Page 1: Applying Hong Kong's Personal Data (Privacy) Ordinance to Employee Monitoring

Applying Hong Kong's Personal Data (Privacy) Ordinance to Employee Monitoring

Third Asian Privacy Scholars Network Conference
The University of Hong Kong, 8 to 9 July 2013

Eric A. Szweda
Managing Partner, Hong Kong Office
Troutman Sanders

2013 Troutman Sanders, Eric A. Szweda

Page 2

About the Author / Troutman Sanders

Eric SZWEDA, a Hong Kong qualified solicitor who is also admitted to practice law in the United States, is the Managing Partner of the Hong Kong office of Troutman Sanders, a global law firm. Eric practiced law in the United States for fifteen years before relocating to Hong Kong in 2005. Additionally, Eric is Head of the Firm’s International Arbitration and Dispute Resolution Team. Eric is a graduate of Cornell University’s School of Industrial and Labor Relations (B.S. 1987) and Vanderbilt University’s School of Law (J.D. 1990).

Troutman Sanders is an international law firm with offices across the United States and China, with offices in Hong Kong, Beijing and Shanghai.

Page 3

Table of Contents

I. OVERVIEW
   A. Summary of Presentation ... 7

II. Statutory and Regulatory Framework
   A. The Personal Data (Privacy) Ordinance ... 9
   B. Regulatory Guidance ... 10
   C. Other Laws ... 11

Page 4

Table of Contents (...cont’d)

III. Determining Whether and How Monitoring Can Be Conducted
   A. Employee Monitoring Recognized as Proper and Required in Many Circumstances ... 13
   B. Importance of Preventive Monitoring on Rise ... 15
   C. Is the Ordinance Triggered: Assessing Whether There is Collection of Personal Data ... 16
   D. The Balance of Interests: Collection of Data Must Be Lawful and Fair in the Circumstances ... 19
   E. EAS Monitoring Analysis Flowchart ... 21
   F. Assessing Need to Monitor ... 22
   G. Assessing Options and Alternatives ... 23
   H. Managing Notice, Managing Expectations and the Role of Consent ... 26

Page 5

Table of Contents (...cont’d)

   I. Assessing Whether Covert Monitoring is Justifiable ... 28
   J. Managing Access and Correction of Errors ... 29
   K. Managing Use and Handling of Data ... 30
   L. Managing Retention and Purging of Data ... 31

Page 6

I. OVERVIEW

Page 7

Page 8

A. Summary of Presentation

Changes in the ways we work and communicate increasingly challenge the ability of organizations to evaluate performance and control conduct. Monitoring personnel in some form or fashion, which increasingly means the monitoring of communications, as well as of conduct occurring outside the traditional workplace, is necessary. However, the scope and methods can present difficult questions due to a variety of considerations, which sometimes conflict. Developing a monitoring plan that balances the various considerations has never been more difficult. In this paper, these issues are evaluated under the legal landscape in Hong Kong. Regulatory codes, guidance and investigation reports, as well as administrative appeal decisions, court cases, and commentary bearing on these issues, are compiled and assessed. The author in turn attempts to chart out a useful construct, to be used as a tool for decision-making in connection with the development of a workplace monitoring plan compliant with Hong Kong’s Personal Data (Privacy) Ordinance.

Page 9

II. Statutory and Regulatory Framework

Page 10

A. The Personal Data (Privacy) Ordinance

“The Personal Data (Privacy) Ordinance, Cap. 486, seeks to protect the privacy of all persons in relation to information personal to them. If an employer (a data user) wishes to collect in a recorded form personal data of its employees (data subjects), it may only do so to the extent provided for, and in a manner specified, in the Ordinance.”[1]

Section 4 of the Ordinance directs that when an employer collects and uses its employees’ personal data, it must do so in accordance with the Ordinance’s enumerated Data Protection Principles.

Employers often need to exercise considerable judgment as to how to comply with the Ordinance. This creates uncertainty and in turn risk, but the upside of the design is that organizations possess the ability to tailor privacy compliant policies to their needs.

