Hong Kong new privacy guidelines

19 January 2005

Edward Alder

Background

Back in March 2002 the Hong Kong Office of the Privacy Commissioner for Personal Data (the PCO) released a Consultation Paper on a draft ‘Code of Practice’ under Section 12 of the Personal Data (Privacy) Ordinance (the PDPO) to seek the public’s views on the issue of regulating monitoring of employees.

The purpose of the Code was to provide practical guidance to employers who wished to engage in monitoring of their workforce and office infrastructure. The Code covered the topical issues of email and Internet usage monitoring, as well as telephone and CCTV monitoring.

Nearly a year ago, in December 2003, the PCO released a Report on the Consultation. The Report summarised the many and wide-ranging views that had been submitted to the PCO in connection with the proposed Code.

On the whole, individuals tended to be strongly in favour of the proposed Code, while employers tended to be strongly against it.

Employers raised a number of objections, including that the proposed Code was a “solution seeking a problem”, that it overlooked employers’ “absolute right” to control their property, that it potentially deprived employees of personal use benefits of technology and that it could create unnecessary workplace tensions.

As a result of the Consultation, the PCO decided against the introduction of the Code or even an amended version of it and opted instead to issue best practice ‘Guidelines’ under Section 8 of the PDPO rather than a formal Code under Section 12.

The Guidelines

Last month, in December 2004, the PCO finally released the Guidelines.

As Guidelines, rather than a formal Code, a failure to comply does not carry the evidential consequences that result from a breach of a Code under Section 13 of the PDPO.

They are intended to “offer a practical solution in terms of balancing the legitimate business interests of employers and the personal data privacy rights of employees”. They are not definitive statements of law, but rather “constitute an approach that should be seen to be illustrative of best practices” in the area.

The Guidelines follow a fairly predictable course in urging employers:

  • to evaluate the need for any proposed monitoring and its impact on privacy issues
  • to assess the appropriateness of particular monitoring activity in view of the matter to be investigated or risk to be mitigated
  • always to consider alternatives to monitoring
  • to follow the PDPO in dealing with data obtained through monitoring

Application

As pointed out in Section 1.3 of the Code, not all monitoring of office systems by employers that involves employees will amount to the collection of personal data of employees at all.

The Code draws attention to the ruling of Ribeiro, JA in Eastweek Publisher Limited & Another v Privacy Commissioner for Personal Data [2000] 2 HKLRD 83 which involved the taking of random photographs of passers-by in the street. He held that where information involving persons is accumulated, there is no act of collection of “personal data” unless the collector is compiling information “about” and “attaching to” an individual whom he has “identified or intends or seeks to identify and that his identity is an important item of information”.

This requirement that aggregated information be in some way “about” a person before it will be considered personal data of that person is, in some ways, similar to the requirement in Durant v FSA [2003] EWCA Civ 1746 that business documents involving references to a person must be “biographical” of the person before they will be the personal data of that person.

The upshot is that records generated, for example, to evidence customer transactions will not be affected by the Guidelines even though of necessity they involve the monitoring of a particular employee.

Implementation issues

There are two quite separate matters that employers need to keep in mind as regards monitoring.

The main one is, of course, the nature and scope of the monitoring itself, which is the focus of the Guidelines. The other, and logically prior, issue is that of taking steps in compliance with Data Principles 1 (purpose and manner of collection of personal data) and 5 (information to be generally available) to inform employees:

  • that the employer may monitor in connection with employment
  • the circumstances in which the employer may exercise the right to monitor and its policies in that respect
  • that the employee has certain rights in connection with data collected under monitoring