The Background
In recent times, there have been a lot of attention-grabbing headlines on companies’ obligations to protect personal data relating to customers and clients. The obligations on companies to protect data relating to employees, however, are often overlooked.
Personal data protection is an increasingly critical issue for businesses. The exponential growth in the volume of personal data used in business has led to new laws and regulations across Asia – broadly in line with a larger global trend. In many cases, these laws restrict the ways it can be used, processed and stored.
Generally, companies should think of “personal data” as any information from which a living person can be identified. As such, regulations restricting its use can have far-reaching consequences.
Since 2010, personal data protection legislation has been introduced in mainland China, Hong Kong, Singapore, Malaysia, South Korea and Taiwan to protect employee rights. Bosses who breach privacy regulations can face severe penalties such as fines and, in some cases, criminal sanctions. That is before even considering the damage to reputation and morale.
As is so often the case in legal matters, prevention is better than cure. There’s no way companies can avoid the necessity of holding employee data, but there are steps they can take to minimise the risk of breaches. While the rules vary from place to place, there are basic things employers should consider doing.
The Key Steps
Employers should restrict the type of data that they collect about employees. With every piece of data an employer requests, the employer should ask itself if it is essential to the business. If the answer is no, it should consider whether the data needs to be collected at all.
Data should only be used for the purpose for which it was collected. If an employer intends to use personal information for any other purpose, the consent of the relevant employee(s) should be obtained.
Access should be tightly controlled. Suitable security measures should be in place for both physical and electronic storage. Employers should check whether there are any legal restrictions as to who can access the data.
Transfer to third parties must be severely restricted. In most cases, employee consent is required before any personal data is transferred to a third party and there may be a question as to whether a general consent, obtained at the start of employment, will suffice.
Employers also need to ensure that any third party to whom data is transferred will also comply with strict data protection standards. In this sense, companies can find themselves responsible for the actions of their suppliers. Most often, this will apply when data is transferred to group companies or to external service providers such as payroll administrators or IT support providers.
Restrictions also apply to transfers from one jurisdiction to another. Generally speaking, if personal data is going to be transferred to a different country or jurisdiction, employers must make sure that the destination has a data protection regime in place that gives at least an equivalent level of data protection. This can be especially challenging for larger companies with complex structures.
Where equivalent regulations are not in place, employers need to take the initiative and make sure that appropriate agreements are in place to ensure sufficient levels of security over the data. In some cases, particularly where data will be transferred to a country within the European Union, a company’s data protection obligations may even be more onerous on transfer.
Multinationals should give careful thought to how personal data is handled, as data is often transferred between group companies or jurisdictions. Even smaller firms must take fresh care over these issues if they are considering cloud-based storage solutions.
Employers should confirm to staff that communications through the employer’s IT systems – such as telephones, internet and e-mail – may be monitored. It should be made clear that staff should have no expectation of privacy in those communications.
Necessary Safeguards
Data protection regimes can be complex and vary considerably between jurisdictions. Accordingly, employers should be proactive and seek advice when implementing or changing policies.
Firms must be aware of data protection rules in every jurisdiction they operate in and consider how they restrict or regulate the transfer of data. They should have a clear policy explaining to staff how data is collected, processed and stored.
Where possible, they should include a clause dealing with personal data protection in employment agreements. Staff who collect, use or process data should get regular training.
Access to employee data should be tightly controlled. Appropriate security measures should be put in place in relation to both physical and electronic storage of the data. Agreements and systems should be in place on data transfers to third parties.
Kathleen Healy is a partner in the expanding Employment, Pensions and Benefits practice in Asia of Freshfields. Based in Hong Kong, she specialises in advising on Asia-Pacific employment and HR projects, and on the multijurisdictional employment aspects of internal investigations.