-
A1 What is a "blind" recruitment advertisement in the context of the Code of Practice on Human Resource Management ("the Code")?
Generally speaking, a "blind" recruitment advertisement is one that does not identify either the employer or the employment agency acting on its behalf.
-
A2 Under what circumstances can job applicants be asked in a recruitment advertisement to submit personal data?
An employer or recruitment agency who clearly indicates its identity may ask job applicants to submit personal data in a recruitment advertisement, provided that the data are adequate but not excessive in relation to the purpose of recruitment and are to be used lawfully (section 2 of the Code).
-
A3 Why is an employer required to identify itself in recruitment advertisements that solicit personal data from job applicants?
An employer who collects personal data from job applicants without identifying itself, or an appointed recruitment agency, might have engaged in an act of unfair collection of personal data contrary to the requirement of Data Protection Principle 1(2) of the Ordinance ("DPP1(2)"). DPP1(2) provides that personal data should be collected by means which are fair in the circumstances of the case. It would generally not be fair for persons collecting personal data not to identify themselves when collecting personal information from job applicants since the latter will not know to whom they are providing their personal data when making a job application.
Secondly, personal data collected from job applicants is subject to access and correction by the person concerned. Unless exempted from doing so under the Ordinance, an employer is required to provide a copy of the data no later than 40 days after receiving a data access request. Job applicants would not be able to exercise their data access rights if the identity of the organisation which collected their personal data is not disclosed in the advertisement (clause 2.11 of the Code).
If an employer finds it necessary to conceal its identity in a recruitment advertisement, it may provide contact information in the advertisement for further enquiries or provide job applicants, upon request, with an application form that bears the employer’s identity. Alternatively, the employer may engage a recruitment agency and reveal its identity in the advertisement.
-
A4 Some employers provide their fax number, postal address or e-mail address in a recruitment advertisement without explicitly asking job applicants to submit their personal data. Is this practice acceptable under the Code?
No. The practice of employers providing a fax number, postal address or e-mail address in a recruitment advertisement is perceived as a way of inviting job applicants to submit their personal data and is not permissible under the provisions of the Code.
-
A5 A company’s job application form includes questions about the occupations of the applicant’s spouse and children, the sole purpose of which is to ascertain whether any relative of the applicant works for its competitors. Is this acceptable?
The key question here is whether the data collected is necessary for the specific purpose of determining whether an applicant’s relative is employed by a competitor. To serve this purpose, a prospective employer may only need to ask the applicant whether he is related to anyone who works in the same or a similar field. If the answer is in the affirmative, then further inquiries can be made to assess whether this creates potential concerns for the prospective employer. However, if the applicant has no relative who works for a competitor, the employer does not need to know about the actual occupations of the relative(s) and should not collect this data.
-
A6 For how long should an employer keep the personal data of former employees and unsuccessful job applicants?
DPP 2(2) requires all practicable steps to be taken to ensure that personal data is not kept longer than is necessary to fulfil the purpose (including any directly related purpose) for which the data is or is to be used. In addition, section 26 of the Ordinance also requires a data user to take all practicable steps to erase personal data no longer required for use, unless doing so is prohibited under the law or it is in the public interest (including historical interest) for the data not to be erased. In general, an employer should not retain the personal data of a former employee for more than seven years.
However, some exceptions may justify a longer period of retention, such as the administration of remaining duties to former employees in relation to pension, superannuation, or mandatory provident fund schemes; or the retention of evidence in relation to legal action brought under the Employees’ Compensation Ordinance.
When a job application is unsuccessful, the applicant’s personal data should not be retained for more than two years from the date of rejection, bearing in mind possible discrimination claims or complaints that may be lodged by an aggrieved applicant. The retention period may exceed two years if there is a reason that obligates the employer to do so, or if the applicant has given the prescribed consent (i.e. express consent given voluntarily) for the data to be retained beyond this period.
-
A7 Must an employer obtain consent from the relevant employee before giving an employment reference to another employer?
Yes, an employer should obtain the prescribed consent (i.e. express consent given voluntarily) from an employee or former employee before giving an employment reference. This consent should preferably be given in writing. The reason for this is that the disclosure of an employee’s or former employee’s employment records (including performance assessment) to another party constitutes a change in the purpose for which the data is used at the time of collection and no longer directly relates to the original employment purpose.
-
A8 If an employer needs to retain the personal data of a former employee, is the employer required to update the data regularly or keep it as is?
DPP 2(1) requires a data user to take all reasonably practicable steps to ensure that personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used. Whether or not the employer needs to update the data depends on the purpose for which the data is kept. For example, an employer may need to update the records of a former employee to administer pension funds and make monthly payments. Where the personal data of a former employee is retained only for record-keeping purposes or for future job references, the employer is under no duty to update records that are meant to be static after the cessation of the employment relationship.
-
A9 The overseas head office regularly accesses personnel information related to salaries, bonuses, ex-gratia payments, and similar information pertaining to the staff members employed by its Hong Kong branch. Would such practice constitute a contravention of the Ordinance?
