Applying Hong Kong's Personal Data (Privacy) Ordinance to Employee Monitoring

1
Applying Hong Kong's Personal Data (Privacy)
Ordinance to Employee Monitoring
Third Asian Privacy Scholars Network Conference
The University of Hong Kong, 8 to 9 July 2013
Eric A. Szweda, Managing Partner, Hong Kong
Office, Troutman Sanders
© 2013 Troutman Sanders, Eric A. Szweda
2
About the Author / Troutman Sanders
Eric SZWEDA, a Hong Kong qualified solicitor and
also admitted to practice law in the United
States, is the Managing Partner of the Hong Kong
office of Troutman Sanders, a global law firm.
Eric practiced law in the United States for
fifteen years, before re-locating to Hong Kong in
2005. Additionally, Eric is Head of the Firm's
International Arbitration and Dispute Resolution
Team. Eric is a graduate of Cornell University's
School of Industrial and Labor Relations (B.S.
1987) and Vanderbilt University's School of Law
(J.D. 1990). Troutman Sanders is an international
law firm with offices across the United States
and China, with offices in Hong Kong, Beijing and
Shanghai.
3
Table of Contents
  • I. OVERVIEW
  • A. Summary of Presentation 7
  • II. Statutory and Regulatory Framework
  • A. The Personal Data (Privacy) Ordinance 9
  • B. Regulatory Guidance 10
  • C. Other Laws 11

4
Table of Contents (cont'd)
  • III. Determining Whether and How Monitoring Can
    Be Conducted
  • A. Employee Monitoring Recognized as Proper and
    Required in Many Circumstances 13
  • B. Importance of Preventive Monitoring on Rise 15
  • C. Is the Ordinance Triggered: Assessing Whether
    There is Collection of Personal Data 16
  • D. The Balance of Interests: Collection of Data
    Must Be Lawful and Fair in the Circumstances 19
  • E. EAS Monitoring Analysis Flowchart 21
  • F. Assessing Need to Monitor 22
  • G. Assessing Options and Alternatives 23
  • H. Managing Notice, Managing Expectations and the
    Role of Consent 26
5
Table of Contents (cont'd)
  • I. Assessing Whether Covert Monitoring is
    Justifiable 28
  • J. Managing Access and Correction of Errors 29
  • K. Managing Use and Handling of Data 30
  • L. Managing Retention and Purging of Data 31

6
I. OVERVIEW
7
(No Transcript)
8
A. Summary of Presentation
Changes in the ways we work and communicate
increasingly challenge the ability of
organizations to evaluate performance and control
conduct. Monitoring personnel in some form or
fashion, which increasingly means the monitoring
of communications, as well as conduct occurring
outside of the traditional workplace, is
necessary. However, the scope and methods can
present difficult questions due to a variety of
considerations, which sometimes conflict.
Developing a monitoring plan that balances the
various considerations has never been more
difficult. In this paper, these issues are
evaluated under the legal landscape in Hong Kong.
Regulatory codes, guidance and investigation
reports, as well as administrative appeal
decisions, court cases, and commentary bearing on
these issues, are compiled and assessed. The
author in turn attempts to charm out a useful
construct, to be used as a tool for
decision-making in connection with the
development of a workplace monitoring plan
compliant with Hong Kong's Personal Data
(Privacy) Ordinance.
9
II. Statutory and Regulatory Framework
10
A. The Personal Data (Privacy) Ordinance
The Personal Data (Privacy) Ordinance, Cap. 486,
seeks to protect the privacy of all persons in
relation to information personal to them. If an
employer (a data user) wishes to collect in a
recorded form personal data of its employees
(data subjects), it may only do so to the extent
provided for, and in a manner specified, in the
Ordinance.[1]
Section 4 of the Ordinance directs
that when an employer collects and uses its
employees' personal data, it must do so in
accordance with the Ordinance's enumerated Data
Protection Principles.
Employers often need to
exercise considerable judgment as to how to
comply with the Ordinance. This creates
uncertainty and in turn risk, but the upside of
the design is that organizations possess the
ability to tailor privacy compliant policies to
their needs.
_______________
[1] Cathay Pacific Airways Ltd. v. Administrative
Appeals Board and Privacy Commissioner for
Personal Data, HCAL 50/2008, page 2, paragraph 1
(28 August 2008).
11
B. Regulatory Guidance
The Office of the Privacy Commissioner for Personal
Data (the "Commissioner") has published:
1) Code of Practice on Human Resource Management
("HRM Code"), September 2000
2) Privacy Guidelines: Monitoring and Personal Data
Privacy at Work ("Monitoring Guidelines"),
December 2004
3) Guidance on Collection of Fingerprint Data
(hereinafter "Guidance on Fingerprint Data"),
amended in May 2012
As with the Ordinance
itself, these documents generally are not
intended to provide definitive guidance for
particular situations. The HRM Code and
Monitoring Guidelines likely are losing some
usefulness given technological change.
12
C. Other Laws
Apart from statutory law and regulations, under
the common law employers must act in good faith
in discharging their duties.[2] The Commissioner
has stated that the Monitoring Guidelines do not
affect the application of the common law duty of
confidence that may arise in relation to employee
monitoring.[3] The Basic Law, essentially Hong
Kong's constitution, also sets forth a right to
privacy in communications.[4]
_______________
[2] See Sujal v. Cathay Pacific Airways Ltd.,
HCA2220/2005, page 31 (8 July 2008).
[3] Monitoring Guidelines, page 7.
[4] "The freedom of privacy of
communication of Hong Kong residents shall be
protected by law. No department or individual
may, on any grounds, infringe upon the freedom
and privacy of communication of residents except
that the relevant authorities may inspect
communication in accordance with legal procedure
to meet the needs of public security or of
investigation into criminal offences." Article
30, Basic Law; see also Bill of Rights Ordinance.
13
III. DETERMINING WHETHER AND HOW MONITORING
CAN BE CONDUCTED
14
A. Employee Monitoring Recognized as Proper and
Required in Many Circumstances
  • The Privacy Commissioner recognizes many
    legitimate reasons for monitoring employees
    including specifically:
  • managing workplace productivity
  • controlling for service or quality
  • enforcing of company policies
  • protecting the safety of employees
  • protecting business assets, intellectual property
    or other proprietary rights
  • preventing vicarious liability where the employer
    assumes legal responsibility for the actions and
    behaviors of employees
  • complying with statutory or regulatory
    obligations that provide or give reasonable cause
    for preventive monitoring of employees

15
A. Employee Monitoring Recognized as Proper and
Required in Many Circumstances (cont'd)
In a 2011 household survey conducted in Hong
Kong, fifty percent of the respondents agreed
with the statement "As a whole, my company has
benefitted from workplace surveillance."[5]
_______________
[5] HKU Privacy Awareness Survey, page 4.
16
B. Importance of Preventive Monitoring on Rise
  • The changing nature of work occurring with
    technological change, along with an expanding
    array of legal obligations, necessitates greater
    monitoring to ensure legal compliance.
  • The U.K.'s Financial Services Authority in
    December 2012 fined UBS £160,000,000, finding
    that UBS, because of a poor culture in its
    interest rate derivatives trading business and
    weak systems and controls, failed to prevent the
    deliberate, reckless and frequently blatant
    actions . . . .[6]
  • The U.K.'s Bribery Act criminalizes the failure
    of a commercial organization to prevent bribery.
    An organization has a possible defence, however,
    if it can demonstrate it had implemented controls
    designed to prevent bribery.
  • Linguistic analysis software, which initially
    protects employee anonymity, can flag
    uncharacteristic changes in tone and language in
    electronic conversations, and can be tailored for
    particular types of employees, such as traders.[7]

_______________
[6] FSA's Final Notice, paragraph 189 (19 December
2012).
[7] J. Thompson, Rogues Revealed By Bad Language,
Financial Times, page 13 (7 January 2013).

17
C. Is the Ordinance Triggered: Assessing Whether
There is Collection of Personal Data
  • The Ordinance's obligations are triggered only if
    there is collection of personal data. In other
    words, the Ordinance protects a person's privacy
    to the extent it involves the collection of
    personal data. It is necessary to pay
    particular attention to the definition of terms
    used in the Ordinance.
  • The Commissioner has given examples of monitoring
    activities not constituting collection of data
    and thereby not falling under the Ordinance,
    including:
  • real time viewing of closed circuit television
    images, if not recorded
  • incidental recording of employees by a CCTV
    system installed for general security purposes
  • recorded customer telephone conversations, if
    sole purpose is to create record of a customer
    transaction
  • fingerprint data stored on a smart card and held
    only by the employee.[8]

_______________
[8] Monitoring Guidelines; see also Fingerprint
Guidance.

18
C. Is the Ordinance Triggered: Assessing Whether
There is Collection of Personal Data (cont'd)
In the Ordinance, "Personal Data" is defined to
mean any data:
(a) relating directly or indirectly to a living
individual;
(b) from which it is practicable for the identity
of the individual to be directly or indirectly
ascertained; and
(c) in a form in which access to or processing of
the data is practicable.
19
C. Is the Ordinance Triggered: Assessing Whether
There is Collection of Personal Data (cont'd)
"Collection" is not a defined term in the
Ordinance, but its meaning was litigated in the
case of Eastweek Publisher Limited and Privacy
Commissioner for Personal Data.[9] The Hong Kong
Court of Appeals ruled that the Ordinance does
not apply to collection of data unless the data
sought is being collected about a person the
collector has identified or intends to
identify.
_______________
[9] CACV 331/1999.
20
D. The Balance of Interests: Collection of Data
Must Be Lawful and Fair in the Circumstances
Under the Data Protection Principles, the means
by which data is collected must be lawful and
fair in the circumstances.[10] Compliance with
the Data Protection Principles requires that
organizations engage in an analysis designed to
produce measures proportionate to the risk,
taking into consideration the impact on those
affected, and a plan that can be managed properly
across the life cycle of the collected
data.[11]
_______________
[10] See Data Protection Principle 1. Also, in the
Monitoring Guidelines, the Commissioner sets
forth a process, including a number of factors,
that should be evaluated by employers in deciding
upon whether an employee monitoring plan
constitutes a fair practice. (Monitoring
Guidelines, Section 2.2.8.)
[11] Monitoring Guidelines, Section 2.2.4,
pages 9 to 10; see also Office of the Privacy
Commissioner for Personal Data, Hong Kong,
Collection of Employees' Personal Data by Covert
Recording Device by Hong Yip Service Company
Limited, Report No. R12-4839 (14 February 2012)
at paragraph 29, page 9.
21
D. The Balance of Interests: Collection of Data
Must Be Lawful and Fair in the Circumstances
(cont'd)
In exercising employee monitoring, employers
should seek to strike a balance between the
pervasiveness of monitoring and the magnitude of
the employer's risk that the monitoring aims to
reduce. The issue therefore is deciding what
constitutes an acceptable level of
monitoring.[12] The following flowchart is merely
the author's construct, derived from his reading
of the Ordinance, regulatory guidance, and
administrative and court rulings. As such,
different people could develop different tools
for applying the Ordinance.
_______________
[12] Monitoring Guidelines, Section 2.2.7, page 12.
22
E. EAS Monitoring Analysis Flowchart
23
F. Assessing Need to Monitor
The Commissioner recommends that in assessing
the risks that are to be managed, employers
should not only identify the risks but also
justify, in a realistic manner, the existence and
extent of those risks.[13] The greater the risk of
harm from failing to monitor, especially to the
public, the greater the ambit of the employer to
obtain and assess sensitive personal
information.[14]
Question: As we move into the era
of big data (the aggregation of increasingly
large volumes of data that can be mined and
analyzed electronically), does this impact the
analysis?
_______________
[13] Id. at Section 2.2.2.
[14] See Cathay Pacific Airways Ltd. v.
Administrative Appeals Board and Privacy
Commissioner for Personal Data, HCAL 50/2008 (28
August 2008).
24
G. Assessing Options and Alternatives
Once a legitimate organizational need has been
established, monitoring options as well as
alternatives should be assessed. Monitoring
should be narrowly tailored to the need. The
