The number of “blind” recruitment ads – i.e., ads that do not identify the employer or their recruitment agent – circulating in Hong Kong has led to a  growing concern about the possible unscrupulous collection and use of personal data of job  applicants. In response:

  • The Privacy Commissioner initiated a number of investigations in relation to the use of blind  recruitment ads.
  • Blind recruitment ads are deemed to be in  breach of the Hong Kong Personal (Data) Privacy  Ordinance (“PDPO”) because they are an unfair means of collecting personal data.
  • The Privacy Commissioner has issued a report on the results of its investigations regarding the  use of blind recruitment ads, and also a new information leaflet to provide further guidance on the use of recruitment ads.

Companies are advised to review their recruitment practices to ensure that they do not breach the  PDPO, and that they have proper privacy management procedures in place. A useful starting place is  to consider the issues highlighted in the Privacy Commissioner’s report and the guidance provided  by the information leaflet, as discussed in this legal update.

Report and guidance on the use of blind recruitment ads

Spurred by the receipt of hundreds of enquiries regarding blind recruitment ads, the Hong Kong  Privacy Commissioner initiated 71 investigations in relation to the use of blind recruitment  advertisements.

By 29 May 2014, 48 of the investigations were completed, and a report on the “Unfair Collection of   Personal Data by the Use of ‘Blind’ Recruitment  Advertisement” was issued (the “Report”). In all the cases the ads in question were found by the Privacy Commissioner to be in breach of the PDPO. A new information leaflet was also released in May by the Privacy Commissioner entitled “Understanding the Code of Practice on Human Resource Management - Frequently Asked Questions About Recruitment Advertisements” (“Information Leaflet”), to complement the release of the Report and to provide guidance on the use of recruitment advertisements.

What is a blind recruitment advertisement and what are the concerns?

A blind recruitment advertisement is an advertisement seeking job applicants, which does not  identify the employer, or the employer’s recruitment agent (“Blind Ad”).

Since 2009, the Privacy Commissioner received 550 enquiries regarding Blind Ads. Many potential job  applicants were concerned about what they saw as an unfair means of collecting personal data, and  the risk of Blind Ads being used to obtain personal data as part of fraudulent activities  (including identity theft) or for direct marketing purposes, and not in relation to a genuine job  vacancy.

What was the result of the Privacy Commissioner’s investigations?

The Privacy Commissioner initiated an investigation into 71 cases of such Blind Ads; 48 of the  cases were completed in May 2014. The Privacy Commissioner found that in all 48 cases the  advertisers were in breach of the PDPO’s Data Protection Principle 1(2) (“DPP 1(2)”).

DPP 1(2) provides that personal data must be collected by means that are fair in the circumstances.  The Code of Practice on Human Resource  Management (“HR Code”), issued by the Privacy Commissioner  in 2000, also specifically states that 

advertisements for job vacancies and the solicitation of personal data from job applicants, must provide a way for the employer, or its agent, to be  identified by the applicants. Breach of the Code will be taken into account by the Privacy  Commissioner to determine whether or not there has been a contravention of the PDPO.

The Blind Ads invited the provision of personal data, e.g., by email or fax, but failed to identify  either the employer or their recruitment agent. As such, the Privacy Commissioner found the  advertisers to be engaging in an unfair collection of personal data in breach of DPP1(2), and also  in breach of the HR Code.

The defences put forward by the advertisers (i.e., the employers) ranged from ignorance of the law,  to trying to transfer blame to the recruitment media agent (e.g., the newspaper or website in which  the Blind Ad is displayed), and to assertions that the Blind Ads did not amount to a breach of the  PDPO.

Ignorance, negligence or a misunderstanding of the law by the advertisers was found by the Privacy  Commissioner not to be a valid defence. As such, advertisers would not be exonerated from liability  by trying to shift blame onto the recruitment media agent. The advertisers, i.e., employers, were  the ultimate persons responsible for ensuring that the recruitment advertisements or solicitation  of  personal data from job applicants were in compliance with the PDPO.

The Privacy Commissioner found that using an abbreviation of the employer’s company name was, in  the circumstances, insufficient to provide unambiguous information to job applicants of the  identity of the employer and, as such, fell foul of the HR Code issued under the PDPO in 2000.

The Privacy Commissioner also rejected the defence raised by some of the advertisers that their  Blind Ads did not expressly solicit personal data and so were not in breach of the PDPO. The  advertisers argued that interested parties were only asked to send an email along with their  expected salary, but there was no obligation on them to do so; they could have instead simply  requested an interview. The Privacy Commissioner did not find this defence credible as it is  unlikely that a job applicant would ever request an interview without submitting any personal data.

