Skip to content

Case Notes

Case Notes

This case related to DPP1 - Purpose and manner of collection of personal data

Case No.:2024E03

A school collecting and using teachers’ travel information.

The Enquiry

Prior to long holidays, a school required teachers to submit a travel form declaring their respective travel dates, destinations, and emergency contact numbers. Subsequently, the school disseminated a list of teachers who had submitted the travel forms with their travel dates via email to all staff members.

The enquirer would like to know whether teachers were required to declare their travel plans to the school before long holidays, and if it was necessary for the school to promulgate the information to all staff members.

Our Response

The employer, as a data user, is required to comply with the requirements under the Ordinance, including the Data Protection Principles (DPPs) of Schedule 1 to the Ordinance and the “Code of Practice on Human Resource Management” (the Code) upon collection and use of personal data of employees.

Collection of Personal Data

Generally speaking, an employer, as a data user, should only collect personal data where it is adequate but not excessive for a lawful purpose directly related to its function or activity, and that the data must be collected in a fair and lawful manner. All practicable steps shall be taken to ensure that the employee is informed, on or before collecting the data, of whether it is obligatory or voluntary for him to supply the data and the consequences of not supplying the data, and the purpose for which the data is to be used and the classes of persons to whom the data may be transferred.

Pursuant to paragraph 3.2.1 of the Code, an employer may collect personal data from an employee provided that the collection of the data is necessary for or directly related to a human resource function of the employer; or pursuant to a lawful requirement that regulates the affairs of the employer; and by means that are fair in the circumstances and the data is not excessive in relation to the purpose.

Use of Personal Data

DPP3 prohibits the use of personal data for any new purpose, unless with the data subject’s express and voluntary consent. Besides, paragraph 3.10.1 of the Code provides that an employer should not use or disclose employment-related data of an employee for any purpose other than the purpose directly related to the employment of the employee unless:

  1. the employee has given his prescribed consent to such other use or disclosure;
  2. the purpose is directly related to the purpose for which the data was collected;
  3. such use or disclosure is required by law or by statutory authorities; or
  4. there is an applicable exemption provided for under the Ordinance.

Even if the personal data of an employee is disclosed to other employees of the employing organisation for purposes directly related to the employment of employees, the employer is still required to observe the requirements under paragraph 3.11.6 of the Code, which stipulates that the personal data should only be disclosed on a “need-to-know” basis to employees who require such data to perform their job duties.

(Uploaded in August 2024)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :