Employment and Data Protection Agency: A Hong Kong Perspective



While cybersecurity threats and the need for better data protection across industries have become a more prevalent global problem than ever before, this is no exception in the employment agency industry in Hong Kong.

At the time of writing, there are currently 3,148 Approved Employment Agencies (“Approved Employment Agencies”) registered with the Hong Kong Department of Labor. Many of these licensees may not have the knowledge or understanding of the importance of protecting personal data and how it may affect their business.

This article aims to fill that gap by providing a brief overview of Hong Kong’s personal data protection laws, particularly in the context of the employment agency industry, and the common issues they may face in their day-to-day operation. .

Data Protection Laws and Employment Agencies in Hong Kong

In Hong Kong, personal data is protected by the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) which came into force in 1996, and it covers both private and public actors.

The Six Data Protection Principles (DPP) of the PDPO provide guidance to the data user on how to handle personal data throughout the data lifecycle[1].

While the mere violation of the DPP is not in itself an offense, the Personal Data Protection Commissioner (PCPD) may issue a ‘fulfillment notice’ to a data user in the event of a serious data breach or breach. of DPP. Violation of an “execution notice” is an offense under the PDPO and may result in a fine of HKD 50,000 and imprisonment for up to 2 years.[2].

In addition to the offense of violation of the notice of execution, the PDPO creates other criminal offenses, such as the disclosure of personal data without the consent of the data subject (i.e. the data subject), when psychological harm may have been inflicted. A person who commits such an offense is liable on conviction to a fine of HKD 1,000,000 and imprisonment for 5 years.[3].

In the context of the employment office, the Employment Ordinance (Chap. 57) (“EO”) contains the main legal provisions which are relevant for the protection of personal data of an agent for the employment and its related persons[4].

For example, under the OE, a licensed employment agency must keep a record of all job applicants (i.e. those affected), and the record must contain, among other things , the following personal data:

  • name and address of the candidate for employment;
  • Hong Kong identification number (or in the case of a non-resident, their passport number);
  • fees and commissions received;
  • Hiring date; and
  • name and address of the employer[5].

The IB also requires that these records be kept for a period of at least 12 months after the expiration of each financial year, so that the records are available for inspections by the Ministry of Labor.[6].

More importantly, the Ministry of Labor can refuse to issue, renew or revoke a license if it is satisfied, on reasonable grounds, that the authorized employment agency, or the person intending to request, did not comply with the code (s) of practice ”issued by the labor commissioner under section 62A (1) of the OE.

The main relevant code which provides guidance on the practice and operation of the employment agency is the Code of Practice for the Employment Agency (the “Code”). The code sets out the legislative requirements of the EO and provides the minimum standards that the labor commissioner expects from the licensee.

Failure to comply with the code may allow the labor commissioner to refuse or renew the license of the approved employment agency, or he may even revoke the license under Section 53 (1) of the OE.[7]. In addition, the labor commissioner may send warning letters to the licensee if he has violated the requirements of the Code and, in order to protect the public interest, publish this information if he deems it appropriate.[8].

Data protection issues and employment agencies in Hong Kong

There are many issues related to the protection of personal data within the framework of the employment office. Here are a few selected examples to illustrate some of the challenges of personal data protection in this industry and key issues that deserve further attention.

A. The growing complexity of different sources of personal data and consents

One of the most common issues that licensed employment agencies often face is that today they have adopted multiple channels to acquire personal data from different sources, such as public career / development websites. job search, personal interviews, WhatsApp / text messages and / or emails, etc.

Each type of source may have a different type of consent mechanism. For example, an employment agency may use public job / career search websites to obtain personal data of potential applicants (i.e. data subjects). These public employment / job search websites would often allow Data Users to upload CVs or other personal data from their website without the data subject having given specific consent.

In the absence of “direct consent” from the data subject, employment agencies rely on “indirect consent” from the public job search / job website (s). This can be problematic in situations where the employment office later finds out that the website does not have an adequate privacy policy in place, or the data subject does not actually consent to other users. upload their personal data.

It is therefore important that licensed employment agencies and their recruitment consultants and staff first check the privacy policy and the Personal Information Collection Statement (PICS) of the public career website (s) / website (s). job search before collecting personal data, in order to ensure that data subjects have given their consent for website users to upload their personal data and allow them to use their personal data for recruitment purposes .

B. Lack of clarity in the Personal Information Collection Statement (PICS)

Another common problem is that some licensed employment agencies do not expressly indicate that they will pass the collected personal data on to third parties, i.e. potential employers, in their PICS, and they often do not indicate not the retention period of the data.

It is essential, according to the ‘Advice on preparing the personal information collection statement and privacy policy statement‘(July 2013) published by the PCPD, that PICS should declare the categories of persons to whom the personal data collected may be transferred or disclosed. This is no exception to employment offices, and employment offices should draw up precise PICS to inform data subjects of the purpose of the collection and the duration of their personal data. It is also important that those affected check and confirm this with their employment agent.

Nowadays, employment offices also tend to write PICS that are deliberately too broad in scope, so that they can include each nominable goal as its “collection goal”. Employment agencies should be aware of these practices, as the PCPD or the court can likely interpret PICS and rule unfavorably against the licensed employment agency, as being in violation of the principle of “fair or lawful collection. of personal data ”(DPP1). We therefore recommend that Licensees reformulate their PICS very precisely.

C. Code Compliance

Similar to the OE, the Code provides that a licensed employment agency must keep a record showing the details of each job seeker.[9], and below it, a sample of the recording sheet is stipulated in Annex 1 of the Code.

However, we have seen cases where the approved employment agency has not kept such a file. In addition, in some cases, the approved employment agency did not follow the example file stipulated in Annex 1 of the code. Although the Code does not expressly state that it must strictly follow the example record sheet provided in Annex 1, it is strongly recommended that it be done in order to avoid unnecessary non-compliance.

Hong Kong employment agencies are required to manage various consent mechanisms for different sources of personal data. #privacy #respectdataClick to Tweet

It is also important to note that under the DPP and the Code, licensed employment agencies should only collect personal data that is necessary and not excessive to achieve the purpose of collection, and that they should maintain a Security and data protection policy in place to ensure their staff is informed and complies with the standards prescribed by the PDPO, the OE and the Code.

Final remarks

To conclude, employment agencies in Hong Kong are not only required to comply with the PDPO, but also the OE and Code, which adds an extra layer of complexity when it comes to compliance issues. concerning personal data. This may be necessary as cybersecurity and the protection of personal data is becoming a “major threat” to organizations and business entities, not to mention the fact that the cost of preventive compliance is far less than the cost of processing a data breach incident. Therefore, we anticipate an increasing demand for data protection and cybersecurity expertise in Hong Kong as companies recognize the importance and benefits of complying with the PDPO, OE and Code.

[1] Annex 1 of the PDPO
[2] s.50A of the PDPO
[3] Article 64 of the PDPO
[4] We will not discuss the Employment Agencies Regulation (Cap. 57A) (“EAR”) further, as it simply deals with the administrative procedures and requirements for applying for the issue or renewal of a license for employment agencies.
[5] art.56 of the OE
[6] paragraph 56 (1) (b) of the EA
[7] Para. 1.3 of the Code
[8] Para. 4.1.3 of the Code
[9] Para. 3.4.2 of the Code



Comments are closed.