Date: 12 June 2018
Response to Media Enquiry on the Suspected Employee Monitoring on Social Media Platforms by Galaxy Entertainment Group and YouFind
Thank you for your email enquiry. While it would not be appropriate for us to comment on individual cases or a specific practice before looking into the details of the specific circumstances, our general observations from the perspective of personal data privacy are as follows:
-
The Personal Data (Privacy) Ordinance (the Ordinance) applies where collection of personal data is involved. Generally speaking, if a data user controls the collection, holding, processing or use of personal data in or from Hong Kong, he must comply with the requirements under the Ordinance, including the six Data Protection Principles (DPPs). The Ordinance governs all public and private organisations in Hong Kong, including government departments. Where employee monitoring is undertaken and results in collection of personal data of employees, the employer shall ensure that such practice complies with the DPPs.
-
According to the Ordinance, personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user (e.g. an employer). Data subjects (e.g. employees) must be notified of the purpose and the classes of persons to whom the data may be transferred.
-
Before embarking on any employee monitoring exercise involving collection of personal data, an employer are recommended to carry out a privacy impact assessment, taking into account at least the following factors:
-
Assessment of the risks that employee monitoring seeks to manage and the benefits to be derived from applying it to those risks, having regard to the purpose(s) that relate to the business functions or activities of the employer;
-
Alternatives to employee monitoring and a consideration of the range of options open to the employer that may be equally cost effective and practical in their application, yet less privacy intrusive; and
-
Accountability of the employer in those circumstances in which employee monitoring results in the collection of personal data of employees. It is the responsibility of the employer to implement privacy compliant data management practices in the handling of personal data obtained from employee monitoring.
-
Employers who have decided to monitor employees at work should accept responsibility and be accountable for the proper conduct and operation of their monitoring activities. Specifically, they have a responsibility to ensure that :
(a) a privacy policy pertaining to employee monitoring is developed and brought to the notice of employees before the monitoring is introduced and
(b) privacy compliant measures are developed to protect the personal data of employees that may be collected in the course of monitoring.
-
The Ordinance also provides that when an employer engages a data processor (the digital marketing agency in the cited case could be a data processor), whether within or outside Hong Kong, to process personal data on the employer’s behalf, contractual or other means must be adopted to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data, or unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. An employer, as a data user, will be liable for the acts done by its authorised data processor.
The
“Guidance on Use of Personal Data Obtained from the Public Domain” was also issued to assist employers to comply with the requirements under the Ordinance when collecting and using personal data from the public domain.
The information can be attributed to the Privacy Commissioner for Personal Data, Mr Stephen Kai-yi Wong.