Fact Sheet No. 2, May 1997
Application of the Personal Data (Privacy) Ordinance
Human Resources Management : Some Common Questions
This Fact Sheet aims to assist human resources practitioners in complying with the requirements of the Personal Data (Privacy) Ordinance. It comprises commonly-asked questions on the application of the Ordinance to human resources management practices. At the core of the Ordinance are six data protection principles, which govern the collection, holding and use, including disclosure and transfer of personal data. To facilitate easy understanding of the application of these principles, the questions and answers are grouped under each data protection principle. The data protection principles in detail are also set out at the end of this Fact Sheet.
Data Protection Principle 1 : Purpose and Manner of Collection of Personal Data (DPP 1)
1. Can an employer ask job applicants whether they have any criminal record?
DPP 1 stipulates that only personal data that are necessary for the purposes for which the data are to be used should be collected. Further, it requires that the data collected should be adequate for those purposes, but not excessive. No hard and fast rules can be laid down as to what data are necessary for human resources management purposes and what are not. This will depend on the facts of the individual case. For some jobs, it may be necessary to ask whether or not an applicant has a criminal record. For example, where the employment position involves the control of valuable items. In deciding whether it is necessary to collect a particular item of information, data users should consider whether the purpose for which the data are being collected can be reasonably carried out if the particular information is not collected.
2. Following commencement of the Personal Data (Privacy) Ordinance, should an employer get consent from an employee to use personal data collected in the past?
There is no requirement to obtain consent from individuals (data subjects) in order to use personal data collected before the Ordinance came into force so long as the purposes for which the data are used correspond, or are directly related, to the purposes for which the data were to be used when originally collected. It is of course likely that personal data already held when the Ordinance was brought into force were collected without the subject being informed of the purposes of collection because there was no requirement to do so at that time. Nevertheless, when data users collected personal data in the past, they did so for certain purposes. So long as the purposes are considered reasonable by reference to the functions and activities of the data user concerned and the reasonable expectations of the individuals who provided the data, data users may continue to use the personal data concerned for those purposes without obtaining the consent of the individuals concerned.
3. Should the employer be identified in a job advertisement?
A requirement of DPP 1 is that personal data should be collected by means which are fair in the circumstances of the case. It would generally not be fair for persons collecting personal data not to identify themselves or give false or misleading information about their identity or purpose in collecting personal information. If follows that an employer should identify itself in job advertisements. Where an agency is engaged to undertake a recruitment service, it would be sufficient for the agency only to be identified in the job advertisement.
4. Should an employer inform job applicants the purposes for collecting their personal data?
DDP 1 requires that a data user should take all practicable steps to ensure that the individual from whom personal data is collected is informed of the purposes for collecting the data, to whom the data may be transferred, the right of the individual to request access to his/her personal data and the name and address of the individual to whom such requests may be made. This can be done by including a personal information collection statement setting out these matters in a job application form or orally informing the individuals of them. Where a job advertisement solicits the direct submission of personal data, it should include such a statement.
5. On our company's job application form, there is a column requesting personal data on the applicant's spouse/children's occupation. The purpose of this is to ascertain whether the relative works for one of its competitors. Is this acceptable?
The test is whether the data collected are necessary to fulfil your purpose of ascertaining whether a relative works for a competitor. To find this out, it is only necessary to ask whether or not the relatives work in the same or a similar field. If they do, further questions could be asked to ascertain whether this should be a source of concern. But if they do not, you do not need to know what their actual occupation is and hence you should not collect this information.
6. Is the practice of sending pre-employment health screening report to the employer considered an infringement of privacy?
Pre-employment medical check constitutes one of the employment procedures. As long as the candidate has given prior consent to releasing the results to the employer, this practice is acceptable under the Ordinance. On the other hand, an issue could arise on what scope of health data should be collected for such a medical check. There could be objections against the use of certain tests, e.g. genetic testing, in such a context on the ground that this is collection of excessive data. In this respect, employers can also make references to the Codes of Practice on Employment under the Disability Discrimination Ordinance and the Sex Discrimination Ordinance issued by the Equal Opportunities Commission.
Data Protection Principles