As a result of the Privacy Commissioner’s findings that the 48 advertisements in the cases investigated had breached DPP1(2) of the PDPO, the employees were all served with enforcement notices requiring them to comply with the following within two  months: (i) formulate a policy on the use of recruitment advertisements, which should include a  prohibition on Blind Ads; and (ii) delete the personal data collected (unless required to maintain  it under other applicable laws or unless such data were required for ongoing recruitment purposes,  in which case the job applicant would have to be informed and provided with the option of having  the employer delete the personal data).

Breach of an enforcement notice is an offence and may result in a fine of HK$50,000 and two years  imprisonment and, in the case of a continuing offence, to a daily fine of HK$1,000. In the event  that an infringer, after complying with an enforcement notice, intentionally performs the same act  or makes the same omission in breach of the PDPO, then it commits an offence and is liable to a  fine of HK$50,000 and two years imprisonment, without the need for a new enforcement notice to be issued.

What guidance does the Information Leaflet provide?

In summary, the Information Leaflet provides the following guidelines in relation to the use of recruitment ads:

  • An employer (or its recruitment agent) should only ask job applicants to provide their personal  data in a recruitment advert, if the identity of the employer (or its recruitment agent) is clearly  indicated in the advert – this applies equally to any individual who is seeking to hire someone in  their personal capacity, say, a driver or domestic helper.
  • If an employer finds it absolutely necessary to conceal its identity, it may use a recruitment  agent to collect the personal data instead, so long as the agent is identified in the recruitment  advert. Alternatively, if the employer does not wish to identify either itself or its recruitment  agent in the advert, it cannot solicit or require any job applicant to provide their personal data  in response to the advert. Instead, the employer can list a telephone number for job applicants to call in order to obtain further details or to request an application form (which should state the employer’s identity).
  • Including the employer’s company logo on the recruitment advert will only be sufficient for the purposes of identifying the employer, if the  full name of the employer appears in the logo.
  • Stating only the employer’s email address, telephone number or fax number in a recruitment  advert, without expressly identifying the employer, would generally be insufficient.
  • Even if a recruitment advert does not expressly request personal data to be provided, if it  lists a fax number, postal address or email address, then this is generally seen as an invitation  to job applicants to submit their personal data, and is not permitted unless the employer (or its  recruitment agent) is identified in the advert.
  • An employer must inform job applicants of the purpose for which his/her personal data will be  used and must comply with the other PDPO notification requirements, on or before the collection of  his/her personal data. The recruitment advert should therefore include a personal information collection statement (“PICS”), or alternatively, provide a link to a website  that contains the PICS, or state other means from which the PICS can be obtained.
  • An employer can invite job applicants in a recruitment advert to submit a job application form  online, but the identity of the employer should be clearly stated in the job application and a PICS  should also be included.
  • A recruitment advert should not be issued if there is no actual job vacancy (e.g., it is merely  being used to collect personal data for other purposes, to test the job market, to put pressure on  existing staff, etc.), as this may amount to a breach of the PDPO.


Blind Ads are receiving increased attention from the Privacy Commissioner given the risk of  fraudulent collection of personal data for the purposes of identity theft. Companies should review  their recruitment practices to ensure that they and their agents do not use Blind Ads. The amendment of the PDPO in 2012 introduced enhanced penalties for repeated breaches of  enforcement notices and the PDPO. Subsequent repeat contraventions of the PDPO on the same facts  after an enforcement notice has been issued and complied with, constitutes an offence attracting a  fresh HK$50,000 fine (plus HK$1,000 on a daily basis if the breach continues) and a possible two  years imprisonment. Companies that have breached enforcement notices in the past also face higher  penalties if they breach an enforcement notice again (i.e., a fine of HK$100,000, and HK$2,000 per  day for a continuing offence, and two years imprisonment).

Employers should ensure that internal policies and procedures, as well as agreements with its  recruitment agents, are put in place in order to prevent the use of Blind Ads that may be in breach  of the PDPO. If there is a genuine need to conceal the employer or its agent’s identity (e.g., the  employer is seeking to replace an existing staff member, and wishes to avoid revealing this), then  the recruitment ad should avoid soliciting personal data from job applicants, and should only  invite interested applicants to call the employer (or its agent) for further information.

The Report and Information Leaflet are just some of the latest examples of the increased emphasis  on enforcement of the PDPO in Hong Kong, and once again underscore the importance for companies to  have proper privacy management procedures in place.