Personal Data (Privacy) Ordinance
CODE OF PRACTICE ON HUMAN RESOURCE MANAGEMENT
April 2016 (First Revision)


Table of Contents

Introduction
Interpretation
Using this Code

1 General Requirements

1.1 Introduction
1.2 Notification Requirements on Collection of Personal Data
    Statements to be Made on or before Collecting Employment-related Personal Data
    Purpose Statement: Purpose for which Personal Data are to be Used
    Transferee Statement: Classes of Transferees
    Optional or Obligatory Provision of Data
    Data Access and Correction Rights
    Employment-related Personal Data Collected before the Ordinance came into Effect
1.3 Accuracy and Retention of Employment-related Personal Data
    Accuracy of Employment-related Data
    Retention of Employment-related Data
1.4 Security Measures to Protect Employment-related Data
    Measures to Ensure Integrity, Prudence and Competence of Employees
    Security through Controlled Access to Employment-related Personal Data
    Precautions and Other Matters Regarding Internet Usage
1.5 Complying with Data Access and Correction Requests
    Data Access Requests of Employment-related Data
    Data Correction Requests of Employment-related Data
1.6 Employer’s Liability for Wrongful Acts or Practices by Employees or Agents
1.7 Other Matters
    Statutory Requirements in Relation to Employment-related Data
    Information about Policies and Practices to be made Available
    Matters Concerning the Hong Kong Identity Card Number in Employee Records

2 Recruitment

2.1 Introduction
    Practical Guidance on Recruitment-related Practices
2.2 Collection of Personal Data from Job Applicants
2.3 Advertising of Job Vacancies
2.4 Employment Agencies / Executive Search Company
2.5 Internal Records about Job Applicants
2.6 Receiving and Processing Applications for Employment
2.7 Seeking Information for Selection Assessment
2.8 Seeking Personal References of Job Applicants
2.9 Acceptance by Candidates
2.10 Unsuccessful Candidates
2.11 Data Access and Correction Requests by Job Applicants


3 Current Employment

3.1 Introduction
    Practical Guidance on Employment-related Practices
3.2 Personal Data in relation to the Terms and Conditions of Employment
    Compensation and Benefits
    Integrity Checking / Declaration of Conflict of Interest
    Medical Checking and Health Data
3.3 Disciplinary Proceedings
3.4 Performance Appraisal
3.5 Staff Planning
3.6 Promotion Planning
3.7 Providing Job References for Employees
3.8 Data Access and Correction Requests by Employees
    Relevant Process Exemption
    Transitional Provision Exemption
3.9 Accuracy and Retention of Employment-related Data
3.10 Use of Employment-related Data of Existing Employees
3.11 Disclosure or Transfer of Employment-related Data
    Transfer to Outside Professional Services
    Outsourcing of Human Resource Data Processing
    Sub-contracting out Employees’ Service to Other Organisations
    Transfer to a Place outside Hong Kong
    Transfer to Other Offices within the Organisation
    Mergers, Acquisitions, and Associated Due Diligence Exercises
3.12 Matters Concerning the Engagement of Subcontract Staff

4 Former Employees’ Matters

4.1 Introduction
    Practical Guidance on Former Employees’ Matters
4.2 Continued Retention of Personal Data of Former Employees
4.3 Accuracy of Former Employees’ Personal Data
4.4 Security of Former Employees’ Personal Data
4.5 Providing Job References for Former Employees
4.6 Public Announcements about Former Employees
4.7 Erasure of Former Employees’ Personal Data
4.8 Retirement
4.9 Death of an Employee

Appendix I - Ordinance Definition, Principles and Key Sections


Introduction

THIS CODE OF PRACTICE (“the Code”) has been issued by the Privacy Commissioner for Personal Data, Hong Kong (“the Commissioner”) in the exercise of the powers conferred on him by Part 3 of the Personal Data (Privacy) Ordinance (Cap. 486, “the Ordinance”). Section 12(1) of the Ordinance empowers the Commissioner to issue codes of practice “for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users.”

This Code was first notified by Gazette of the Hong Kong SAR Government on 22 September 2000. The related Gazette Notice, as required by section 12(2) of the Ordinance, specified that the Code took effect on 1 April 2001 and was approved in relation to the following requirements of the Ordinance: Sections 18, 19, 20, 22, 23, 24, 25, 26 and the six Data Protection Principles in Schedule 1.

This Code was revised and notified by Gazette in April 2016. The revision was necessitated by the amendments of the Ordinance and to update the provisions of the Code that were spent of effect.

The primary purpose of this Code is to provide practical guidance to employers and their staff on how to properly handle personal data that relate to each phase of the employment process. Failure to abide by the mandatory provisions of this Code will weigh unfavourably against the data user concerned in any case that comes before the Commissioner. Where any data user fails to observe any of the mandatory provisions of this Code, a court, a magistrate, the Administrative Appeals Board or the chairman of the Administrative Appeals Board is entitled to take that fact into account when deciding whether there has been a contravention of the Ordinance.

This Code is designed to give practical guidance to data users who handle personal data in performing human resource management functions and activities. It deals with issues concerning collection, holding, accuracy, use and security, and data subject access and correction in relation to the personal data of prospective, current and former employees.

The provisions of the Code apply to data users who are employers of individuals relating to their prospective, current or former employment with the employers concerned.

Interpretation

Unless the context otherwise requires, the terms used in the Code have the following meanings:

“DPP” means a data protection principle in Schedule 1 to the Ordinance.

“Employer” means any person who has entered into a contract of employment to employ any other person as an employee and the duly authorised agent of such first mentioned person.

“Employment” is deemed to include the engagement of an individual whose service is procured through a contract with a third party which employs such individual, and the terms “employ”, “employer” and “employee” are to be construed accordingly.

“Ordinance” means the Personal Data (Privacy) Ordinance.

“Personal Information Collection Statement” (“PICS”) means a statement made to an individual in respect of whom personal data is collected by the person providing the statement in compliance with the requirements of DPP 1(3).

“Permitted purpose” in relation to personal data means a lawful purpose directly related to an employer’s functions or activities for which the data was to be used at the time of their collection; a directly-related purpose for which the data was or is used; the fulfilment of a relevant statutory requirement; or a purpose for which the data was or is used where the data subject has given express consent to that use.

“Practicable” means reasonably practicable.

“Prescribed consent” is the express consent of the person[1] given voluntarily, which has not been withdrawn by notice in writing.

Using this Code

It is recommended that readers begin by carefully reading the Code as a whole to understand all elements of its use as it applies to the personal data of job applicants, employees and former employees. Subsequently, when a specific question needs to be answered in relation to a matter covered by the Code, the reader should first refer to Section 1, which contains general requirements for handling employment-related personal data, and then the particular subsequent section dealing with the specific area of interest. If this approach is used, the reader should acquire a better understanding of the matter.

In this document, the contents of the Code are arranged to indicate which parts of the text are mandatory, and which are illustrative or explanatory, as follows:

The mandatory provisions of the Code are printed in normal typeface.

The sections in green boxes give general explanatory notes, examples and specify good practices. These sections amplify the Code to assist the reader in complying with the mandatory provisions of the Code.

The footnotes provide specific references to the provisions of the Ordinance or other sources that provide the statutory basis, e.g. other codes of practice, for the particular requirements of the Code.

[1] Under DPP 3(2), a relevant person may give prescribed consent on behalf of a data subject when certain conditions are fulfilled.

[2] DPP 1(3)

1 General Requirements

1.1 Introduction

Section 1 reviews a range of topics relating to the general practices and policies that an employer should give consideration to when collecting, processing and handling employment-related personal data. Other matters relating to specific aspects of human resource management, such as recruitment, current and former employees’ matters, are dealt with in subsequent sections.

More specifically, this section details the following:

1.1.1 Notification requirements on collection of personal data - PICS.
1.1.2 Issues pertaining to the accuracy and retention of employment-related personal data.
1.1.3 Security measures for protection of employment-related personal data.
1.1.4 Data access and correction requests concerning recruitment-related or employment-related personal data.
1.1.5 Employer’s liability pertaining to the wrongful conduct of its staff or an appointed agent in handling personal data.

1.2 Notification Requirements on Collection of Personal Data

Statements to be Made on or before Collecting Employment-related Personal Data

1.2.1 When an employer collects personal data from a job applicant or employee, the employer should take all practicable steps to explicitly inform the individual, on or before collecting the data, of the following information:[2]

1.2.1.1 the purpose for which the data is to be used;
1.2.1.2 the classes of persons to whom the data may be transferred; and
1.2.1.3 whether it is obligatory or voluntary for the individual to supply the data, unless this is obvious from the circumstances.

On or before using the data, an employer should explicitly provide the following information to the individual concerned:

1.2.1.4 the rights of the individual to request access to, and correction of, his personal data and the name or job title, and address, of the person to whom such requests should be made.

As a matter of good practice, an employer should comply with the above notification requirements by means of a written PICS. This statement may, for example, be attached to, or be printed as an integral part of, standard employment forms used to collect data, e.g. a job application form.

The following list provides examples of occasions when it would be appropriate to make such statements.

[3] DPP 1(3)(b)(i)(A)
[4] DPP 1(3)(b)(i)(B)

In recruitment advertisements where an employer requests that résumés, or other personal data, be submitted by job applicants.

On an Internet page where an employer invites job applicants to complete a form and submit online.

On an employer’s printed job application form or any other data collection forms specified by the employer that require the provision of personal data.

Purpose Statement: Purpose for which Personal Data is to be Used

1.2.2 An employer may state the purposes for which employment-related personal data is to be used in general or specific terms.[3]

Many of the purposes for which personal data is to be collected are common to most employers. Examples of common purposes for which personal data is collected from employees include information required: to pay employees and to make compensation, benefits and awards, to contact employees when absent from the office, to make tax returns, to assess employees’ training and development needs, to plan promotion and to administer a retirement or provident fund scheme to which employees contribute and from which they may benefit.

The accompanying examples may be used as a starting point from which employers may prepare more specific statements of purposes, adapted to their own needs, to be included in their PICS.

Purpose of Collection – Job Applicants

To assess the suitability of candidates for a vacancy within the organisation, and to negotiate with and make offers of employment to selected applicants.

Purpose of Collection – Employees

For the supervision, management and payment of employees, to develop and maintain the employment relationship between the employer and the individual, and to support the organisation’s development.

For any residual employment-related activities of an employer in respect of an employee, including the provision of job references, processing of applications for re-employment and any matter relating to pension or retirement scheme payments.

Transferee Statement: Classes of Transferees

1.2.3 An employer should explicitly inform job applicants or employees of the classes of third parties to which any of their personal data may be transferred. An employer must do this on or before collecting the data.[4]

Examples of common classes of transferees include the employer’s insurers, bankers, medical practitioners providing medical services for employees, staff unions and provident fund managers. Before collecting the relevant personal data it is necessary for an employer to inform staff of such possible transfers. Government departments to which an employer is required by law to transfer relevant personal data, for example the Inland Revenue Department, need not be included in a statement of such third parties.

It should be noted that an employer should state that any transfer of employment-related personal data to one of the named classes of possible transferees will be for one or other of the purposes stated in the Purpose Statement, or a directly related purpose. Because the transfer notification requirements only apply to transfers to third parties outside the employing organisation, there is no requirement for employers to name other internal departments or employees of the employer to whom personal data may be transferred for the purposes of employment.

Classes of Transferee

The data that you have supplied for the purpose of employment may be passed to the employer’s insurers, bankers, medical practitioners providing medical services to employees, any relevant staff union and provident fund managers.

Optional or Obligatory Provision of Data

1.2.4 Unless it is obvious from the circumstances, an employer should explicitly inform job applicants or employees whether it is obligatory or voluntary to supply personal data.[5] The consequences of not providing such data should also be stated explicitly unless this is obvious from the circumstances.[6]

An employer need not provide a notice of whether it is compulsory to provide personal data if it is obvious from the circumstances that all the employment-related personal data sought in a form used by an employer must be provided and that if any item is not provided the matter concerned will not be processed further.

For example, on a staff leave application form, it is not necessary for an employer to state that it is compulsory to provide personal data such as the days of intended absence in order for the application to be processed and approved.

Omission of Personal Data

The provision of full and complete information in support of a job application is necessary for selection purposes. Failure to provide any of the data may affect the processing and outcome of the application.

[5] DPP 1(3)(a)(i)
[6] DPP 1(3)(a)(ii)

Data Access and Correction Rights

1.2.5 An employer, on or before the first use of the employment-related data, should explicitly provide information of an individual’s rights of access to, and correction of, his personal data and the contact details of the person to whom any such request may be made.[7]

The Ordinance confers upon an individual whose personal data is held by an employer a right to request a copy of such data. Subsequently, the individual concerned is entitled to request correction of any inaccurate data provided in compliance with such a request.

An employer should also include the name or job title and address of a person to whom the request may be made.

Data Access & Correction Rights

You have a right under the Ordinance to make a data access or correction request concerning your personal data. You may make such requests by applying to the Privacy Compliance Officer in the Human Resources Department.

Employment-related Personal Data Collected before the Ordinance Came into Effect

1.2.6 An employer may continue to use employment-related personal data collected before 20 December 1996[8] as long as the purposes for which the data is used come within the reasonable scope of the purposes for which the data was originally collected. Any use of such data outside the original scope of collection will require the prescribed consent of the individual concerned.[9]

Employment-related data collected prior to 20 December 1996 may be used for the implicit purpose for which it was collected, which may be inferred from the nature of the transaction involved, e.g. recruitment or administering the employment of the individual who provided the data. As a matter of good practice, an employer should consider providing an employee with its PICS at the first opportunity where new data is collected from the employee.

