Date: 26 August 2020
PCPD Releases Inspection Report on Personal Data System of a Data User in the Food and Beverage Industry
The office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) today released an inspection report (Report) about the employment-related personal data system of a sizable company in the food and beverage industry (Data User). The findings revealed that the Data User had devoted efforts in privacy management, complied with most of the requirements under the Code of Practice on Human Resource Management (Code) and adopted some good practices. No material deficiencies were found, although some areas might be improved.
The Acting Privacy Commissioner for Personal Data, Hong Kong, Mr Tony LAM, said, “The findings and recommendations made in the Report would serve as reference to the food and beverage industry and other employers, assisting them in better management of personal data privacy of prospective, current and former employees.”
As part of its ongoing initiative to promote data governance, the PCPD has always strongly encouraged all data users to adopt a privacy management programme (PMP). Adoption of a PMP not only effectively helps employers manage their employees’ and customers’ personal data, but also assists data users in building trust with stakeholders including employees and customers and in enhancing their reputation as well as goodwill.
Findings and Recommendations
Good Practices
The PCPD was pleased with the Data User’s compliance with most of the requirements of the Code and some good practices as shown below:
- Notifying job applicants of the data retention period;
- Providing sample questions to interviewers to avoid collecting excessive personal data;
- No input of unsuccessful job applicants’ personal data into the Human Resources system; and
- Security measures to protect employment-related data, including:
  - certification of ISO/IEC 27001 in its information management system;
  - robust password management; and
  - rigorous access right control.
Areas for Improvement and Recommendations
The PCPD identified some areas that might be improved on the part of the Data User. These recommendations are generally applicable to the food and beverage industry and other employers:
- To cease the practice of collecting partial Hong Kong Identity (HKID) Card number of job applicants and to completely obliterate such previously collected data;
- To ensure that each HKID Card copy of employees collected and held is marked with the word “COPY” across the entire image of the HKID Card;
- To ensure that all job applicants are provided with (a) Personal Information Collection Statement (PICS) if a job advertisement placed by an employer directly solicits personal data from job applicants, or (b) the identity of the contact person in the job advertisements from whom the job applicants may obtain a copy of the PICS;
- To conduct timely erasure of job applicants’ personal data collected through instant messaging applications;
- To ensure consistency of the retention period of employees’ personal data as stated in the online privacy policy and the employment application form;
- To conduct regular data protection training for all employees and to regularly update related training materials; and
- To incorporate more safeguarding clauses in the agreement with contractors (e.g. paper disposal contractor) and other contractors handling employees’ personal data, such as restricting sub-contracting and notifying data users of data leakage (if any).
Download the Inspection Report “Personal Data System of a Data User in the Food and Beverage Industry”
Background of the Inspection
Employers in the food and beverage industry in Hong Kong collect and handle a massive volume and a broad range of personal data, given that more than 220,000 persons were employed by the industry. It would therefore be in the public interest to carry out an inspection to review the employment-related personal data system of a sizable company in the food and beverage industry pursuant to section 36 of the Personal Data (Privacy) Ordinance (Ordinance), which empowers the Privacy Commissioner to carry out the inspection to ascertain information to assist him in making recommendations relating to the promotion of compliance with the provisions of the Ordinance to a data user and the class of data users to which the data user belongs.
The Code
The Report also includes the salient points of the Code (see Note) which all employers in Hong Kong should follow. The Code provides practical guidance to employers and their staff on how to properly handle personal data of prospective, current and former employees during each phase of the employment process. Examples of the areas covered in the Code are PICS in job advertisements, collection of HKID card number and copies of HKID card, health-related data, data compiled in disciplinary investigation, engagement of third-party organisations to perform employment-related functions, retention of former employees’ data, etc. The Code can be downloaded here.
Professional Workshop on “Data Protection in Human Resource Management”
The PCPD regularly organises Professional Workshop on “Data Protection in Human Resource Management” to help employers and human resource practitioners manage personal data in an ethical, smart and lawful way in the entire employment process from cradle to grave. The upcoming Workshop will be held on 6 October 2020. Accredited with three points of Continuous Professional Development, the Workshop enables participants to have a thorough understanding of the requirements of the Ordinance and the Code. The proper ways to handle requests from prospective, current and former employees for access to their personal data will be explained in detail. Topical issues such as how to tackle employees’ personal data privacy issues arising from COVID-19 will also be discussed.
Note: The Code has been issued by the Privacy Commissioner in the exercise of the powers conferred on him by Part 3 of the Ordinance. Section 12(1) of the Ordinance empowers the Privacy Commissioner to issue codes of practice for the purpose of providing practical guidance in respect of any requirements under the Ordinance imposed on data users. Failure to abide by the mandatory provisions of the Code will weigh unfavorably against the data user concerned in any case that comes before the Privacy Commissioner. Where any data user fails to observe any of the mandatory provisions of the Code, a court, a magistrate, the Administrative Appeals Board or the chairman of the Administrative Appeals Board, is entitled to take that fact into account when deciding whether there has been a contravention of the Ordinance.
-End-