ASIA: DATA PRIVACY CONSIDERATIONS FOR EMPLOYERS

This update considers key data privacy issues for employers. The page was extracted from a five-column comparison table; it is set out below by question and by jurisdiction (Singapore, Hong Kong, Thailand, the PRC and Indonesia), in that order.

What rules protect the privacy of employee data?

Singapore
The Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data by organisations.
Under the PDPA, the term "personal data" refers to data, whether true or not, about an individual who can be identified either: (a) from that data, or (b) from that data and other information to which the organisation has, or is likely to have, access.
Breach of the PDPA may attract civil and/or criminal penalties.

Hong Kong
The Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) governs the collection, holding, processing and use of personal data by any person, based on six data protection principles.
Under the PDPO, the term "personal data" means any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.
The Office of the Privacy Commissioner for Personal Data may issue enforcement notices in relation to breaches under the PDPO. Non-compliance with the enforcement notices may attract fines and/or criminal penalties.

Thailand
The Personal Data Protection Act BE 2562 (PDPA) will be fully effective from 1 June 2022. The PDPA governs the collection, processing, use or disclosure of personal data by data controllers.
Under the PDPA, the term "personal data" refers to any information relating to a natural, living person which could identify such individual directly or indirectly.
Breach of the PDPA may attract civil liabilities, administrative fines and/or criminal penalties.

PRC
The Personal Information Protection Law (PIPL) governs the collection, storage, use, refining, transmission, disclosure or deletion of personal information.
Under the PIPL, the term "personal information" refers to any information recorded electronically or otherwise relating to a natural person which could identify such person, but excluding anonymised information.
The PIPL also defines sensitive personal information to include information relating to an individual's biometric recognition, religious belief and medical health data, amongst others. The collection, use and disclosure of sensitive personal information is subject to further regulations under the PIPL.
Breach of the PIPL may lead to civil, administrative, and/or criminal penalties.

Indonesia
Pending the issuance of the privacy bill by the Indonesian government, the protection of personal data is regulated by various regulations including (i) Law No. 11 of 2008 on Electronic Information and Transactions (as amended), (ii) Government Regulation No. 71 of 2019 on Management of Electronic Systems and Transactions, and (iii) Minister of Communication and Informatics Regulation No. 20 of 2016 on Protection of Personal Data in Electronic Systems (hereinafter the PDP Regulations).
The PDP Regulations apply generally to personal data and not specifically to employees.

What information must employers provide to employees before processing their personal data?

Singapore
Unless a consent exception applies, personal data must only be collected, used or disclosed with employee consent, and the employee must be notified of the purpose of the collection, use and disclosure of their personal data before such data is collected.
In the employment context, an employer may rely on a specific legitimate interests exception that allows the employer to collect, use or disclose personal data reasonably for the purpose of or in relation to the employer: (a) entering into an employment relationship with the individual; or (b) managing or terminating the employment relationship with the employee.
The purpose must be one that a reasonable person would consider appropriate in the circumstances.

Hong Kong
On or before collection of personal data from an employee, an employer should provide a Personal Information Collection Statement (PICS), which will usually be attached to the employee's employment contract. The PICS should detail information relating to (i) the purpose for which the personal data is to be used; (ii) the classes of persons to whom the personal data may be transferred; (iii) whether it is obligatory or voluntary for the employee to supply the personal data; (iv) the consequences arising if the employee fails to supply such data; and (v) that the employee has the right to request access to and correction of their personal data.
Additional requirements apply if the personal data of the employees is to be used in direct marketing.
The collection of personal data should be lawful, fair, necessary (i.e. directly related to a function or the activity of the data user) and not excessive for the purpose of collection.
Unless the employee has been notified of the purposes of use or disclosure of his/her personal data before data collection via the PICS, employers must not use or otherwise disclose an employee's personal data for any new purpose without the employee's consent, unless the disclosure is directly related to the purpose in the PICS, or required by law or statutory authorities (e.g. for tax assessment or criminal investigation purposes).

Thailand
Unless a consent exception applies, personal data must only be collected with an employee's consent. In the employment context, an employer may rely on a number of consent exceptions, including where it is necessary for the performance of a contract with the employee, to take steps at the request of the employee prior to entering into a contract, or where it is necessary for compliance with law.
In addition to the above, collection of personal data such as racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data and biometric data requires explicit consent, unless an exception applies. In the employment context, such exceptions include where it is necessary for compliance with law in relation to employment protection, social security, national health security or social health welfare.
The following information must also be provided to an employee before collecting their personal data: the purpose of collection, use and disclosure of their personal data; whether the employee must provide their personal data for compliance with law or contract, or whether it is necessary to provide the data for the purpose of entering into a contract, including the consequences for failing to provide such data; the personal data to be collected and the period for which the personal data will be retained; the classes of persons to whom the data may be disclosed; the contact details of the employer; and the employee's rights, including the right to withdraw consent, to request access to and obtain a copy of their data, to request disclosure of personal data obtained without their consent, to object to the collection, use, or disclosure of their data, to request that the employer erase, destroy or anonymise their data, to request the restriction in the use of the data and to file a complaint.

