Guidance Notes

Fact Sheet No. 2, May 1997

Application of the Personal Data (Privacy) Ordinance
Human Resources Management : Some Common Questions

Data Protection Principle 4 : Security of Personal Data (DPP 4)

18. When we provide personal references to another company, must we mark the envelope "confidential"?

The level of security adopted in relation to personal data depends on a variety of factors as set out in DPP 4. When considering the transmission of personal data, a key consideration is the nature of the information contained in the communication and the harm that could result if there was unauthorised or accidental access to it. Accordingly, the greater the sensitivity of the information in the personal reference, the higher the level of security should be. As a general rule, it would be desirable to mark the envelope in such a way that it would only be opened by the staff dealing with personnel matters in the recipient organisation. Marking the envelope "confidential" would be appropriate where the information being communicated includes matters that extend beyond simple factual information about the employment history of the individual concerned.

Data Protection Principle 5: Information to be Generally Available (DPP 5)

19. Does an employee have the right to know the kind of personal data held by the company including sensitive and confidential data?

One of the requirements of DPP 5 is that all practicable steps should be taken to ensure that a person can be informed of the kind of personal data held by a data user. Therefore, the employer is obliged to disclose to employees the kind of personal data held including sensitive and confidential information.

Data Protection Principle 6: Access to Personal Data (DPP 6)

20. Do employees have the right to obtain a copy of their personal record including appraisal report?

DPP 6 stipulates that an individual has the right to ascertain whether a data user holds personal data about him/her and to request access to such data. It follows that an employee has the right to obtain a copy of his/her personal record including appraisal report. However, the Ordinance provides for the following exemptions from the right of access for employment-related data:

  • data relating to staff planning
  • personal data involved in the following evaluative processes if there is a right of appeal by the individual against an adverse decision until such processes are completed:
    • employment or appointment to office
    • promotion or removal from office
    • the award of contracts, scholarships, benefits, etc.
    • consideration for taking disciplinary action against the data subject
  • personal references for appointments up to the time when the positions are filled
  • until 3 August 2002, employment-related personal data provided prior to 20 December 1996 on a basis that the data subject would not be allowed access

It should be noted that the use of any exemption is discretionary, not mandatory. In other words, an employer can still choose to comply with access requests to personal data irrespective of the exemptions above.

Other Common Questions

21. How is "data user" defined, e.g. is it the employer, department head or the staff of HR department?

A data user is defined as a person who controls the collection, holding, processing or use of personal data. In the private sector, it is the company, as a legal person, that does this. Accordingly, it is normally the company that is the data user, not a department within the company or a particular staff member or group of staff members.

22. Who is liable for a contravention of the Ordinance in relation to employment-related personnel data: the employer or the human resources manager?

This depends on the offence in question. Section 64 of the Ordinance specifies a number of offences, some of which may be committed by data users, i.e. organisations such as companies, and others may be committed by "persons", i.e. organisations or individuals. Under the Criminal Procedure Ordinance, where a statutory offence has been committed by a company which can be both a "person" or a "data user" under the Personal Data (Privacy) Ordinance, and it is proved that the offence was committed with the "consent or connivance" of a director or other officer concerned in the management of the company, that director or other officer is personally liable. Accordingly, in principle, both the employer and the human resources manager could be liable for a contravention of the Ordinance in relation to employment-related personal data.

In practice, where the human resources manager acts in accordance with the instructions of the employer, the efforts of the Office of the Privacy Commissioner for Personal Data at enforcing compliance would normally be directed at the employer. On the other hand, if the employer has taken all reasonable practical steps to ensure compliance with the Ordinance and the human resources manager has contravened the Ordinance by acting in a manner contrary to company policies and practices, enforcement action of our Office would be more appropriately directed at the manager.