[1] Cathay Pacific Airways Ltd. v. Administrative Appeals Board and Privacy Commissioner for Personal Data, HCAL 50/2008, page 2, paragraph 1 (28 August 2008).

Page 11

B. Regulatory Guidance

The Office of the Privacy Commissioner for Personal Data (the “Commissioner”) has published:

1) Code of Practice on Human Resource Management (“HRM Code”), September 2000

2) Privacy Guidelines: Monitoring and Personal Data Privacy at Work (“Monitoring Guidelines”), December 2004

3) Guidance on Collection of Fingerprint Data (hereinafter “Guidance on Fingerprint Data”), amended in May 2012

As with the Ordinance itself, these documents generally are not intended to provide definitive guidance for particular situations.

The HRM Code and Monitoring Guidelines likely are losing some usefulness given technological change.

Page 12

C. Other Laws

Apart from statutory law and regulations, under the common law employers must act in good faith in discharging their duties.[2] The Commissioner has stated that the Monitoring Guidelines “do not affect the application of the common law duty of confidence that may arise in relation to employee monitoring.”[3] The Basic Law, essentially Hong Kong’s constitution, also sets forth a right to privacy in communications.[4]

[2] See Sujal v. Cathay Pacific Airways Ltd., HCA2220/2005, page 31 (8 July 2008).

[3] Monitoring Guidelines, page 7.

[4] “The freedom of privacy of communication of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communication of residents except that the relevant authorities may inspect communication in accordance with legal procedure to meet the needs of public security or of investigation into criminal offences.” Article 30, Basic Law; see also Bill of Rights Ordinance.

Page 13

III. DETERMINING WHETHER AND HOW MONITORING CAN BE CONDUCTED

Page 14

A. Employee Monitoring Recognized as Proper and Required in Many Circumstances

The Privacy Commissioner recognizes “many legitimate reasons for monitoring employees”, including specifically:

• managing workplace productivity

• controlling for service or quality

• enforcing company policies

• protecting the safety of employees

• protecting business assets, intellectual property or other proprietary rights

• preventing vicarious liability where the employer assumes legal responsibility for the actions and behaviors of employees

• complying with statutory or regulatory obligations that provide or give reasonable cause for preventive monitoring of employees

Page 15

A. Employee Monitoring Recognized as Proper and Required in Many Circumstances (...cont’d)

In a 2011 household survey conducted in Hong Kong, fifty percent of the respondents agreed with the statement: “As a whole, my company has benefitted from workplace surveillance.”[5]

[5] HKU Privacy Awareness Survey, page 4.

Page 16

B. Importance of Preventive Monitoring on Rise

The changing nature of work occurring with technological change along with an expanding array of legal obligations necessitates greater monitoring to ensure legal compliance.

• The U.K.’s Financial Services Authority in December 2012 fined UBS £160,000,000, finding that: “UBS, because of a poor culture in its interest rate derivatives trading business and weak systems and controls, failed to prevent the deliberate, reckless and frequently blatant actions . . . .”[6]

• The U.K.’s Bribery Act criminalizes the “failure of a commercial organization to prevent bribery.” An organization has a possible defence, however, if it can demonstrate it had implemented controls designed to prevent bribery.

• “Linguistic analysis software, which initially protects employee anonymity, can flag uncharacteristic changes in tone and language in electronic conversations, and can be tailored for particular types of employees, such as traders.”[7]

[6] FSA’s Final Notice, paragraph 189 (19 December 2012).

[7] J. Thompson, “Rogues Revealed By Bad Language,” Financial Times, page 13 (7 January 2013).

Page 17

C. Is the Ordinance Triggered: Assessing Whether There is Collection of Personal Data

The Ordinance’s obligations are triggered only if there is collection of personal data. In other words, the Ordinance protects a person’s privacy to the extent it involves the “collection” of “personal data.” It is necessary to pay particular attention to the definition of terms used in the Ordinance.

