Podcast S3E4 | Data Privacy: Personal Data in the Workplace


Carmen Tang and Carly Fan discuss key issues related to personal data within the workplace, including practical advice for employers and employees which span from the recruiting process to monitoring employees’ activities – from collecting, sharing and updating data to complying with data access requests. They also give an overview about data privacy issues affected by the COVID-19 pandemic.

Show Notes
00:43 Recruitment process and personal data
06:09 Data access requests
09:26 Monitoring of employees’ activities
10:15 The 3 As: Assessment – Alternative – Accountability
12:34 The 3 Cs: Clarity – Communication – Control
13:47 Suspicion of unlawful activities
16:25 Time limits for keeping data
18:25 COVID-19 and employees’ data


Welcome to Series 3 of The HIP Talks podcast: a series of discussions on legal issues hosted by Hugill & Ip Solicitors. The firm provides high quality legal services with integrity, professionalism and respect for its clients and the community. An outstanding team of lawyers who have achieved exceptional results and recognition in the areas of Dispute Resolution, Corporate & Commercial, Private Client, Family, Employment & Business Immigration and Data Privacy.

Carly Fan  00:30
Hello, everyone, I am Carly Fan from Hugill & Ip. Today I have the pleasure to discuss the topic Data Privacy and Employment matters with our firm’s partner, Carmen Tang.

Carmen Tang  00:42
Hello everyone.

Carly Fan  00:43
As an employee, we would inevitably go through the following stages. For example, when we apply for a job, and then we get an offer, and when the company finds us suitable and then sooner or later, we may leave and work for another company due to better career prospects or personal reasons. So, you see, at various stages, employers would have to collect, retain and use personal data of an employee for various means. Employees should be aware of their rights, and employers should also keep themselves updated about data privacy rules and guidelines. To start off, Carmen, could you first share with us some key points to keep in mind regarding the recruitment stage?

Carmen Tang  01:24
Thank you, Carly. As everyone knows, when you apply for a job, it is common for the employer to collect various types of personal data from a job applicant. And the employer should be reminded that before they start collecting any data from the job applicant or candidate, they should inform them of the following details. First, the purpose for which the personal data is to be used. Second, the classes of persons to whom the data may be transferred. And third, whether it is obligatory or voluntary for the job applicants to supply the data, unless it is obvious from the circumstances. So as a matter of good practice, an employer should provide applicants with a copy of the personal information collection statement. So, what is meant by personal information collection statement? It actually contains the information that I have just mentioned. And those statements can actually be attached or printed as an integral part of a job application form.

Carly Fan  02:23
I see. So that means employers should include this personal information collection statement, for example, in recruitment advertisements where an employer requests a CV or other personal data to be submitted by job applicants, or maybe on an internet page, where the employer invites job applicants to complete a job application form and submit it online. What about other types of personal data? Can an employer ask about, say, my marital status, my sexual orientation or the number of children I have?

Carmen Tang  03:00
Well, employers should not collect excessive personal data from applicants for recruitment purpose. For example, the job description or specifications should be restricted to collection of personal data relevant to the recruitment exercise, and for the purpose of identifying suitable candidates for the job. This may normally include work experience, job skills, competencies, academic or professional qualifications, good character and other attributes required for the job. So, if a job requires an employee to work night shifts, for example, frequently, then it may be reasonable for the employer to ask if you have any children, or you have to take care of any elderly. However, in any event, it would be irrelevant and excessive for the employer to ask about your sexual orientation. Another thing is that the employer should not use a vacancy notice to solicit the submission of personal data by candidates for the purpose of unlawfully discriminating against them on grounds of gender or marital status.

Carly Fan  04:00
I’m curious to know how an employer deals with the personal data of unsuccessful applicants. Is an employer allowed to retain personal data of an unsuccessful job applicant for future recruitment purposes?

Carmen Tang  04:14
An employer could retain personal data of unsuccessful job applicants but should not retain such data for a period longer than two years from the date of rejecting the applicant, unless first, there is a subsisting reason that obliges the employer to retain the data for a longer period or the applicant has given prescribed consent for the data to be retained beyond two years. So as a matter of good practice, all employers should inform the candidate of the period for which the employer will normally retain such data.

