The Centre (including all its legal entities) already has a stringent data protection policy (see here). In addition to that, this guideline defines additional guidance for our Chinese entities (Beijing and its Shenzhen branch) to ensure that we fully comply with the Chinese Personal Information Protection Law (PIPL) for data gathered in China and where the law’s requirement goes beyond our current data protection processes.
During our child labour assessment and remediation work we collect a range of information from minors, sometimes from children under the age of 14. Below we clearly define what information we collect, what information we do not collect and how we handle this information in accordance with company policy and the Chinese Personal Information Protection Law from 2021.
WHAT WE COLLECT (AND UNNECESSARY INFORMATION WE SHOULD NOT COLLECT):
Before we start the assessment, the client informs The Centre via a notification form about the child labour case. The client will be responsible to ensure that the children (if aged 14 or older) or the parents (if the children are under 14) can give their consent before they share any personal information. Should it not be possible to gain consent, the client shall refrain from communicating personal information, to ensure no personal data is collected until the correct form of consent can be achieved. Introduction to the children will be made orally.
All case notification forms in China shall be shared via WeChat or via a China based file sharing service
During the first meeting with the child and his/her legal guardians, the case manager shall at the very beginning
a. Introduce who we are to them, and explain what the meeting is about, what we are going to collect.
b. Assure them that we will only collect the data necessary for the project (e.g., name, date of birth, phone number) and this data will not be shared with anyone without their explicit agreement (e.g., when we enrol the child in a school).
c. Confirm that the information, records (e.g., copy of ID cards, or other age-related official documents) and photos taken during the interview will be only used to develop the assessment report and proposal by The Centre. Only the anonymized reportswill be shared with the client to protect their privacy.
With the consent of legal guardians(refer to appendix 4.1.2), The Centre will move on to the assessment. If they disagree, we will respect their decision and not share their personal information in the report.
When a remediation programme is confirmed, a programme introduction letter with a consent agreement will be explained clearly by the case manager and signed by the legal guardians of the concerned child. The consent gathered in the remediation preparation will also be a clear part of the agreement of the legal parents to participate in the remediation process.
All the private information shall be processed to be individually non-identifiable in all reports, records and emails with clients and people not involved at The Centre. This applies to all child labour cases in all countries involved. The table highlights the specific measures for key private information.
WHAT WE COLLECT
For the cases in China, all the documents with personal information are stored on a separate platform (the server should be located inside of Mainland China) other than Dropbox. Only the Chinese staff of the Global Child Labour Remediation team and related case managers can have the access to these documents.
We will destroy the personal data of the child at the latest two years after completion of the remediation, but the anonymised information will be kept indefinitely. If the deletion of personal information is difficult to be realized technically, The Centre will stop processing and store the personal information with necessary security protection measures.
Only staff in China upload the documents and reports. When a draft version of reports is reviewed by foreign staff, the privacy information is already covered and individuals become non-identifiable.
Staff (anywhere) who needs to have access to the personal data in order to do their job will be given access to view documents on the China server, but cannot download or transfer the data.
Only individual non-identifiable reports are shared with the client. No personal data of children in the child labour programme is shared with our client companies. All reports use aliases and do not reveal any contact information, which makes the data there untraceable.
WHAT WE COLLECT
When asking the factory to send worker lists for survey sampling, 1) we ask for the factory’s consent for us to use the info collected by the factory for survey sampling 2) we clearly state the purpose and approach of using the data/due date/content of the data, etc. 3) we ask the factory to confirm the workers have agreed the data transfer.
We minimise the info required in the worker name-list: remove the names/ID no./address, etc.
For all assessments, at the beginning of the survey/interview/FGD, we have a statement that tells anyone giving information our principles of collecting data (see appendix 2 for the statement) , and ask for consent to share anonymized untraceable information , mention that data might be shared outside China in untraceable and aggregated form.
In case real name or traceable personal data is used, or images and their real names in the communications package are used, we ask for the consent and consider the key points before using such data (see appendix 4 for the key points)
Assessment: If we are going to use any real-name info or any info that can be traced back to the person, we ask for his/her WRITTEN approval first
In case of children under 14
- Assessment: for interviews or FGD, we don’t ask for their real names
- Image consent form: we ask for their legal guardian’s consent and they need to confirm they have asked for the children’s consent to sign on behalf of them
Factory information from China is stored only on a China-based server.
Information including but not limited to worker name-list, basic factory info form, participant list, other relevant info concerning individuals’ personal info required from different projects is saved on a domestic platform
We make sure the data is password protected
Only people physically within China’s borders can access the data. No staff, no matter their managerial position, outside China can have data access
After the sampling, we take out all essential info that may be traced back to a specific person
We ensure that any data that is handled outside China and e.g., stored on Dropbox or shared with others, is ALWAYS fully anonymised and non-identifiable
Image consent form: we add the due date (generally 5 years after taking it) (Meaning the picture will not be newly used after 5 years (e.g. if the picture was in a report or on a specific page it will stay in this report indefinitely, but we will not use it for a new leaflet or a new web page after the due date).
Traceable data used during the sample process will be destroyed latest 2 years after the data was collected.
Factory data lists can never be shared with anyone outside China and people not part of the project.
We ask the factory to upload the list on to a Chinese server (or do file share on a Chinese server) but do not send it via email or to a foreign client.
Information including but not limited to worker name-list, basic factory info form, participant list, other relevant info concerning individuals’ person info required from different projects is not shared with anyone outside The Centre.
Assessment: we avoid sharing raw data with client/other parties; if we have to, we make sure it’s anonymised and cannot be traced back to the specific person.
Image consent form: if our clients also want to use the image, we add them to the consent form along with their contact info, purpose/scope/due date of using the image.
From 2022, The Centre will not collect data other than the data obtained through voluntary self-sign up our services.
Each of our newsletters states why the recipient is receiving this newsletter (i.e. because they agreed to be added to our mailing list in the past). All users are given the option to opt out every time they receive a newsletter. They will be informed that not opting out will be considered as giving consent to continue receiving newsletters.
The personal data that you provide to us by visiting our website or signing up to our events is generally stored on servers located in the United States. If you are located in another jurisdiction, you should be aware that once your Personal Data is submitted through our website, it will be transferred to our servers in the United States where there are varying U.S. federal and state laws, and industry recognised data protection requirements in place. If you provide us with any personal data through our website, you agree to provide separate consent to our processing and use of such personal data.
The collection of personal information is limited to that which is relevant and necessary to our communication and marketing efforts.
If we have registered your personal data in connection with participation at one of our events conducted together with an external party, we may pass over some personal data to our event partners, such as contact details, name, job title and the name of the company you work for. The Centre will never give away, or sell, your personal information for any commercial purposes.
Your information, including personal data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.