1.3 Accuracy and Retention of Employment-related Personal Data

Accuracy of Employment-related Data

1.3.1 An employer should take all practicable steps to ensure that the employment-related data it holds about employees is:

1.3.1.1 accurate having regard to the purpose for which the data is used;[10] or
1.3.1.2 not used for the purpose where there are reasonable grounds for believing that the data is inaccurate when used for that purpose, unless and until such inaccuracies are rectified.[11]

[7] DPP 1(3)(b)(ii)(A) and DPP 1(3)(b)(ii)(B)
[8] The date the relevant provisions of the Ordinance first came into effect.
[9] DPP 3
[10] DPP 2(1)(a)
[11] DPP 2(1)(b)

1.3.2 An employer who discloses or transfers employment-related data to a third party on or after 20 December 1996 should take all practicable steps to ensure that:

1.3.2.1 the data thereby disclosed or transferred is accurate having regard to the purpose for which the data is disclosed or transferred; and

1.3.2.2 where it is practicable in all circumstances to know that the data was inaccurate at the time of such disclosure or transfer, the recipient is informed of the inaccuracy and is provided with such particulars as will enable the recipient to rectify the data.[12]

Retention of Employment-related Data

1.3.3 An employer should implement a written data retention policy that specifies a retention period of:

1.3.3.1 no longer than two years in respect of recruitment-related data held about a job applicant from the date of rejecting the applicant;

1.3.3.2 no longer than seven years in respect of employment-related data held about an employee from the date the employee leaves employment;

unless

1.3.3.3 the individual concerned has given express consent for the data to be retained for a longer period; or

1.3.3.4 there is a subsisting reason that obliges the employer to retain the data for a longer period.

The provisions of the four anti-discrimination ordinances - the Disability Discrimination Ordinance, the Family Discrimination Ordinance, the Sex Discrimination Ordinance and the Race Discrimination Ordinance - permit an individual to make a claim to the District Court against another person for an act of discrimination against him before the end of the period of two years beginning (a) when the act complained of was done; or (b) if there is a relevant report in relation to the act, the day on which the report is published or made available for inspection.

Further guidance in respect of the above requirements is given in Section 2 on Recruitment and in Section 4 on Former Employees’ Matters.

1.4 Security Measures to Protect Employment-related Data

Measures to Ensure Integrity, Prudence and Competence of Employees

1.4.1 An employer should take reasonably practicable measures to ensure that staff handling employment-related personal data are trained to observe the employer’s personal data privacy policies, exercise due diligence in the application of those policies, and are subject to procedures designed to ensure their compliance with those policies.[13]

Employees play the principal role in implementing an employer’s policies on the security of personal data. Security practices are therefore a vital part of any human resources policy with regard to privacy of personal data.

[12] DPP 2(1)(c)
[13] DPP 4(1)(d)

In evaluating internal procedures pertaining to the security of employment-related personal data, employers should determine the extent to which their policies satisfy the following criteria:

Policy relating to the security of employment-related personal data is systematically and regularly communicated to staff authorised to access and process that data.

The employer commits to, and provides, on-going training to staff on matters relating to personal data protection.

New recruits to the organisation are provided with training on personal data protection as part of their induction into the organisation.

Employer’s policy manuals, training materials, and employee handbook are periodically reviewed to ensure that they are consistent with the requirements under the Ordinance and any codes of practice in force.

In-house policy is to restrict access to, and processing of, personal data on a “need-to-know” and “need-to-use” basis.

As a matter of protocol, staff involved in accessing and processing employment-related personal data are required to sign a secrecy or confidentiality statement that clearly specifies operational expectations in these respects.

Appropriate investigative procedures are engaged should such protocols be breached, and action taken against staff found to have violated the terms and conditions of the confidentiality statement.

Random checks are made to ensure that there is compliance with established procedures.

Security through Controlled Access to Employment-related Personal Data

1.4.2 If an employer makes any employment-related data available internally, it should take appropriate measures to protect the data against unauthorised or accidental access, processing, erasure, loss or use of that data.[14]

As a matter of good practice, employers should ensure that access to personal data held on an automated system is regulated by security features. For example, such features may include the use of account names and passwords; dedicated terminals; an audit trail or installed warning feature that can detect unsuccessful attempts to access data; and automatic log-off after a timed period of inactivity. Further precautions may include prohibiting unauthorised copies of employment-related personal data from being established on distributed computers, such as standalone PCs, that are not subject to the controls applied to authorised copies.

1.4.3 If an employer engages a third party to perform any of its human resource management functions, it must adopt contractual or other means to ensure that the third party applies appropriate security protection to the employment-related data.[15]

It should be noted that the Ordinance imposes legal liability on an employer in relation to any wrongful acts or practices done by a third party where the third party is engaged as an agent acting on behalf of the employer.[16] For example, an employer without suitable storage or disposal facilities may arrange for large volumes of employment-related personal data to be stored or destroyed by a reputable storage or waste disposal company. The employer should include in its agreement with such a company appropriate precautions controlling the handling of the materials including, in particular, conditions that ensure security and confidentiality.

[14] DPP 4(1)
[15] DPP 4(2)
[16] Section 65(2)

1.4.4 An employer should ensure that the physical destruction of documents containing employment-related data held on paper or other non-erasable media is undertaken with appropriate security precautions, to avoid their inadvertent disclosure to, or access by, unauthorised parties prior to destruction.

As a matter of good practice, an employer should note that the destruction of personal data that is no longer required will generally necessitate special arrangements to be put in place within the organisation for the collection and consolidation of such data prior to its disposal. For example, waste for secure disposal may be collected in special containers in a controlled area accessible only to staff authorised to handle personal data of the type being disposed of.

Precautions and Other Matters Regarding Internet Usage

1.4.5 An employer should take all practicable steps to implement appropriate data protection measures to ensure the secure transmission of employment-related data on a public network such as the Internet.[17]

Data travelling on the Internet is vulnerable to unauthorised interception or access. Depending on the sensitivity of the data to be transmitted, appropriate security protection software should be installed to enhance the integrity of data. For example, software encryption or a digital signature used in email transmission would be an acceptable form of protection to safeguard data integrity and authentication. In addition, security protection measures should also be implemented on computers that are used for sending or receiving email containing personal data. Staff should be reminded to ensure all copies of email are held securely to prevent accidental or unauthorised access.

1.4.6 If an employer provides Internet access facilities, including email, for the use of its employees, it should inform the employees of its written policy on the use of the system.

As a matter of good practice, the policy referred to above should include matters such as:

Whether the use of the email system by employees for sending and receiving personal email is permitted and any special arrangements that employees should adopt for segregating personal email from work-related email.

Whether the employer reserves the right to access and read email sent and received by employees using the email system.

Specific rules that apply to the distribution of incoming or outgoing email and the erasure of unnecessary email that contains personal data or has an attachment that includes such data.

1.5 Complying with Data Access and Correction Requests

Data Access Requests of Employment-related Data

1.5.1 An individual whose personal data is held by his employer is entitled to request to be given a copy of such data.[18] Unless exempted from doing so under the Ordinance, the employer is required to provide a copy of the requested data within 40 days after receiving a data access request.[19] In the event of an employer being unable to provide the copy within the 40-day limit, the employer must communicate that fact in writing to the person making the request before the expiry of that period and must provide the copy as soon as practicable thereafter.[20]

[17] DPP 4(1)(e)
[18] Section 18
[19] Section 19(1)

1.5.2 An employer responding to a data access request from a job applicant, current or former employee must not disclose to the individual seeking access any data identifying any other individual unless that other individual consents.[21]

1.5.3 Where one document contains the personal data of two or more individuals, an employer may not refuse to comply with a data access request from one or more individuals where it is possible not to disclose the identities of the others by the omission of names or other identifying particulars.[22]

For example, an employee who is the subject of a disciplinary proceeding has a right to request a copy of the disciplinary records, such as a disciplinary board’s minutes of a meeting that is conducted for the purpose of the disciplinary investigation. The employer cannot rely on the fact that the document contains personal data of a third party, other than the employee, to refuse to provide a copy of the minutes. In this circumstance, the employer should edit out the information relating to the third party before providing a copy to the employee if no consent is given by the third party concerned to its disclosure. Similarly, it is not a valid reason for the employer to refuse access to a promotion board report merely because the document contains a comparison of two or more employees where it is possible to conceal the identities of the others by the omission of names or other identifying particulars.

As a matter of good practice, employers should implement measures to ensure that they can comply with a data access request made by a job applicant, current or former employee. Those measures should seek to satisfy the following criteria:

The employer has established tracking procedures to monitor the progress of compliance with data access requests.

In complying with a data access request the employer should:

not withhold any personal data of the requestor unless a lawful exemption applies to the circumstances of the case;
reply to the data access request in writing within 40 days of receipt of the request;
clearly specify what fees, if any, will be charged for providing the requestor with a copy of his/her record of personal data;
provide the relevant data in a form that is intelligible to the data subject;
erase from the copy any reference to personal data of a third party individual unless that third party has consented to its disclosure;
erase from the copy all names or other identifying particulars that explicitly identify a third party individual as the source of the personal data relating to the requestor.

Where the employer is unable to comply with the data access request within 40 days he should, before that time has elapsed:

comply with the data access request in part, so far as it is practicable to do so;
inform the requestor in writing, explaining why he is unable to comply fully with the request;
fully comply with the request as soon as practicable thereafter.

[20] Section 19(2)
[21] Section 20(1)(b) and 20(2)(a)
[22] Section 20(1)(b) and 20(2)

Data Correction Requests of Employment-related Data

1.5.4 An employee who has been provided with a copy of personal data held by his employer in compliance with a data access request is entitled to request the employer to make the necessary correction in respect of any data that the employee considers to be inaccurate.[23] If satisfied that the data is indeed inaccurate, the employer is required to make the necessary correction and provide the employee with a copy of the corrected data within 40 days of receiving the request.[24]

1.5.5 An employer who, pursuant to a permitted circumstance under the Ordinance, refuses to make the necessary correction in relation to a data correction request, should inform the requestor in writing of the refusal and the reasons for such refusal.[25]

For example, if the correction requested relates to data, whether a fact or an expression of opinion, and the employer is not satisfied that the data is inaccurate, it may refuse to make the correction. An “expression of opinion” includes an assertion of fact that is unverifiable or, in all circumstances of the case, is not practicable to verify. However, the employer should inform the requestor in writing of the refusal and the reasons for such refusal. In the case of the data being an expression of opinion, the written refusal should be accompanied by a copy of a note containing matters referred to in the correction request. This note should be annexed to the file of the individual concerned so that anyone having access to it may have the contents of the note brought to their attention.

1.6 Employer’s Liability for Wrongful Acts or Practices by its Employees or Agents

1.6.1 An employer is liable in civil proceedings for any act or practice relating to personal data that is undertaken by its employees in the course of their employment that is contrary to the provisions of the Ordinance, even if the employees undertook the act or engaged in the practice without the employer’s knowledge or approval.[26]

1.6.2 An employer is liable in civil proceedings for any wrongful acts or practices done by a third party where the third party is engaged as an agent acting with authority (whether express or implied, and whether precedent or subsequent) on behalf of the employer.[27]

1.6.3 The employer may avoid liability only if the employer is able to prove that it took such steps as were reasonably practicable to prevent the wrongful acts undertaken or practices engaged in by its employee who acted on its behalf.[28]

For example, if an employee disclosed employment-related personal data to a third party contrary to DPP 3, the employer may be able to avoid liability for the wrongful disclosure if it can prove that the employee had ignored a departmental policy that prohibited disclosure to a third party.

[23] Section 22(1)
[24] Section 23(1)
[25] Sections 24(3) and 25(1)(a)
[26] Section 65(1)
[27] Section 65(2)
[28] Section 65(3)

1.7 Other Matters

Statutory Requirements in Relation to Employment-related Data

1.7.1 Where ordinances other than the Ordinance impose upon an employer obligations to keep certain employment-related information, and to disclose such information to the relevant authorities when required, the employer should comply with the obligation as stated.

For example, under the Immigration Ordinance an employer is required to keep a record of the type of identification document held by an employee by virtue of which the employee is lawfully employable, and the number of that identification document. The employer is also required to disclose such information when requested by a labour inspector.

Information about Policies and Practices to be Made Available

1.7.2 An employer should take all practicable steps to ensure that the public at large and its employees can be provided with a copy of its policies and practices in relation to personal data.[29]

As a matter of good practice, an employer should comply with the above requirement by means of a written Privacy Policy Statement (“PPS”) that details its personal data management policies and practices. The PPS should include a list of the kinds of personal data held by the employer as well as the main purposes for which such data is used. The employer should also consider including other data protection policies and practices such as its data retention policy and security protection policy.

