As an employer, what are my personal data privacy obligations?

If you are an employer, you will often need to handle personal data when carrying out human resource management activities, such as recruitment and the management of former and current employees’ personal data. You should therefore observe the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”), as you are responsible for protecting the personal data of your prospective, former and current employees. This protection covers the collection, use, sharing and retention of the data collected.

For more details about the dos and don’ts of handling prospective, former and current employees’ personal data, you can have a look at the Code of Practice on Human Resource Management: Compliance Guide for Employers and Human Resource Management Practitioners.

Your personal data privacy obligations

As an employer, you should take all practicable steps to ensure that your employees’ personal data are properly handled, including implementing sufficient security measures and obtaining authorisation for accessing the data.

Sections 53 and 55 of the PDPO provide that personal data is exempt from the data access request provisions if it is used for the following employment-related purposes:

  • Staff planning;
  • Data generated by certain evaluative processes (including a promotion or recruitment exercise, before a decision is taken and where such a decision can be appealed); and
  • Personal references for an appointment, up to the point when the relevant position is filled.

The Code of Practice on Human Resource Management was issued by the Office of the Privacy Commissioner for Personal Data in 2001 and is designed to provide practical guidance in this area. If you breach any of the mandatory provisions within the Code, it may give rise to a presumption against you, or against any third party contracted to act on your behalf, in any proceedings involving an alleged breach of the Personal Data (Privacy) Ordinance (Cap. 486). It will be taken into account in deciding whether the Code was contravened by a court, magistrate, the Administrative Appeals Board

In 2004, the Office of the Privacy Commissioner for Personal Data also issued the Privacy Guidelines: Monitoring and Personal Data Privacy at Work to provide more information about employers’ personal data privacy obligations. The guidelines are not legally binding, but they are established with reference to the six Data Protection Principles under the Personal Data (Privacy) Ordinance (Cap. 486). Some recommended steps are listed in the guidelines for when employers monitor their employees using the following methods:

  • E-mail monitoring: any incoming and outgoing e-mails sent or received by employees.
  • Internet monitoring: employees’ web browsing activities.
  • Telephone monitoring: phone calls and voicemails made or received by employees.
  • Video monitoring: the use of CCTV or video cameras to record or monitor employees’ work activities and behaviour.

It is important for you to note that you must not disclose any of your employees’ employment-related data to a third party unless you have obtained your employees’ consent, the disclosure is for a purpose that is directly related to their employment, or the disclosure is required by any law or statutory authority (e.g. for the purposes of a criminal investigation or tax collection/assessment).

If you have any queries about the Guidelines or Codes mentioned above, you should consult a lawyer or contact the Office of the Privacy Commissioner for Personal Data.

Key takeaways
