Guidance Notes
Guidance Notes
Fact Sheet No. 2, May 1997
Application of the Personal Data (Privacy) Ordinance
Human Resources Management : Some Common Questions
Data Protection Principle 2 : Accuracy and Duration of Retention of Personal Data (DPP 2)
7. If a staff member intentionally provides out-dated information to the human resources manager for the employee record, would the employer be liable under DPP 2?
A requirement of DPP 2 is that data users should take all reasonable practicable steps to ensure that personal data are accurate having regard to the purposes for which they are to be used. Clearly, where personal data are collected from the individual concerned, it is reasonable to rely on the individual to provide accurate information. It would generally not be reasonable to expect employers to perform checks on the accuracy of such data, although they may choose to do so in relation to key items such as academic qualifications. Furthermore, in civil proceedings by an individual who suffers damage as a result of inaccurate personal data, the Ordinance provides that it is a defence to show that the data were provided in that inaccurate form by the data subject or a third party. That said, employers should of course put in place appropriate systems for updating information about employees. For example, periodic circulation of reminders to employees to provide updates of the information they have previously provided when their personal circumstances change.
8. If an unsuccessful applicant for an employment position asks to have his or her personal resume returned, does the company have to do so?
A data user may continue to retain personal information for as long as it is still needed by the data user for one or other of the purposes for which it was to be used when it was collected, or a directly related purpose, or a purpose for which the data subject has given express consent subsequent to its collection. Only where the data are not needed for such purposes can the individual point to the requirements of DPP 2 that such data should not be retained any longer. If the data user declines to abide by this requirement, the individual can complain to the Privacy Commissioner who has power to enforce it by requiring that the data be erased. However, there is no right under the Ordinance to require that personal data be returned.
9. If we need to keep personal data of past employees, are we required to update the data regularly or keep them as they were when the staff left the company?
The accuracy requirement of DPP 2 is that all reasonably practicable steps should be taken to ensure that personal data are accurate in relation to the purposes for which they were collected. Whether or not you need to update the data depends on the purpose for which the data are kept. If the data are kept in order to maintain contact with employee, clearly the contact details should be updated if they change. On the other hand, if the data are kept as a historical record for, say, taxation purposes, the data should be accurate in relation to the time to which it relates and the need to update the data does not arise.
10. How long should we keep the personal data of ex-employees and unsuccessful job candidates?
As indicated in the answer to question 8, DPP 2 requires that personal data should not be kept for any longer than is necessary to fulfil the purposes for which the data were to be used, or a directly related purpose. In addition, Section 26 of the Ordinance provides that personal data may be retained where erasure is prohibited under any law or it is in the public interest (including historical interest) for the data not to be erased. On this basis, personal data may be retained at least for as long as there is a statutory requirement to do so.
Whether it should be retained beyond the statutory requirement will depend on whether or not the purposes for which the data were collected have already been exhausted or whether there are any public interest reasons for keeping the data. It is necessary for each data user to consider carefully what periods are reasonable for retaining the different types of personal data they collect. Such consideration should have reference, in particular, to the purposes for which they were collected. In determining such periods, the data user should have regard to its own experience in relation to the usefulness of keeping the type of data concerned. For example, if it is found that past employees generally cease to seek references after, say, 6 months, then this period can be considered as an appropriate retention period in relation to that purpose.
As regards unsuccessful candidates for employment positions, there is no set period prescribed under the Ordinance. The Equal Opportunities Commission's Codes of Practices on Employment recommend retention of employment application records for at least one year. The Privacy Commissioner considers this retention period to be reasonable for the purpose of responding to any claim of discrimination.
