All questions

Data protection

i Requirements for registration

The collection, processing, use, disclosure and transfer of personal data is governed by the Personal Data (Privacy) Ordinance (PDPO). It sets out six data protection principles (DPPs) drawn from the 1981 OECD Guidelines and the EU Directive at the time of its enactment in 1996, with some modifications. The employer as a data user will be required to comply with the DPPs and with the PDPO. Compliance with the PDPO is generally overseen by the Privacy Commissioner. Employers are not required to register with the Privacy Commissioner.

Personal data is defined in the PDPO as any data: (1) relating directly or indirectly to a living individual; (2) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (3) in a form of which the access to or the processing of the data is practicable. Data that would typically fall within this definition would include the employee's name, address, telephone number, and passport and identity numbers.

Before an employer may collect any personal data from an employee, it must first provide the employee with a PICS. The PICS would usually be attached to the employee's offer of employment. Its content should include explicit statements as to the purposes for which the data is to be used, the classes of persons to whom the data may be transferred and whether it is obligatory or voluntary for the individual to supply the data.

If it is later proposed that the data be used for a purpose not expressly included in the PICS, the employer must obtain separate consent from the employee for that use. An employee is entitled to request access to his or her data and to correct it if necessary.

The employer should only retain personal data for as long as is necessary to fulfil its purpose. It is also required to take 'all practicable steps' to ensure that personal data held is protected against unauthorised or accidental access, processing, erasure or other use.

ii Cross-border data transfers

Although the PDPO contains a provision for the regulation of transfers of personal data to a place outside Hong Kong, it has never been enacted. The DPPs, as described in subsection i, require that the employee be informed explicitly of the purpose for which the data is to be used, including a transfer out of the jurisdiction (i.e., in the PICS). If the purpose for this transfer does not fall within the original purposes stated in the PICS, then the consent of the employee must be obtained. In this circumstance, there is no requirement for a data protection agreement to be entered into.

iii Sensitive data

No distinction is drawn between different types of personal data.

iv Background checks

Background checks are permitted in Hong Kong and are commonly carried out against prospective employees. Criminal record checks made with the Hong Kong police are also permitted in limited situations, with the consent of the prospective employee. Hong Kong has legislation for the rehabilitation of offenders under which certain convicted offences will be treated as spent with the lapse of time, but they will remain on the record.