Following is a question by the Hon Kenneth Leung and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Raymond Tam, in the Legislative Council today (June 18):
It has been reported that some employers collect employees' biometric information, such as fingerprints and genetic data derived from blood samples, for internal investigation or security purposes. The Office of the Privacy Commissioner for Personal Data, Hong Kong (OPCPD) has pointed out that such practices allegedly constitute improper collection of personal data and serious invasion of employees' privacy. There are comments that the Personal Data (Privacy) Ordinance (Cap. 486) has failed to effectively regulate employers' collection, holding, processing and use of employees' personal data, resulting in inadequate protection of employees' privacy. In this connection, will the Government inform this Council:
(1) whether it knows the number of complaints received by OPCPD in each of the past three years about improper collection of employees' personal data by employers, and the outcome of the handling of such cases by OPCPD;
(2) given that the Government indicated in its Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance published in October 2010 that it did not intend to subject sensitive personal data (particularly biometric information) to more stringent regulation, but proposed in the Report that the protection of such data be enhanced, of the details of the efforts made so far by the authorities and OPCPD in promoting the protection of sensitive personal data;
(3) given that with technology advances, biometric systems, which capture physiological attributes of individuals, are increasingly used for identification and authentication purposes, whether the authorities and OPCPD have plans to enact laws or draw up codes of practice/guidelines to step up the regulation of the collection and use of biometric information; if so, of the details; if not, the reasons for that; and
(4) whether it knows, in respect of some employers requiring their employees to undergo comprehensive pre-employment physical check-ups (including the collection of biometric information), if OPCPD has taken any corresponding actions to protect employees' privacy and to ensure that the recruitment activities concerned are conducted without unreasonable and excessive collection of personal data, and that adequate protection of the personal data concerned is provided in the course of the collection, processing and storage of such data; if so, of the details and the effectiveness of such actions; if not, the reasons for that?
Reply to the different parts of the question is as follows:
(1) The number of complaints received by the Office of the Privacy Commissioner for Personal Data (PCPD) in the past three years about improper collection of personal data of employees (including prospective, current and former employees) by employers, and the outcome of the handling of such cases by PCPD are shown in Annex.
(2) and (3) In 2009 to 10, the Administration conducted a comprehensive review of the Personal Data (Privacy) Ordinance (the Ordinance) and consulted the public. One of the issues included in the review and consultation was whether sensitive personal data should be subject to more stringent control. The outcome of the consultation showed that there were no mainstream views in the community on the coverage of sensitive personal data, the regulatory model or sanctions. Therefore, the Administration decided not to introduce more stringent regulation in this regard.
Notwithstanding the above, in order to promote awareness of personal data protection and enhance understanding of, and compliance with the Ordinance, PCPD organises on a regular basis professional workshops and public seminars, issues guidance notes and information leaflets as well as organises other promotional and educational events. PCPD also releases reports on investigations to deter malpractices and promote compliance.
On the handling of sensitive personal data such as biometric information, PCPD has issued the Guidance on Collection of Fingerprint Data to provide data users who intend to collect fingerprint data with practical guidance. The Guidance also serves as reference for data users who collect other kinds of biometric information. PCPD will continue to keep in view developments in biometric technologies and issue further guidance as and when necessary.
(4) Pursuant to the Ordinance, PCPD issued the Code of Practice on Human Resource Management to provide practical guidance on how to properly handle personal data in each phase of the employment process. According to the Code, an employer offering conditional employment to a candidate may collect personal data concerning the latter's health condition by means of a pre-employment medical examination provided that (i) such data directly relates to the inherent requirements of the job; (ii) the employment is conditional upon the passing of the medical examination; and (iii) the data is collected by means which are fair in the circumstances and the data collected is not excessive in relation to the purpose of collection.
Moreover, PCPD organises regular professional seminars on Data Protection in Human Resource Management for human resource practitioners to discuss with them how to properly handle employees' personal data and explain to them relevant codes of practice and guidelines issued by PCPD so as to equip them with knowledge as to the proper ways of handling personal data and complying with the Ordinance.
So far PCPD has not received any complaint relating to medical examination.
Ends/Wednesday, June 18, 2014