What Should I Consider for Data Privacy Issues in Employment?

In Hong Kong, regulatory requirements on personal data are governed by the Personal Data (Privacy) Ordinance (Cap. 486), whose objective is to protect the privacy of individuals, not just employees, in relation to personal data.


As an employer, it is not unreasonable to implement monitoring procedures to ensure that the interests of the company, both tangible and intangible, are well protected, and also to ensure that no unlawful activity is committed at work by any of your employees.

In general, employee monitoring should be conducted in an overt manner rather than a covert manner, unless it is well justified that overt monitoring would distort the findings of the monitoring, and only covert monitoring can detect the unlawful activity that is reasonably suspected.



In addition to adopting the "overt manner" approach, before implementing an employee monitoring system you can also refer to the principle of the "3As - Assessment, Alternatives and Accountability" to assess whether the proposed monitoring process is the best of a range of options:

3As - Assessment, Alternatives and Accountability

  1. Assessment - Is the monitoring necessary to address certain justifiable risks relating to the business, and is it beneficial to the business, e.g., for productivity?

  2. Alternatives - Is there any less privacy-intrusive alternative to the proposed monitoring system?

  3. Accountability - The employer is responsible for having a privacy policy in place, and accepts responsibility and accountability for the operation of the monitoring activities.

The above does not preclude any monitoring procedure, but the table below demonstrates how we can determine whether the common types of monitoring procedures are appropriate:

|              | Telephone Record | CCTV Monitoring | Web-Browsing Record | Email |
|--------------|------------------|-----------------|---------------------|-------|
| Assessment   | Is it too intrusive if private conversation is recorded? Are employees expected to conduct private conversation on their mobile? | If dangerous behaviour must be monitored, then it may be necessary. | Is it the visiting of selected websites the company wants to avoid, or the downloading of prohibited items? | |
| Alternatives | Include selected conversations only, according to regulatory requirements, the company's guidelines, or a phone number list? | Which physical area of the company, or the whole company? | How about filtering websites the company deems inappropriate? | How about installing software to detect emails carrying viruses, if this is the purpose of the monitoring? |

After implementation, you can refer to the principle of the "3Cs - Clarity, Communication and Control" to ensure that the data management procedure applicable to the data collected by the monitoring process is adequate:

3Cs - Clarity, Communication and Control

  1. Clarity - Your monitoring policy should explicitly explain the business purposes of monitoring, the circumstances under which monitoring takes place, the personal data you collect, and the purpose for which the collected data will be used.
  2. Communication - You should ensure the policy is well noted by employees, for example by incorporating the policy into training or orientation programmes, or even making it part of the employment agreement.
  3. Control - You should stick to the purposes stated in the monitoring policy when using the personal data. Also, in general, data should not be retained for more than six months.

Take a look at the reference issued by the Privacy Commissioner for Personal Data of Hong Kong.