Carly Fan  04:44
I see. Let’s move on to the next stage after recruitment, having decided to hire the candidate, most employers will then require supplementary data from the employee for the purpose of Human Resources management functions. For example, bank details for the payment of salary and information on family members of the employee that are needed for the administration of benefits.

Carmen Tang  05:07
True, an employer may collect personal data from an employee and his family members, provided that the collection of the data is necessary for or directly related to Human Resources function of the employer or pursuant to a lawful requirement that regulates the affairs of the employer, and by means that are fair in the circumstances. That means an employer may collect further data from the employee in relation to, for example, the provision of compensation and benefits, conducting integrity or conflict checking, medical checking and health data, performance appraisals, staff planning and appraisal planning.

Carly Fan  05:44
That’s helpful. And as an employee, I may want to gain access to my personal files, such as employment terms, records of disciplinary proceedings, my performance appraisals, my medical insurance records and other benefits or compensation details. If I would like to obtain my personal data that is retained by my employer, am I only allowed to do so under specific circumstances?

Carmen Tang  06:09
The concept of making a Data Access Request is that your access to your own personal data should be allowed and as of right, this means that you have the right to look at your own personal data that has been collected and to request for correction of the data if it is inaccurate. So unless exempted from doing so, under the Personal Data Privacy Ordinance, the employer is required to provide a copy of the requested data within 40 days after receiving a Data Access Request. In the event of an employee being unable to provide a copy within the 40 days limit, the employee must communicate the fact in writing to the person making the request before the expiry of that period and must provide a copy as soon as practicable thereafter. Also, employers however, can rely on the fact that they are not supplied with for example, adequate information, as the employer reasonably requires to locate the relevant data, or that a third party actually controls the use of the data in a way that prohibits the employer from complying with the data access request. Another thing to remind employers is that when an employer is responding to a Data Access Request from a job applicant, current or former employee, he must not disclose to the individual seeking access any data identifying any other individual, unless that other individual consents.

Carly Fan  07:31
I see. So, for example, an employee who is subject to disciplinary proceedings has a right to request a copy of the disciplinary records, such as board minutes of a meeting that is conducted for the purpose of the disciplinary investigation. The employer cannot rely on the fact that the document contains personal data of a third party to refuse to provide a copy of the minutes. Is this correct?

Carmen Tang  07:57
Yes, in these circumstances, the employer should add all the information relating to the third party before providing a copy of the data to the employee, if no consent is given by the third party concerned of its disclosure. Similarly, it is not a valid reason for the employer to refuse access to a promotion board report merely because the document contains a comparison of two or more employees where it is possible to conceal the identities of the others by omitting the names and other identifying particulars.

Carly Fan  08:29
I also know that employers should not transfer employees’ personal data to third parties. However, what if there’s a situation like this, an employer is considering promotion of a certain employee, and in order to consult all staff within the company about the work performance of this employee, the full CV and date of birth of this employee is disclosed. Is this appropriate?

Carmen Tang  08:53
An employer should not disclose employment related data of employees to any third party without first obtaining the employee’s express and voluntary consent, unless the disclosure is for a purpose directly related to employment or required by the law. So even if the data is transferred to a third party, disclosure of data in excess of what is necessary for the purpose should be avoided. In this case, disclosing the full CV would be excessive and the date of birth is as well. It’s also irrelevant to assessing the work performance of the said employee.

Carly Fan  09:26
Speaking of performance appraisal, I’m wondering, can employers assess the performance of employees by way of monitoring? For example, monitoring and recording telephone calls and voicemails made or received by employees on telecommunications equipment, including, say, mobile phones made available by the employer. There could also be monitoring of emails sent and received on computers provided by the employer, as well as the web browsing activities on company computers. There might even be instances of video monitoring where employees’ work activities and behaviors are recorded by CCTV, or other video recording equipment. What should employers bear in mind when considering the legitimacy of their monitoring methods?

