Executive search firms handle large amounts of sensitive personal data in relation to the candidates they target. In Hong Kong, the Personal Data (Privacy) Ordinance (the Ordinance) governs the collection, use and handling of personal data and raises a number of important restrictions on how executive search firms conduct their business in Hong Kong.

1. Collecting personal data from a candidate

The Ordinance requires that, when collecting personal data from an individual, data users take all practicable steps (at or before the time of collection) to provide the individual with certain details, including the purposes for which the data is to be used, the classes of third parties to which the data may be disclosed and the individual’s rights under the Ordinance to request access to or correction of their data. Typically, these details are set out in a "Personal Information Collection Statement" printed on an application form or provided in a notice or script.

Accordingly, executive search firms should ensure that they provide all prospective candidates who provide their personal data with a Personal Information Collection Statement containing the details required by the Ordinance. The Personal Information Collection Statement should be provided regardless of whether the firm requests personal data from the candidate or whether the candidate provides unsolicited personal data (provided that the firm chooses to retain it).

2. Using and disclosing candidate information

As noted above, the Ordinance provides that personal data may only be used and disclosed for:

  • the purpose it was to be used at the time of its collection (the "original purpose");
  • any purpose that is related to the original purpose; and
  • any purpose to which the individual consents.

The original purpose of collection will depend on the circumstances in which the personal data was collected. However, the Privacy Commissioner has indicated that the purposes expressly identified in the Personal Information Collection Statement are a key factor in determining the original purpose. Therefore, when collecting personal data, executive search firms should take care to expressly state that the personal data may be used for recruitment and employment purposes in their Personal Information Collection Statement.

This will allow the firm to use the candidate’s personal data for any purpose which is related to the recruitment and employment of the candidate – such as the myriad administrative tasks involved in interviewing, evaluating and employing a candidate. It is not necessary to separately specify these related purposes in the Personal Information Collection Statement (although you can if you wish).

Typically, an executive search firm will have no need to use candidate’s personal data for purposes that are unrelated to recruitment or employment. However, if you do, then you will need to obtain the candidate’s consent to those additional purposes.

3. Gathering personal data on candidates from public sources

The Ordinance applies equally to the collection and use of personal data from publicly-accessible sources as it does to other kinds of personal data. This has important implications for executive search firms which conduct research to gather personal data about candidates from social media sites such as LinkedIn and Facebook.

The Ordinance requires that personal data may only be collected by lawful and fair means. In order to be lawful, the collection of that data must not breach the terms and conditions of use of the site. In 2009, the Privacy Commissioner upheld a complaint by a civil servant who was contacted by an insurance company who had obtained her telephone number from the Hong Kong Government telephone directory, in breach of the terms of use of that directory.

As discussed above, personal data may only be used and disclosed for the original purpose, any purpose related to the original one and any purpose to which the individual consents. Generally, the "original purpose" is interpreted as meaning the main purpose for which the data user collected the personal data. However, in the case of personal data obtained from publicly-accessible sources, the Commissioner has taken the view that the original purpose means the purpose for which the data was made available to the public. In 2006, the Commissioner upheld a complaint against a company which used Land Registry data for direct marketing. While the company had always intended to use the data for direct marketing, the Commissioner held that the Land Registry made the data available for the sole purpose of conducting property transactions and that this was the "original purpose" in this case.

Therefore, executive search firms which gather personal data about candidates from social media sites and other public sources should ensure that:

  1. their collection of personal data does not breach any terms of use of those sources; and
  2. their use of the personal data they collect is consistent with the purposes for which that data was made available to the public.

4. Contacting prospective candidates

The Ordinance was recently amended to include new restrictions on direct marketing. We tend to associate the phrase "direct marketing" with pushy telemarketers and spam emails. However, the definition of "direct marketing" in the Ordinance covers most communications with an individual which seek to offer or promote goods or services. Executive search firms which contact candidates by telephone, email and on sites such as Linkedin all need to comply with the restrictions on direct marketing under the Ordinance.

Basically, the PDPO requires that, before you start to direct market to an individual, you must first:

  • inform them that you intend to use their personal data for direct marketing and that you require their consent to do so;
  • tell them the types of personal data you want to use for direct marketing and the types of goods and services you propose to market to them;
  • provide them with a way to communicate their consent to the proposed direct marketing; and
  • receive their consent to the proposed direct marketing.

Depending on your previous relationship with the candidate and the method of communicating with them, it can be easy or difficult to provide these details. The requirement poses a particular difficulty for cold calling, as the relevant details and consent are required to be obtained before any direct marketing takes place.

5. Data access requests from candidates

The Ordinance gives individuals the right to request access to or correction of any personal data that a data user holds about them. The grounds on which a data user can refuse to provide access are quite limited. The right to access personal data is particularly significant in the context of recruitment, because the records and correspondence kept by recruiters often need to record unvarnished opinions about a prospective recruit. For the individual to see these opinions may be merely embarrassing or may lead to legal action for defamation or discrimination. Accordingly, executive recruitment agencies need to be particularly careful about what personal data they keep about prospective recruits.