In practice, it is relatively uncommon for Asia-Pacific employers (or would-be employers) to encounter resistance from job-seekers and employees in respect of a request for consent to the processing of their personal data.
The real issues are whether there are limits to that consent which was given in the first instance, as HR processes evolve over time, and what will happen when consent is withdrawn further down the line in the employment cycle.
A recent headline in the Straits Times[1] read: "The age of artificial intelligence: Staff planning to quit? System in Singapore can tell." According to the commentary that followed, even before an employee at DBS Bank signals his intention to quit, the Bank's human resources system will already know of his intention. The Bank's predictive algorithm analyses as many as 600 data points – from absenteeism, salary increases and rates of promotion, to the birth of children and training modules attended.
This begs the question – while the Bank's employees would no doubt have been asked to sign a personal data consent statement at the start of their employment indicating that they agreed to the Bank processing their personal data for all manner of HR-related purposes, how realistic was it to expect that the Bank's employees had consented to (or would consent to) their personal data being processed in a way that enabled the Bank to know in advance that they intended to resign? Employees consenting to employers measuring their workplace satisfaction levels is one thing, but to go further and predict the risk of employee resignation is likely to make any employee feel uncomfortable. Simply put, nobody wants their employer to think (or know) that they are looking elsewhere until they formally resign.
Taking things a step further, one of the exceptions to the consent requirement in the Singapore Personal Data Protection Act 2012 was whether data processing was reasonable for the purpose of "managing and terminating an employment relationship" (the "Managing & Terminating Employment Exception"). This raises the question of whether data processing for the purpose of predicting resignation risk can be considered reasonable. It is not difficult to see why processing HR data for the purposes of administering employee benefits, payroll processing, background and health checks is reasonable – such processing is necessary to ensure that employees get paid, benefit from their insurance coverage and club memberships, and employers have a legal and commercial interest (sometimes, even a duty) to make sure that whoever they are hiring is physically fit and professionally qualified. However, we might ask ourselves what exactly an employer's interest is in predicting resignation risk given that, any kind of pre-emptive "response" (upon finding out that an employee intends to resign) is likely to expose an employer to the risk of constructive dismissal or, in some cases, wrongful or unfair dismissal.
The Singapore Personal Data Protection Act, Personal Data (Privacy) Ordinance 1997 and the PRC Cybersecurity Law allow employees to withdraw consent at any time upon giving reasonable notice to an employer. However, the permitted consequences of withdrawal of consent are unclear, which poses a question: is termination of employment arising from withdrawal of consent justifiable?
In a recent Australian decision[2], it was held that an employer's decision to dismiss an employee due to his refusal to provide his fingerprints for the employer's new fingerprint scanning system (to track site attendance) was unfair under s.385 of the Fair Work Act 2009. Fingerprints fall within the category of "Sensitive Information" under the Australian Privacy Act, which meant that the employee's consent was an essential requirement. It was therefore unlawful for the employer to demand that the employee provide his consent to the processing of his biometric data.
What about jurisdictions such as Singapore and Hong Kong, whose laws do not provide for or recognise special categories of sensitive personal data that must be treated with additional scrutiny, or which prohibit the practice of requiring consent as a condition to ongoing employment – would termination of employment potentially be a legally permitted consequence in the event that an employee says "no" to the processing of their personal data? Although there is no relevant case law yet in Hong Kong, the Guidance on the Collection and Use of Biometric Data ("Guidance Note") issued by the Privacy Commissioner suggests that employees cannot be dismissed in such circumstances. The Guidance Note provides that in order to collect biometric data, collection must be for a lawful purpose, must be necessary and not excessive, and that a data subject's free and voluntary consent must be obtained. The Guidance Note also stipulates that the use of the data should, as far as practicable, provide each individual with "the free choice of a less privacy intrusive alternative" to the collection of their biometric data. The requirement to obtain voluntary consent and to provide a less privacy-intrusive alternative indicate that employers cannot dismiss their employees on account of their refusal to provide biometric data – if employers were able to dismiss their employees in such circumstances, it would wholly undermine the obligation to obtain consent.
The Singapore position gives employers slightly more leeway. Under the Managing & Terminating Employment Exception, the employer (arguably) does not require employee consent to introduce a fingerprint scanning system – on balance, scanning fingerprints to log attendance and enhance site security will likely be considered to be (broadly) part of "managing" the employment of employees. That leaves a final question of whether fingerprint collection is reasonable and appropriate in the circumstances; this would likely depend on the nature of the workplace, e.g. in financial institutions where access to vaults is highly restricted, or in medical laboratories, which require enhanced security by means of personal identity verification to a high degree of fidelity. While the Personal Data Protection Commission has not specifically addressed the issue of biometric data by way of guidelines, following the publishing of the 2018 guidelines on the collection of National Registration Identity Cards, it is only a matter of time before they do.
[1] The English language daily in Singapore. The article in question was published on 11 August 2019.
[2] Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946.