Matters Concerning the Hong Kong Identity Card Number in Employee Records

1.7.3 The Code of Practice on the Identity Card Number and Other Personal Identifiers (“the PI Code”) makes provisions whereby an employer may:

1.7.3.1 collect the Hong Kong Identity Card number of a job applicant when certain criteria are met;[30]

1.7.3.2 collect a copy of the Hong Kong Identity Card of a selected candidate at the time the candidate accepts an offer of employment;

1.7.3.3 collect the Hong Kong Identity Card number and copy of the Hong Kong Identity Card of an employee;[31] or

1.7.3.4 use Hong Kong Identity Card numbers in a computer or manual system to link, retrieve or otherwise process records of employment-related data within the organisation.[32]

1.7.4 An employer must check any copy of the Hong Kong Identity Card against the original card[33] and mark it with the word “COPY” across the entire image of the Hong Kong Identity Card.[34] Such a copy collected before 19 June 1998 need not be so marked until it is first used after that date.

1.7.5 An employer issuing staff cards, pensioner’s cards, employee club cards etc. to its employees or former employees should not issue any such cards bearing the holder’s Hong Kong Identity Card number.[35]

29 DPP5
30 Paragraph 2.3.1 of the PI Code
31 Paragraphs 2.3.1 and 3.2.2.1 of the PI Code
32 Paragraph 2.6.3 of the PI Code
33 Paragraph 3.5 of the PI Code
34 Paragraph 3.9 of the PI Code
35 Paragraph 2.8 of the PI Code


2 Recruitment

2.1 Introduction

2.1.1 Employers often commence the recruitment process by specifying a job description or candidate specification. Various means may be employed in the collection of personal data from job applicants. These may include:

2.1.1.1 Requiring job applicants to fill in a job application form.

2.1.1.2 Inviting job applicants to submit an application in response to a job advertisement.

2.1.1.3 Obtaining job applicants’ personal data via employment agencies or an executive search company.

2.1.1.4 Relying on job applications that are collected in the course of a previous recruitment exercise.

2.1.2 An employer may have a practice of inviting job applicants to submit applications in response to a job advertisement posted on the employer’s website by filling in an online data collection form or by email. In these circumstances, the employer also engages in a practice that amounts to the collection of personal data from applicants.

2.1.3 In addition to the data collected through the original application, an employer may, in the course of the recruitment selection process, compile additional information about job applicants to assess the suitability of candidates for the job. Such information may include:

2.1.3.1 A written assessment of the candidate recorded in a selection interview.

2.1.3.2 An assessment report of any tests that the candidate is required to undertake, such as psychological tests.

2.1.3.3 Personal references obtained from the candidate’s current or former employers or other sources.

2.1.4 The Ordinance requires an employer to take all practicable steps to ensure that job applicants are informed, on or before collection, of certain matters relating to the collection of their personal data.36 This requirement applies to paragraphs 2.1.1.1, 2.1.1.2, 2.1.2 and 2.1.3. The notification requirement can be made in the form of a written PICS, either as a separate statement for recruitment, or as an integral part of a more detailed PICS pertaining to employment.

Practical Guidance on Recruitment-related Practices

2.2 Collection of Personal Data from Job Applicants

2.2.1 An employer should not collect personal data from job applicants unless the purpose for which the data is to be used is lawful.37

For example, an employer should not use a vacancy notice to solicit the submission of personal data by candidates for the purpose of unlawfully discriminating against them on grounds of gender or marital status with the intention of excluding female employees from supervisory positions.

36 DPP1(3)
37 DPP1(1)(a)

2.2.2 An employer should not collect personal data from job applicants unless the data is adequate but not excessive in relation to the purpose of recruitment.38

In determining which data is regarded as relevant, an employer should be mindful of the need to demonstrate that the prescribed personal data is indeed directly related to the purpose of identifying suitable candidates. Careful selection of relevant data in the job description or candidate specification will minimise the likelihood of personal data being collected from job applicants that is excessive for the recruitment purpose.

For example, the job description or specification should be restricted to the collection of personal data relevant to the recruitment exercise, and for the purpose of identifying suitable candidates for the job. Generally, these may include work experience, job skills, competencies, academic/professional qualifications, good character and other attributes required for the job.

2.2.3 An employer may collect the Hong Kong Identity Card number of a job applicant only if all of the following requirements are satisfied:39

2.2.3.1 the employer has a general policy to retain the Hong Kong Identity Card numbers of former employees and unsuccessful job applicants for a certain period;

2.2.3.2 the employer collects Hong Kong Identity Card numbers because it is necessary for the correct identification of individuals or for the correct attribution of records it holds relating to the applicants;

2.2.3.3 the employer conducts checks of whether any particular job applicant has applied for a position with it before, or is a former employee, and a large number of applicants or former employees may be involved; and

2.2.3.4 there is no less privacy-intrusive and practicable alternative of correctly identifying or attributing records to such individuals.

2.2.4 An employer should not collect a copy of the Hong Kong Identity Card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment.40

Paragraph 3.3.2 of the PI Code prohibits a data user from collecting a copy of the Hong Kong Identity Card of an individual merely in anticipation of a prospective relationship between the data user and the individual.

2.2.5 An employer may collect personal data concerning a job applicant’s family members, if the personal data:

2.2.5.1 relate to employment circumstances of the applicant’s family members only to the extent necessary for assessing whether any conflict of interest might arise should the applicant be offered the job; and

2.2.5.2 are adequate but not excessive in relation to this purpose.

For example, if an employer wishes to know whether a job applicant’s family members are currently employed by a competitor, it should confine itself to asking whether this is the case and making further enquiries only in relation to any family members that are so employed. As a matter of good practice, an employer should consider collecting the data no earlier than at the time when the applicant is considered as a potential candidate for appointment.

38 DPP1(1)(c)
39 PI Code
40 Paragraph 3.3.2 of the PI Code

2.2.6 Where an employer requires job applicants to fill in a job application form, either in a paper format or online on a web page of the employer’s website, it should ensure that the PICS notification requirement mentioned in paragraph 2.1.4 is complied with.41

A practical way to comply with the notification requirement is to print the PICS as an integral part of the paper application form or display it as part of the text of the online form. Alternatively, the PICS may be attached as a separate sheet to the paper application form. In the case of the online form, this can be done by displaying the PICS as a linked page to the online form or as a “pop-up” screen when a “confirm” button is pressed prior to the transmission of the online form.

2.3 Advertising of Job Vacancies

2.3.1 An employer who advertises an employment vacancy in a vacancy notice that directly solicits the submission of personal data by interested individuals thereby starts the process of collecting personal data of those individuals. Accordingly, the requirements mentioned in paragraphs 2.2.1 to 2.2.5 would apply for the purpose of this section.

It should be noted that if the vacancy notice merely invites interested individuals to contact an employer, there is no direct solicitation of personal data. An example would be where an employer advertises the job vacancy requirements and invites interested individuals to write in to obtain an application form in relation to the vacancy.

2.3.2 Where an employer advertises a vacancy in a vacancy notice that directly solicits the submission of personal data by job applicants, it should ensure that the PICS notification requirement, mentioned in paragraph 2.1.4, is complied with in the advertisement42 unless:

2.3.2.1 the advertisement invites job applicants to respond by filling in a job application form specified by the employer that prescribes the PICS notification; or

2.3.2.2 the advertisement expressly identifies the contact person from whom applicants may obtain a copy of the PICS.

For example, an employer may state in the vacancy notice the telephone number, name or title of the employer’s nominated person from whom a copy of the PICS pertaining to recruitment may be obtained. A statement to the following effect should be included: “Personal data provided by job applicants will be used strictly in accordance with the employer’s personal data policies, a copy of which will be provided immediately upon request.”

2.3.3 An employer who directly, or through its agent, advertises a vacancy that solicits the submission of personal data by job applicants should provide a means for the applicant to identify either the employer or its agent.43

A blind advertisement is one that provides no means of identifying either the employer or the employment agency acting on its behalf. However, the advertisement may or may not directly solicit personal data from job applicants. A blind advertisement is permitted provided that there is no direct solicitation of personal data from job applicants.

41 DPP1(3)
42 DPP1(3)
43 DPP1(2)

For example, an employer should not use a vacancy notice to solicit the submission of personal data by applicants that gives only a Post Office Box Number. However, should an employer not wish to disclose its identity in a vacancy notice, it may request interested individuals to submit a written request to a Post Office Box Number for an application form for the vacancy that identifies the employer. Alternatively, the employer may use a recruitment agency identified in the vacancy notice to receive the personal data solicited from the applicants. In this case, the advertisement is required to identify the agency.

2.3.4 An employer should not solicit the submission of personal data of individuals by means of a job advertisement unless there are one or more positions of employment which are presently, or may become, unfilled.44

For example, an employer should not place an advertisement just to test the job market situation or to put pressure on existing staff members and, in that process, solicit the submission of personal data. Obtaining personal data by misrepresenting the purpose of collection may amount to an act of collection by means that are unfair in the circumstances.

2.4 Employment Agencies/Executive Search Company

2.4.1 An employer who engages an employment agency to solicit the provision of personal data by job applicants thereby collects personal data of those applicants. Accordingly, the requirements mentioned in paragraphs 2.2.1 to 2.2.5 would apply for the purpose of this section.

2.4.2 Where an employer receives unsolicited personal data of an individual, whether directly from the individual seeking a job opportunity with the employer or offered by an employment agency about its job-seekers, the employer should:

2.4.2.1 use only such data as may be necessary for, or directly related to, its purpose of assessing the suitability of the individual for employment;45 and

2.4.2.2 not use the data for a new purpose unless the prescribed consent from the individual is obtained.46

It is very common for an employer to receive personal data from an individual who is searching for a job opportunity. An employment agency may also refer its job-seeker’s information to an employer. Information received in this manner is often excessive for recruitment purposes by the employer. The employer should disregard any personal data provided which is irrelevant to the recruitment process.

2.4.3 An employer who engages a third party as an agent with express authority to perform specified recruitment functions for, and on behalf of, the employer should take all practicable steps to ensure that the third party will not act in contravention of the requirements under the Ordinance.47

44 DPP1(2)
45 DPP1(1)(b)
46 DPP3(1) and DPP3(4)
47 Section 65, DPP2(3) and DPP2(4), DPP4(2) and DPP4(3)

The Ordinance imposes legal liability on an employer in relation to any wrongful acts or practices done by a third party where the third party is engaged as an agent on behalf of the employer. For example, an employer could request details of the third party’s personal data privacy policies and practices to verify that the appropriate standards have been adopted. Alternatively, an employer may consider having in place an agreement between the parties that incorporates clauses requiring certain procedures to be complied with. For example, the employer should clearly identify the sets of personal data needed to facilitate the selection process undertaken by the agent, and the agent should agree to restrict the collection of personal data to the sets specified.

2.5 Internal Records about Job Applicants

2.5.1 An employer may use personal data of a job applicant whose data is collected during the course of a recruitment exercise for use in a later exercise of this nature, provided that:

2.5.1.1 the employer has a general policy to retain the data for such a purpose;

2.5.1.2 the employer has a stipulated retention period for keeping such data; and

2.5.1.3 the applicant has not otherwise objected to the use of his data for such a purpose.

As a matter of good practice an employer should take steps to inform job applicants about its retention policy for personal data collected in the course of a recruitment exercise. It should also provide an opportunity for unsuccessful applicants to request the destruction of the data if the applicant does not wish it to be used for a subsequent recruitment exercise.

2.5.2 An employer who, pursuant to paragraph 2.5.1, uses personal data collected on a previous occasion for the purpose of identifying suitable candidates should refrain from using the data until such time as the data has been updated should there be reasonable grounds to believe that such data has become inaccurate since it was collected.48

2.5.3 An employer who has retained personal data of job applicants that has been collected during the course of a recruitment exercise for use in a later exercise should:

2.5.3.1 only use the data for such purpose or a directly related purpose unless the applicant has given his prescribed consent to its use for some other purpose;49 and

2.5.3.2 take all practicable steps to ensure that the data is retained securely and is accessible to authorised personnel on a “need-to-know” basis.50

It should be noted that the requirements mentioned in paragraphs 2.5.1 to 2.5.3 also apply to an employment agency that holds personal data provided by individuals searching for jobs.

2.6 Receiving and Processing Applications for Employment

2.6.1 An employer should take all practicable steps to ensure that, having regard to their confidential nature, the personal data of job applicants is collected, processed and stored securely, irrespective of whether the data is stored in electronic, photographic or hard copy format.51

48 DPP2(1)(b)
49 DPP3(1) and DPP3(4)
50 DPP4(1)
51 DPP4(1)

For example, an employer that asks candidates to supply data in hard copy format should request that candidates place their applications in a sealed envelope marked in some way such as “Confidential. For the attention of the Human Resources Department (or of the relevant employee)”. Mailroom and reception staff should be instructed to deliver such letters unopened.

As a matter of good practice, databases comprising personal data of job applicants should be accessible only to authorised staff using secure passwords on a “need-to-know” basis. Hard copy data should be located in secure areas. Personal data relating to job applicants stored on physical media such as paper or microfilm should be stored in locked cabinets in a secure room. In the event of such information being analysed or reviewed, the contents of that data should not be left unattended by, or out of the control of, the authorised persons.

2.6.2 An employer should take all practicable steps to ensure that staff authorised to access personal data have the appropriate qualities of integrity, prudence and competence.52

For example, an employer may implement training programmes to ensure that staff members who have responsibility for recruitment-related matters are made aware of the employer’s personal data handling policy and practices, and carry out supervisory checks to ensure compliance with policy requirements.

