9.11
In facilitating compliance with the requirements of the Ordinance by the employer as
data user and in exercise of the Commissioner’s powers under section 8(5) of the
Ordinance, the Commissioner issued in December 2004 the Privacy Guidelines:
Monitoring and Personal Data Privacy at Work.[5] Where employee monitoring is justified
for legitimate business purposes, an employer should take practicable steps to formulate
and make known its monitoring policy and due regard should be given to the legitimate
expectation of the employees of personal data privacy. It is generally accepted that by
entering into employment relationships, the employees, though submitting themselves to
the lawful instructions to be given by the employer, do not thereby forsake all their rights
to personal data privacy. The employees’ legitimate expectation of privacy should
extend to cover such matters as the installation of CCTV in toilets or changing rooms, the
indiscriminate collection of the contents of their personal emails or the recording of
private calls without proper justification. The transparency of actions expressed through
a clearly written and communicated PPS is indicative of the employer’s accountability
for its monitoring policies and practices and is conducive to building mutual trust
between employers and employees.
9.12
In a complaint that came before the Commissioner, a public organisation was found to
have installed covert pinhole cameras for detecting theft of its property believed to be
committed by its staff. Upon investigation, it was found that the use of pinhole cameras
was extensive and out of proportion in relation to the objective of gathering evidence of
crime and the means adopted were unfair. In view of the monitoring activities carried
out by the organisation and the number of employees affected, the organisation was
found not to have taken reasonably practicable steps (such as considering adoption of
less privacy-intrusive means) to comply with DPP5 and failed to have in place a
monitoring policy.[6]
9.13
In another complaint in relation to the collection of fingerprint data by an employer
from its employees for the purpose of monitoring attendance,[7] the Commissioner found
that the employer’s assertion that “all fingerprint records will be handled according to
the Privacy Ordinance and will not be leaked” without giving further particulars on how
the records would be handled was plainly insufficient to make known its policies and
practices in collecting the employees’ fingerprint data.
[5] In the Guidelines (available on the Website:
https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/Monitoring_and_Personal_Data_Privacy_At_Work_revis_Eng.pdf), the 3As concept (i.e. Assessment, Alternatives and Accountability) in assessing the
appropriateness of employee monitoring and the 3Cs approach (i.e. Clarity, Communication and Control) were
introduced in relation to the handling of personal data collected during monitoring. The DPP5 requirements were
expounded in the Clarity and Communication concepts in devising and making known a Monitoring Policy. Employers
are encouraged to follow the recommended good practices mentioned in the Guidelines.
[6] See Investigation Report No. R05-7230, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R05-7230_e.pdf
[7] See Investigation Report No. R09-7884, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/report_Fingerprint_e.pdf