The Personal Data (Privacy) Ordinance (PD(P)O) deals with the collection, use, security and retention of personal data. The Ordinance comprises six data protection principles, which are expressed in fairly vague and loose language. The Office of the Privacy Commissioner for Personal Data (PCO) does, from time to time, provide practical guidance for people to deal with specific issues in certain circumstances within the privacy regime. For example, the recently released draft Code by the PCO offers practical guidance on the treatment of such grey areas as continuous monitoring, monitoring of domestic workers and the practice of monitoring without collection of personal data.
As discussed last week, proportionality and transparency are the two main principles underlying the draft provisions of the Code. But "application is a matter of concern," says Tony Lam, Deputy Privacy Commissioner for Personal Data.
"Take continuous monitoring as an example. Such a practice can rarely be justified unless absolute security is needed. In most cases, carrying out spot checks should suffice to serve the purpose(s) concerned. A bank, for instance, that deals with its clients over the phone doesn't need to monitor every call made, or received by its employees, provided that its objective is to ensure service quality..."
Mr. Lam argues that employers should always ask whether the result(s) would justify the means by which to monitor their employees. "The draft Code is not meant to tell you the dos and don'ts, but rather to set out the conditions under which a decision can flexibly be made in response to a specific need," he said, adding that he would prefer a less intrusive monitoring technique to a more intrusive one.
Interestingly enough, despite the fact that the PD(P)O has provided the statutory basis for personal data privacy protection, the draft Code now also suggests good practices that cover situations in which no record of personal data is kept. An example of this would be a security camera that scans an area of commercial premises, while keeping no record on tape or disk simultaneously. "It shouldn't be ruled out that this kind of monitoring practice exists out there in the real world," Mr. Lam stresses.
He further points out: "Privacy is an important value in its own right."
"...We [the PCO] believe therefore that a responsible employer should always respect the dignity and privacy rights of the employee whether or not personal data collection is involved."
Another issue that has been raised in the draft Code for public consultation is the practice of monitoring of domestic workers. A number of provisions have been proposed to give coverage to the practice of monitoring involving domestic staff. For example, employers of domestic workers should indicate clearly in their employment contracts any monitoring equipment installed in their premises at the time of appointment, and ensure that no monitoring should take place in secluded areas such as the bedroom, toilet and bathroom.
According to Mr Lam, while there should be an expectation of respect for domestic workers' privacy behaviour, it is acknowledged that there are a number of justifiable grounds - e.g. child abuse - for some level of monitoring on the part of the household employer. "The same principles [proportionality and transparency], which apply to the business sector, are also relevant to the private domain," he said.
"The question is: how can there be a balance between the interests of one party and the privacy rights of the other? We believe the draft Code will provide some insight."
Finally, Mr. Lam advises that privacy legislation is an inevitable trend. Particularly in the business world where constant changes have become a fact of life, drawing attention to privacy management issues as soon as possible can give a company a competitive edge from the perspective of the customer, and the employee. For regulatory and business reasons, it may well be time to become acquainted with the requirements of the PD(P)O, as well as its latest provisions.
Views are currently invited on issues concerning exceptional circumstances to which monitoring practices may be subject. The submission deadline is 7th June, 2002. For more information on the PD(P)O and the consultation paper of the draft Code, see http://www.pco.org.hk.