2.7 Seeking Information for Selection Assessment

2.7.1 An employer may compile information about a job applicant, to supplement other data collected at the time of the original application, to assess the suitability of potential candidates for the job provided that it does not in the process collect personal data that are excessive in relation to the purpose.53

Generally, it would not be excessive to collect data to increase an employer’s knowledge of a candidate’s skills, good character, competencies or abilities, provided this knowledge was relevant in relation to the nature of the job. A common selection technique is by means of a selection interview or by requiring applicants to undertake a written skill test. Depending on the nature of the job, other selection techniques may involve an applicant in psychological tests, security vetting or integrity checking procedures. These selection techniques often entail collection of additional personal data from applicants.

For example, an employer may use a security vetting procedure to establish the security credentials of a potential candidate for a security guard’s position if such knowledge is crucial prior to the employer’s consideration to offer the job to the candidate. However, recording the details of a candidate’s outside activities and interests might be excessive unless the employer can demonstrate that such detail is relevant to the inherent requirements of the job.

To ensure the impartiality of the post holder and to avoid any conflict of interest that may arise in respect of the capacity to which the potential candidate is appointed, integrity checking may be necessary. However, the employer must be able to demonstrate that the collection of personal data, such as the candidate’s investments or other financial matters, are relevant items essential for assessing the integrity of the individual concerned.

52 DPP4(1)(d)
53 DPP1(1)(c)

2.7.2 An employer who compiles information about a job applicant pursuant to paragraph 2.7.1 should ensure that the selection method so employed does not involve the collection of personal data by means that are unfair.54

As a matter of good practice, an employer should inform a job applicant before the selection method is used of its relevance to the selection process and the personal data to be collected by the chosen method.

2.8 Seeking Personal References of Job Applicants

2.8.1 An employer who wishes to obtain references from a potential candidate’s current or former employers or other sources should ensure that such references are provided with the consent of the candidate concerned.

The Ordinance requires the candidate’s current or former employers to have the candidate’s consent in providing references. Such consent may be given orally or in writing. As a matter of good practice, the prospective employer should consider seeking consent from the candidate prior to approaching the candidate’s current or past employers or other sources for a reference. If this is the case, the prospective employer should, when requesting the reference, notify the source that provides the reference that consent of the candidate has been given. If in doubt, the current or past employer should seek evidence of such consent from the requesting party, or verify this with the candidate.

2.9 Acceptance by Candidates

2.9.1 An employer may, no earlier than at the time of making a conditional offer of employment to a selected candidate, collect personal data concerning the health condition of the candidate by means of a pre-employment medical examination, provided that:

2.9.1.1 the personal data directly relates to the inherent requirements of the job;

2.9.1.2 the employment is conditional upon the fulfilment of the medical examination; and

2.9.1.3 the personal data is collected by means that are fair in the circumstances55 and are not excessive56 in relation to this purpose.

For example, an employer may have a policy requiring a suitable candidate to undertake a pre-employment medical check by a nominated medical board to confirm whether the candidate is fit for employment. In this circumstance, the employer needs only to be provided with the minimum information about the candidate’s health condition that supports the medical practitioner’s opinion that he or she is fit for employment. Details of the candidate’s medical history and treatment might be relevant for the medical board when conducting the medical check with the candidate, but these details need not be collected by the employer.

2.9.2 An employer may, at the time when a selected candidate accepts an offer of employment, collect additional personal data of the candidate and his family members, provided that the personal data is:

2.9.2.1 necessary for the purpose of employment in relation to the job57 for which the candidate is appointed; or

2.9.2.2 necessary for a purpose pursuant to a lawful requirement that regulates the affairs of the employer.

For example, after the acceptance of an offer of employment, it would be necessary for the employer to collect personal data relating to the new employee such as bank details for the payment of salary. Other examples are information concerning the candidate’s family members that are needed for the administration of any benefits an employer provides for such family members. However, it would be excessive to collect personal data such as the candidate’s outside interests unless such information is necessary for, or directly related to, the inherent requirements of the job for which the employee has been appointed.

54 DPP1(2)
55 DPP1(2)
56 DPP1(1)(c)

2.9.3 An employer may, at the time when the selected candidate accepts an offer of employment, collect a copy of the Hong Kong Identity Card of the candidate.58

2.9.4 An employer should obtain the prescribed consent of an appointee before publicly disclosing any personal data of the appointee in relation to the appointment unless such public disclosure is required by law or by any statutory authorities.59

2.10 Unsuccessful Candidates

2.10.1 An employer who has a general policy of retaining personal data of an unsuccessful job applicant for future recruitment purposes should not retain such data for a period longer than two years from the date of rejecting the applicant unless:

2.10.1.1 there is a subsisting reason that obliges the employer to retain the data for a longer period; or

2.10.1.2 the applicant has given prescribed consent for the data to be retained beyond two years.

As a matter of good practice, an employer wishing to retain personal data relating to an unsuccessful job applicant, for the purpose of future recruitment exercises, should inform the candidate of the period for which the employer will normally retain such data. It is also a good practice to provide unsuccessful job applicants with the opportunity to request the destruction of their data if they do not wish them to be used for this purpose. Generally speaking, actual or potential legal proceedings may constitute a subsisting reason for personal data of unsuccessful applicants being retained for longer than two years.

2.11 Data Access and Correction Requests by Job Applicants

2.11.1 Personal data collected from job applicants in respect of job recruitment and other data compiled about applicants in the course of a recruitment selection process mentioned in paragraphs 2.1.1 - 2.1.3 are subject to access and correction by the applicants. Accordingly, requirements mentioned in Section 1 - Complying with Data Access and Correction Requests, should be complied with for the purpose of this section unless there is an applicable exemption provided for under the Ordinance.

57 DPP1(1)(b)
58 Paragraph 3.2.2.1 of the PI Code
59 DPP3(1), DPP3(4) and section 60B(a)

2.11.2 An employer may refuse to comply with a data access request made by a job applicant pursuant to paragraph 2.11.1 if:

2.11.2.1 the employer has received the request prior to it making a decision on filling the vacancy for which the job applicant has applied; and

2.11.2.2 the recruitment is a process whereby the applicant has a right to appeal against the appointment decision.60

It should be noted that a recruitment process falls outside the meaning of a “relevant process” under the Ordinance if it is a process where no appeal may be made against any such determination of the process (as most recruitment processes probably are). Furthermore, the exemption in relation to a relevant process is only applicable for the period until the completion of that process. Completion, in relation to a recruitment process that falls within the meaning of a relevant process, means the making of the determination on the suitability of job applicants for employment or appointment to office. The availability of an appeal governs whether the recruitment process amounts to a relevant process and does not mean that the appeal period is part of the recruitment process period. Hence, an employer who receives a data access request by a job applicant after the determination of the recruitment process is completed should comply with the request.

2.11.3 An employer, who holds personal data that consists of a personal reference given by a third party individual other than in the ordinary course of his occupation, may refuse to comply with a data access request made by a job applicant pursuant to paragraph 2.11.1 if:

2.11.3.1 in any case, unless that third party individual has given his consent in writing to the employer for the disclosure of the reference; or

2.11.3.2 in the case of a reference given on or after 20 December 1996, until the applicant concerned has been informed in writing that he has been accepted or rejected for employment in respect of the job for which he applied.61

If the third party gives consent for disclosure of the reference before the applicant is informed of the employer’s decision, the employer might consider granting access to the data concerned.

60 Section 55
61 Section 56

3 Current Employment

3.1 Introduction

3.1.1 On appointment, an employer may retain personal data of the appointee for the purpose of the employment. Examples of these are the data provided by the appointee at the time of the job application and other data compiled about the appointee in the course of the recruitment process as mentioned in paragraph 2.1.3.

3.1.2 In addition, an employer may collect supplementary personal data from the employee for the purposes of employment and other related human resource management functions. Examples of these data would include bank details for the payment of salary and information on family members of the employee that are needed for the administration of any benefits an employer provides for family members. A further example would be information that is required by the employer to fulfil certain legal obligations, such as personal data about the spouse of married employees for the purpose of filing returns under the Inland Revenue Ordinance.

3.1.3 In the course of employment of the employee, an employer may further compile information about the employee. Such information may include:

3.1.3.1 Records of remuneration and benefits paid to the employee.

3.1.3.2 Records of job postings, transfer and training.

3.1.3.3 Records of medical checks, sick leave and other medical claims.

3.1.3.4 Written records of disciplinary proceedings involving the employee.

3.1.3.5 Performance appraisal reports of the employee.

3.1.3.6 Written reports of staff planning exercises involving the employee.

3.1.3.7 Written reports of promotion exercises involving the employee.

3.1.4 The Ordinance requires an employer to take all practicable steps to ensure that employees are informed of certain matters in relation to the collection of their personal data.62 This requirement applies to situations mentioned in paragraphs 3.1.2 to 3.1.3 where the personal data is collected directly from the employee. This notification requirement can be made in the form of a written PICS pertaining to employment. As practical guidance, an employer should provide the PICS notification at the time when the employee accepts the offer of employment or during induction.

Practical Guidance on Employment-related Practices

3.2 Personal Data in relation to the Terms and Conditions of Employment

3.2.1 An employer may, pursuant to paragraph 3.1.2, collect personal data from an employee and his family members provided that the collection of the data is:

3.2.1.1 necessary for or directly related to a human resource function of the employer;63 or

3.2.1.2 pursuant to a lawful requirement that regulates the affairs of the employer; and

3.2.1.3 by means that are fair in the circumstances64 and the data is not excessive in relation to the purpose.65

62 DPP1(3)
63 DPP1(1)(b)
64 DPP1(2)
65 DPP1(1)(c)

Compensation and Benefits

3.2.2 An employer may collect personal data of an employee and his family members in relation to its provision of compensation and benefits to the employee provided that:

3.2.2.1 the requirements mentioned in paragraph 3.2.1 are complied with; and

3.2.2.2 the data is necessary to ascertain the eligibility of the employee’s claim for compensation or benefits.

An employer may provide medical, housing or other benefits to its employees or their family members. In administering the provision of these benefits, the employer may have a policy that aims to prevent the provision of double benefits to employees or their family members. In this circumstance, the employer may require employees to provide evidential proof about claims made in relation to their family members. In processing statutory or contractual claims of compensation, an employer may also require an employee to provide evidential proof to substantiate payment of such claims.

Integrity Checking / Declaration of Conflict of Interest

3.2.3 An employer may collect personal data of an employee to facilitate integrity checking or to determine any conflict of interest by the employee, provided that:

3.2.3.1 the requirements mentioned in paragraph 3.2.1 are complied with;

3.2.3.2 the data is important to the employer in relation to the inherent nature of the job for which the employee is appointed; and

3.2.3.3 the employer has a policy covering such practices, prior notice of which has been brought to the attention of the employee concerned.

An employer may have a policy requiring its employees to disclose their private investments by means of a declaration submitted to the employer. The practice is usually concerned with ensuring the impartiality of the post holder and with avoiding any conflict of interest that may arise in respect of the capacity to which the employee is appointed. However, the employer must be able to demonstrate that the personal data collected relating to the employee, his family members, or any third party individual acting on his behalf, are relevant items essential for the said purposes.

Medical Checking and Health Data

3.2.4 An employer may collect personal data relating to the health condition of an employee provided that the collection is for a purpose:

3.2.4.1 directly related to the assessment of the suitability of the employee’s continuance in employment; or

3.2.4.2 directly related to the employer’s administration of medical or other benefits or compensation provided to the employee.

For example, where the nature of a post requires the maintaining of a certain level of health, an employer may, by contract or statutory requirement, require an employee to undergo regular medical checking for consideration of his suitability for continuance in employment. In this circumstance, the employer needs only be provided with the minimum information necessary to determine whether the employee is fit for further employment. Similarly, an employer may only need the minimum information about a sick leave application of an employee to verify or calculate the entitlement to sick leave and other related benefits but not the details of the treatment prescribed for the medical condition afflicting the employee.

3.2.5 An employer who, pursuant to paragraph 3.2.4, collects personal data of an employee should ensure that:

3.2.5.1 the requirements mentioned in paragraph 3.2.1 are complied with; and

3.2.5.2 the employer has a policy covering medical checking, prior notice of which has been brought to the attention of the employee concerned.

In most cases, details of medical history are not necessary for the purposes concerned unless the collection of these details is required in order to fulfil certain legal requirements on the part of the employer, for example, for the purpose of processing statutory or contractual medical claims.

3.2.6 An employer should take all practicable steps to ensure that personal data collected pursuant to paragraphs 3.2.1 to 3.2.4 is kept secure having regard to the generally sensitive nature of the data concerned.66

As a matter of good practice, personal data held in relation to employees on an automated system should be accessible only to authorised staff using appropriate security procedures. Such procedures might include secure terminals, access protocols, audit trail software, logging and compliance checks. If such data is in hard copy form, it should be held in a secure area accessible only to authorised personnel on a “need-to-know” basis.

3.3 Disciplinary Proceedings

3.3.1 An employer who conducts a disciplinary investigation against an employee for a breach of the terms and conditions of employment should take all practicable steps to ensure that the personal data compiled about the employee concerned is:

3.3.1.1 accurate for the purpose upon which disciplinary decisions are taken;67 and

3.3.1.2 held securely and accessible only by authorised personnel on a “need-to-know” basis.68

For example, an employer may, in the course of disciplinary proceedings, compile information about an employee who is the subject of allegations of improper behaviour that may be a cause for his removal from employment or office. In this circumstance, the sensitivity of such information requires the employer to take effective measures to ensure that the information is accurate for decision making purposes. Correspondingly effective security measures should also be adopted to prevent the information from being accessed by unauthorised persons.

