In August 2013, the Office of the Privacy Commissioner for Personal Data issued a guidance note entitled ‘Guidance on Use of Personal Data Obtained from the Public Domain’ (“Guidance”) to help data users comply with the requirements under the Personal Data (Privacy) Ordinance (“Ordinance”), in particular, the Data Protection Principles (“DPPs”).

The Guidance was issued against the backdrop of a recent investigation conducted by the Privacy Commissioner on the operator of the “Do No Evil” smartphone app. The “Do No Evil” app was designed to compile publically available litigation, bankruptcy and companies registry records into one database and enable users to search in one place for individuals’ names.

The Privacy Commissioner commented that even though information is in the public domain, it is still subject to the protections provided by Hong Kong data privacy law, and can only be used for the purposes for which it was collected. To think otherwise would mean that people could deliberately publish data in order to circumvent such protections.

Personal data should only be used for the purposes for which it was originally collected, or for a directly related purpose. Using personal data in the public domain for use in a search app was not the purpose for which the data was collected and made public by the government agencies collecting and posting it. Nor was such use within the expectation of the data subject when it was collected. The Privacy Commissioner issued an Enforcement Notice to prohibit the continued use of the app.

What does this mean for employers?

It is common practice for employers to conduct online searches of publically available information when undertaking a recruitment exercise. There is often a plethora of available data on candidates on various professional network and social media sites and other online sources. Such data can sometimes provide a helpful insight into a candidate’s background or character.

Employers need to be mindful of their obligations under the Ordinance and the DPPs when accessing data of potential (or actual) employees collected outside the employment context. In particular, DPP3 restricts the use of personal data to the original purpose for which the data is collected, or a directly related purpose, unless the explicit and voluntary consent of the data subject is obtained for collateral use. The Privacy Commissioner made a number of observations (set out below) which provide an insight into how his department will approach these issues should a complaint be lodged:

  • The fact that a data subject’s personal data can be obtained from the public domain should not be taken to mean that the data subject has given blanket consent for use of his or her personal data for unlimited purposes.
  • Where the original purpose of collecting the data and making it available is not explicitly defined, anyone who intends to use the data for secondary purposes, should not go beyond the reasonable privacy expectation of the data subject.
  • The test is whether a reasonable person in the data subject’s situation would find the re-use of the data unexpected, inappropriate or otherwise objectionable given the sensitivity of the data and the context of its initial collection.

Steps to ensure compliance

Employers are required to issue a Personal Information Collection Statement (“PICS”) to a job candidate when collecting information as part of the recruitment process. The PICS should make reference to the types of information that will be collected by the employer during the recruitment process and how this information will be used, processed and stored.

Employers should ensure that their recruitment teams are instructed to restrict their online searches to websites which are relevant to the recruitment process such as LinkedIn or other similar professional networking sites. The challenge for employers is to determine what should be categorised as personal and irrelevant versus professional and reasonable to review. The evolution of technology has resulted in a change in online behaviour of both companies and individuals, which often blur these lines. A number of companies have changed their recruitment strategies and post details of jobs on Facebook and Twitter. Previously it may have been possible to say with certainty that a candidate’s Facebook profile is not relevant to review in a recruitment process, however, if the post was advertised on Facebook and the company has encouraged the candidate to apply using that medium, then this may change the analysis.

Ultimately exercising common sense is the best way forward in this rapidly evolving medium. Employers must ensure that they understand the principles underlying their legal obligations under the Ordinance and the DPPs, as these must be applied to each scenario to ensure that data privacy breaches do not occur.

The guidance can be accessed via this link: publications/files/GN_public_domain_e.pdf