The Hong Kong branch has to ascertain the purpose of collection of such personal data by its overseas head office. If it is collecting the personal data for purposes directly related to the purpose for which the data was to be used at the time of the collection of the data (e.g., to properly discharge human resource administration functions), then the Hong Kong branch may provide such personal data to its overseas head office. However, the Hong Kong branch should, through the “Personal Information Collection Statement”, clearly inform its employees that the overseas head office is included among the classes of transferees of their data.
-
A10 An employee who had left the company over ten years earlier made a data access request to the employer for the payroll records during his employment. The employer found that it retained the relevant records, but realised that the retention period exceeded the seven-year period as stipulated under the Code. Should the employer destroy the records immediately, or comply with the data access request?
If the data user possesses the requested personal data at the time of receiving the data access request, the data user should provide the relevant data to the requestor unless otherwise exempted under the Ordinance. In this regard, the employer should first comply with the former employee’s request by providing him with the requested data, and subsequently delete all the data that has been retained longer than is necessary as soon as practicable.
-
A11 Employers required employees to submit their sick leave application documents to the Human Resources Department through their immediate supervisors and the General Manager. If an employee did not want his direct supervisor and the General Manager to know about his illness, could he submit the documents directly to the Human Resources Department?
Generally speaking, employers may only need the minimum information about a sick leave application of an employee (such as the cause of illness and the number of sick days recommended by a doctor) to verify his entitlement to sick leave, and should only make it available to authorised personnel on a "need to know" basis. As for the process of submitting sick leave application documents, each company has its own administrative arrangements according to its own circumstances, so no generalisation can be made.
That said, it is generally necessary for the company's management and the employee's immediate supervisor to know the employee's health condition in order to make arrangements for work assignments and manpower deployment.
-
A12 An employer required an employee to provide detailed medical records on the grounds that the employee applied for sick leave more than other colleagues. The employer indicated that the employee might be dismissed if he refused to accede to the request. Did the employer contravene the provisions of the Ordinance?
Each case turns on its own facts and should be determined individually. In a precedent case, the court held that it was reasonable for employers to collect detailed medical records from employees who applied for relatively more sick leave as their health conditions might affect the services provided to clients. In that case, the employer informing the employee of the consequences of not providing such data (such as facing disciplinary proceedings, etc.) was in compliance with DPP 1(3) of the Ordinance.
-
A13 An employee would like to resign and leave the company as soon as possible to take care of his sick father. The employer agreed to waive the payment in lieu of notice if the employee could present medical proof showing that his father was in need of care due to illness. Could the employer collect the said medical proof?
The employer requested medical proof for the purpose of reviewing whether the payment in lieu of notice should be exempted, which was related to the employer's functions and activities in employment matters. Hence the employer's request would not contravene the requirements under the Ordinance.
-
A14 The employer did not issue a reference letter when the employee resigned from the company. Could the employee request the employer to provide a reference letter by exercising the right of data access request?
An employee has the right to request a copy of his personal data held by his employer by making a data access request. However, if the employer had never issued a reference letter for the employee, it is not necessary for the employer to produce a reference letter for complying with the employee’s data access request.
-
A15 Can an employer include photos of an employee in its publications?
If the photo (such as a photo of company activities or a group photo) is not coupled with other identifying particulars of an employee (such as name), and it is not practicable to ascertain the employee’s identity from the photo alone, it does not amount to disclosure of "personal data".
On the contrary, if it is practicable to ascertain the employee’s identity from the photo and its caption (for example, a photo of an employee winning an award in a competition, etc.), the employer should only use the employee’s personal data for a purpose for which the data is to be used at the time of collection, or a directly related purpose. If publishing the relevant information would constitute a “new purpose”, the employer should first obtain the employee's consent before publishing the information.
-
A16 Can employers review the information uploaded by their employees on social platforms, and if any inappropriateness is found, punish or even dismiss the employee?
In terms of collection of personal data –
DPP 1 stipulates that data users (such as employers) must collect personal data in a lawful and fair way, for legitimate purposes directly related to their functions or activities, and that the data collected must be necessary and sufficient for the purpose, but not excessive.
In the interest of transparency, where the personal data is collected directly from the data subject, the data user should inform the data subject whether it is obligatory for him to supply the data, the purpose of collection of the data and the classes of person to whom the data may be transferred. The data user should also inform the data subject of the right and means to request access to and correction of his personal data.
In terms of use and disclosure of personal data –
DPP 3 states that personal data shall not be used for a “new purpose”, i.e. a purpose other than that for which it was originally collected or for a directly related purpose, unless the data subject has given express and voluntary consent. The data subject has the right to withdraw his consent previously given by written notification.
Exemptions
The interests protected under the PDPO have to be balanced against other legitimate interests. The Ordinance provides a number of exemptions from some compliance requirements under particular circumstances. Among other things, personal data used for the purpose of detection and remedying of seriously improper conduct is exempted from DPP 3 by virtue of section 58 of the Ordinance.
In addition, employers should consider the requirements of professional codes issued by relevant professional bodies and employment laws.