Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hong Kong Privacy Code on Human Resource Management

Similar presentations

Presentation on theme: "Hong Kong Privacy Code on Human Resource Management"— Presentation transcript:

1 Hong Kong Privacy Code on Human Resource Management
Tony LAM Deputy Privacy Commissioner for Personal Data Hong Kong SAR Asian Data Privacy Forum March Privacy Commissioner’s Office, Hong Kong SAR

2 Employment-related Complaints
Out of 2,015 complaints received by PCO up to 28 February 2001, 226 cases (11%) related to alleged practices of employers that may be in breach of the Personal Data (Privacy) Ordinance 75 cases were found substantiated. Of these, 25 cases (33%) relate to the employer’s failure to comply with data access requests made by staff Three enforcement notices and 37 warning notices were issued as a result of investigation

3 Coverage of the Code Provide practical guidance to employers and human resource practitioners on the application of the Personal Data (Privacy) Ordinance relating to employment-related personal data Apply to employers in their management of personal data in three stages of the employment process: Recruitment, Current employment and Former employees’ matters

4 Effective Date of the Code
Approved by the Privacy Commissioner and was notified in the Gazette of the Hong Kong SAR Government on 22 September 2000 Requirements of the Code to take effect on 1st April 2001 Non-compliance with the Code will give rise to a presumption against the employer in any proceedings involving an alleged breach of the Ordinance

5 Key Compliance Requirements
- Recruitment - Current Employment - Former Employees’ Matters

6 Recruitment Advertisement
Should not use a “blind” advertisement, e.g. that gives only a PO Box number, to solicit personal data directly from job applicants Alternatives Request applicants to write to the PO Box to obtain an application form that bears the employer’s identity Use a recruitment agency identified in the recruitment advertisement to receive resumes of job applicants

7 Examples of “blind” Advertisement
Company Assistant - Form 5 or above - Knowledge of company secretarial duties Please send resume to PO Box 100 Company Assistant - Form 5 or above - Knowledge of company secretarial duties Interested parties please contact Miss Chan on 2808-xxxx Submission of personal data by job applicants No identity of the employer provided No notification of purpose of use of the data Job applicants are denied of data access rights No submission of personal data by job applicants Contact person provided from whom applicants: - may seek to identify the employer - may seek information about purpose statement

8 Notification in Recruitment Advertisements
Recruitment advertisements that directly ask job applicants to provide their personal data should include a Personal Information Collection Statement (“PICS”) Alternatives Invite job applicants to respond by filling in the employer’s job application form that prescribed the PICS notification Give a contact person from whom applicants may obtain a copy of the PICS

9 Other Requirements during Recruitment
Should not collect a copy of the applicant’s identity card unless and until the individual has accepted an offer of employment Should limit original job application to data relevant for identifying suitable candidates, e.g. work experience, competencies, job skills, academic/professional qualifications, and other relevant attributes May collect supplementary information about potential candidates that are relevant to the nature of the job, e.g. to establish security credentials or integrity

10 Other Requirements during Recruitment
May collect the health condition of a selected candidate by means of a pre-employment medical examination if the data directly relate to the inherent requirements of the job the employment is conditional upon the fulfillment of the medical examination Must obtain an applicant’s consent before seeking references from his/her current or former employers or other sources May retain personal data of unsuccessful applicants for a period of up to two years

11 Current Employment Should provide employees with a Personal Information Collection Statement (“PICS”) pertaining to employment e.g. at the earliest opportunity when the employee accepts the offer of employment Should not issue staff card that bears the employees’ ID card number and name together

12 Current Employment Employees and their family members
for purposes directly related to the employment, e.g. claim of compensation or benefits, declaration of conflict of interest, health condition for assessment of continuance in employment to fulfil lawful requirements that regulate the affairs of the employer Disciplinary proceedings, performance appraisal or promotion planning for purposes directly related to the process concerned should not be disclosed to a third party unless the third party has legitimate reasons for gaining access to the data

13 Current Employment Should not disclose employment-related data of an employee to a third party unless the employee has consented the disclosure is directly related to the employment required by law or by statutory authorities there is an applicable exemption under the PD(P)O Where disclosure to a third party is permitted avoid disclosure of data in excess of that necessary for the purpose of use by the third party implement measures to ensure the third party protects the data

14 Former Employees’ Matters
Relevant personal data of a former employee may be retained for a period of up to seven years from the date the employee ceases employment unless deletion of the data is prohibited by law there are contractual or legal obligations on the part of the employer, e.g ongoing litigation, administration of retirement plan it is in the public interest for the data not to be deleted the employee has given consent for the data to be retained beyond seven years

15 Former Employees’ Matters
In any termination notice about a former employee having left employment, an employer should not disclose the identity card number of the employee should include only the minimum information required to identify the employee concerned Before providing a reference concerning a former employee to a third party, an employer should obtain the prior consent of the employee; or satisfy itself that the third party requesting the reference has obtained the consent of the employee

16 Employer’s Liability Should take all practicable steps to ensure
staff handling employment-related data are well trained, have the appropriate qualities of integrity, prudence and competence adequate security measures are implemented so that all personal data are collected, processed and stored securely its Privacy Policy Statement concerning personal data management practices can be made available to all staff Must comply with a data access/correction requests within 40 days upon receipt of the request provide the requestor reasons of refusal within 40 days

17 Employer’s Liability An employer is liable in civil proceedings for any act or practice relating to personal data that is undertaken by its employees in the course of their employment that is contrary to the provisions of the PD(P)O, even if the employees undertook the act or engaged in the practice without the employer’s knowledge or approval An employer is liable in civil proceedings for any wrongful acts or practices done by a third party where the third party is engaged as an agent acting with authority

Download ppt "Hong Kong Privacy Code on Human Resource Management"

Similar presentations

Ads by Google