| OVERVIEW | Well-developed privacy laws. Active privacy commissioner; however, limited authority and limited basis for privacy enforcement. |
| ENACTED | 1996 |
| GENERAL PRIVACY LAWS |
Article 29 of the Basic Law establishes the basic principle that homes of Hong Kong citizens are “inviolable.” Article 30 of the Basic Law establishes the basic principle that the freedom and privacy of communication of Hong Kong residents is protected by law. No one shall infringe on the rights and freedom of privacy in communication except in accordance with legal requirements for protection of public security and the investigation of criminal offenses. |
| PERSONAL DATA PROTECTION LAWS AND REGULATIONS |
The Personal Data (Privacy) Ordinance (“PDPO”) came into effect in 1996, with the exception of the provisions concerning the transfer of data outside of Hong Kong and data matching. The PDPO adopted six fair information practices to regulate notice, collection, accuracy, use, security and access regarding personal data, which is defined as “any representation of information (including an expression of opinion) in any document, and includes a personal identifier.” The ordinance applies to public and private “data users” and to manual and electronic records.
|
| TYPE OF DATA PROTECTED | Personal Information. |
| WORKPLACE PRIVACY LAWS |
The Privacy Guidelines: Monitoring and Personal Data Privacy at Work provide guidance for assessing whether employee monitoring is appropriate and for determining how employers can develop privacy-compliant practices in the management of personal data obtained from employee monitoring. The Office of the Privacy Commissioner initially planned on releasing a statutory code of practice. However, strong opposition to the draft by employers made the PCO proceed with non-binding guidelines. The Guidelines confirm that the PDPO applies to employee monitoring activities whereby personal data of employees is collected in recorded form. The Guidelines seek to offer practical guidance on the steps that should be taken by employers when they monitor employees using the following methods: telephone monitoring, Internet monitoring, video monitoring, and email monitoring. The Guidelines recognize that an employer has the right to direct employees’ work activities and to reasonably monitor such activities; however, monitoring should be balanced against the employees’ right to privacy. Guidelines provide that monitoring should take into account the following:
Employers who monitor are accountable for properly conducting their monitoring activities, including the creation of a privacy policy pertaining to employee monitoring. The policy should be given to employees before monitoring is introduced. Employers are liable under the provisions of the PDPO for the proper management of personal data collected while conducting employee monitoring. The legal obligation extends to acts and practices undertaken by a third party acting on behalf of the employer. Employers should be aware that their employee monitoring practices may be subject to investigation by the Commissioner in any alleged breach of the PDPO. An investigation would ask the employer to provide evidence of the following:
|
| TRANSBORDER TRANSFERS |
Section 33 of the Ordinance prohibits the transfer of personal data to places outside of Hong Kong unless one of a number of conditions is met. Section 33 covers two situations, namely transfers from Hong Kong to a place outside Hong Kong and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user. The conditions are: (1) the place to which the data are transferred has in force "any law which is substantially similar to, or serves the same purposes as, this Ordinance" (the Privacy Commissioner may specify a place satisfying this requirement by publishing notice in Hong Kong's gazette); (2) the data subject has consented in writing to the transfer; (3) the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject, that it is not practicable to obtain the data subject's consent, and that, if it were practicable, such consent would be given; (4) the data are exempt from data protection principle 3 by virtue of an exemption under "Part VII-Exemptions" of the Ordinance; (5) the data user has taken "all reasonable precautions and exercised all due diligence to ensure" that the data will not be dealt with in a manner that would constitute a contravention of the Ordinance. The Commissioner has also prepared a Model Contract for use in transferring personal data out of Hong Kong. |
| FINES AND SANCTIONS |
The sanctions for breaches of privacy law in Hong Kong are contained in the Personal Data (Privacy) Ordinance (PDPO). Schedule 1 of the PDPO incorporates six data protection principles (DPPs) with which users of personal data must comply. Where there is a contravention of a DPP, the Privacy Commissioner can, if it deems appropriate, issue an enforcement notice to the user of the personal data, requiring them to take specific action in order to ensure future compliance with the DPP. Failure to comply with this enforcement notice constitutes a criminal offence, which renders the non-compliant party liable to 2 years' imprisonment and a fine of HKD 50,000 (USD 6,500). If the offence is of a continuing nature, an additional fine of HKD 1,000 (USD 130) per day will also apply. Section 66 of the PDPO provides that an individual who suffers damage by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned. |
| OTHER PRIVACY LAWS AND REGULATIONS | There are numerous sector-specific laws regulating privacy, secrecy and confidentiality. |