Hong Kong Privacy Code on Human Resource Management

Presentation transcript:

Hong Kong Privacy Code on Human Resource Management
Tony LAM, Deputy Privacy Commissioner for Personal Data, Hong Kong SAR
Asian Data Privacy Forum, March 27 2000
Privacy Commissioner’s Office, Hong Kong SAR

Employment-related Complaints
- Out of 2,015 complaints received by PCO up to 28 February 2001, 226 cases (11%) related to alleged practices of employers that may be in breach of the Personal Data (Privacy) Ordinance
- 75 cases were found substantiated. Of these, 25 cases (33%) relate to the employer’s failure to comply with data access requests made by staff
- Three enforcement notices and 37 warning notices were issued as a result of investigation

Coverage of the Code
- Provide practical guidance to employers and human resource practitioners on the application of the Personal Data (Privacy) Ordinance relating to employment-related personal data
- Apply to employers in their management of personal data in three stages of the employment process: Recruitment, Current employment and Former employees’ matters

Effective Date of the Code
- Approved by the Privacy Commissioner and was notified in the Gazette of the Hong Kong SAR Government on 22 September 2000
- Requirements of the Code to take effect on 1st April 2001
- Non-compliance with the Code will give rise to a presumption against the employer in any proceedings involving an alleged breach of the Ordinance

Key Compliance Requirements
- Recruitment
- Current Employment
- Former Employees’ Matters

Recruitment Advertisement
- Should not use a “blind” advertisement, e.g. one that gives only a PO Box number, to solicit personal data directly from job applicants
- Alternatives
  - Request applicants to write to the PO Box to obtain an application form that bears the employer’s identity
  - Use a recruitment agency identified in the recruitment advertisement to receive resumes of job applicants

Examples of “blind” Advertisement

Advertisement 1:
Company Assistant
- Form 5 or above
- Knowledge of company secretarial duties
Please send resume to PO Box 100

Notes on advertisement 1:
- Submission of personal data by job applicants
- No identity of the employer provided
- No notification of purpose of use of the data
- Job applicants are denied data access rights

Advertisement 2:
Company Assistant
- Form 5 or above
- Knowledge of company secretarial duties
Interested parties please contact Miss Chan on 2808-xxxx

Notes on advertisement 2:
- No submission of personal data by job applicants
- Contact person provided from whom applicants:
  - may seek to identify the employer
  - may seek information about purpose statement

Notification in Recruitment Advertisements
- Recruitment advertisements that directly ask job applicants to provide their personal data should include a Personal Information Collection Statement (“PICS”)
- Alternatives
  - Invite job applicants to respond by filling in the employer’s job application form that prescribed the PICS notification
  - Give a contact person from whom applicants may obtain a copy of the PICS

Other Requirements during Recruitment
- Should not collect a copy of the applicant’s identity card unless and until the individual has accepted an offer of employment
- Should limit original job application to data relevant for identifying suitable candidates, e.g. work experience, competencies, job skills, academic/professional qualifications, and other relevant attributes
- May collect supplementary information about potential candidates that is relevant to the nature of the job, e.g. to establish security credentials or integrity

Other Requirements during Recruitment
- May collect the health condition of a selected candidate by means of a pre-employment medical examination if
  - the data directly relate to the inherent requirements of the job
  - the employment is conditional upon the fulfillment of the medical examination
- Must obtain an applicant’s consent before seeking references from his/her current or former employers or other sources
- May retain personal data of unsuccessful applicants for a period of up to two years

Current Employment
- Should provide employees with a Personal Information Collection Statement (“PICS”) pertaining to employment, e.g. at the earliest opportunity when the employee accepts the offer of employment
- Should not issue a staff card that bears the employee’s ID card number and name together

Current Employment
- Employees and their family members
  - for purposes directly related to the employment, e.g. claim of compensation or benefits, declaration of conflict of interest, health condition for assessment of continuance in employment
  - to fulfil lawful requirements that regulate the affairs of the employer
- Disciplinary proceedings, performance appraisal or promotion planning
  - for purposes directly related to the process concerned
  - should not be disclosed to a third party unless the third party has legitimate reasons for gaining access to the data

Current Employment
- Should not disclose employment-related data of an employee to a third party unless
  - the employee has consented
  - the disclosure is directly related to the employment
  - required by law or by statutory authorities
  - there is an applicable exemption under the PD(P)O
- Where disclosure to a third party is permitted
  - avoid disclosure of data in excess of that necessary for the purpose of use by the third party
  - implement measures to ensure the third party protects the data

Former Employees’ Matters
- Relevant personal data of a former employee may be retained for a period of up to seven years from the date the employee ceases employment unless
  - deletion of the data is prohibited by law
  - there are contractual or legal obligations on the part of the employer, e.g. ongoing litigation, administration of retirement plan
  - it is in the public interest for the data not to be deleted
  - the employee has given consent for the data to be retained beyond seven years

Former Employees’ Matters
- In any termination notice about a former employee having left employment, an employer
  - should not disclose the identity card number of the employee
  - should include only the minimum information required to identify the employee concerned
- Before providing a reference concerning a former employee to a third party, an employer should
  - obtain the prior consent of the employee; or
  - satisfy itself that the third party requesting the reference has obtained the consent of the employee

Employer’s Liability
- Should take all practicable steps to ensure
  - staff handling employment-related data are well trained and have the appropriate qualities of integrity, prudence and competence
  - adequate security measures are implemented so that all personal data are collected, processed and stored securely
  - its Privacy Policy Statement concerning personal data management practices can be made available to all staff
- Must
  - comply with data access/correction requests within 40 days upon receipt of the request
  - provide the requestor with reasons for refusal within 40 days

Employer’s Liability
- An employer is liable in civil proceedings for any act or practice relating to personal data that is undertaken by its employees in the course of their employment that is contrary to the provisions of the PD(P)O, even if the employees undertook the act or engaged in the practice without the employer’s knowledge or approval
- An employer is liable in civil proceedings for any wrongful acts or practices done by a third party where the third party is engaged as an agent acting with authority