The Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”) governs the handling of personal data. Personal data refers to any data “relating directly or indirectly to a living individual, from which it is possible and practical to ascertain the identity of the individual from the said data, in a form in which access to or processing of the data is practicable”.
Any person or organization dealing with personal data must comply with six Data Protection Principles, which concern 1) Purpose and Manner of Collection, 2) Accuracy and Duration of Retention, 3) Use of Data, 4) Data Security, 5) Openness and Transparency, and 6) Access and Correction.
Employers may refer to various Codes of Practice, including 1) the Code of Practice on the Identity Card Number and Other Personal Identifiers, 2) the Code of Practice on Human Resource Management, 3) the Code of Practice on Consumer Credit Data, and 4) Privacy Guidelines: Monitoring and Personal Data Privacy at Work.
Contravention of data protection principles or the Codes of Practice is not an offence. However, contravention of certain provisions of the Ordinance is.
Employers should be aware of the following three areas:
- Recruitment
- Current employment
- Former employee matters
1. Recruitment
Personal data collected from job applicants should be relevant to recruitment purposes and not be excessive.
An employer should not collect a copy of the HKID of a job applicant during the recruitment process before the individual has accepted an offer of employment.
Recruitment advertisements should include a statement informing applicants about the purposes for which their personal data is to be used, e.g. “Personal data collected will be used for recruitment purposes only”, or “Personal data provided by job applicants will be used strictly following the employer’s personal data policies, a copy of which will be provided immediately upon request”.
Personal data of unsuccessful applicants may be kept for a period of up to 2 years from the date of rejecting the applicants and should then be destroyed, unless the employer is required to keep the data for more than 2 years or the applicants have given consent.
2. Current employment
On or before collection of personal data from an employee, an employer should provide the employee with a Personal Information Collection Statement to inform the employee about 1) the purposes for which the data is to be used, 2) the classes of persons to whom the data may be transferred, 3) the rights of the employee to make data access and correction requests, and 4) the name or job title, and address, of the person to whom the employee can make such requests.
An employer should not disclose employment-related data of employees to a third party without first obtaining the employee’s consent.
3. Former employee matters
An employer must ensure that only relevant and necessary information about the former employee is kept after the employment relationship ends.
Personal data of a former employee may be kept for a period of up to 7 years from the date the former employee is no longer employed, unless the employer is required to keep the data for more than 7 years.