Data protection has become a high-profile topic due to cases of mishandling and abuse of personal data. In response, employee data privacy laws around the globe are becoming more stringent. With increasing globalization and employee mobility, as well as the relative ease with which data can be transferred between legal entities and across borders, complying with all requirements relating to personal data has become a complicated exercise.
For example, in Hong Kong, a data access request is a statutory mechanism where an employee can obtain access to personal data held about the employee by his/her employer. Employees have been making these requests in order to obtain information about themselves in support of claims that they are bringing against their employers.
In the United States, the federal government has not passed any legislation aimed at broadly protecting the privacy and security of personal data. Instead, the federal government specifically regulates information that is obtained by particular entities (e.g., an employee’s health and fitness, social security number, address, credit reports, employer performance reviews). Each US state also has its own framework and laws regulating personal data collection, storage and destruction by employers, and the kind of request for personnel files that is new in Hong Kong is standard fare in the US.
In the United Kingdom, the collection and use of personal data are governed by the Data Protection Act of 1998 (the “DPA”), which requires anyone who handles personal information to comply with certain data protection principles. The DPA also gives individuals rights over their personal data. Employers will also need to refer to the Information Commissioner’s Employment Practices Code (the “Code”), which covers recruitment and selection procedures, management of employment records (including medical information), monitoring of employees and the transfer of employment records in the context of a business sale.