The Commissioner has given examples of monitoring activities not constituting “collection” of data and thereby not falling under the Ordinance, including:

• real-time viewing of closed circuit television images, if not recorded

• incidental recording of employees by a CCTV system installed for general security purposes

• recorded customer telephone conversations, if the sole purpose is to create a record of a customer transaction

• fingerprint data stored on a smart card and held only by the employee.[8]

[8] Monitoring Guidelines; see also Fingerprint Guidance.

Page 18

C. Is the Ordinance Triggered: Assessing Whether There is Collection of Personal Data (...cont’d)

In the Ordinance, Personal Data is defined to mean any data:

(a) relating directly or indirectly to a living individual;

(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and

(c) in a form in which access to or processing of the data is practicable.

Page 19

C. Is the Ordinance Triggered: Assessing Whether There is Collection of Personal Data (...cont’d)

Collection is not a defined term in the Ordinance, but its meaning was litigated in the case of Eastweek Publisher Limited v. Privacy Commissioner for Personal Data.[9]

The Hong Kong Court of Appeal ruled that the Ordinance does not apply to the collection of data unless the data sought is being collected about a person the collector has identified or intends to identify.

[9] CACV 331/1999.

Page 20

D. The Balance of Interests: Collection of Data Must Be Lawful and Fair in the Circumstances

Under the Data Protection Principles, the means by which data is collected must be “lawful” and “fair in the circumstances.”[10]

Compliance with the Data Protection Principles requires that organizations engage in an analysis designed to produce measures proportionate to the risk, taking into consideration the impact on those affected, and a plan that can be managed properly across the life cycle of the collected data.[11]

[10] See Data Protection Principle 1. Also, in the Monitoring Guidelines, the Commissioner sets forth a process, including a number of factors, that should be evaluated by employers in deciding whether an employee monitoring plan constitutes a “fair practice.” (Monitoring Guidelines, Section 2.2.8.)

[11] Monitoring Guidelines, Section 2.2.4, pages 9 to 10; see also Office of the Privacy Commissioner for Personal Data, Hong Kong, “Collection of Employees’ Personal Data by Covert Recording Device by Hong Yip Service Company Limited,” Report No.: R12-4839 (14 February 2012) at paragraph 29, page 9.

Page 21

D. The Balance of Interests: Collection of Data Must Be Lawful and Fair in the Circumstances (...cont’d)

“In exercising employee monitoring, employers should seek to strike a balance between the pervasiveness of monitoring and the magnitude of the employers’ risk that the monitoring aims to reduce. The issue therefore is deciding what constitutes an acceptable level of monitoring.”[12]

The following flowchart is merely the author’s construct, derived from his reading of the Ordinance, regulatory guidance, and administrative and court rulings. As such, different people could develop different tools for applying the Ordinance.

[12] Monitoring Guidelines, Section 2.2.7, page 12.

Page 22

E. EAS Monitoring Analysis Flowchart

[Flowchart rendered as text: the diagram’s decision nodes and branches]

1) Will there be “collection” of “personal data”?
   • IF NO: the Ordinance is not triggered.
   • IF YES: continue.

2) Is the collection and use of the subject personal data prohibited by other laws?
   • IF YES: conform conduct to other laws, or do not collect or use the subject personal data.
   • IF NO: continue.

3) Assess whether there is a justifiable need to monitor.
   • IF NO: do not monitor.
   • IF YES: determine potential means, as well as alternatives to monitoring, and consider selection of the least intrusive means, taking into consideration employee expectations and likely adverse impacts on employees.

4) Can monitoring be made known to employees?
   • IF YES: develop and communicate proper notice.
   • IF NO: covert monitoring is allowed only in “special circumstances”.

5) Develop procedures for protecting collected data, providing proper access, and purging data.

6) Use collected data for intended purposes only and curtail monitoring when the need no longer exists.

7) Purge data (unless constrained by other laws).