Commissioner also urges that the assessment of
options include an analysis of likely adverse
impacts on those affected, including potential
risks of mismanagement or misuse of the data
collected, as part of what is sometimes referred
to as a privacy impact assessment.[15] The
Commissioner further urges that the expectations
of employees should be taken into consideration,
including possibly doing so through a
consultative process.[16]
_______________
[15] Id. See also A. Chiang, Keynote Speech, Hong
Kong Institute of Certified Accountants IT
Conference 2010: Information Highway Linking Hong
Kong to the Global Village and How Accountants
Add Value, page 7 (27 November 2010).
[16] See, for example, Hong Yip Report at
paragraph 29, page 9 (footnote 11).
25
G. Assessing Options and Alternatives (cont'd)
As to the analysis of adverse impacts, the
Commissioner suggests that employers evaluate the
potential intrusiveness on an employee's privacy
by addressing the following:
i) To what extent will personal data relating to
an employee's private life be monitored?
ii) What categories of personal data will be
collected? Will the personal data privacy of
third persons be affected?
iii) What harm may be inflicted upon employees as
a result of improper management of personal data?
iv) To what extent will the mutual trust
essential for good employee relations be
affected?
26
G. Assessing Options and Alternatives (cont'd)
As to alternatives to, or otherwise limiting the
scope or extent of monitoring, the Commissioner
suggests the following factors be evaluated:
i) Can monitoring be confined to areas of high
risk?
ii) Can monitoring be restricted to certain
personnel if there is a reasonable suspicion of
seriously improper conduct?
iii) Would selective or random checking, rather
than continuous monitoring, be sufficiently
effective?
iv) Can communications monitoring be restricted
to the log records rather than the contents of
communications?
27
H. Managing Notice, Managing Expectations and the
Role of Consent
Where employee monitoring is to be undertaken,
reasonably practicable steps should be taken to
formulate and communicate a clear privacy policy
statement (preferably in written form) to persons
affected by the monitoring activity.[17] Data
Protection Principle No. 1(3) provides that all
practicable steps must be taken to ensure that
the data subject is explicitly or implicitly
informed, on or before collecting the data, as to
whether it is obligatory or voluntary for him or
her to supply the data and, if obligatory, the
consequences for failing to supply the data. As
to the content of notice, DPP 1(3) further
provides that the data subject be explicitly
informed of the purpose for which the data is to
be used and the classes of persons to whom the
data may be transferred, and informed of his or
her access rights.[18]
_______________
[17] See Office of the Privacy Commissioner for
Personal Data, Hong Kong, Report Published Under
Section 48(2) of the Personal Data (Privacy)
Ordinance (Cap. 484), Report No. R05-7230 (8
December 2005), paragraph 16.
[18] See also HRM Code, Section 1.2; see also
Cathay Pacific Airways Ltd., paragraphs 51 to 52;
see further Section f of this article.
28
H. Managing Notice, Managing Expectations and the
Role of Consent (cont'd)
The Commissioner has explained that employers can
manage expectations by communicating a privacy
policy pertaining to employee monitoring, such
that its employees should expect that certain
activities will be monitored. It is in the
employer's interest to provide robust notice if
at all possible. Also, proper consent, meaning
informed and freely given, may eliminate issues
as to whether the collection of data was fair in
the circumstances under Data Protection
Principle No. 1. "Generally speaking, if a data
subject agrees to the collection of his personal
data, the means of collection appears to be fair
on the face of it."[19]
_______________
[19] Office of the Privacy Commissioner, Report No.
R09-7884, paragraph 19, pages 7 to 8 (Issued 13
July 2009); see also Cathay Pacific Airways Ltd.
v. Administrative Appeals Board, paragraphs 41 to
42.
29
I. Assessing Whether Covert Monitoring is
Justifiable
  • Owing to its highly intrusive nature, covert
    monitoring should not be adopted unless it is
    justified by the existence of relevant special
    circumstances.[20]
  • To this end, the Commissioner suggests
    consideration of the following factors:
  • i) Is there a reasonable suspicion of unlawful
    activity occurring, or likely to occur?
  • ii) Is covert monitoring absolutely necessary
    given the circumstances?
  • iii) Is overt likely to prejudice the detection
    or successful gathering of evidence?
  • iv) Can covert be limited in scope, both in terms
    of area and time?[21]