Carmen Tang  10:15
I believe the following three A’s are helpful as a guideline. That is first Assessment. Second, Alternative and third Accountability. In relation to assessment whether the particular method of staff monitoring is necessary, employers should also consider if a balance can be struck between the protection of the company’s interests and the privacy of the employees. For example, some employers may conduct video monitoring on employees’ work, like at home directed at the domestic helper. The discriminative use of video cameras at home to monitor the employee’s activity is by nature itself an intrusion upon privacy. Employers should assess the reasonableness of the manner in which monitoring is carried out. And even if video monitoring is inevitable, for example, where families have to leave the babies and children with the helpers, while the parents are at work, no cameras, hidden or not, should capture images showing activities inside a toilet, bathroom or private area for rest. Second, it’s alternative, which means whether there are any less intrusive means which can achieve the same purpose of staff monitoring. For example, when assessing the intrusiveness, employers need to question to what extent will personal data relating to private life of an employee be monitored. It is not uncommon for employers to be able to access and monitor the email inbox of their employees. If the employer considers monitoring the employees’ email content is necessary, the concern is whether the message being monitored is work related or purely private in nature, and emails that are clearly unrelated to employees’ performance at work, for example, the content of a personal email sent by an employee to his spouse during a lunch break, will likely be characterized as incurring a great sense of intrusiveness. And third, it’s about accountability. Employees should communicate with employees explaining to them why a particular method of staff monitoring is adopted.

Carly Fan  12:19
After personal data of employees have been collected by the employer, how should employees assess whether their personal data is being properly managed by their employer? Do you have any tips in relation to management of employees’ personal data?

Carmen Tang  12:34
When employers are designing monitoring policies and data management practices, they are encouraged to adopt a systematic process, which can be referred to as the three C’s. That is first Clarity, second Communication, third Control. For clarity, employers should have a clear policy in relation to staff monitoring an employee’s privacy. The policy should set out the purposes of the staff monitoring measures, the rights of the employees in conducting various means of staff monitoring, giving examples of the prohibited acts and consequences of a breach of the privacy policy. Second communication, employers should consult and communicate with their employees, conduct regular training and review of the policy to suit the changing work environment. For example, if there was any form of monitoring such as CCTV recording at the workplace, employees should be informed about the presence of monitoring equipment. Third is control. Employees should ensure the security of the employees’ personal data collected during the course of staff monitoring, use such personal data for the specified and related purposes only. And employees should also have the right to access their personal data collected by the employers.

Carly Fan  13:47
As you’ve explained just now, it is important for there to be clear policy and communication to employees about the employers’ monitoring policies. However, there are instances where employers may have reasonable suspicion to believe that an unlawful activity is being committed, then it may be necessary to resort to covert monitoring to detect or collect evidence of that unlawful activity.

Carmen Tang  14:10
True. So, where an employer has reasonable cause to suspect that there is an unlawful activity taking place in the workplace, for example, like theft of company confidential data by employees, it may not be feasible using overt monitoring or other reasonable measures for the employer to obtain conclusive evidence that would identify the parties concerned. So, in such circumstances, and as a last resort, the employer may consider covert monitoring for the express purpose of identifying those parties and for no other purpose. Having identified any culprit, the covert monitoring should be stopped immediately. And in principle covert monitoring that makes use of video recording devices, such as a pinhole camera at locations where employees have a reasonable expectation of privacy, should be avoided. For example, like changing rooms and toilets.

Carly Fan  15:03
Thanks for the helpful tips. It is important for there to be constant and effective communication between employers and employees to ensure sufficient personal data protection policies to be in place. Moving on, employees may leave an employer by transferring to another company, resigning or because of termination of employment as a result of disciplinary action, redundancy, retirement, or maybe even death. Despite so, employers may still be required to fulfill its obligations to the former employee and its legal obligations under some circumstances.

Carmen Tang  15:38
True, for example, sometimes the employer must still need those data for like to meet statutory requirements. These may relate to the retention of salaries, tax records, business records, sick leave records. Sometimes our employees also need to administer other remaining duties in respect of former employees or their family, for example, like for the purpose of administering the pension, MPF scheme, and sometimes, the organization may actually be sued by former employees, so say they may need the data to defend in any civil suit or criminal prosecution. And there are other circumstances for example, they may need to provide job references at the request of the employee.

Carly Fan  16:25
So, expanding on what you’ve said, Is there a period limit as to how long an employer can retain the personal data of a former employee?

