Employment Agency and Data Protection: A Hong Kong Perspective

While cybersecurity threats and the need for better data protection across industries has become a more pervasive global issue than ever before, this is no exception in the employment agency industry in Hong Kong.

At the time of writing, there are currently 3,148 licensed placement agencies (“licensed placement agencies”) registered with the Department of Labor in Hong Kong. Many of these licensees may not be aware of or understand the importance of personal data protection and how it may affect their business.

This article aims to fill this gap by providing a brief overview of Hong Kong’s personal data protection laws, particularly in the context of the employment agency industry, and the common issues they may face in their day-to-day operation. .

Data Protection Laws and Employment Agencies in Hong Kong

In Hong Kong, personal data is protected by the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) which came into force in 1996, and it covers both private and public stakeholders.

The PDPO’s Six Data Protection Principles (DPPs) provide guidance to data users on how to handle personal data throughout the data lifecycle[1].

Although a mere violation of the DPPs is not in itself an offence, the Commissioner for Personal Data Protection (PCPD) may issue an “enforcement notice” to a data user in the event of a serious data breach or violation of PPDs. Failure to comply with an “enforcement notice” is an offense under the PDPO and may result in a fine of HK$50,000 and imprisonment for 2 years.[2].

In addition to the enforcement notice violation offense, the PDPO creates other criminal offenses, such as disclosing personal data without the consent of the data subject (i.e. data subject), where psychological harm may have been inflicted. A person who commits such an offense is liable, upon conviction, to a fine of HK$1,000,000 and imprisonment for 5 years.[3].

In the context of an employment agency, the Employment Ordinance (Cap. 57) (“EO”) contains the main legal provisions relating to the protection of the personal data of an employment agency and its connected persons. .[4].

For example, under the EO, a licensed employment agency must maintain a register of all job applicants (i.e. data subjects), and the register must contain, among other things, the data following personal:

  • name and address of job seeker;
  • Hong Kong Identification Number (or in the case of a non-resident, their passport number);
  • fees and commissions received;
  • Hiring date; and
  • name and address of the employer[5].

The EO also requires that these records be retained for a period of at least 12 months after the expiration of each fiscal year, so that the records are available for inspections by the Department of Labor.[6].

More importantly, the Department of Labor may refuse to issue, renew, or revoke a license if it is satisfied, on reasonable grounds, that the licensed employment agency, or person intending to so request, has failed to comply with the code(s) of practice” issued by the Commissioner of Labor under section 62A(1) of the EO.

The main relevant code which provides guidance on the practice and operation of employment agencies is the Employment Agencies Code of Practice (the “Code”). The code sets out the legislative requirements in the OE and provides the minimum standards the commissioner of labor expects of the licensee.

Failure to comply with the code may allow the commissioner of labor to deny or renew the licensed employment agency’s license, or he may even revoke the license under section 53(1) of the EO[7]. In addition, the Commissioner of Labor may send warning letters to the licensee if they have violated Code requirements and, in an effort to protect the public interest, publish such information as they deem appropriate.[8].

Questions relating to data protection and employment agencies in Hong Kong

There are many issues related to the protection of personal data in the context of employment agencies. Here are a few selected to illustrate some of the challenges of personal data protection in this sector and the key issues that deserve greater attention.

A. The growing complexity of different sources of personal data and consents

One of the most common problems that licensed employment agencies often face is that they have now adopted multiple channels through which to acquire personal data from different sources, such as public career/job websites. job search, personal interviews, WhatsApp/text messages and/or emails, etc.

Each type of source can have a different type of consent mechanism. For example, an employment agency may use public job search/career websites to obtain personal data about potential candidates (i.e. data subjects). These public career/job search websites would often allow data users to download CVs or other personal data from their website without the data subject having to give specific consent.

In the absence of “direct consent” from the data subject, employment agencies rely on “indirect consent” from the public career/job search website(s). This can be problematic in situations where the employment agency later discovers that the website does not have an adequate privacy policy in place, or that the data subject does not actually consent to other users upload their personal data.

It is therefore important that licensed placement agencies and their recruitment consultants and staff check the privacy policy and personal information collection statement (PICS) of the public career/job search website(s) before to collect personal data on it, in order to ensure that the data subjects have given their consent for the users of the website to upload their personal data and allow them to use their personal data for recruitment purposes.

B. Lack of clarity in the Personal Information Collection Statement (PICS)

Another common problem is that some of the approved employment agencies do not expressly state that they would pass on the personal data collected to third parties, i.e. potential employers, in their PICS, and they often do not state not the retention period of the data.

It is essential, according to the ‘Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement‘ (July 2013) published by the PCPD, that the PICS should declare the categories of individuals whose personal data collected may be transferred or disclosed. This is no exception for placement agencies, and placement agencies should draft clear PICS to inform data subjects of the purpose of the collection and for how long their personal data will last. It is also important that the persons concerned check and confirm this with their employment office.

Employment agencies these days also tend to write PICS that are deliberately too broad in scope, so they can include every nameable goal as their “collection goal.” Placement agencies should be aware of these practices, as the PCPD or the court may likely interpret the PICS, and may rule against the licensed placement agency, as violating the principle of “fair or lawful collection of data from personal character” (DPP1). We therefore recommend that Licensees revise their PICS in a very precise manner.

C. Code Compliance

Similar to the EO, the Code provides that a licensed placement agency must keep a register showing the details of each job seeker[9]and below, a sample of the record sheet is stipulated in appendix 1 of the code.

However, we have seen cases where the licensed employment agency has not kept such a record. In addition, in some cases, the approved employment agency did not follow the sample file stipulated in appendix 1 of the code. Although the Code does not expressly state that it must strictly follow the sample record sheet provided in Appendix 1, it is strongly recommended to do so in order to avoid unnecessary non-compliance.

Employment agencies in Hong Kong are required to manage various consent mechanisms for different sources of personal data. #privacy #datarespectClick to tweet

It is also important to note that under the DPPs and the Code, licensed employment agencies must only collect personal data that is necessary and not excessive to achieve the purpose of the collection, and that they must maintain a security and data protection policy in place to ensure their staff are informed and meet the standards prescribed by the PDPO, EO and Code.

Final remarks

To conclude, employment agencies in Hong Kong are not only required to comply with the PDPO, but also with the EO and the Code, which adds an additional layer of complexity when it comes to data-related compliance issues. personal. This may be necessary as cybersecurity and personal data protection become a “major threat” for organizations and business entities, not to mention that the cost of preventive compliance is much lower than the cost of dealing with a security incident. data breach. Therefore, we foresee a growing demand for data protection and cybersecurity expertise in Hong Kong as businesses recognize the importance and benefits of PDPO, EO and Code compliance.

[1] PDPO Annex 1
[2] art. PDPO 50A
[3] art. 64 of the PDPO
[4] We will not discuss the Employment Agencies Regulations (Cap. 57A) (“EAR”) further, as they only deal with the administrative procedures and requirements for applying for the issue or renewal of an employment license. employment agencies.
[5] art. 56 from EO
[6] paragraph 56(1)(b) of the EA
[7] Para. 1.3 of the Code
[8] Para. 4.1.3 of the Code
[9] Para. 3.4.2 of the Code