_______________
[20] Monitoring Guidelines, Section 2.3.3.
[21] Monitoring Guidelines, Section 2.3.3.

30
J. Managing Access and Correction of Errors
"An employee who is the subject of monitoring has
a right to request access to his or her personal
data derived from monitoring records under
section 18 of the PD(P)O. Unless exempted or
prohibited from doing so under the PD(P)O, the
employer is required to provide a copy no later
than 40 days after receiving a data access
request from the employee. In the event of the
employer being unable to provide the copy within
the 40-day limit, the employer must communicate
that fact and the reasons in writing to the
employee concerned before the expiry of that
period and must provide the copy as soon as
practicable thereafter."[22] The entitlement is to
a copy of the data; it is not an entitlement to
see every document which refers to a data
subject.[23]
_______________
[22] Monitoring Guidelines, Section 3.4.7,
Explanatory Notes.
[23] Wu Kit Ping v. Administrative Appeals
Board 2007 HCAL60/2007, paragraph 32 (31
October 2007).
31
K. Managing Use and Handling of Data
Under Data Protection Principle No. 4, all
practical steps must be taken to protect against
unauthorized or accidental access, processing or
erasure. As such, organizations must develop
sophisticated internal procedures and systems to
safely handle data. Personnel entrusted with
handling personal data should possess adequate
training. For example, strategies may include
delinking databases or collection systems to
reduce risk of improper disclosure or taking of
data.[24] The Commissioner urges that regular
privacy compliance assessments should be carried
out throughout the lifetime of the project to
ensure continuous compliance with the data
protection principles.[25] Separately, under Data
Protection Principle 3, personal data cannot,
without consent, be used for any purpose other
than that identified at the time of collection or
directly related thereto.
_______________
[24] R. Woo, Challenges Posed by Biometric
Technology on Data Privacy Protection and the Way
Forward, paragraph 14(4) (undated).
[25] A. Chiang, Keynote Speech, page 8.
32
L. Managing Retention and Purging of Data
Under DPP 2(2), personal data shall not be
kept longer than is necessary for the fulfillment
of the purpose (including any directly related
purpose) for which the data are or are to be
used.
33
Final Thought: Has this dog been allowed enough
chain to get into a space, but not enough leeway
to harm the cat?
34
Thank You
Eric A. Szweda
Managing Partner, Hong Kong Office
Head, International Arbitration and Dispute
Resolution Team
TROUTMAN SANDERS
SOLICITORS AND INTERNATIONAL LAWYERS
34th Floor, Two Exchange Square, 8 Connaught Place,
Central, Hong Kong
Tel (852) 2533 7888, Fax (852) 2533 7898
eric.szweda_at_troutmansanders.com
www.troutmansanders.com
These materials are
written as a general guide for teaching and
discussion purposes only. They are not a
comprehensive treatment of the subject. Any of
the statements made herein may be subject to
modification depending on the facts of a
particular situation and the applicable law.
These materials were used in conjunction with an
oral presentation that helped to explain,
qualify, and otherwise provide more context for
the statements made herein. The views expressed
herein are those of the author alone, and should
not be attributed to others.