In the digital age, data protection is a topical, sensitive and increasingly regulated area. This also applies to the workplace and interactions between companies and their staff. Mathew Durham, Shanghai-based partner at Simmons & Simmons, asks: what should employers have on their radar in Hong Kong, Singapore and Mainland China? With contributions by Simmons & Simmons lawyers in Hong Kong and Singapore.
Each of these three jurisdictions has its own specific laws and requirements relating to data privacy. In Hong Kong, this means primarily the Personal Data (Privacy) Ordinance (PDPO). The equivalent in Singapore is the Personal Data Protection Act (PDPA). The regime in China is more fragmented, but the Labour Contract Law provides basic principles for employers and the Cybersecurity Law contains more detailed requirements. Nevertheless, there are many common themes, whether legal requirements or best practices.
None of the jurisdictions expressly requires an employer to obtain an employee’s consent in order to collect, use or transfer personal data. However, employers should notify employees regarding the purpose of collection and the classes of people to whom data may be transferred. The collection of data should be necessary in the context of the employment relationship.
Employees have the right to request access to data held by the employer and to request that data relating to them is corrected. Employers should also take all reasonable steps to ensure and maintain the accuracy of data.
Employers should take all practicable steps to ensure that data is kept secure and not subject to unauthorised access. This includes checking the security arrangements of any third parties to whom data will be transferred and having appropriate contractual obligations in place with them.
Companies should retain data only as long as needed for the purpose for which it was collected.
Employers should pay special attention to restrictions on the cross-border transfer of data. In China, in certain circumstances, an official security assessment may be required. In Singapore, employers must ensure that a transferee is legally bound to provide a level of protection comparable to that required under the PDPA. The PDPO in Hong Kong has a provision which, if it becomes effective, will also limit transfers to situations in which employee consent has been obtained or adequate security and protections are in place covering the transferee.
There is specific sensitivity regarding the monitoring of employees using the company’s network. The PDPA in Singapore requires express notification to and consent from employees regarding monitoring, especially if this includes private correspondence and information. In Hong Kong, the privacy commissioner has issued guidelines with recommendations regarding the appropriate purpose of monitoring.
It is important for employers to stay abreast of specific data protection laws and their own internal practices. This is a fast-moving area and failure to meet requirements may result in not only regulatory or legal issues but also reputational implications.
The June 2018 issue of Human Resources magazine is a special edition, bringing you interviews with 12 HR leaders, with their predictions on the future of HR.