Date: 25 March 2022
PCPD Issues Guidance for Employers on Collection and Use of Personal Data of Employees during the Fifth Wave
Since the onset of the fifth wave in early 2022, organisations in Hong Kong have been deploying epidemic prevention and control measures in the workplace to ensure the health and safety of employees. Health data of employees is normally collected by employers with a view to introducing effective anti-epidemic measures to reduce the risk of transmission of coronavirus variants in the workplace. From 1 January to 18 March this year, the Office of the Privacy Commissioner for Personal Data (PCPD) received 157 enquiries relating to the collection of employees’ health data. Against this background, the PCPD today (25 March) issued the “Guidance for Employers on Collection and Use of Personal Data of Employees during COVID-19 Pandemic” to help employers and employees to understand the employers’ obligations under the Personal Data (Privacy) Ordinance when it comes to the collection and use of employees’ health data in the context of the pandemic.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “In view of the unprecedented severity of the COVID-19 pandemic brought by the more contagious variant Omicron, Hongkongers have been standing united to fight the pandemic. To safeguard the health of employees during the pandemic, collection of COVID-19 related health data from employees by employers (as data users) can generally be regarded as collecting data for a lawful purpose related to the functions of the employers, but employers are also required to comply with the relevant requirements of the privacy law. Personal Data irrelevant to or not strictly necessary for the prevention or control of COVID-19 in the workplace should not be collected.”
In particular, the Guidance provides the following recommendations:
- Necessity: Employers should only collect health data that is necessary for and directly related to the purpose(s) of data collection. Personal data irrelevant to or not strictly necessary for the prevention or control of COVID-19 in the workplace should not be collected. Under most circumstances, collection of the health data of an employee’s family member(s), such as their vaccination records, will not be considered necessary or proportionate.
- Data minimisation: The data collected by employers should be adequate but not excessive in relation to the purpose(s) for which it is collected. The least privacy intrusive measures should be adopted.
- Transparency: Employers should clearly convey all the requisite information to employees, such as by presenting a Personal Information Collection Statement.
- Retention and erasure: Employers should not retain the health data of employees for a period longer than is necessary. When the purpose of collection is fulfilled, the employer should permanently destroy that data.
- Accuracy: Employers should ensure that policies and systems be in place to maintain accurate and up-to-date vaccination information and test results of employees.
- Security: Employers should take all practicable steps to protect the health data collected against unauthorised or accidental access, processing, erasure, loss or use, such as by locking paper records, encrypting electronic records, and limiting data access to authorised personnel on a need-to-know basis.