
Case Notes


This case relates to DPP2 - Accuracy and duration of retention of personal data, DPP6 - Access to personal data, Code of Practice on Human Resource Management

Case No.: 2015E01

A company received a data access request (DAR) lodged by a former employee (the “Employee”) who had left the company 15 years earlier, requesting copies of his payroll information during his employment (the “Requested Data”). The company checked and confirmed that it was still holding the Requested Data. Knowing that the Code of Practice on Human Resource Management (the “Code”) issued by this Office requires an employer to retain ex-employees’ personal data for not more than 7 years, the company wished to be advised on whether it should comply with the DAR by providing a copy of the Requested Data to the Employee, or destroy the Requested Data to comply with the requirements of the Code.

Relevant Provisions of the Ordinance and the Code

Section 18(1)(a) of the Ordinance stipulates that an individual can request a data user to confirm whether it holds his personal data. Section 18(1)(b) of the Ordinance further stipulates that the individual can request the data user to provide him with a copy of such data. Section 19(1) of the Ordinance requires the data user to comply with the request within 40 days after receiving it.

Concerning the continued retention of personal data of former employees, paragraph 4.2.3 of the Code stipulates that an employer should not retain the personal data of a former employee for a period longer than 7 years from the date the former employee ceases employment with the employer.

Our Comment

As long as a data user is in possession of the data requested by a data requestor at the time the request is received, the data user should comply with the data access request by providing the requestor with a copy of the requested data. In this regard, the employer should comply with the DAR by providing the Employee with a copy of the Requested Data, then comply with the Code by destroying the Requested Data in its possession. The employer should also devise data destruction procedures to make sure the retention requirement under the Code will be fully complied with in the future.

(Uploaded in October 2015)

