Employee Data Privacy & Protection Law in Hong Kong

August 14, 2020

The Hong Kong legal framework concerning privacy, data protection, and cybersecurity is consolidated under one piece of legislation, the Personal Data (Privacy) Ordinance (PDPO). All organisations that collect, hold, process or use personal data must comply with the PDPO and, in particular, the six data protection principles (DPPs) in Schedule 1 of the PDPO, which are the foundation upon which the PDPO is based. The Office of the Privacy Commissioner for Personal Data (PCPD), an independent statutory body, was established to oversee the enforcement of the PDPO.

Employee monitoring 

The PCPD published the Privacy Guidelines: Monitoring and Personal Data Privacy at Work to aid employers in understanding steps they can take to assess the appropriateness of employee monitoring. The guidelines are applicable to monitoring by telecommunications equipment (e.g., telephones, computers, mobile phones), company email services, internet browsing, video recording and closed-circuit TV systems. 

Employers must ensure that they do not contravene the data protection principles of the PDPO while monitoring employees’ activities. In particular, employers must ensure the following points: 

  • monitoring is only carried out to the extent necessary to deal with their legitimate business purpose; 
  • personal data collected in the course of monitoring is kept to an absolute minimum and by means that are fair in the circumstances; and 
  • a written privacy policy on employee monitoring has been implemented and practicable steps have been taken to communicate that policy to employees. 

Company policies and practices  

Organisations that handle personal data are required to provide their privacy policy statements (PPS) to the public in an easily accessible manner. In addition, prior to collecting personal data from individuals, organisations must provide a personal information collection statement (PICS) that sets out, among other things, the purpose of collecting the personal data and the classes of transferees of the data. 

As mentioned above, the PCPD has published the Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement (see Section III.i, supra), which provides guidance for organisations when preparing their PPS and PICS. 

The Privacy Management Programme: Best Practice Guide (see Section II.i, supra) also provides guidance for organisations to develop their own privacy policies and practices. In particular, it is recommended that organisations should appoint a data protection officer to oversee the organisation’s compliance with the PDPO. In terms of company policies, apart from the PPS and PICS, the Best Practice Guide recommends that organisations develop key policies on the following areas:

  • accuracy and retention of personal data;
  • security of personal data; and
  • access to and correction of personal data. 

The Best Practice Guide also emphasised the importance of ongoing oversight and review of the organisation’s privacy policies and practices to ensure they remain effective and up to date. 

Discovery 

The use of personal data in connection with any legal proceedings in Hong Kong is exempted from the requirements of DPP3 (use of personal data), which requires organisations to obtain prescribed consent (see Section III.i, supra) from individuals before using their personal data for a new purpose. Accordingly, the parties in legal proceedings are not required to obtain consent from the individuals concerned before disclosing documents containing their personal data for discovery purposes during legal proceedings. 

Disclosure 

Regulatory bodies in Hong Kong such as the Hong Kong Police Force, the Independent Commission Against Corruption and the Securities and Futures Commission are obliged to comply with the requirements of the PDPO during their investigations. For example, regulatory bodies in Hong Kong are required to provide PICS to the individuals prior to collecting information or documents containing their personal data during investigations. 

Nevertheless, in certain circumstances, organisations and regulatory bodies are not required to comply with DPP3 to obtain prescribed consent from the individuals concerned. This includes cases where the personal data is to be used for the prevention or detection of crime and the apprehension, prosecution or detention of offenders, and where the compliance with DPP3 would likely prejudice the aforesaid purposes. 

Another exemption from DPP3 is where the personal data is required by or authorised under any enactment, rule of law or court order in Hong Kong. For example, the Securities and Futures Commission might issue a notice to an organisation under the Securities and Futures Ordinance requesting the organisation to produce certain documents that contain its customers’ personal data. In such a case, the disclosure of the personal data by the organisation would be exempted from DPP3 by reason that it is authorised under the Securities and Futures Ordinance. 

Cybersecurity  

Legislative enactments relating to cybersecurity in Hong Kong are dealt with by both the PDPO and the criminal law. The Computer Crimes Ordinance was enacted in 1993, and it has, through the amendment of the Telecommunications Ordinance, the Crimes Ordinance and the Theft Ordinance, expanded the scope of existing criminal offences to include computer-related criminal offences. These include unauthorised access to any computer, damage or misuse of property (computer program or data), making false entries in banks’ books of accounts by electronic means, obtaining access to a computer with intent to commit an offence or with dishonest intent, and unlawfully altering, adding or erasing the function or records of a computer.

Data breaches 

The PCPD published Guidance on Data Breach Handling and the Giving of Breach Notifications, which provides data users with practical steps for handling data breaches and mitigating the loss and damage caused to the individuals involved. In particular, after assessing the situation and the impact of the data breach, data users should consider whether the following persons should be notified as soon as practicable: 

  • the affected data subjects; 
  • the law enforcement agencies; 
  • the Privacy Commissioner (a data breach notification form is available from the PCPD’s website); 
  • any relevant regulators; or
  • other parties who may be able to take remedial actions to protect the personal data privacy and the interests of the data subjects affected (for example, internet companies such as Google and Yahoo might assist in removing the relevant cached link from their search engines).

Recent trends in Hong Kong clearly show a stricter privacy regulatory regime, with closer scrutiny and increased enforcement actions by the Privacy Commissioner. There is also growing public concern over privacy and data protection and a rising public expectation that organisations should adopt policies and procedures to protect their personal information. It is therefore crucial for organisations doing business in Hong Kong to ensure that they establish robust data privacy compliance programmes to meet the growing requirements and to conduct regular reviews and audits of their data privacy policies to keep pace with legislative and technological developments. 
