious belief are all sensitive personal information.
The gathering of applicants’ personal information may not only violate his or her privacy, but also constitute employment discrimination, incurring lawsuits. Pursuant to Article 3 of Employment Promotion Law of the PRC, “A laborer is entitled to fair employment opportunities and independent choice of profession. The employment of a laborer should not be affected by discrimination of ethnicity, race, sex, or religious beliefs.” Meanwhile, According to Article 62 of the aforesaid law, “The laborer can bring lawsuit against the discriminator via people’s court for employment discrimination.”

b. Establish basic principles for gathering and processing personal information during recruitment process
After discerning personal information from other information, an enterprise needs to establish basic principles of gathering, processing, and storing personal information, to guide the whole recruiting process.
Article 111 in General Provisions of Civil Law stipulates the protection of personal information from a general perspective: “A natural person’s personal information is protected by the law. Any entity seeking to obtain other individual’s personal information should abide by the law and ensure the safety of the information. It is prohibited to illegally gather, use, process, transmit other individual’s personal information, in addition, to illegally buy and sell, provide, and publicize other individual’s personal information.” Other separate laws concerning personal information protection are also being established or revised, such as the Internet Security Law and Information Security Technology • Personal Information Security Standard (GB/T 35273-2017, under revision). Based on present laws and regulations concerning personal information protection, it is uniformly required that personal information protection should be “legitimate, rightful, and necessary; the purpose, methods, and scope of personal information collection and use should be made clear, and consent from individuals whose information must be procured.”
To make sure an employer’s collection, process, and storage of personal information are compliant with relevant laws and regulations, the aforesaid principles are to be applied to its recruitment process, and taken with the following precautions:
  • Clearly sets out the purpose, the methods, the scope, and the rules of personal information gathering before any such action takes place, and obtaining consent from job applicants beforehand.
  • Only collecting the applicant’s personal information within the legitimate, rightful and necessary scope, which means information that is relevant to the recruitment and the job position.
  • Properly storing the applicants’ personal information gathered, and taking sufficient confidentiality and security measures.
  • Abiding by the requirements of laws and regulations on personal information collection and use.

c. Measures for personal information protection throughout the recruitment process
To apply the aforementioned personal information protection principles, an employer needs to formulate a standard recruitment process or procedures taken into consideration its operation status. Training sessions for recruitment staff are necessary to ensure the implementation of the procedures. To this end, we have the following suggestions:

1. Only collect recruitment-related information
When collecting personal information, limit the scope of collection to those which are directly related to the labor contract, including job-related knowledge and skills, professional experiences or work experiences, excluding sensitive information such as marital and fertility status of which the collection is prohibited by relevant laws and regulations. If an employer has to collect applicant’s family member information, it should be better left it until the employee on-boarding process, while the employee fills out personal information form. However, such information gathering should have a legitimate purpose, such as conflict of interest information disclosure, or emergency contact.

2. Obtain explicit consent from applicants
No matter how an enterprise gathers applicants’ personal information, written notification of the purpose, use, methods, and scope of such collection must be rendered beforehand, and explicit consent from the applicants shall be obtained. For example, on its official recruitment web page, an employer may insert a notification page informing the applicants of the details of personal information gathering, and the applicant must read the notification and give their consent before proceeding with the job application.

3. Take confidentiality and security measures
An employer should take confidentiality and safety measures while storing personal information, such as limiting the access to the system where personal information is stored in. The job application form should also be properly stored and any unauthorized procurement of the application forms prohibited.

4. Closely follow the restrictive regulations regarding overseas information transmission
The employers had better store the personal information of applicants domestically in China. If an overseas headquarters or branch need to participate in the recruitment decision or share the personal information of applicants, acquiring the prior consent of the applicant is necessary. Moreover, enterprises should pay close attention to updates of laws and regulations and national standards regarding overseas data transmission, and revise the relevant internal recruitment procedures timely and accordingly.

5. Manage the third party the enterprise employs
If an enterprise recruits through a third party such as a head hunter or a recruitment website, it should manifest the obligations of the third party on protecting the personal information in the contract. The liabilities set for the third party should be no less than those that are burdened by the employer.

Share to

Sina Weibo

Share to


Share to