Skip to content

Case Notes

Case Notes

This case related to Code of Practice on Human Resource Management

Case No.:2008E04

Supervisors requiring sick staff to provide a copy of the check-up cards for file record.

Q: There are concerns from the staff about the practice of supervisors requiring the subordinates to provide a copy of the check-up cards. The purpose is to show the date and time of medical appointments for record purpose. However, the health status of a staff member will also be revealed by such a copy. Given that the staff member can produce the check-up card for inspection by the supervisor, the question is whether the said practice contravenes the Personal Data (Privacy) Ordinance ("the Ordinance")?

A: Data protection principle ("DPP") 1(1) in Schedule 1 to the Ordinance provides that personal data shall not be collected unless the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data; the collection of the data is necessary for or directly related to that purpose; and that the data are adequate but not excessive in relation to that purpose. According to paragraph of the Code of Practice on Human Resource Management ("the Code"), an employer may collect personal data relating to the health condition of an employee provided that the collection is for a purpose directly related to the employer’s administration of medical or other benefits or compensation provided to the employee. One cannot dispute that medical information of an individual is considered extremely sensitive and demands a high level of protection. Any act of collection of such data must be fully justified in the particular circumstances of the case. In the circumstances, an employer may only need the minimum information about a sick leave application of an employee to verify or calculate the entitlement to sick leave and other related benefits but not the details of the health status of the employee.

Even the collection of the employee’s medical information is not in contravention of DPP1(1), the employer should still be minded that such collection is also allowed under DPP1(2). DPP1(2) of the Ordinance provides that personal data shall be collected by means which are lawful and fair in the circumstances of the case. In this premise, the employer should provide to the employee all necessary information which could enable him/her to exercise his/her free will in determining whether to give the medical information to the employer. Any collection by means of threat or coercion will be deemed as collection by unfair means contrary to DPP1(2).

uploaded on web in February 2009

Category : Provisions/DPPs/COPs/Guidelines :