66 DPP4(1)
67 DPP2(1)
68 DPP4(1)

3.3.2 An employer who holds personal data about an employee obtained in the course of disciplinary proceedings, including information collected from third party sources about the employee concerned, should:

3.3.2.1 only use the data for a purpose directly related to the investigation of suspected wrongdoings; and

3.3.2.2 not disclose or transfer the data to a third party unless the third party has legitimate reasons for gaining access to the data.

Generally, an employer should not publicly disclose any disciplinary findings that lead to the disclosure of the identity of the employee concerned unless such disclosure is in compliance with DPP3. For example, if an employer wishes to make an internal announcement of a disciplinary finding to all staff members, it should take into account the possible harm that might be caused to the employee concerned and consider removing from the announcement any identifiable particulars that relate to the employee.

3.4 Performance Appraisal

3.4.1 An employer who has a policy of conducting performance appraisals may compile personal data about the employee provided that the data is to be used for the purpose of:

3.4.1.1 assessing the employee’s performance;

3.4.1.2 assessing the employee’s suitability for advancement;

3.4.1.3 determining the employee’s continuance in employment; or

3.4.1.4 determining the employee’s job posting or training needs.

3.4.2 An employer who compiles performance appraisal information about an employee should collect personal data that is not excessive in relation to the purpose and by means that are fair in the circumstances.69

For example, it would not be fair to record an employee’s work-related telephone conversations as part of a performance appraisal process unless there is no other reasonably practicable way of monitoring the employee’s performance, and prior notification is given of such a practice. It may not be fair to use electronic surveillance of employees at work, such as the use of a finger-scan system, to monitor staff attendance at work unless there is no other less privacy-intrusive means of doing so. As a matter of good practice, employees should be served notice in writing if specific techniques are to be deployed to monitor their performance.

3.4.3 An employer who holds personal data about an employee compiled in the course of performance appraisal, should:

3.4.3.1 only use the data for a purpose mentioned in paragraph 3.4.1; and

3.4.3.2 not disclose or transfer the data to a third party unless the third party has legitimate reasons for gaining access to the data.

69 DPP1(1)(c) and DPP1(2)


For example, if the performance appraisal report compiled about an employee requires follow-up action by a third party, e.g. by a third party authority, then the report can be referred to the third party for the purpose of completing the appraisal. As a matter of good practice, an employer should invite employees to comment on all assessments that are made and record such comments on the appraisal form.

3.5 Staff Planning

3.5.1 An employer, who holds personal data that consists of information relevant to any staff planning proposal may withhold such data from an employee requesting access.[70] Staff planning proposals consist of plans to fill a series of employment positions, i.e. two or more such positions, or the cessation of the employment of a group of employees.

Examples of activities that would be considered to be staff planning would be restructuring, reorganising, redundancy or succession plans involving a group of employees. Normally, such planning would result in the addition or removal of positions in an organisation. It should be noted that a recruitment process does not fall within the meaning of staff planning. Similarly, a performance appraisal report prepared in the course of a normal human resource management function would not be covered.

Neither promotion planning nor career development planning of employees amount to staff planning under section 53 of the Ordinance as they do not result in the addition or removal of positions in an organisation.

3.6 Promotion Planning

3.6.1 An employer who compiles information about an employee for the purpose of determining an individual’s suitability for promotion should collect personal data that is not excessive in relation to the purpose[71] and by means that are fair in the circumstances.[72]

Promotion planning refers to the process of assessing an individual’s readiness to assume the duties of a more senior position within the organisation. As a matter of good practice, an employer should restrict the use of psychological tests, assessment role-plays, simulations and other related techniques so that only those skills, abilities and attitudes relevant to the advancement are assessed.

3.6.2 An employer who holds personal data about an employee compiled in the course of promotion planning, including information collected from third party sources about the employee concerned, should:

3.6.2.1 only use the data for a purpose directly related to its promotion planning process; and

3.6.2.2 not disclose or transfer the data to a third party unless the third party has legitimate reasons for gaining access to the data.

70 Section 53
71 DPP1(1)(c)
72 DPP1(2)

For example, an employer may have a policy that requires a third party authority to endorse or confirm recommendations made by a selection board in respect of a promotion planning exercise. In this circumstance, the transfer of the information to the third party concerned is permissible only if the use of the data by the other party directly relates to matters concerning the promotion planning.

3.7 Providing Job References for Employees

3.7.1 An employer should not provide a reference concerning an employee or former employee to a third party without the employee’s prescribed consent unless the employer is satisfied that the third party requesting the reference has obtained the prior consent of the employee concerned.[73] Such consent means the express consent of the employee given voluntarily.[74]

The consent may be given by the employee directly to the employer or may be given to the third party seeking the reference. In the latter case, the third party seeking the reference should notify the employer that he has documentary evidence of the consent of the employee to request the reference and is prepared to furnish a copy of that evidence upon request. If in doubt, the employer may verify this with the employee concerned before releasing any reference to the requesting party.

3.8 Data Access and Correction Requests by Employees

3.8.1 Personal data collected from employees and other data compiled about employees in the course of their employment mentioned in paragraphs 3.2 to 3.7 are subject to access and correction by the employees.[75] Accordingly, requirements mentioned in Section 1 - Complying with Data Access and Correction Requests, should be complied with for the purpose of this section unless there is an applicable exemption provided for under the Ordinance.

Relevant Process Exemption[76]

3.8.2 An employer who holds personal data that is the subject of a relevant process may withhold such data from an employee requesting access for as long as the process is in progress and until a determination has been made regarding the relevant process. A relevant process means an employment-related evaluative process whereby the employee concerned has a right to appeal against any such determination.

For example, disciplinary proceedings conducted against an employee for a breach of the terms and conditions of employment would fall within the meaning of a relevant process if the proceedings consist of a process whereby the employee may appeal against any determination of the disciplinary action taken. Other examples include promotion exercises or evaluative processes concerning an employee’s continuance in employment or removal from employment where the employee has a right of appeal against the decision made.

It should be noted that the relevant process exemption is only applicable for the period until the completion of that process. Completion, in relation to a relevant process, means the making of the determination of action taken. The availability of an appeal governs whether a particular process amounts to a relevant process and does not mean that the appeal period is part of the process period. Hence, an employer who receives a data access request by an employee after the determination of the relevant process is completed should comply with the request.

73 DPP3(1) and DPP3(4)
74 Section 2(3)(a)
75 Sections 18 and 22
76 Section 55

As a matter of good practice, employers should have a written policy that documents the procedures and personal data collected for the purpose of conducting a relevant process. The policy should stipulate any right of appeal against the decision of the process and any conditions pertaining to that right.

Transitional Provision Exemption

3.8.3 [Omitted as spent on 3 August 2002]

3.8.4 An employee who has been provided with a copy of personal data by the employer in compliance with a data access request is entitled to request the employer to make the necessary correction in respect of any data that the employee considers to be inaccurate.[77] If satisfied that the data is indeed inaccurate, the employer is required to comply with the request.[78]

An employer is required to make the necessary correction if it is satisfied that the personal data to which the request relates is inaccurate. This should be made within 40 days upon receiving the request from the employee and the employer should provide the employee with a copy of the corrected data within the same time limit. However, if the correction requested relates to data, whether a fact or an expression of opinion, and the employer is not satisfied that the data is inaccurate, it may refuse to make the correction. An “expression of opinion” includes an assertion of fact that is unverifiable or, in all circumstances of the case, is not practicable to verify. Further guidance on handling data correction requests is given in Section 1 - Complying with Data Access and Correction Requests.

3.9 Accuracy and Retention of Employment-related Data

3.9.1 An employer should take all practicable steps to ensure that the employment-related data it holds about employees is accurate having regard to the purpose for which the data is used.[79]

An employer may implement a reminder system to ask employees to report changes of their personal data so that any changes in personal circumstances concerning the employees could be made. As a matter of good practice, an employer may consider providing employees with copies of employment-related data at regular intervals and invite them to report on any changes that need to be made. For example, medical benefit records may require updating to include information on an employee’s spouse, if the employee has married during the course of the employment, so that medical benefits may be extended to cover the spouse.

3.9.2 An employer should take all practicable steps to ensure that information about its policies and practices in relation to personal data can be made available to its employees.[80]

77 Section 22(1)
78 Section 23(1)
79 DPP2(1)(a)
80 DPP5

For example, an employer may comply with this requirement by preparing a written PPS concerning its personal data handling policies and practices. The PPS should include a list of the kinds of employment-related data held by the employer, and the main purposes for which the data is used. As a matter of good practice, the PPS should also include a retention policy covering employment-related data and be circulated to employees at regular intervals.

3.10 Use of Employment-related Data of Existing Employees

3.10.1 An employer should not use or disclose employment-related data of an employee for any purpose other than the purpose directly related to the employment of the employee unless:

3.10.1.1 the employee has given his prescribed consent to such other use or disclosure;[81]

3.10.1.2 the purpose is directly related to the purpose for which the data was collected;[82]

3.10.1.3 such use or disclosure is required by law or by statutory authorities;[83] or

3.10.1.4 there is an applicable exemption provided for under the Ordinance.

For example, an employer may wish to enter into an agreement with a credit card company to offer a credit card with special terms and conditions for its employees. In such a case, the employer should not use the employees’ data and pass it to the credit card company for marketing of the card without first obtaining the prescribed consent of the employees. Alternatively, the employer may use the address data of employees, which was collected to facilitate communication with the employer, to notify the employees directly of the service.

However, an employer may transfer documents regarding an employee’s medical claim to its insurer who provides employee medical cover to effect the claim. This would be a purpose directly related to the original purpose for which the claim documents are collected. As a matter of good practice, an employer could remind the recipient to confine its use of the data to only those purposes that are directly related to the purpose of the disclosure. In the example of the insurer given above, the employer may include in its instruction to the insurer a statement to the effect that “The employment-related personal data attached should only be used to effect insurance cover under the terms and conditions of our Employee Medical Insurance policies with you.”

An example of a statutory requirement for disclosure would be the disclosure of employment-related data to public authorities that are authorised by law to require the production of personal data. For example, the reporting of employment-related data of employees in the annual Employer’s Return of Remuneration and Pensions to the Inland Revenue Department.

3.10.2 An employer who, pursuant to paragraph 3.10.1, discloses employment-related data to a third party should take all practicable steps to ensure that:

3.10.2.1 the data thereby disclosed is accurate having regard to the purpose for which the data is disclosed;[84] and

3.10.2.2 where it is practicable in all circumstances to know that the data was inaccurate at the time of such disclosure, the recipient is informed of the inaccuracy and is provided with such particulars as will enable the recipient to rectify the data.[85]

81 DPP3(1)
82 DPP3(1) and DPP3(4)
83 Section 60B(a)
84 DPP2(1)(a)
85 DPP2(1)(c)

As a matter of good practice, an employer should also avoid disclosure of data in excess of what is necessary for the purpose of use by the recipient. For example, employment-related records held on a computer should not be printed in full and passed on to an insurer without consideration of the insurer’s needs. Only the information reasonably required to effect the type of insurance policy being written should be transferred to the underwriter or insurance agency.

3.10.3 An employer should take all practicable steps to ensure that the means of transferring employment-related personal data to a third party are secure, having regard to the sensitivity of the data thereby disclosed and the harm that could result if unauthorised or accidental access should occur.[86]

For example, in mailing out documents containing employment-related data, an employer may consider putting the documents in a sealed envelope addressed to the recipient and marked “Private and Confidential” on the envelope. If a window envelope is used, care should be taken not to make visible through the window opening personal data other than that necessary for the purpose of postal delivery. It should be noted that email transmission is insecure unless security protection software is used. Depending on the level of sensitivity of data to be transmitted, an employer may consider implementing appropriate security protection software before employment-related data is allowed to be transferred via email.

3.10.4 An employer may, without the consent of the employee, disclose employment-related data of the employee to a third party provided that:

3.10.4.1 such disclosure concerns data that is necessary for a purpose that falls within the ambit of section 58(1) of the Ordinance; and

3.10.4.2 the employer has reasonable grounds for believing that non-disclosure would be likely to prejudice such purposes.[87]

The purposes referred to in section 58(1) of the Ordinance include, inter alia, purposes used for the prevention or detection of crime, the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, dishonesty or malpractice by individuals. The words “unlawful or seriously improper conduct” extend beyond criminal conduct to include civil wrongs.[88] Hence, an employer may disclose employment-related data of an employee to a third party if it has reasonable grounds for believing that the data thereby disclosed will be used by the third party in civil proceedings and non-disclosure of the data would be likely to prejudice the prevention, preclusion or remedying of a civil wrong by the employee.

However, it should be noted that the requirement is for the employer to have reasonable grounds for holding the belief referred to above and the Ordinance does not oblige the employer to accede to such a request for disclosure by the third party. For example, if employment-related data of an employee is requested without a warrant by the Police in connection with a criminal investigation, the Police will need to satisfy the employer that the investigation would be prejudiced by a failure to disclose the data being sought. If the data is sought pursuant to a warrant, the employer may rely on the warrant as providing sufficient grounds for providing the Police with such information even though such a disclosure was not one of the purposes for which the data was collected.

