"Protecting Personal Data Privacy When Using Instant Messaging Apps in Human Resources Management: Recommendations from the Office of the Privacy Commissioner for Personal Data" – Senior Legal Counsel of the PCPD's article contribution at HR e-Journal (Apr 2024)

In today’s digital world, the use of instant messaging in HR management is prevalent. Instant messaging is a real-time and direct channel for HR-related discussions and updates and enables efficient communication within and outside organisations. However, the increasing reliance on instant messaging apps in HR management raises concerns about the protection of personal data privacy.

Accordingly, this article highlights the importance of protecting personal data privacy when using instant messaging apps; outlines recommendations for HR practitioners concerning their roles in protecting personal data privacy; and introduces our recently updated information leaflet, “Human Resource Management: Common Questions,” [1] which aims to promote good practice by HR practitioners to better protect personal data privacy at work.


The Need to Protect Personal Data in Instant Messaging Apps

Personal data are a valuable asset of every organisation and require protection to ensure privacy and prevent misuse. Instant messaging apps often contain a wealth of personal information, such as contact details and conversations, and may contain sensitive data, such as medical data. Therefore, it is essential for all HR practitioners to place a strong emphasis on the protection of personal data in instant messaging apps.

Compliance with Data Protection Regulations

Organisations are obliged to comply with the requirements under the Personal Data (Privacy) Ordinance (the PDPO), including in the use of instant messaging apps in HR contexts.

A recent report [2] published by the Office of the Privacy Commissioner for Personal Data (the PCPD) notes that two organisations were found to have contravened the requirements under the PDPO. Specifically, the organisations had disclosed their staff members’ personal data in instant messaging app chat groups for new purposes different from the original purpose of collection and without the relevant staff members’ consent. As a result, these organisations have been served enforcement notices that direct them to remedy the breaches and prevent the recurrence of their respective contraventions. Failure to comply with an enforcement notice is an offence and is liable on conviction to imprisonment for 2 years and a fine. 

Due to the ease and convenience of their use, instant messaging apps are frequently used by organisations. Moreover, the exchange of messages and information via instant messaging apps in organisations is on the rise, such that the risk of personal data leakage via these apps is also significantly increasing. Therefore, HR practitioners should exercise due care in deploying instant messaging apps to mitigate potential penalties or legal repercussions.

Data Breach Prevention

Instant messaging apps may exhibit vulnerabilities that can be exploited by cybercriminals seeking to gain unauthorised access to personal data. However, by implementing robust security measures, such as end-to-end encryption, two-factor authentication, access controls, and regular security audits, HR practitioners can significantly reduce the risk of unauthorised access to sensitive employee information.

Specifically, by proactively implementing the above-mentioned protective measures, organisations create a secure environment for employee personal data in instant messaging apps. This reduces the likelihood of data breaches and unauthorised disclosure of sensitive information, allowing organisations to safeguard employee privacy, maintain regulatory compliance, and protect their reputation.

Employee Privacy and Trust

HR practitioners are responsible for handling sensitive employee information, such as performance evaluations, medical records, and payroll details. Ensuring the confidentiality and security of these data in instant messaging conversations helps maintain trust between HR and employees. Employees who are confident that their personal information is handled securely are more willing to engage in open and honest communication with HR practitioners. Such trust is crucial for maintaining a positive work environment and strong employee relations.

Privacy Commissioner’s Recommendations for HR Practitioners

The PCPD recognises the importance of data protection in the workplace. Below are several recommendations for HR practitioners seeking to enhance personal data privacy protection when utilising instant messaging apps.

Establish Clear Policies

Organisations are advised to develop clear policies and guidelines regarding the use of instant messaging apps in the workplace. These policies should comprehensively explain the relevant legislative requirements, describe the data protection measures and procedures adopted by organisations, outline employees’ responsibilities in protecting personal data, and provide clear guidance on the secure usage of personal data.

Foster Transparency and Open Communication

Organisations should ensure that employees are fully informed about and provided with clear explanations of the collection and processing of their personal data through instant messaging apps. It is important that employees understand the purpose and scope of data collection and how their data will be used. In addition, organisations should adopt a data minimisation approach, that is, collect only necessary personal data through instant messaging apps. Unnecessary data should not be collected or stored in such apps, thereby reducing the risks associated with data breaches and unauthorised access.

Think Twice Before Sharing

HR practitioners should think twice before sharing or disclosing personal data through instant messaging apps, thereby mitigating the risk of unintended disclosure. Once personal data have been disclosed, they may be forwarded to other irrelevant parties and permanently retained by others, leading to a loss of control over data access. As such, it is essential to carefully consider the sensitivity and relevance of data being shared to ensure compliance with data protection regulations.


[1] https://www.pcpd.org.hk/english/resources_centre/publications/files/Some_Common_Question_Eng.pdf
[2] https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r23_18465_e.pdf