Carmen Tang  16:33
An employee shall retain the personal data of a former employee for a period of longer than seven years from the date the former employee ceases employment, unless first there is a subsisting reason that obliges the employer to retain the data for a longer period or the former employee has given prescribed consent for the data to be retained beyond the seven years. So generally, an employee is permitted to retain personal data where there’s ongoing litigation, or where there are contractual obligations on the part of the employer to retain the data, or actually there is public interest for the data not to be erased.

Carly Fan  17:11
I see. So, you have said that the personal data of a former employee can be retained for up to seven years. But what happens if I am a former employee, and the particulars of my personal data have changed? Should my former employer update my personal data information?

Carmen Tang  17:27
Yes, an employee should take all practicable steps to maintain the accuracy of personal data retained for purposes that continue after the employee has left employment. Generally, this requirement could be met by updating the data when the former employee informs the employer of a change, and where an employer has reasonable grounds for believing that the personal data of a former employee is inaccurate. Having regard to the purpose of his retention, the employee should not use such data unless and until those grounds cease to be applicable. For example, an employer may need to regularly mail documents relating to a personal employee’s benefit payments. If the employer repeatedly received return mails, indicating wrong delivery, this will suggest that the contact address of the former employee was inaccurate. And in these circumstances, the employer should avoid using the address for further mailing of benefit payments until the former employee’s address can be verified.

Carly Fan  18:25
So, as we all know, now the ongoing outbreak of COVID-19 has created concerns for employers, and many employers want to know if they are permitted to collect health data about the employees.

Carmen Tang  18:38
Yeah, while there is legitimate basis for employers to collect additional data of employees to help control the spread of the disease, the collection and processing of employees’ personal data should be specifically related to and used for the purposes in relation to public health. Additional data to be collected must still adhere to the usual principles, such as minimization, purpose specification and use limitation, it must be necessary, appropriate and proportionate to the purpose to be achieved.

Carly Fan  19:07
And now as we all know, we’re all concerned about COVID-19 symptoms, so can an employer collect current temperature measurements or other health data from his employees as well?

Carmen Tang  19:19
These days employers have legal and corporate responsibilities to protect the health of their employees and visitors and in times of COVID-19, it is generally justifiable for employers to collect relevant medical data, such as temperature measurements, or limited medical symptoms of COVID-19 information of employees and visitors solely for the purposes of protecting the health of those individuals.

Carly Fan  19:43
And really speaking, I guess a self-reporting system is preferred to across-the-board mandatory system where health data is collected indiscriminately. For example, with the COVID-19 vaccines in place, it is recommended that employers would ask for a self-reporting system to take note of which employee has received the COVID-19 vaccines, and these records should only be used internally within the firm or the company. And employers should also spell out to the employees how the data collected would be handled.

Carmen Tang  20:18
Sure, I think most employees and individuals are willing to provide such information for the purpose of protecting the health for the individuals and also everyone in the world. But of course, if the collection of such data is not covered by the existing privacy policies, a fresh personal information collection statement must be provided when or before the data collection to inform the employees of the data collected and the purposes.

Carly Fan  20:46
How about travel history, since nowadays, the travel history can also be quite sensitive information in relation to the spread of COVID-19, can employers ask for the travel data of the employees?

Carmen Tang  21:00
The Personal Data Privacy Ordinance does not prohibit any organization from collecting one’s travel data. Given the escalating number of confirmed cases of COVID-19 locally and globally, and the legal and corporate responsibilities of employees to provide a safe working environment, it is justifiable for employers to ask for travel data from employees who have actually returned from overseas, especially from those high-risk areas.

Carly Fan  21:25
Thank you, Carmen, so much for sharing with us on data privacy issues in relation to employment matters. I’m sure both employees and employers can benefit from learning more about their rights and obligations in relation to personal data privacy.

Tune in and listen to more episodes of The HIP Talks podcast by checking the insights section at our website at www.hugillandip.com and our channels on Apple Podcasts, Spotify, Google Podcasts and Stitcher. They are also available on Hugill & Ip’s YouTube channel. You can send comments and feedback to our email address hello@hugillandip.com. If you found The HIP Talks interesting, please share them with friends, family and business associates.


This podcast is for informational purposes only. Its contents do not constitute legal or professional advice.