86 DPP4(1)(e)
87 Section 58(2)
88 Court of First Instance in case HCPI 828/97

3.11 Disclosure or Transfer of Employment-related Data

Transfer to Outside Professional Services

3.11.1 An employer who seeks professional services of third parties on matters that involve the disclosure or transfer of employment-related data should ensure that the data is limited to that required for the specific services that they are to provide.

An employer may employ external professional services, such as legal representatives or consultants, to advise on human resource management matters. In doing so, the employer should avoid disclosure of data in excess of what is necessary for the purpose of use by the recipient in providing the service. For example, data such as home address or detailed salary payment of individual employees would generally be unnecessary for use by a management consultant who is engaged to devise a career development plan for employees.

An employer may use the services of an external auditor for the purpose of carrying out a financial audit. Such access to employment-related data by the auditor is in accordance with section 412 of the Companies Ordinance (Cap. 622). External auditors’ requirements for access will generally be limited to information such as emoluments, taxation and personal expenses, sight or copies of any contract between employer and employee, or employer and contractor, and documents relating to termination of employment where these are required to substantiate the terms of relevant transactions.

Outsourcing of Human Resource Data Processing

3.11.2 An employer who out-sources or contracts out its human resource processing to an external agency should take all practicable steps to ensure that the processing agency protects the employment-related data against unauthorised or accidental access or disclosure.

It should be noted that the Ordinance imposes legal liability on an employer in relation to any wrongful acts or practices done by a third party[89] where the third party is engaged as an agent on behalf of the employer. For example, an agreement may be drawn up controlling how the data are transmitted or processed and requiring the processing agency to take steps to ensure the integrity, prudence and competence of its staff having access to the data.[90]

Sub-contracting out Employees’ Service to Other Organisations

3.11.3 An employer may disclose or transfer employment-related data of an employee for a purpose of sub-contracting the service of the employee to a third party organisation provided that:

3.11.3.1 such sub-contracting arrangement relates to a function or activity that the employer engages in; or

3.11.3.2 the use of the employee’s data for such a purpose is one of the purposes for which the employee is so employed.

89 Section 65(2)
90 Reference can be made to the Information Leaflet: Outsourcing the Processing of Personal Data to Data Processors issued by the Commissioner.


Most sub-contracting arrangements are governed by an agreement between the employer and the third party organisation. The employer is the prime contractor as a party to the agreement and the employees concerned are assigned to work on the job contracted for. For example, the employer has successfully won a project in a tender with the third party and the employee is assigned as one of the project members. In this situation, the employment relationship remains between the employee and his employer although the third party might have supervisory responsibility over the employee in terms of the job.

3.11.4 An employer who, pursuant to paragraph 3.11.3, discloses or transfers employment-related data to a third party organisation should ensure that the personal data disclosed is:

3.11.4.1 relevant to the inherent requirements of the job as specified in the third party’s job description;

3.11.4.2 adequate but not excessive in relation to the purpose of the sub-contracting service; and

3.11.4.3 limited to employment-related data of the employee concerned.

In a sub-contracting arrangement, the employer may be required by the other party to provide personal data of its employees for selection purposes. For example, it may be necessary to include in a project proposal information about the employee to demonstrate his qualifications and suitability for the project tendered for. The employee’s data, such as his curriculum vitae, is collected primarily for the purpose of employment with the employer. In so far as the data is disclosed for a purpose of inclusion in a project proposal that the employer engages in, the disclosure of such data could be regarded as a purpose directly related to the purpose for which the data is collected. However, the data thereby disclosed should be limited to the skills, competencies, abilities and work experience of the employee that are relevant to the inherent requirements of the job to which the employee may be assigned.

Transfer to a Place outside Hong Kong

3.11.5 Employment-related personal data may be transferred to a related office of the organisation outside Hong Kong provided that such a transfer is for a purpose directly related to the employment of employees and the data is adequate but not excessive in relation to that purpose.

For example, transfer of employment-related personal data outside Hong Kong to an overseas head office may be done for a permitted purpose, such as for a purpose relating to an intended posting of staff to an overseas office. It should be noted that the Ordinance provides for specific controls on the transfer of personal data outside Hong Kong.[91]

Transfer to Other Offices within the Organisation

3.11.6 Employment-related personal data may be transferred within the employing organisation for purposes directly related to the employment of employees provided that the data is adequate but not excessive in relation to the purpose of use by the party to whom it is transferred.

91 Section 33. This section of the Ordinance is not currently in force. Reference can be made to the Guidance on Personal Data Protection in Cross-border Data Transfer issued by the Commissioner.


For example, staff of the employer’s accounting department need not be provided with data that is irrelevant for its use in calculating salary payment to an employee, such as the employee’s performance appraisal report. Similarly, internal auditors of the organisation should not have access to employment-related data that is not necessary in performing an internal audit.

Mergers, Acquisitions, and Associated Due Diligence Exercises[92]

3.11.7 Where an employer transfers employment-related data to an outside party involved in a merger, acquisition or due diligence exercise, such data should be limited to what is reasonably required to make a decision on the quality of personnel employed by the organisation, or other reasonable matters relating to the acquisition or merger.[93]

Parties wishing to acquire a substantial share in a company, or organisations contemplating a merger, may request that employment-related personal data of the key officers be transferred to them. Examples of relevant data might be salary, job title, length of service, promotion history, qualifications, achievements and assessment of strengths and weaknesses. It is reasonable for employees to expect that if the organisation for which they work is a target for acquisition by another, or is actively considering a merger, certain employment data might be disclosed or transferred to the other party.

3.11.8 An employer may transfer employment-related data to intermediate parties in any transactions relating in any way to mergers, acquisitions and due diligence, including financial advisors, bankers and lawyers, provided that they use the data only on behalf of the employer for the purpose of facilitating the merger or acquisition.[94]

As a matter of good practice, the employer should obtain an undertaking from such parties that they would keep the data secure and comply with all other relevant provisions of the Ordinance. If it becomes clear that a contemplated merger or acquisition will not take place, the other party, and any agent acting on their behalf, should forthwith destroy or return to the employer concerned any employment-related personal data received for the purpose of considering the merger or acquisition.[95]

3.11.9 An employer may continue to use the employment-related data of employees for purposes directly related to their employment, notwithstanding any acquisition, in part or whole, of the employing organisation by another party.

For example, where two or more organisations merge, the resulting employer may continue to use employment data of employees in relation to their continued employment. As a matter of good practice, the employer should ensure that a single set of privacy policies and practices is developed for the combined employment-related personal data of the merged organisations.

3.12 Matters Concerning the Engagement of Subcontract Staff

3.12.1 An employer, who engages individuals on a subcontract basis, should not collect personal data about them that is excessive for the purpose of carrying out the employer’s functions and activities in employing such individuals.[96]

92 Section 63B
93 Section 63B(1) & 63B(2)(a)
94 Section 63B(4)(a)
95 Section 63B(4)(b)

For the purpose of this section, subcontract staff include staff employed through a third party such as an employment agency, workers employed by one company but who undertake work on behalf of another company, or staff who are self-employed. In these circumstances, the employer does not have a direct employment contract with the individuals concerned.

In general, an employer would need to collect less personal data relating to subcontract staff compared with data collected in respect of employees. For example, the employer would not normally collect personal data in relation to subcontract staff such as details of their bank accounts and family members. However, an employer may need to collect data of next of kin in case there is an emergency at work.

3.12.2 An employer who engages subcontract staff may retain personal data that it holds in respect of such staff only for so long as the data is required:

3.12.2.1 for carrying out the purposes (or any directly related purposes) for which the data was collected;[97] or

3.12.2.2 where there is a reasonable likelihood that such staff may be re-engaged on subsequent work.

For example, the employer may retain personal data relating to subcontract staff where this is necessary for the purpose of dealing with possible work disputes arising from the performance of subcontract staff. In the case where subcontract staff may be re-engaged for subsequent work, the employer may retain the data of subcontract staff for two years after the completion of the current or most recent contract. Once the two-year period has elapsed the data may only be retained if the staff concerned have given prescribed consent to an extension.

3.12.3 An employer who holds employment-related data of subcontract staff should observe the requirements mentioned in paragraph 3.11 in relation to the disclosure or transfer of such data.

It is very common for a property management company to act as an agent of the Owners’ Incorporation of a building and handle all affairs relating to the management and security of the building. In doing so, the property management company may sub-contract the security management duty to a third party security company who employs security guards or caretakers to work in the building premises.

The subcontracted security company may be asked to provide remuneration details of security guards to the property management company for the purposes of account auditing by the Owners’ Incorporation. In this circumstance, the security company who is the employer of the guards should take special care in preparing the information requested as it may involve a disclosure of the data not only to the property management company but also the Owners’ Incorporation. Generally, it would be adequate to provide the requested remuneration data without disclosing the identity of the individual guards concerned.

96 DPP1(1)(c)
97 DPP2(2)


4 Former Employees’ Matters

4.1 Introduction

4.1.1 Employees may leave an employer by transferring to another company, resigning, or because of termination of employment as a result of disciplinary action, redundancy, retirement, invalidity, or death.

4.1.2 Relevant personal data pertaining to a former employee may be required by an employer to fulfil its obligations to the former employee and its legal obligations under certain ordinances. The data may be required to:

4.1.2.1 meet statutory requirements – these may relate to the retention of salaries’ tax records, business records, and sick leave records;

4.1.2.2 administer any remaining duties in respect of former employees or their family members under a pension, superannuation, or MPF scheme;

4.1.2.3 defend the organisation in any civil suit or criminal prosecution – in cases where legal action may be brought under, for example, legislation such as the Employees Compensation Ordinance;

4.1.2.4 defend the organisation against any claim for damages resulting from a purported medical condition or injury allegedly sustained during, and/or resulting from, the period of employment;

4.1.2.5 re-employ a former employee if there is a reasonable likelihood of the individual re-applying for employment; or

4.1.2.6 provide job references at the request of the employee.

4.1.3 For example, the Employment Ordinance[98] requires an employer to retain wage and employment records of employees covering the period of their employment during the preceding twelve months. Such records should be kept for six months after they cease employment.

4.1.4 Personal data of former employees retained by an employer for purposes mentioned in paragraph 4.1.2 is subject to access and correction by the employee. Accordingly, requirements mentioned in Section 1 - Complying with Data Access and Correction Requests, should be complied with for the purpose of this section unless there is an applicable exemption provided for under the Ordinance. Where relevant, attention should be paid to observing the requirements mentioned in paragraphs 3.10 and 3.11 in relation to Use, Disclosure and Transfer of Employment-related data that may be applicable to former employees.

Practical Guidance on Former Employees’ Matters

4.2 Continued Retention of Personal Data of Former Employees

4.2.1 An employer may retain personal data of a former employee for purposes mentioned in paragraph 4.1.2 or other purposes provided that such other purposes are:

4.2.1.1 necessary for the employer to fulfil its contractual or legal obligations;

4.2.1.2 directly related to the purpose of managing the relationship between the employer and the former employee; or

4.2.1.3 those to which the former employee has given prescribed consent.

98 Section 49A of the Employment Ordinance (Cap. 57) refers.

4.2.2 An employer may retain a former employee’s Hong Kong Identity Card number for linking, retrieving or processing records held by it concerning the employee.

For example, paragraph 2.6.4 of the PI Code makes provision for an employee’s Hong Kong Identity Card number to be used for linking the employee’s records held by different data users under the Mandatory Provident Fund system.

4.2.3 An employer should not retain the personal data of a former employee for a period longer than seven years from the date the former employee ceases employment with the employer unless:

4.2.3.1 there is a subsisting reason that obliges the employer to retain the data for a longer period;[99] or

4.2.3.2 the former employee has given prescribed consent for the data to be retained beyond seven years.

Generally, an employer is permitted to retain personal data where the erasure of the data is prohibited under any law, where there is ongoing litigation, where there are contractual obligations on the part of the employer to retain the data, or where it is in the public interest (including historical interest) for the data not to be erased.

The employer must take all practicable steps at the earliest opportunity upon the departure of an employee to ensure that only relevant information of the employee is retained to satisfy its retention requirements. For example, a summary of service records or testimonial about the service of a former employee can be compiled for the purpose of providing job references or processing applications for re-employment relating to the former employee instead of keeping full details that may otherwise be unnecessary for the purpose.

4.3 Accuracy of Former Employees’ Personal Data

4.3.1 An employer should take all practicable steps to maintain the accuracy of personal data retained for purposes that continue after the employee has left employment.[100]

Generally, this requirement could be met by updating the data when the former employee informs the employer of a change, or when data is about to be used where any inaccuracies of the data would have a material effect on the use of the data.

4.3.2 Where an employer has reasonable grounds for believing that personal data of a former employee is inaccurate, having regard to the purpose of its retention, the employer should not use such data unless and until those grounds cease to be applicable.[101]

For example, an employer may need to regularly mail documents relating to a former employee’s benefit payments. If the employer repeatedly received return mail, indicating wrong delivery, this would suggest that the contact address of the former employee was inaccurate. In this circumstance, the employer should avoid using the address for further mailing of benefit payments until the former employee’s address can be verified.

