At a time when workplace privacy issues are receiving increased publicity, advanced countries including Australia, Canada and Britain are updating their data protection laws to cope with the rapid transformation of global business and the growing vulnerability of personal data to this transformation, namely, the growth of the Internet. Even the USA, which is reluctant to introduce comprehensive privacy legislation, has sector-specific measures, which protect workplace privacy against abuses of employee data.
"Surprisingly, Hong Kong isn't much behind these countries in this branch of the law," says Judith Wong, Legal Advisor of Allen & Overy (Hong Kong), an international law firm offering expert advice on employment matters and other areas.
The Code of Practice on Human Resource Management (the Code), which is based on the Personal Data (Privacy) Ordinance (PD(P)O), reiterates that Hong Kong employees have the right to be informed of the use of their personal data and to expect that the data is up-to-date, secure, and kept no longer than necessary, Ms Wong explains, while summing up the Government's current attitude towards workplace privacy as "balancing employees' personal rights against employers' business interests."
Contrary to common belief, the Code does not serve as a versatile guidebook that explains all the scenarios of employee data use in human resource management. Nor does it aim to simplify employers' obligations concerning privacy protection. Rather, it provides practical examples, and aims to elaborate on a range of foreseeable circumstances where complicated issues concerning the use of employee data might arise and where the laws - i.e. the requirements of the PD(P)O - should be abided by in relation to human resource practices.
"...This [the Code] is useful because in the past, while employers were aware of the restrictions in transferring employee data to third parties, they were not sure, for example, as to whether such information could be provided to, say, a prospective purchaser in a proposed acquisition, [for] it was uncertain as to whether such transfer would be regarded as for a purpose directly related to that for which the data was initially collected," says Ms. Wong. "Now, with the clarification provided by the Code, employers can be assured of their rights and limitations."
Ms Wong adds that the Code can help small companies in particular, as well as companies that hire no specialized human resource personnel, to ease their financial burdens in having to comply with the requirements. It can also help raise employees' awareness of the standard of employee data protection, as those who are not specifically trained in the field may lack the knowledge required to secure compliance with some lesser known requirements, she says, immediately citing an example: "Even making a verbal reference based on a personal record, whether it be printed or electronic, you would first need to obtain the prescribed consent of the data subject concerned!"
Some companies may opt to engage a Privacy Compliance Officer (or Data Protection Officer) to oversee their data protection matters on an ongoing basis, although the PD(P)O does not in any way make such a hiring mandatory for employers. The responsibilities of this type of officer can vary widely depending on the power and role conferred upon him/her in an organization. Some officers may simply be confined to processing data access and correction requests, while others may be charged with handling everything from the collection of employee data to the security of its transmission and storage, and policy implementation.
Nevertheless, any officer with the authority to handle employee data would need to comply with the Code, or else be liable to contravene its requirements, possibly leading to a breach of the PD(P)O as well. "It doesn't matter whether or not that person is specifically given the title of Privacy Compliance Officer," says Ms. Wong. "He or she would be personally liable for the breach [if any], together with the company, should there be an agency or employment relationship found between them."
Asked if the Code also applies to contexts other than that of employment, Ms. Wong replies that section 52 of the PD(P)O provides a general exemption for persons who hold personal data merely for domestic and recreational purposes. That is to say, where no employer-employee relationship exists, a person who gathers data solely for the purpose of administering his/her personal and family affairs is generally exempt from the requirements of the Code/PD(P)O. However, there is no such exemption applicable in the educational context, she says.
Typically, a person can file a complaint with the office of the Privacy Commissioner in case of a contravention of the Code. In some cases, where, say, a data user has disclosed personal data of a data subject imparted to him in confidence, the PD(P)O entitles the aggrieved person to seek compensation for damage, even for injury to feelings.
"Although non-compliance with the Code itself does not automatically amount to a breach of the PD(P)O, such non-compliance could be taken into account by the court or the Administrative Appeals Board as evidence in deciding whether the PD(P)O has been breached," says Ms Wong, adding, however, that the decision will always depend on the circumstances of the case.
For further details about the PD(P)O and new amendments, please refer to the Hong Kong Department of Justice website at www.justice.gov.hk.