The number of “blind” recruitment ads – i.e., ads that do not identify the employer or their recruitment agent – circulating in Hong Kong has led to a growing concern about the possible unscrupulous collection and use of personal data of job applicants. In response:
- The Privacy Commissioner initiated a number of investigations in relation to the use of blind recruitment ads.
- Blind recruitment ads are deemed to be in breach of the Hong Kong Personal (Data) Privacy Ordinance (“PDPO”) because they are an unfair means of collecting personal data.
- The Privacy Commissioner has issued a report on the results of its investigations regarding the use of blind recruitment ads, and also a new information leaflet to provide further guidance on the use of recruitment ads.
Companies are advised to review their recruitment practices to ensure that they do not breach the PDPO, and that they have proper privacy management procedures in place. A useful starting place is to consider the issues highlighted in the Privacy Commissioner’s report and the guidance provided by the information leaflet, as discussed in this legal update.
Report and guidance on the use of blind recruitment ads
Spurred by the receipt of hundreds of enquiries regarding blind recruitment ads, the Hong Kong Privacy Commissioner initiated 71 investigations in relation to the use of blind recruitment advertisements.
By 29 May 2014, 48 of the investigations were completed, and a report on the “Unfair Collection of Personal Data by the Use of ‘Blind’ Recruitment Advertisement” was issued (the “Report”). In all the cases the ads in question were found by the Privacy Commissioner to be in breach of the PDPO. A new information leaflet was also released in May by the Privacy Commissioner entitled “Understanding the Code of Practice on Human Resource Management - Frequently Asked Questions About Recruitment Advertisements” (“Information Leaflet”), to complement the release of the Report and to provide guidance on the use of recruitment advertisements.
What is a blind recruitment advertisement and what are the concerns?
A blind recruitment advertisement is an advertisement seeking job applicants, which does not identify the employer, or the employer’s recruitment agent (“Blind Ad”).
Since 2009, the Privacy Commissioner received 550 enquiries regarding Blind Ads. Many potential job applicants were concerned about what they saw as an unfair means of collecting personal data, and the risk of Blind Ads being used to obtain personal data as part of fraudulent activities (including identity theft) or for direct marketing purposes, and not in relation to a genuine job vacancy.
What was the result of the Privacy Commissioner’s investigations?
The Privacy Commissioner initiated an investigation into 71 cases of such Blind Ads; 48 of the cases were completed in May 2014. The Privacy Commissioner found that in all 48 cases the advertisers were in breach of the PDPO’s Data Protection Principle 1(2) (“DPP 1(2)”).
DPP 1(2) provides that personal data must be collected by means that are fair in the circumstances. The Code of Practice on Human Resource Management (“HR Code”), issued by the Privacy Commissioner in 2000, also specifically states that
advertisements for job vacancies and the solicitation of personal data from job applicants, must provide a way for the employer, or its agent, to be identified by the applicants. Breach of the Code will be taken into account by the Privacy Commissioner to determine whether or not there has been a contravention of the PDPO.
The Blind Ads invited the provision of personal data, e.g., by email or fax, but failed to identify either the employer or their recruitment agent. As such, the Privacy Commissioner found the advertisers to be engaging in an unfair collection of personal data in breach of DPP1(2), and also in breach of the HR Code.
The defences put forward by the advertisers (i.e., the employers) ranged from ignorance of the law, to trying to transfer blame to the recruitment media agent (e.g., the newspaper or website in which the Blind Ad is displayed), and to assertions that the Blind Ads did not amount to a breach of the PDPO.
Ignorance, negligence or a misunderstanding of the law by the advertisers was found by the Privacy Commissioner not to be a valid defence. As such, advertisers would not be exonerated from liability by trying to shift blame onto the recruitment media agent. The advertisers, i.e., employers, were the ultimate persons responsible for ensuring that the recruitment advertisements or solicitation of personal data from job applicants were in compliance with the PDPO.
The Privacy Commissioner found that using an abbreviation of the employer’s company name was, in the circumstances, insufficient to provide unambiguous information to job applicants of the identity of the employer and, as such, fell foul of the HR Code issued under the PDPO in 2000.
The Privacy Commissioner also rejected the defence raised by some of the advertisers that their Blind Ads did not expressly solicit personal data and so were not in breach of the PDPO. The advertisers argued that interested parties were only asked to send an email along with their expected salary, but there was no obligation on them to do so; they could have instead simply requested an interview. The Privacy Commissioner did not find this defence credible as it is unlikely that a job applicant would ever request an interview without submitting any personal data.
