Reed Smith Client Alerts

The World Health Organization (WHO) declared on January 30, 2020, that the outbreak of novel coronavirus (COVID-19) is a "public health emergency of international concern." This was, in part, an acknowledgement of the geographic spread of the virus and the need for intensified support for preparation and response, especially in vulnerable countries and regions. Further information is available in the WHO statement. On January 31, 2020, the Centers for Disease Control and Prevention (CDC) in the United States also declared a public health emergency for the United States. Further information from the CDC can be found at COVID-19 is now affecting an increasing number of countries in Asia, including Korea, and Japan.

This alert focuses on issues relating to data privacy in an employment context. We outline common issues that businesses operating in the People’s Republic of China (PRC or China), Hong Kong, and Singapore are likely to face arising from the outbreak of COVID-19. The issues that we have identified are not meant to be exhaustive. As this is a developing situation, governments are revising their responses to mitigate the emerging risk to public health.

Authors: Amy Yin Asha Sharma Steve Tam Carolyn Chia (Resource Law LLC)

As multinational corporations (MNCs) doing business in regions affected by COVID-19 strive to ensure the health and safety of their employees, they must be aware of the various restrictions and requirements imposed on them for the collection, use, disclosure, and retention of employee personal data. It is not advisable for MNCs to adopt the same measures across jurisdictions, as each jurisdiction has its own distinct requirements and limitations.

China, the country most severely affected by the outbreak to date, has taken steps to protect personal information in the midst of its efforts to prevent and control COVID-19. In addition to the personal data protections already in effect under the Cybersecurity Law and the national-level Personal Information Security Standard (PIS Standard), government agencies have also issued additional, specific cybersecurity and personal information protection notices in connection with the outbreak. 

On January 30, the Ministry of Transport of the PRC issued the Urgent Notice of the Ministry of Transport on Coordinating the Work of COVID-19 Prevention and Control and Transport Security, which stipulates that other than providing passenger information to public health and other related authorities in connection with COVID-19 prevention and control, no additional personal information may be disclosed to other agencies, organizations, or individuals.1

Subsequently, the National Health Commission of the PRC issued the Notice of the General Office of the National Health Commission on Strengthening the Informationization to Support the Prevention and Control of COVID-19 Infection, which clearly states the government’s policy to strengthen the protection of privacy.2 The Cyberspace Administration of China, the primary Chinese regulator of cybersecurity and data privacy, also issued the Notice on Ensuring Personal Information Protection and Utilization of Big Data to Support Joint Efforts for COVID-19 Prevention and Control, listing more detailed requirements for personal information protection in the context of COVID-19 prevention and control.3