Guidance Notes

Fact Sheet No. 2, May 1997

Application of the Personal Data (Privacy) Ordinance
Human Resources Management : Some Common Questions

Data Protection Principle 3 : Use of Personal Data (DPP 3)

11. Must we obtain consent from an employee or ex-employee before giving an employment reference to another employer?

As the information you have about an employee or ex-employee was collected for your human resources management purposes, not those of the other employer, the individual should give consent before a reference is supplied. It would be acceptable for the consent to be given via the other employer.

12. Should the personnel department obtain consent from the employees if their staff files are requested by internal auditors for internal auditing?

DPP 3 provides that personal data may only be used for a purpose for which the data were to be used at the time of collection, or a directly related purpose. If an organisation wishes to use personal data for a different purpose, it is required to seek the express consent of the individual concerned. Generally speaking, personal data in staff files collected for personnel management purposes may be used for internal auditing without the consent of the employees because this activity is directly related to the personnel management function. To avoid disputes, the data user could include this purpose in the personal information collection statement communicated to the employee on collection of the personal data.

13. Should the personnel department obtain consent from employees if their supervisors want to access the employees' personal information for appraisal purposes?

As indicated in the answer to Question 12, personal data may be used for purposes that are consistent with the purposes for which the data were to be used when collected. It follows that supervisors may access the personal information of employees for appraisal purposes if the information was collected for that purpose, or a purpose directly related to it.

14. Our company keeps personal data in a computerised human resources management system. Line managers have access to the computer system, with security protection by passwords and user identity, to carry out their personnel management functions. Is this a contravention of the Ordinance?

There would be no contravention of DPP 3 if the line managers only use the personal data for the purposes for which the data were to be used when they were collected, e.g. carrying out personnel management functions. Attention should also be paid to the security of the personal data. Data Protection Principle 4 provides that all reasonably practicable steps should be taken to ensure that personal data are protected from unauthorised access, processing, erasure or other use. The level of security needed to meet this requirement increases with the sensitivity of personal data concerned. The use of passwords and user identity will probably be sufficient for routine employment-related personal data. However, you should consider excluding sensitive employee data, e.g. sensitive medical information, from an on-line system of this sort without additional security measures to protect it from unauthorised access.

15. When we disclose employment appraisal information to an appraisee, do we need to obtain consent from the appraiser first?

The contents of the appraisal are not personal data of the person carrying out the appraisal. This is because the person who carried out the appraisal is not the subject of the appraisal. Accordingly, the appraiser has no right of veto over disclosure of the appraisal to the individual who is the subject of it.

16. Does Inland Revenue Department have the right to access employee personal data such as address and bank account number?

Disclosing employee personal data to Inland Revenue Department that were not collected for this purpose, without the individuals' consent, is contrary to DPP 3. However, the Ordinance provides that where the application of DPP 3 would prejudice the assessment or collection of any tax, there is an exemption from the principle. If Inland Revenue Department requests such information from a company and that company has a reasonable belief that failure to disclose it would prejudice the assessment or collection of any tax, it may disclose the information to Inland Revenue Department even if the individual concerned does not give consent for this.

17. Our overseas head office has a practice of accessing personnel information in relation to salaries, bonuses, merit increases etc. Is this a contravention of the Ordinance?

Whether or not the practice is a contravention of the Ordinance depends on the purpose for which the head office wishes to use the personnel information concerned. If the purpose is one which is consistent with the purpose for which the local company collected the data, then such access is not a contravention of the Ordinance. If the head office wishes to use it for a different purpose, the express consent of the individual concerned would be required first.
