An employer disclosed to all staff the personal data of staff members who were considered for promotion - Data Protection Principle (DPP) 3
The complainant was considered for promotion by his employer. In addition to setting up a selection board for considering the suitability of the complainant, the employer also consulted all staff about the work performance of the complainant and disclosed the full resume and date of birth of the complainant to them for reference.
The complainant was dissatisfied that the employer recklessly disclosed his personal data without obtaining his prior consent. Hence, he made a complaint to PCPD.
The employer claimed that the disclosure of the complainant’s personal data to all staff was to seek their comments on the complainant’s work performance for consideration of promotion. However, the employer might only consult staff members directly related to the post of the complainant (e.g. the complainant’s supervisor and teammates) to achieve such purpose. There is no actual need to disclose the complainant’s full resume and date of birth to all staff. Hence, PCPD considered that such act as a contravention of DPP3.
After PCPD’s intervention, the employer amended the procedure for considering staff promotion and undertook that, it would not disclose the full resume and date of birth of staff being considered for promotion to all staff except the selection board in future. Moreover, the employer apologized to the complainant and requested other staff members to destroy the complainant’s personal data.
According to PCPD’s Code of Practice on Human Resource Management, an employer should not disclose employment-related data of employees to a third party without first obtaining the employees’ express and voluntary consent unless the disclosure is for purposes directly related to the employment, or such disclosure is required by law or by statutory authorities. Moreover, when employment-related data is transferred or disclosed to a third party, an employer should avoid disclosure of data in excess of what is necessary for the purpose of use by the third party.
While organisations need to use personal data for human resource management, they should comply with the PDPO and the Code of Practice on Human Resource Management. Apart from customers’ personal data, organisations are also responsible for the protection of employees’ personal data in order to create a working environment and operational model under personal data privacy protection. This helps to build a culture of respecting and protecting personal data privacy in the development of a smart city in Hong Kong.
(Uploaded in September 2020)