Page 23

F. Assessing Need to Monitor

The Commissioner recommends that “[i]n assessing the risks that are to be managed, employers should not only identify the risks but also justify, in a realistic manner, the existence and extent of those risks.”[13]

The greater the risk of harm from failing to monitor, especially to the public, the greater the ambit of the employer to obtain and assess sensitive personal information.[14]

Question: As we move into the era of “big data” – the aggregation of increasingly large volumes of data that can be mined and analyzed electronically – does this impact the analysis?

[13] Id. at Section 2.2.2.

[14] See Cathay Pacific Airways Ltd. v. Administrative Appeals Board and Privacy Commissioner for Personal Data, HCAL 50/2008 (28 August 2008).

Page 24

G. Assessing Options and Alternatives

Once a legitimate organizational need has been established, monitoring options as well as alternatives should be assessed. Monitoring should be narrowly tailored to the need.

The Commissioner also urges that the assessment of options include an analysis of likely adverse impacts on those affected, including potential risks of mismanagement or misuse of the data collected, as part of what is sometimes referred to as a privacy impact assessment.[15]

The Commissioner further urges that the expectations of employees be taken into consideration, possibly through a consultative process.[16]

[15] Id. See also A. Chiang, Keynote Speech, Hong Kong Institute of Certified Accountants IT Conference 2010: Information Highway – Linking Hong Kong to the Global Village and How Accountants Add Value, page 7 (27 November 2010).

[16] See, for example, Hong Yip Report at paragraph 29, page 9 (footnote 11).

Page 25

G. Assessing Options and Alternatives (...cont’d)

As to the analysis of adverse impacts, the Commissioner suggests that employers evaluate the potential intrusiveness on an employee’s privacy by addressing the following:

i) To what extent will personal data relating to an employee’s private life be monitored?

ii) What categories of personal data will be collected? Will the personal data privacy of third persons be affected?

iii) What harm may be inflicted upon employees as a result of improper management of personal data?

iv) To what extent will the mutual trust essential for good employee relations be affected?

Page 26

G. Assessing Options and Alternatives (...cont’d)

As to alternatives to monitoring, or otherwise limiting its scope or extent, the Commissioner suggests the following factors be evaluated:

i) Can monitoring be confined to areas of high risk?

ii) Can monitoring be restricted to certain personnel if there is a reasonable suspicion of seriously improper conduct?

iii) Would selective or random checking, rather than continuous monitoring, be sufficiently effective?

iv) Can communications monitoring be restricted to the log records rather than the contents of communications?

Page 27

H. Managing Notice, Managing Expectations and the Role of Consent

“Where employee monitoring is to be undertaken, reasonably practicable steps should be taken to formulate and communicate a clear privacy policy statement (preferably in written form) to persons affected by the monitoring activity.”[17]

Data Protection Principle No. 1(3) provides that “all practicable steps” must be taken to ensure that the data subject is explicitly or implicitly informed, on or before collection of the data, whether it is obligatory or voluntary for him or her to supply the data and, if obligatory, the consequences of failing to supply the data. As to the content of notice, DPP 1(3) further provides that the data subject be explicitly informed of the purpose for which the data is to be used and the classes of persons to whom the data may be transferred, and informed of his or her access rights.[18]

[17] See Office of the Privacy Commissioner for Personal Data, Hong Kong, Report Published Under Section 48(2) of the Personal Data (Privacy) Ordinance (Cap. 484), Report No. R05-7230 (8 December 2005), paragraph 16.

[18] See also HRM Code, Section 1.2; see also Cathay Pacific Airways Ltd., paragraphs 51 to 52; see further Section F of this article.

Page 28

H. Managing Notice, Managing Expectations and the Role of Consent (...cont’d)

The Commissioner has explained that employers can manage expectations by communicating a privacy policy pertaining to employee monitoring, such that its employees should expect that certain activities will be monitored. It is in the employer’s interest to provide robust notice if at all possible.

