Checking an employee’s browsing history may be a common practice for many employers. In many situations, a monitoring activity would amount to “collection” of personal information, and you therefore have to make sure everything is in line with the Personal Data (Privacy) Ordinance (Cap. 486). This article provides a brief overview of the guidelines.
3Cs – Clarity, Communication and Control
When there is a strong business need to develop employee monitoring policies, remember to follow the 3Cs – Clarity, Communication and Control.
- Clarity – specify the purposes served by employee monitoring and the circumstances under which monitoring may take place.
- Communication – inform employees about the nature and purpose of monitoring their activities prior to undertaking employee monitoring.
- Control – hold, process and use the monitoring records safely.
Employee Monitoring Policy
Employers are encouraged to adopt a transparent approach to the formulation of the employee monitoring policies and practices. For instance, employers might provide a written Employee Monitoring Policy to govern personal data management practices.
The Employee Monitoring Policy should include the following areas:
- The business purposes of employee monitoring
- The circumstances under which monitoring will take place
- The kind of personal information that may be collected
- The purposes for which the personal information collected in monitoring records may be used
Clear communication with the employees
For an employee internet monitoring policy, employers are recommended to include a clear statement declaring the “house rules” of the company. This can enable employees to regulate their behaviour and manage their expectations. You are also advised to consult employees in the course of developing the Employee Monitoring Policy. This can help formulate the policy from the perspective of employees and reduce potential disputes in the future.
Restricted use of the personal information
It is important to remember that the personal data collected in monitoring records can only be used for the purpose stated in the Employee Monitoring Policy or for a directly related purpose, unless it is proof of “seriously improper conduct” that amounts to a valid ground for summary dismissal.
Personal data should also not be kept longer than necessary for fulfilling the purpose. Typically, the retention period is not more than 6 months. However, a longer period of retention is also allowed on a case-by-case basis. The employee should also be able to access their own personal data in the course of the employee monitoring, subject to the provisions of the Ordinance.
For more information, you are advised to visit the Privacy Guidelines: Monitoring and Personal Data Privacy at Work.
Key takeaways
- Employers who wish to develop an employee monitoring policy must comply with the Personal Data (Privacy) Ordinance (Cap. 486), with the 3Cs in mind.
- Clear communication is always advised when developing employee monitoring policies. Laying down the “house rules” and consulting with employees are two good ways to communicate.
- Remember that personal information must be handled with care. Personal information should not be kept longer than necessary for fulfilling the purpose.