John is currently working in the customer service department of an SME (small or medium-sized enterprise) and his job responsibilities include answering questions from customers as well as handling complaints. He has Internet access on his office computer and an email account provided by his employer. Up to now, his employer has issued no specific policies on the use of his email account or on surfing the Web.
John was recently shocked to discover that his employer routinely monitors telephone conversations with customers and sometimes even records them. He suspects that his emails and the websites he visits while in the office are also being regularly checked.
Is it legal for an employer to do this? In many cases, the answer is yes, particularly if a member of staff is using the employer's computer and network to send emails and access the Internet. However, the employer also has clear obligations under the Personal Data (Privacy) Ordinance (PDPO) in relation to the collection and use of employees' personal data, including any data collected while monitoring staff. In addition, the Office of the Privacy Commissioner for Personal Data has recently issued comprehensive guidelines concerning monitoring and personal data privacy at work (the Guidelines).
These are intended to assist employers in taking steps to assess whether employee monitoring is necessary and, if so, to ensure that practices are compliant with Hong Kong's data protection legislation. The Guidelines apply only to employee monitoring activities by means of which personal data is collected in a recorded form.
Although the Guidelines are not binding, the PDPO is. For example, under the PDPO, employers (and others) have an obligation to be entirely open about the employee monitoring policies that they adopt. Therefore, the Office of the Privacy Commissioner strongly encourages all employers who monitor staff to make use of the Guidelines in order to strike a balance between employees' right to privacy and the employer's legitimate business needs.
Because John's job involves handling telephone calls from customers, his employer is keen to ensure that any questions are answered accurately, promptly and politely. The employer considers monitoring calls to be an effective way of verifying the necessary level of quality control. Under the Guidelines, this type of monitoring is likely to be acceptable, especially if it is random. However, it would not be appropriate for every call to be recorded unless the company was in an industry that required this.
|Q & A on the monitoring of employees in the workplace |
|Q1 ||What types of employee monitoring do the Guidelines apply to?|
|A1 ||The Guidelines apply to employee monitoring activities which collect employees' personal data in recorded form. This can apply to the monitoring of telephone calls, email traffic, Internet usage, and the use of video cameras. |
|Q2 ||What are the main principles of the Guidelines?|
|A2 ||The Guidelines use three As and three Cs to help both employers and employees understand their obligations and rights: |
Assessment - Employers must assess the risks that they seek to manage by monitoring staff and balance those against the benefits that may be derived from doing so.
Alternatives - If there is an alternative to employee monitoring that would achieve the same goals but be less intrusive, the employer should consider such an option.
Accountability - When monitoring staff results in the collection of personal data, the employer must implement data management practices that are compliant with privacy obligations.
Clarity - The development and implementation of monitoring policies must be clear. Employers must specify the purpose that monitoring serves, the circumstances in which it may take place, and the purpose for which any personal data that is collected through monitoring may be used.
Communication - Employers must communicate with employees to explain the reasons for and the nature of the employer's decision to monitor them. This must be done before the monitoring takes place.
Control - Employers have a duty to ensure the security of any personal data that they hold about their employees. They must therefore control the holding, processing and use of any records of monitoring.