Compounded by the advent of information technology and the widespread use of the Internet, workplace privacy will continue to pose a challenge to employers for a considerable time to come. Yet, the introduction of the Code of Practice on Human Resource Management (the Code), which officially took effect on 1 April 2001, allows employers to face the challenge with improved clarity of in-house policies and enhance compliance with the requirements of the Personal Data (Privacy) Ordinance (PD(P)O).
The net results of these changes are "reduced turnover rates, more satisfied employees and customers and, hopefully, sustainable competitive advantage," says Albert Wong, Personnel Manager responsible for strategy and relations development at Cathay Pacific Airways Ltd., which is now enjoying its nascent success in implementing a strict policy on employee data protection. "Still, the real dilemma is how best to promote the free flow of information while protecting employees from managers who may cross the line into the realm of invasion of personal privacy."
Document for guidance
The Code addresses a variety of issues concerning the collection, use, disclosure, and custody of employee data at different stages of the employment process - which range broadly from recruitment exercises to performance appraisals, medical check-ups, and employee terminations.
The Code revolves around the six data protection principles that are currently adopted in the PD(P)O. These principles concern the purpose and manner of the collection of personal data, the accuracy and the duration of its retention, its use, the security of personal data, the availability of information, and access to it. Based on these principles, the Code stipulates a set of general requirements that aims to provide employers with practical guidance on handling employee data and protect the privacy rights of employees.
"However practical it might seem, the Code remains a document for guidance that must be constantly interpreted and reinterpreted by employers in accordance with their changing circumstances," says Mr Wong. "No doubt its generality brings about a certain degree of freedom in application, but the onus is still on the employer to put the Code to good use."
Cathay has taken a series of measures to comply with the data requirements as spelt out in the Code. One of these measures, according to Mr Wong, has been to lay down a set of written procedures for allowing employees, whether prospective or existing, to obtain their personal information when they need it, provided that such requests are made by employees on whom personal records are held. All of such procedures are also available in an electronic format, and thus can be retrieved for reference at any time through the company's Intranet.
"Cathay is serious about workplace privacy," says Mr Wong. "Our data protection officers are charged with processing and validating every data access request, and ensuring each is accepted only on condition that it is legitimate or reasonable. But the key question remains, what is a legitimate, or reasonable condition? For Cathay, as for other employers, I think the answer to this question would always be a constant balancing act to maintain data security, staff productivity, and, above all, compliance with privacy laws."
The role of human resources
To mitigate uncertainty about some of the Code requirements, which often adds layers of complexity to implementation, the human resources (HR) function is absolutely crucial. Successful implementation of data protection policy hinges on the ability of the HR manager to communicate to all his employees a consistent message about the correct attitude towards workplace privacy. That is to say, the role of the HR manager must be "to put an overriding interpretation on the Code in a manner compatible with the company's objectives, and communicate this interpretation consistently to all his employees," Mr Wong says.
"For instance, the Code suggests that employers should collect personal data only when it is necessary for them to do so. For the HR manager, the job is to provide an interpretation of this requirement and translate it into a policy for others to follow. In this way, the interpretation would serve as a basis for future applications of similar requirements. Of course, in order to achieve a high level of consistency, some form of training must also be provided to continuously educate employees on the preferred line of thought."
So vital is the HR function, says Mr Wong, that not only can it assist employees with learning the right perspective on the Code, but also, first and foremost, allow them to judge independently by considering what is genuinely necessary or reasonable for themselves in dealing with sensitive data.
"Since ultimately the protection of workplace privacy must rest upon employees' shoulders through self-discipline, the HR function must attempt to motivate them to think along the lines of respecting privacy rights in the workplace," he stresses.
In the Information Age, the bricks-and-mortar assets have increasingly given way to the human factor -- i.e. knowledge, inventiveness, loyalty, etc. -- as the key driver for profit. Employers are actively developing strategies of investments in intangibles to attract and motivate talented people. "It would be hard to imagine any employee's goodwill in an environment where the fear of invasion of workplace privacy is a major issue," Mr Wong says. "Clearly, workplace privacy has now become one of the important intangibles that must be addressed in order to achieve a sustainable return on investment."