99 Section 26(1)(a) and 26(1)(b)
100 DPP2(1)(a)
101 DPP2(1)(b)

4.3.3 An employer who engages a third party to administer any post-employment matters that concern former employees, such as a provident fund scheme, should take all practicable steps to ensure that:

4.3.3.1 the data transferred is accurate having regard to the purpose for which the data is used;[102] and

4.3.3.2 where it is practicable in all circumstances to know that the data was inaccurate at the time of such transfer, the recipient is informed of the inaccuracy and is provided with such particulars as will enable the recipient to rectify the data.[103]

4.4 Security of Former Employees’ Personal Data

4.4.1 An employer should take all practicable steps to ensure secure protection measures are implemented in locations, either on-site at the employer’s premises or off-site on other premises, to prevent unauthorised or accidental access to the retained personal data of former employees.[104]

As a matter of good practice, where the personal data of former employees is retained in computer or paper files, such files should be kept separately from the files of existing staff to enhance their security. If an employer retains former employees’ data in a low-cost storage facility, this should be reasonably secure.

4.5 Providing Job References for Former Employees

4.5.1 An employer should ensure that former employees have given their prescribed consent before giving a reference on them to a third party.[105]

Very often, a third party may request a job reference about a former employee of the employer when the employee applies for a job with the third party. Before doing this, the employer should obtain the consent of the employee concerned or request the third party to provide proof that the consent of the employee has been provided. It should be noted that an individual providing an oral personal reference based upon personal data from written or computer records is disclosing personal data and should therefore have the prescribed consent referred to above of the individual concerned.

4.6 Public Announcements about Former Employees

4.6.1 An employer who finds it necessary to announce publicly that a former employee has left employment, and no longer represents it, should include only the minimum information required to identify the employee concerned.

In any announcement regarding a former employee that may be made public, the employer should take care not to disclose the Hong Kong Identity Card number of the employee. Generally, the individual’s full name, former job title and name of the organisation would be sufficient for the purpose. Normally, an employer making an announcement for such purposes need not state the reason for the former employee having left the organisation. If it is necessary to disclose the reason, the employer should consider obtaining prior consent of the individual concerned unless the employer has reasonable grounds to believe that such disclosure to a news organisation would be in the public interest.

102 DPP2(1)(a)
103 DPP2(1)(c)
104 DPP4(1)
105 DPP3(1) and DPP3(4)

4.7 Erasure of Former Employees’ Personal Data

4.7.1 An employer who has retained personal data of former employees for purposes mentioned in paragraph 4.2.1 should ensure that, if the data is no longer necessary for such purposes prior to the expiry of the permitted retention period under paragraph 4.2.3, the data is not used for any purposes and is erased at the earliest practicable opportunity.106

Very often, records containing personal data of former employees are maintained in a storage medium other than paper files, e.g. microfiche or microfilm. If this is the case, it might not be practicable to delete individual data items from the records when the data needs to be erased. However, where the records are kept on physical paper files, then it would be practicable to destroy records that are no longer necessary for the purpose concerned. Such destruction might take place on the next occasion that the file is accessed for a particular purpose, or at the next scheduled time of the employer’s file “weeding programme”.

As a matter of good practice, an employer should develop a personal data management policy that will result in the implementation of a data disposal programme to facilitate deletion of those classes of data that are no longer necessary. This policy should also specify scheduled intervals for record destruction and disposal.

4.7.2 The requirement mentioned in paragraph 4.7.1 also applies to personal data of family members of the former employee held by the employer.

4.8 Retirement

4.8.1 An employer may retain relevant personal data of retired employees, or their family members, so long as there is an obligation on the part of the employer to administer any affairs relating to the retirement plan of employees.107

Generally, an employer may need to retain the name, contact, and perhaps bank details of those former employees or their dependents entitled to receive any benefits under the retirement plan. To ensure the accuracy of personal data relating to former employees, an employer should require former employees to notify it of any changes in their personal circumstances, or those of their family members (if relevant), that would necessitate updating of the data.

4.9 Death of an Employee

4.9.1 Data relating to a former employee who has died are not subject to the code. However, if an employer retains personal data relating to a living relative of a deceased employee, such data is subject to the code.108

For example, an employer may need to retain personal data of the relatives of deceased employees for the purposes of administering a company retirement fund. Such data is subject to the code.

106 DPP2(2)
107 DPP2(2)
108 Definition of “personal data” in Section 2

Appendix I - Ordinance Definition, Principles and Key Sections

Ordinance Definitions

“data” means any representation of information (including an expression of opinion) in any document, and includes a personal identifier;

“data access request” means a request under section 18;

“data correction request” means a request under section 22(1);

“document” includes, in addition to a document in writing-
(a) a disc, tape or other device in which data other than visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the disc, tape or other device; and
(b) a film, tape or other device in which visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced from the film, tape or other device;

“employment” means employment under-
(a) a contract of service or of apprenticeship; or
(b) a contract personally to execute any work or labour,
and related expressions shall be construed accordingly;

“personal data” means any data-
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable;

“personal identifier” means an identifier-
(a) that is assigned to an individual by a data user for the purpose of the operations of the user; and
(b) that uniquely identifies that individual in relation to the data user,
but does not include an individual’s name used to identify that individual;

“use” in relation to personal data, includes disclose or transfer the data.

Data Protection Principles

1 Principle 1 - Purpose and Manner of Collection of Personal Data

(1) Personal data shall not be collected unless-
(a) the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;
(b) subject to paragraph (c), the collection of the data is necessary for or directly related to that purpose; and
(c) the data is adequate but not excessive in relation to that purpose.

(2) Personal data shall be collected by means which are-
(a) lawful; and
(b) fair in the circumstances of the case.

(3) Where the person from whom personal data is or is to be collected is the data subject, all practicable steps shall be taken to ensure that-
(a) he is explicitly or implicitly informed, on or before collecting the data, of-
(i) whether it is obligatory or voluntary for him to supply the data; and
(ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and
(b) he is explicitly informed-
(i) on or before collecting the data, of-
(A) the purpose (in general or specific terms) for which the data is to be used; and
(B) the classes of persons to whom the data may be transferred; and
(ii) on or before first use of the data for the purpose for which it was collected, of-
(A) his rights to request access to and to request the correction of the data; and
(B) the name or job title, and address, of the individual who is to handle any such request made to the data user,
unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data was collected and that purpose is specified in Part 8 of this Ordinance as a purpose in relation to which personal data is exempt from the provisions of data protection principle 6.

2 Principle 2 - Accuracy and Duration of Retention of Personal Data

(1) All practicable steps shall be taken to ensure that-
(a) personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used;
(b) where there are reasonable grounds for believing that personal data is inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used-
(i) the data is not used for that purpose unless and until those grounds cease to be applicable to the data, whether by the rectification of the data or otherwise; or
(ii) the data is erased;
(c) where it is practicable in all the circumstances of the case to know that-
(i) personal data disclosed on or after the appointed day to a third party is materially inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used by the third party; and
(ii) that data was inaccurate at the time of such disclosure,
that the third party-
(A) is informed that the data is inaccurate; and
(B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.

(2) All practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used.

(3) Without limiting subsection (2), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.

(4) In subsection (3)—
data processor means a person who-
(a) processes personal data on behalf of another person; and
(b) does not process the data for any of the person’s own purposes.

3 Principle 3 – Use of Personal Data

(1) Personal data shall not, without the prescribed consent of the data subject, be used for a new purpose.

(2) A relevant person in relation to a data subject may, on his or her behalf, give the prescribed consent required for using his or her personal data for a new purpose if—
(a) the data subject is—
(i) a minor;
(ii) incapable of managing his or her own affairs; or
(iii) mentally incapacitated within the meaning of section 2 of the Mental Health Ordinance (Cap. 136);
(b) the data subject is incapable of understanding the new purpose and deciding whether to give the prescribed consent; and
(c) the relevant person has reasonable grounds for believing that the use of the data for the new purpose is clearly in the interest of the data subject.

(3) A data user must not use the personal data of a data subject for a new purpose even if the prescribed consent for so using that data has been given under subsection (2) by a relevant person, unless the data user has reasonable grounds for believing that the use of that data for the new purpose is clearly in the interest of the data subject.

(4) In this section—
new purpose, in relation to the use of personal data, means any purpose other than—
(a) the purpose for which the data was to be used at the time of the collection of the data; or
(b) a purpose directly related to the purpose referred to in paragraph (a).

4 Principle 4 - Security of Personal Data

(1) All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use having particular regard to-
(a) the kind of data and the harm that could result if any of those things should occur;
(b) the physical location where the data is stored;
(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of the data.

(2) Without limiting subsection (1), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

(3) In subsection (2)—
data processor has the same meaning given by subsection (4) of data protection principle 2.

5 Principle 5 - Information to be Generally Available

All practicable steps shall be taken to ensure that a person can-
(a) ascertain a data user’s policies and practices in relation to personal data;
(b) be informed of the kind of personal data held by a data user;
(c) be informed of the main purposes for which personal data held by a data user is or is to be used.

6 Principle 6 - Access to Personal Data

A data subject shall be entitled to-
(a) ascertain whether a data user holds personal data of which he is the data subject;
(b) request access to personal data-
(i) within a reasonable time;
(ii) at a fee, if any, that is not excessive;
(iii) in a reasonable manner; and
(iv) in a form that is intelligible;
(c) be given reasons if a request referred to in paragraph (b) is refused;
(d) object to a refusal referred to in paragraph (c);
(e) request the correction of personal data;
(f) be given reasons if a request referred to in paragraph (e) is refused; and
(g) object to a refusal referred to in paragraph (f).

Key Sections Referred to in the Text of the Code

2 Interpretation

(1) “relevant person”, in relation to an individual (howsoever the individual is described), means–
(a) where the individual is a minor, a person who has parental responsibility for the minor;
(b) where the individual is incapable of managing his own affairs, a person who has been appointed by a court to manage those affairs;
(c) where the individual is mentally incapacitated within the meaning of section 2 of the Mental Health Ordinance (Cap. 136)–
(i) a person appointed under section 44A, 59O or 59Q of that Ordinance to be the guardian of that individual; or
(ii) if the guardianship of that individual is vested in, or the functions of the appointed guardian are to be performed by, the Director of Social Welfare or any other person under section 44B(2A) or (2B) or 59T(1) or (2) of that Ordinance, the Director of Social Welfare or that other person.

(3) Where under this Ordinance an act may be done with the prescribed consent of a person (and howsoever the person is described), such consent-
(a) means the express consent of the person given voluntarily;
(b) does not include any consent which has been withdrawn by notice in writing served on the person to whom the consent has been given (but without prejudice to so much of that act that has been done pursuant to the consent at any time before the notice is so served).

17A Interpretation of Part 5

Without limiting the definition of relevant person in section 2(1), in this Part-
relevant person, in relation to an individual, also includes a person authorised in writing by the individual to make, on behalf of the individual-
(a) a data access request; or
(b) a data correction request.

18 Data Access Request

(1) An individual, or a relevant person on behalf of an individual, may make a request-
(a) to be informed by a data user whether the data user holds personal data of which the individual is the data subject;
(b) if the data user holds such data, to be supplied by the data user with a copy of such data.

(2) A data access request under both paragraphs of subsection (1) shall be treated as being a single request, and the provisions of this Ordinance shall be construed accordingly.

(3) A data access request under paragraph (a) of subsection (1) may, in the absence of evidence to the contrary, be treated as being a data access request under both paragraphs of that subsection, and the provisions of this Ordinance (including subsection (2)) shall be construed accordingly.

(4) A data user who, in relation to personal data-
(a) does not hold the data; but
(b) controls the use of the data in such a way as to prohibit the data user who does hold the data from complying (whether in whole or in part) with a data access request which relates to the data,
shall be deemed to hold the data, and the provisions of this Ordinance (including this section) shall be construed accordingly.

(5) A person commits an offence if the person, in a data access request, supplies any information which is false or misleading in a material particular for the purposes of having the data user-
(a) inform the person whether the data user holds any personal data which is the subject of the request; and
(b) if applicable, supply a copy of the data.

(6) A person who commits an offence under subsection (5) is liable on conviction to a fine at level 3 and to imprisonment for 6 months.

19 Compliance with Data Access Request

(1) Subject to subsection (2) and sections 20 and 28(5), a data user must comply with a data access request within 40 days after receiving the request by-
(a) if the data user holds any personal data which is the subject of the request-
(i) informing the requestor in writing that the data user holds the data; and
(ii) supplying a copy of the data; or
(b) if the data user does not hold any personal data which is the subject of the request, informing the requestor in writing that the data user does not hold the data.

(1A) Despite subsection (1)(b), if-
(a) a data access request is made to the Hong Kong Police Force as to whether it holds any record of criminal conviction of an individual; and
(b) it does not hold such record,
it must comply with the request by informing the requestor orally, within 40 days after receiving the request, that it does not hold such record.

(2) A data user who is unable to comply with a data access request within the period specified in subsection (1) or (1A) shall-
(a) before the expiration of that period-
(i) by notice in writing inform the requester that the data user is so unable and of the reasons why the data user is so unable; and
(ii) comply with the request to the extent, if any, that the data user is able to comply with the request; and
(b) as soon as practicable after the expiration of that period, comply or fully comply, as the case may be, with the request.

20 Circumstances in which Data User shall or may Refuse to Comply with Data Access Request

(1) A data user shall refuse to comply with a data access request-
(a) if the data user is not supplied with such information as the data user may reasonably require-
(i) in order to satisfy the data user as to the identity of the requester;
(ii) where the requester purports to be a relevant person, in order to satisfy the data user-
(A) as to the identity of the individual in relation to whom the requester purports to be such a person; and
(B) that the requester is such a person in relation to that individual;
(b) subject to subsection (2), if the data user cannot comply with the request without disclosing personal data of which any other individual is the data subject unless the data user is satisfied that the other individual has consented to the disclosure of the data to the requester; or
(c) in any other case, if compliance with the request is for the time being prohibited under this or any other Ordinance.