PRC
Unless a consent exception applies, personal information must only be collected with an employee's consent, and the employee should be notified of the purpose of collection, storage, use, refining, transmission, disclosure or deletion of their personal information before such data is collected.
In the employment context, an employer may rely on consent exceptions, including the contract necessity exception, i.e. the collection, storage, use, refining, transmission, disclosure or deletion of the employee's personal information is necessary for the conclusion or performance of an employment contract to which the employee is a contracting party. However, this consent exception does not cover all types of processing of employees' data, as the processing must be based on contract necessity.
Additionally, a number of data processing activities require separate consent to be obtained, namely: disclosure of personal information to other personal information processors; publicising personal information; using personal images and identification information collected from CCTV for purposes other than maintaining public safety; transferring personal information outside the PRC; or processing sensitive personal information.
The PIPL does not define separate consent.
However, at a minimum, the requirements for valid consent must be met and it is recommended that additional consent is obtained for the activities set out above by way of a

Indonesia
Under the PDP Regulations, electronic system providers (ESPs) are obliged to protect personal data when processing that data (i.e. during acquisition and collection, processing and analysis, correction and update, display, announcement, transfer, dissemination, or disclosure, and/or deletion or destruction of personal data).
ESPs include any person, state administrator, business entity, and community that provides, manages, and/or operates electronic systems individually or jointly to electronic system users for their own needs and/or the needs of other parties (including employers).
Personal data should be processed only with the employee's consent for one or several specific purposes that have been previously communicated to the employee.
Under the PDP Regulations, consent will be considered lawful if it is expressed explicitly and is not hidden or based on error, negligence, or coercion.
Employers must provide a detailed explanation of the purpose of collecting the employee's data and are required to receive the consent of the employee prior to processing the data.

What access do employees have to records kept about them by the employer?

Singapore
The PDPA sets out the rights of individuals to request access to, or correction of, their personal data that is in the possession of an organisation, and such rights apply to employees vis-à-vis their employer.
Upon request by an individual, an organisation must provide that individual with the following as soon as reasonably possible: personal data about the individual that is in the possession or control of the organisation; and information about the ways in which that personal data has been or may have been used or disclosed by the organisation within the past year.
There is no requirement for the request to be accompanied by a reason for the request.
There are certain exceptions to the requirement to provide access, including:
where the personal data is opinion data kept solely for an evaluative purpose;
where the personal data is subject to legal privilege; and
where the personal data would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation.
An individual may also request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. The organisation must make the correction as soon as practicable, unless it is satisfied on reasonable grounds that a correction should not be made.

Hong Kong
The PDPO sets out the rights of individuals to request access to, or correction of, their personal data that is in the possession of any data user, and such rights apply to employees vis-à-vis their employers.
Individuals are entitled to lodge a formal data access request to ask any data user whether or not it holds their personal data and, if so, to request a copy of any such data. If it is found that the data contained therein is inaccurate, individuals can request the data user to correct the record. The data user is then required to make the necessary correction of the data and supply the requestor with a copy of the data so corrected.
The data user must accede to the access and correction requests within a statutory period of 40 days. If the data user cannot comply with the requests, it must give written notice and reasons for refusal within 40 days.
A data user can refuse to comply with a data access request if: it is not supplied with sufficient information to identify the requestor; it cannot comply with the request without disclosing the personal data of a third party; or compliance with the request is for the time being prohibited under the PDPO or any other ordinance.
The data user is obliged to give written notice and reasons for refusal to the requestor within 40 days from receiving the data access request. It is also required to keep a log entry containing the particulars of the reasons for the refusal of the data access request for four years.

Thailand
The PDPA sets out the rights of data subjects to request access to, or correction of, their personal data that is in the possession of a data controller, and such rights apply to employees vis-à-vis their employer.
Upon request by a data subject, a data controller must provide that individual with their personal data that is in the control of the data controller without delay and within 30 days from receipt of the request.
There is no requirement for the request to be accompanied by a reason for the request.
There are certain exceptions to the requirement to provide access, including: where the rejection is permitted by law or pursuant to a court order; and where such access will adversely affect the rights and freedoms of others.
The data subject also has the right to, amongst others, request that the data controller erase, destroy or anonymise their data.

PRC
The PIPL protects employees' rights to their data, such as the right to access, correct or delete personal information, as well as the right to be notified of, or to object to, the processing of personal information.

Indonesia
Based on the PDP Regulations, data owners, including employees, have the right to gain access or opportunity:
to change or update their personal data;
to obtain historical personal data that has been submitted to the ESP, as long as it is still in accordance with the provisions of the laws and regulations; and
to request the destruction of the personal data in the electronic system managed by the ESP, unless otherwise stipulated by the provisions of laws and regulations.
To the extent that employers fall within the definition of ESPs, they are required, among other things, to: provide options to the personal data owner as to whether the personal data that it manages can be used and/or displayed by/to third parties upon approval, as long as it is still related to the purpose of obtaining and collecting the personal data; provide access or opportunity for the personal data owner to change or update their personal data; destroy personal data in accordance with the provisions of the applicable laws and regulations (including upon request by the data owner); and provide a contact person who is contactable by the personal data owners regarding the management of their personal data.