An organisation’s obligations in respect of managing personal information vary greatly from country to country. We consider the different obligations employers have around the region in relation to collecting, using and storing employee data.

IS THERE A DISTINCTION BETWEEN “GENERAL” PERSONAL INFORMATION (“PI”), AND SENSITIVE PI (“SPI”)?

IS CONSENT REQUIRED TO COLLECT PI?

CHINA

Is there a distinction between “general” PI and SPI?

PI is defined under the Cyber Security Law of China (“CSL”) as any information recorded electronically or otherwise that can, independently or combined with other information, identify an individual’s personal identity, including but not limited to an individual’s name, date of birth, ID number, biological information, address and telephone numbers.

SPI may be defined separately under certain non-mandatory industry standards.

There is a third category, “important data”, defined under draft guidelines issued by the Cyberspace Administration of China (“CAC”) as data closely related to national security, economic development and social and public interests.

Is consent required to collect PI?

Yes.

The individual whose information is to be collected and used must be informed of the purpose, method and scope of the collection and use of the personal information, the channels for inquiry and correction of that information, and the consequences of refusing to provide it. The individual’s consent to the collection and use of the personal information must be obtained.

According to the Guidelines, collection of general PI requires tacit consent (i.e. no explicit objection after being informed of the collection), while sensitive PI requires express consent.

HONG KONG

Is there a distinction between “general” PI and SPI?

PI is defined as any data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and which is in a form in which access to or processing of the data is practicable.

There is no distinction between PI and SPI under Hong Kong law, but when applying the rules, the courts will consider the nature (and sensitivity) of the data involved in deciding whether a data protection principle has been complied with. For example, the Privacy Commissioner has issued a Code of Practice on Identity Card Number and other Personal Identifiers to make clear its expectations around the collection and retention of HKID numbers and cards, due to the potential risk of identity theft if this information is misused.

Is consent required to collect PI?

Consent to collect PI is normally not required under Hong Kong law, but there are certain notification requirements which need to be complied with for the collection of personal data.

The Code of Practice on Human Resource Management recommends that, as a matter of good practice, an employer should comply with the notification requirements by means of a written Personal Information Collection Statement.

INDONESIA

Is there a distinction between “general” PI and SPI?

PI is not defined under Indonesian law, and there is also no distinction between PI and SPI, as Indonesian law is generally silent on such terms.

Is consent required to collect PI?

In the absence of such a law, there is no express requirement to obtain consent for PI, although it is generally advisable to obtain consent to avoid any claim related to privacy rights.

However, PI protection within electronic systems is specifically governed by the Minister of Communication and Information Technology Regulation No. 20 of 2016 (“MOCIT Reg 20/2016”). Written consent is required to gather PI within an electronic system.

JAPAN

Is there a distinction between “general” PI and SPI?

PI is defined as information about a living person that would allow identification of that person, e.g. name, date of birth, address, fingerprint, facial recognition data, passport number, driver’s licence number, My Number (similar to a social security number), mobile phone number, etc.

SPI is defined as race, creed, social status, medical record (e.g. disabilities, prescriptions, results of annual health checks, etc.), criminal history, and status as a victim of crime, i.e. anything that can lead to social discrimination against that person.

Is consent required to collect PI?

Yes, consent is required. The uses of the PI must be set out (e.g. that it will be used to process payroll).
SINGAPORE

Is there a distinction between “general” PI and SPI?

There is no distinction between “general” PI and “sensitive” PI in Singapore.

The Personal Data Protection Commission has, however, issued advisory guidelines on the collection and processing of National Registration Identification Card numbers.

Is consent required to collect PI?

Yes. Pursuant to the Personal Data Protection Act 2012 (“PDPA”), consent from the employee is required before his/her PI can be collected, used or disclosed (“Consent Requirement”). For the purposes of obtaining consent, the employee must be informed of the purpose of such collection, use or disclosure (“Notification Requirement”).

There are certain specific exceptions to the Consent Requirement and/or Notification Requirement (such as where the collection / use / disclosure is necessary for any investigation or proceedings and it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the PI). Further, the Consent and Notification Requirements need not be met if the threshold for deemed consent can be established.

SOUTH KOREA

Is there a distinction between “general” PI and SPI?

There are three types of data recognised by Korean law. These are:
  1. Personal information;
  2. Sensitive personal information; and
  3. Unique identification information.

PI is defined as information that relates to a living individual, by which the individual can be identified on its own or when easily combined with other information. Examples of personal information include name, address and photographs.

SPI is defined as personal information concerning an individual’s ideology; faith; labour union membership; political views or membership of a political party; health or medical treatment; sexual orientation; genetics; and criminal record.

Unique identification information is an individual’s resident registration number; passport number; driver’s licence number; and foreign registration number.

Is consent required to collect PI?

The conditions under which PI may be collected are:
  1. The person concerned has agreed to give such information; or
  2. A provision of law exists which requires the collection of such information in order to comply with that law; or
  3. It is needed by a public agency to carry out duties assigned to it by the relevant law; or
  4. It is necessary for one party to enter into or perform a legal contract with the individuals concerned; or
  5. Such information is urgently necessary to protect the life, body or interests of the individuals concerned or of a third party; or
  6. It is necessary for the justifiable interests of the handler of such information, and those interests outweigh the rights of the individuals concerned.

It is also necessary to advise the person that he/she has the right to refuse to give consent, and of the consequences of any such refusal.

SPI can be processed only if the processing is required or permitted by statute or the consent of the data subject is separately obtained.

Forms of unique identification information (except resident registration numbers) can be processed if the processing is required or permitted by statute or the consent of the data subject is separately obtained. However, resident registration numbers can only be processed if a statute or regulation specifically authorises or requires the processing. The data subject’s separate consent is not a sufficient basis for processing resident registration numbers.

THAILAND

Is there a distinction between “general” PI and SPI?

Currently, there is no specific statutory law governing data protection or privacy for the private sector in Thailand, and there is also no distinction between “general” PI and sensitive PI.

Is consent required to collect PI?

In Thailand, a general data protection framework is derived from the Constitution of the Kingdom of Thailand (“Constitution”), which recognises the right to privacy. The right to privacy set out in the Constitution is further protected through secondary legislation, including:

  1. the Thai Civil and Commercial Code, which protects personal data under the wrongful act principle;
  2. the Thai Criminal Code, which protects personal data under the principle of disclosure of confidential information; and
  3. statutory laws specific to certain industries, such as telecommunications, banking and financial businesses, which provide a certain level of protection against unauthorised collection, processing, disclosure and transfer of personal data.

Whilst there are no specific statutory laws governing data protection or privacy for the private sector, clear written consent from the PI owner should generally be obtained before collecting PI.