Date: 26 June 2018
Response to Media Enquiry on the Suspected Employee Monitoring on Social Media Platforms by Galaxy Entertainment Group and YouFind
Thank you for your email enquiry.
The Privacy Commissioner has initiated a compliance check on this case under the Personal Data (Privacy) Ordinance (Cap. 486, Laws of Hong Kong) (the Ordinance). It would not be appropriate for us to offer any comments at this stage before looking into the details of the specific circumstances.
The Privacy Commissioner will also consider taking appropriate actions including approaching the relevant data protection authorities for follow-up actions pursuant to enhanced interoperability and cooperation among different jurisdictions.
Our general observations from the perspective of personal data privacy are as follows:
An employer is usually a data user. The Ordinance applies where a data user (an organisation) controls the collection, holding, processing or use of personal data in or from Hong Kong. The Ordinance governs all public and private organisations in Hong Kong, including government departments. If employee monitoring is undertaken and results in collection of personal data of employees, the employer shall ensure that such practice complies with the requirements set out in the Ordinance, including the Data Protection Principles (DPPs).
According to the Ordinance, personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user (e.g. an employer). Data subjects (e.g. employees) must be notified of the purpose and the classes of persons to whom the data may be transferred.
If a company chooses to conduct any employee monitoring, before embarking on such exercise involving collection of personal data, an employer is recommended to carry out a privacy impact assessment, taking into account at least the following factors:
- Assessment of the risks that employee monitoring seeks to manage and the benefits to be derived from applying it to those risks, having regard to the purpose(s) that relate to the business functions or activities of the employer;
- Alternatives to employee monitoring and a consideration of the range of options open to the employer that may be equally cost effective and practical in their application, yet less privacy intrusive; and
- Accountability of the employer in those circumstances in which employee monitoring results in the collection of personal data of employees. It is the responsibility of the employer to implement privacy compliant data management practices in the handling of personal data obtained from employee monitoring.
Employers who have decided to monitor employees at work should accept responsibility and be accountable for the proper conduct and operation of their monitoring activities. Specifically, they have a responsibility to ensure that:
- a privacy policy pertaining to employee monitoring is developed and brought to the notice of employees before the monitoring is introduced; and
- privacy compliant measures are developed to protect the personal data of employees that may be collected in the course of monitoring.
The Ordinance also provides that when an employer engages a data processor (the digital marketing agency in the cited case could be a data processor), whether within or outside Hong Kong, to process personal data on the employer’s behalf, contractual or other means must be adopted to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data, or unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. An employer, as a data user, will be liable for the acts done by its authorised data processor.
If anyone suspects that his privacy rights relating to personal data are being encroached or abused, he should nevertheless consider raising the concern with the individuals / organisations that are suspected of abusing his personal information. Invariably, he could lodge a complaint with the PCPD. Upon receipt of the complaint, the PCPD will take appropriate follow-up action.
The information can be attributed to the Privacy Commissioner for Personal Data, Mr Stephen Kai-yi Wong.