Also, proper consent, meaning consent that is informed and freely given, may eliminate issues as to whether the collection of data was “fair in the circumstances” under Data Protection Principle No. 1. “Generally speaking, if a data subject agrees to the collection of his personal data, the means of collection appears to be fair on the face of it.”[19]

[19] Office of the Privacy Commissioner, Report No. R09-7884, paragraph 19, pages 7 to 8 (Issued 13 July 2009); see also Cathay Pacific Airways Ltd. v. Administrative Appeals Board, paragraphs 41 to 42.

Page 29

I. Assessing Whether Covert Monitoring is Justifiable

“Owing to its highly intrusive nature, covert monitoring should not be adopted unless it is justified by the existence of relevant special circumstances.”[20]

To this end, the Commissioner suggests consideration of the following factors:

i) Is there a reasonable suspicion of unlawful activity occurring, or likely to occur?

ii) Is covert monitoring absolutely necessary given the circumstances?

iii) Is overt monitoring likely to prejudice the detection or successful gathering of evidence?

iv) Can covert monitoring be limited in scope, both in terms of area and time?[21]

[20] Monitoring Guidelines, Section 2.3.3.

[21] Monitoring Guidelines, Section 2.3.3.

Page 30

J. Managing Access and Correction of Errors

“An employee who is the subject of monitoring has a right to request access to his or her personal data derived from monitoring records under section 18 of the PD(P)O. Unless exempted or prohibited from doing so under the PD(P)O, the employer is required to provide a copy no later than 40 days after receiving a data access request from the employee. In the event of the employer being unable to provide the copy within the 40-day limit, the employer must communicate that fact and the reasons in writing to the employee concerned before the expiry of that period and must provide the copy as soon as practicable thereafter.”[22]

“The entitlement is to a copy of the data, it is not an entitlement to see every document which refers to a data subject.”[23]

[22] Monitoring Guidelines, Section 3.4.7, Explanatory Notes.

[23] Wu Kit Ping v. Administrative Appeals Board [2007] HCAL60/2007, paragraph 32 (31 October 2007).

Page 31

K. Managing Use and Handling of Data

Under Data Protection Principle No. 4, “all practicable steps” must be taken to protect against unauthorized or accidental access, processing or erasure. As such, organizations must develop sophisticated internal procedures and systems to handle data safely. Personnel entrusted with handling personal data should possess adequate training. For example, strategies may include delinking databases or collection systems to reduce the risk of improper disclosure or taking of data.[24] The Commissioner urges that “regular privacy compliance assessments should be carried out throughout the lifetime of the project to ensure continuous compliance with the data protection principles.”[25]

Separately, under Data Protection Principle 3, personal data cannot, without consent, be used for any purpose other than that identified at the time of collection or a purpose directly related thereto.

[24] R. Woo, Challenges Posed by Biometric Technology on Data Privacy Protection and the Way Forward, paragraph 14(4) (undated).

[25] A. Chiang, Keynote Speech, page 8.

Page 32

L. Managing Retention and Purging of Data

Under DPP 2(2), “[p]ersonal data shall not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data are or are to be used.”

Page 33

Final Thought: Has this dog been allowed enough chain to get into a space, but not enough leeway to harm the cat?

Page 34

Thank You

Eric A. Szweda
Managing Partner, Hong Kong Office

Head, International Arbitration and Dispute Resolution Team

TROUTMAN SANDERS
SOLICITORS AND INTERNATIONAL LAWYERS

34th Floor, Two Exchange Square, 8 Connaught Place, Central, Hong Kong
Tel: (852) 2533 7888 ▪ Fax: (852) 2533 7898

[email protected] ▪ www.troutmansanders.com

These materials are written as a general guide for teaching and discussion purposes only. It is not a comprehensive treatment of the subject. Any of the statements made herein may be subject to modification depending on the facts of a particular situation and the applicable law. These materials were used in conjunction with an oral presentation that helped to explain, qualify, and otherwise provide more context for the statements made herein. The views expressed herein are those of the author alone, and should not be attributed to others.
