With the European Union's General Data Protection Regulation coming into force earlier this year, data protection is on everyone's mind. While the Hong Kong Personal Data (Privacy) Ordinance (PDPO) is far less onerous in terms of the obligations that it imposes upon organisations, there are certain areas where employers must take particular care when collecting data from employees or potential employees. In this bulletin, we look at some key data protection considerations for employers in Hong Kong under the PDPO.
1 Consent to collect data
Consent to collect personal data is normally not required under Hong Kong law, but there are certain notification requirements which need to be complied with for the collection of personal data. The Code of Practice on Human Resource Management (Code) recommends that employers comply with the notification requirements contained in the PDPO (and most organisations do so) by having a carefully drafted Personal Information Collection Statement (PICS). The PICS may, for example, be attached to, or printed as an integral part of, standard employment forms used to collect data, e.g. a job application form.
2 Background checks
In addition to complying with the notification requirements referred to above, the purpose of collection must be directly related to a function or activity of that organisation (such as assessing suitability for employment/ongoing employment) and the data collected should not be excessive. For example, in the recruitment process, collection should be limited to information related to an applicant's work experience, qualifications and other qualities required for the role for which they are applying.
Other more complicated issues can arise in relation to seeking disclosures of criminal convictions (as we have discussed in a previous bulletin) or where data relates to an attribute protected under Hong Kong anti-discrimination laws (such as sex, pregnancy, family status, race, disability etc.). Finally, the Privacy Commissioner has warned against employers and potential employers using open source data, such as that from social media, in making employment decisions, given the requirement that such data can only be used in line with the purpose for which it was made available in the first place.
3 Sensitive information
There is no designation of "sensitive information" under Hong Kong law, but when considering whether an organisation has complied with the PDPO, the nature (and sensitivity) of the data involved will be taken into account in deciding whether a data protection principle has been met. For example, the Privacy Commissioner has issued guidance which includes advocating more stringent practices in relation to the collection and retention of HKID numbers and cards, due to the risk of identity theft if this data is misused.
4 Overseas payroll or HR functions
Where payroll or HR functions are performed outside the country in which employees work, it is important to consider what is required to transfer employee personal data overseas. Although section 33 of the PDPO prohibits the transfer of personal data to a place outside Hong Kong (except in specified circumstances), this section has never been enacted. That said, the Privacy Commissioner encourages data users to comply with the principles set out in section 33 and has published specific guidance on cross-border data transfers with which data users are encouraged to comply.
The overseas transfer of employee personal data will be subject to the general provisions of the PDPO, including the principle that, without the express consent of the data subject, such data cannot be used for a purpose other than that for which it was collected or any directly related purpose.
5 Data access requests by employees
In Hong Kong, employees have a right to request access to the personal data held in relation to them by their employer, and to request the correction of their personal data if it is inaccurate. Information relating to rights of access and correction, including the contact details of the person to whom any such request may be made, should be included in the PICS.
An employer's obligation to comply with an access or correction request is subject to certain exceptions and exemptions, which range from where the request does not comply with form or language requirements, through to where compliance with an access request would be unlawful, for example under laws relating to banking secrecy or tipping off.
Enforcement mechanisms under the PDPO are relatively weak, particularly when compared to those under the GDPR. For instance, breach of a Data Protection Principle is not in itself an offence. Instead, the failure to comply with an enforcement notice issued by the Privacy Commissioner (following such a breach) is an offence. However, as an enforcement notice is usually made public, the potential reputational damage for organisations seen to be breaching their data protection obligations can be significant. It is therefore important that organisations are aware of and comply with these obligations.