As a result of the Privacy Commissioner’s findings that the 48 advertisements in the cases investigated had breached DPP1(2) of the PDPO, the employees were all served with enforcement notices requiring them to comply with the following within two months: (i) formulate a policy on the use of recruitment advertisements, which should include a prohibition on Blind Ads; and (ii) delete the personal data collected (unless required to maintain it under other applicable laws or unless such data were required for ongoing recruitment purposes, in which case the job applicant would have to be informed and provided with the option of having the employer delete the personal data).
Breach of an enforcement notice is an offence and may result in a fine of HK$50,000 and two years imprisonment and, in the case of a continuing offence, to a daily fine of HK$1,000. In the event that an infringer, after complying with an enforcement notice, intentionally performs the same act or makes the same omission in breach of the PDPO, then it commits an offence and is liable to a fine of HK$50,000 and two years imprisonment, without the need for a new enforcement notice to be issued.
What guidance does the Information Leaflet provide?
In summary, the Information Leaflet provides the following guidelines in relation to the use of recruitment ads:
- An employer (or its recruitment agent) should only ask job applicants to provide their personal data in a recruitment advert, if the identity of the employer (or its recruitment agent) is clearly indicated in the advert – this applies equally to any individual who is seeking to hire someone in their personal capacity, say, a driver or domestic helper.
- If an employer finds it absolutely necessary to conceal its identity, it may use a recruitment agent to collect the personal data instead, so long as the agent is identified in the recruitment advert. Alternatively, if the employer does not wish to identify either itself or its recruitment agent in the advert, it cannot solicit or require any job applicant to provide their personal data in response to the advert. Instead, the employer can list a telephone number for job applicants to call in order to obtain further details or to request an application form (which should state the employer’s identity).
- Including the employer’s company logo on the recruitment advert will only be sufficient for the purposes of identifying the employer, if the full name of the employer appears in the logo.
- Stating only the employer’s email address, telephone number or fax number in a recruitment advert, without expressly identifying the employer, would generally be insufficient.
- Even if a recruitment advert does not expressly request personal data to be provided, if it lists a fax number, postal address or email address, then this is generally seen as an invitation to job applicants to submit their personal data, and is not permitted unless the employer (or its recruitment agent) is identified in the advert.
- An employer must inform job applicants of the purpose for which his/her personal data will be used and must comply with the other PDPO notification requirements, on or before the collection of his/her personal data. The recruitment advert should therefore include a personal information collection statement (“PICS”), or alternatively, provide a link to a website that contains the PICS, or state other means from which the PICS can be obtained.
- An employer can invite job applicants in a recruitment advert to submit a job application form online, but the identity of the employer should be clearly stated in the job application and a PICS should also be included.
- A recruitment advert should not be issued if there is no actual job vacancy (e.g., it is merely being used to collect personal data for other purposes, to test the job market, to put pressure on existing staff, etc.), as this may amount to a breach of the PDPO.
Blind Ads are receiving increased attention from the Privacy Commissioner given the risk of fraudulent collection of personal data for the purposes of identity theft. Companies should review their recruitment practices to ensure that they and their agents do not use Blind Ads. The amendment of the PDPO in 2012 introduced enhanced penalties for repeated breaches of enforcement notices and the PDPO. Subsequent repeat contraventions of the PDPO on the same facts after an enforcement notice has been issued and complied with, constitutes an offence attracting a fresh HK$50,000 fine (plus HK$1,000 on a daily basis if the breach continues) and a possible two years imprisonment. Companies that have breached enforcement notices in the past also face higher penalties if they breach an enforcement notice again (i.e., a fine of HK$100,000, and HK$2,000 per day for a continuing offence, and two years imprisonment).
Employers should ensure that internal policies and procedures, as well as agreements with its recruitment agents, are put in place in order to prevent the use of Blind Ads that may be in breach of the PDPO. If there is a genuine need to conceal the employer or its agent’s identity (e.g., the employer is seeking to replace an existing staff member, and wishes to avoid revealing this), then the recruitment ad should avoid soliciting personal data from job applicants, and should only invite interested applicants to call the employer (or its agent) for further information.
The Report and Information Leaflet are just some of the latest examples of the increased emphasis on enforcement of the PDPO in Hong Kong, and once again underscore the importance for companies to have proper privacy management procedures in place.