We continue our review of the different obligations employers have around the region in relation to collecting, using and storing employee data by looking at some further common issues.

Country Is it necessary for employers to have a separate data privacy policy? Are there any restrictions on sending personal information (“PI”) overseas e.g. to payroll/HR in overseas headquarters?
China No. However, matters relating to data privacy are usually stated as part of the employment contract, staff handbook or other internal rules. Yes. The obligations which apply are complex and will vary depending on whether the organisation is a operator of critical information infrastructure (“CII“).
Hong Kong Yes. Employers mush take all practicable steps to ensure that their policies and practices in relation to PI are readily accessible and that a person can ascertain the kind of PI held by the data user (i.e. the employer) and the main purposes for which the PI is or is to be used. No. However, the overseas transfer of PI remains subject to the general data protection provisions regarding the collection and use of data, including the principle that PI cannot be used for any other purpose than that for which it was to be used at the time of collection and any directly related purpose, without the express consent of the data subject.
Indonesia Yes. An electronic system administrator must have a specific internal data privacy policy. No. However, sending PI overseas may be classified as sending to third party and may be considered as breach of data privacy without express prior consent from the relevant employee.
Japan No. However, it is common practice to include the standard uses of PI in Work Rules / employment contracts so employees know what uses they have already consented to. Yes, consent must be obtained to transfer PI overseas, and the o
Singapore Yes. Employers must develop and implement policies and practices that are necessary for them to meet their obligations under the PDPA and develop a process to receive and respond to complaints that may arise. Yes. In addition to the Consent and Notification requirements, employers cannot transfer any PI to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA, to ensure that organisations provide a standard of protection of PI comparable to the protection under the PDPA. The requirements are to:
  1. take appropriate steps to ensure that the employer complies with the PDPA in respect of the transferred PI while it remains in its possession or under its control; and
  2. taking appropriate steps to ascertain whether, and to ensure that, the recipient of the PI in that country or territory outside Singapore is bound by legally enforceable obligations to provide to the transferred PI a standard of protection that is at least comparable to the protection under the PDPA.
South Korea Yes. Employers must establish and implement an internal management plan for the secure processing of personal information. Yes. The requirements that apply for international data transfers (including those made among affiliate entities) vary depending on whether the data transfer constitutes a third party provision or the outsourcing of PI processing.
Thailand No. No. However, sending PI overseas without the employees’ consent could be in violation of employees’ right to privacy under the Constitution.