(2) Subsection (1)(b) shall not operate-
(a) so that the reference in that subsection to personal data of which any other individual is the data subject includes a reference to information identifying that individual as the source of the personal data to which the data access request concerned relates unless that information names or otherwise explicitly identifies that individual;
(b) so as to excuse a data user from complying with the data access request concerned to the extent that the request may be complied with without disclosing the identity of the other individual, whether by the omission of names, or other identifying particulars, or otherwise.

22 Data Correction Request

(1) Subject to subsections (1A) and (2), where-
(a) a copy of personal data has been supplied by a data user in compliance with a data access request; and
(b) the individual, or a relevant person on behalf of the individual, who is the data subject considers that the data is inaccurate,
then that individual or relevant person, as the case may be, may make a request that the data user make the necessary correction to the data.

(1A) If a person is a relevant person in relation to an individual only because the person has been authorised in writing by the individual to make a data access request on behalf of the individual, the person is not entitled to make a data correction request.

(2) A data user who, in relation to personal data-
(a) does not hold the data; but
(b) controls the processing of the data in such a way as to prohibit the data user who does hold the data from complying (whether in whole or in part) with section 23(1) in relation to a data correction request which relates to the data,
shall be deemed to be a data user to whom such a request may be made, and the provisions of this Ordinance (including subsection (1)) shall be construed accordingly.

(3) Without prejudice to the generality of sections 23(1)(c) and 25(2), if a data user, subsequent to the receipt of a data correction request but before complying with the request pursuant to section 24 or refusing to comply with the request pursuant to section 25, discloses to a third party the personal data to which the request relates, then the user shall take all practicable steps to advise the third party that the data is the subject of a data correction request still under consideration by the user (or words to the like effect).


23 Compliance with Data Correction Request

(1) Subject to subsection (2) and section 24, a data user who is satisfied that personal data to which a data correction request relates is inaccurate shall, not later than 40 days after receiving the request-
(a) make the necessary correction to the data;
(b) supply the requestor with a copy of the data as so corrected; and
(c) subject to subsection (3), if-
(i) the data has been disclosed to a third party during the 12 months immediately preceding the day on which the correction is made; and
(ii) the data user has no reason to believe that the third party has ceased using the data for the purpose (including any directly related purpose) for which the data was disclosed to the third party,
take all practicable steps to supply the third party with a copy of the data as so corrected accompanied by a notice in writing stating the reasons for the correction.

(2) A data user who is unable to comply with subsection (1) in relation to a data correction request within the period specified in that subsection shall-
(a) before the expiration of that period-
(i) by notice in writing inform the requestor that the data user is so unable and of the reasons why the data user is so unable; and
(ii) comply with that subsection to the extent, if any, that the data user is able to comply with that subsection; and
(b) as soon as practicable after the expiration of that period, comply or fully comply, as the case may be, with that subsection.

24 Circumstances in which Data User shall or may Refuse to Comply with Data Correction Request

(3) A data user may refuse to comply with section 23(1) in relation to a data correction request if-
(a) the request is not in writing in the Chinese or English language;
(b) the data user is not satisfied that the personal data to which the request relates is inaccurate;
(c) the data user is not supplied with such information as the data user may reasonably require to ascertain in what way the personal data to which the request relates is inaccurate;
(d) the data user is not satisfied that the correction which is the subject of the request is accurate; or
(e) subject to subsection (4), any other data user controls the processing of the personal data to which the request relates in such a way as to prohibit the first-mentioned data user from complying (whether in whole or in part) with that section.

25 Notification of Refusal to Comply with Data Correction Request, etc.

(1) A data user who pursuant to section 24 refuses to comply with section 23(1) in relation to a data correction request shall, as soon as practicable but, in any case, not later than 40 days after receiving the request, by notice in writing inform the requestor-
(a) of the refusal and the reasons for the refusal; and
(b) where section 24(3)(e) is applicable, of the name and address of the other data user concerned.

(2) Without prejudice to the generality of subsection (1), where-
(a) the personal data to which a data correction request relates is an expression of opinion; and
(b) the data user concerned is not satisfied that the opinion is inaccurate,
then the data user shall-
(i) make a note, whether annexed to that data or elsewhere-
(A) of the matters in respect of which the opinion is considered by the requester to be inaccurate; and
(B) in such a way that that data cannot be used by a person (including the data user and a third party) without the note being drawn to the attention of, and being available for inspection by, that person; and
(ii) attach a copy of the note to the notice referred to in subsection (1) which relates to that request.

(3) In this section, “expression of opinion” includes an assertion of fact which-
(a) is unverifiable; or
(b) in all the circumstances of the case, is not practicable to verify.

26 Erasure of Personal Data no Longer Required

(1) A data user must take all practicable steps to erase personal data held by the data user where the data is no longer required for the purpose (including any directly related purpose) for which the data was used unless-
(a) any such erasure is prohibited under any law; or
(b) it is in the public interest (including historical interest) for the data not to be erased.

(2) For the avoidance of doubt, it is hereby declared that-
(a) a data user must take all practicable steps to erase personal data in accordance with subsection (1) notwithstanding that any other data user controls (whether in whole or in part) the processing of the data;
(b) the first-mentioned data user shall not be liable in an action for damages at the suit of the second-mentioned data user in respect of any such erasure.

53 Employment-staff Planning

(1) Personal data which consists of information relevant to any staff planning proposal to-
(a) fill any series of positions of employment which are presently, or may become unfilled; or
(b) cease any group of individuals’ employment,
is exempt from the provisions of data protection principle 6 and section 18(1)(b).

55 Relevant Process

(1) Personal data the subject of a relevant process is exempt from the provisions of data protection principle 6 and section 18(1)(b) until completion of that process.

(2) In this section–
“completion”, in relation to a relevant process, means the making of the determination concerned referred to in paragraph (a) of the definition of “relevant process”;
“relevant process”-
(a) subject to paragraph (b), means any process whereby personal data is considered by one or more persons for the purpose of determining, or enabling there to be determined-
(i) the suitability, eligibility or qualifications of the data subject for-
(A) employment or appointment to office;
(B) promotion in employment or office or continuance in employment or office;
(C) removal from employment or office; or
(D) the awarding of contracts, awards (including academic and professional qualifications), scholarships, honours or other benefits;
(ii) whether any contract, award (including academic and professional qualifications), scholarship, honour or benefit relating to the data subject should be continued, modified or cancelled; or
(iii) whether any disciplinary action should be taken against the data subject for a breach of the terms of his employment or appointment to office;
(b) does not include any such process where no appeal, whether under an Ordinance or otherwise, may be made against any such determination.

56 Personal References

Personal data held by a data user which consists of a personal reference—
(a) given by an individual other than in the ordinary course of his occupation; and
(b) relevant to another individual’s suitability or otherwise to fill any position of employment or office which is presently, or may become, unfilled,
is exempt from the provisions of data protection principle 6 and section 18(1)(b)—
(i) in any case, unless the individual referred to in paragraph (a) has informed the data user in writing that he has no objection to the reference being seen by the individual referred to in paragraph (b) (or words to the like effect); or
(ii) in the case of a reference given on or after the day on which this section comes into operation, until the individual referred to in paragraph (b) has been informed in writing that he has been accepted or rejected to fill that position or office (or words to the like effect),
whichever first occurs.

58 Crime, etc.

(1) Personal data held for the purposes of-
(a) the prevention or detection of crime;
(b) the apprehension, prosecution or detention of offenders;
(c) the assessment or collection of any tax or duty;
(d) the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
(e) the prevention or preclusion of significant financial loss arising from-
(i) any imprudent business practices or activities of persons; or
(ii) unlawful or seriously improper conduct, or dishonesty or malpractice, by persons;
(f) ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on anything-
(i) to which the discharge of statutory functions by the data user relates; or
(ii) which relates to the discharge of functions to which this paragraph applies by virtue of subsection (3); or
(g) discharging functions to which this paragraph applies by virtue of subsection (3),
is exempt from the provisions of data protection principle 6 and section 18(1)(b) where the application of those provisions to the data would be likely to-
(i) prejudice any of the matters referred to in this subsection; or
(ii) directly or indirectly identify the person who is the source of the data.

(1A) In subsection (1)(c), “tax” includes any tax of a territory outside Hong Kong if–
(a) arrangements having effect under section 49(1A) of the Inland Revenue Ordinance (Cap. 112) are made with the government of that territory; and
(b) that tax is the subject of a provision of the arrangements that requires disclosure of information concerning tax of that territory.

(2) Personal data is exempt from the provisions of data protection principle 3 in any case in which-
(a) the use of the data is for any of the purposes referred to in subsection (1) (and whether or not the data is held for any of those purposes); and
(b) the application of those provisions in relation to such use would be likely to prejudice any of the matters referred to in that subsection,
and in any proceedings against any person for a contravention of any of those provisions it shall be a defence to show that he had reasonable grounds for believing that failure to so use the data would have been likely to prejudice any of those matters.

(6) In this section—
crime means—
(a) an offence under the laws of Hong Kong; or
(b) if personal data is held or used in connection with legal or law enforcement cooperation between Hong Kong and a place outside Hong Kong, an offence under the laws of that place;
offender means a person who commits a crime.

60A Self Incrimination

(1) If, as a result of complying with a request under a provision of data protection principle 6 or section 18(1)(b) in relation to any personal data, a data user might be incriminated in any proceedings for any offence other than an offence under this Ordinance, the data is exempt from that provision or section.

60B Legal Proceedings etc

Personal data is exempt from the provisions of data protection principle 3 if the use of the data is–
(a) required or authorised by or under any enactment, by any rule of law or by an order of a court in Hong Kong;
(b) required in connection with any legal proceedings in Hong Kong; or
(c) required for establishing, exercising or defending legal rights in Hong Kong.

63B Due Diligence Exercise

(1) Personal data transferred or disclosed by a data user for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction that involves—
(a) a transfer of the business or property of, or any shares in, the data user;
(b) a change in the shareholdings of the data user; or
(c) an amalgamation of the data user with another body,
is exempt from the provisions of data protection principle 3 if each of the conditions specified in subsection (2) is satisfied.

(2) The conditions are—
(a) the personal data transferred or disclosed is not more than necessary for the purpose of the due diligence exercise;
(b) goods, facilities or services which are the same as or similar to those provided by the data user to the data subject are to be provided to the data subject, on completion of the proposed business transaction, by a party to the transaction or a new body formed as a result of the transaction;
(c) it is not practicable to obtain the prescribed consent of the data subject for the transfer or disclosure.

(3) Subsection (1) does not apply if the primary purpose of the proposed business transaction is the transfer, disclosure or provision for gain of the personal data.

(4) If a data user transfers or discloses personal data to a person for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction described in subsection (1), the person—
(a) must only use the data for that purpose; and
(b) must, as soon as practicable after the completion of the due diligence exercise—
(i) return the personal data to the data user; and
(ii) destroy any record of the personal data that is kept by the person.

(5) A person who contravenes subsection (4) commits an offence and is liable on conviction to a fine at level 5 and to imprisonment for 2 years.

(6) In this section—
due diligence exercise, in relation to a proposed business transaction, means the examination of the subject matter of the transaction to enable a party to decide whether to proceed with the transaction;
provision for gain, in relation to personal data, means provision of the data in return for money or other property, irrespective of whether-
(a) the return is contingent on any condition; or
(b) the person who provides the data retains any control over the use of the data.


65 Liability of Employers and Principals

(1) Any act done or practice engaged in by a person in the course of his employment shall be treated for the purposes of this Ordinance as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.

(2) Any act done or practice engaged in by a person as agent for another person with the authority (whether express or implied, and whether precedent or subsequent) of that other person shall be treated for the purposes of this Ordinance as done or engaged in by that other person as well as by him.

(3) In proceedings brought under this Ordinance against any person in respect of an act or practice alleged to have been done or engaged in, as the case may be, by an employee of his it shall be a defence for that person to prove that he took such steps as were practicable to prevent the employee from doing that act or engaging in that practice, or from doing or engaging in, in the course of his employment, acts or practices, as the case may be, of that description.

(4) For the avoidance of doubt, it is hereby declared that this section shall not apply for the purposes of any criminal proceedings.

Copyright

This publication is licensed under a Creative Commons Attribution 4.0 International (CC BY 4.0) licence. In essence, you are free to share and adapt this publication, as long as you attribute the work to the Office of the Privacy Commissioner for Personal Data, Hong Kong. For details, please visit creativecommons.org/licenses/by/4.0.

Disclaimer

The information provided in this publication is for general reference only. It does not provide an exhaustive guide to the application of the Personal Data (Privacy) Ordinance (the “Ordinance”). For a complete and definitive statement of law, direct reference should be made to the Ordinance itself. The Privacy Commissioner for Personal Data (the “Commissioner”) makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the above information. The above suggestions provided will not affect the functions and power conferred upon the Commissioner under the Ordinance.

First published in September 2000 (effective on 1 April 2001)
April 2016 (First Revision)

Enquiry Hotline : (852) 2827 2827
Fax : (852) 2877 7026
Address : 12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong
Email : [email protected]