Cybersecurity threats and the need for better data protection across all sectors have become a global issue that is more prevalent than ever, and the employment agency sector in Hong Kong is no exception.
At the time of writing, there are 3,148 licensed employment agencies (“Licenced Employment Agencies”) registered under the Labour Department in Hong Kong. Many of these Licensees may not have the knowledge or understanding of the importance of personal data protection and how it may affect their business.
This article aims to bridge this gap by providing a brief overview of the Hong Kong laws in relation to personal data protection, specifically in the context of the employment agency sector, and the common issues which agencies may face in their day-to-day operations.
Data protection and employment agency laws in Hong Kong
In Hong Kong, personal data is protected by the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) which came into force in 1996, and it covers both private and public stakeholders.
The PDPO’s six data protection principles (DPPs) provide guidance to data users on how to handle personal data throughout the data life cycle.
Although mere contravention of the DPPs is itself not an offence, the Privacy Commissioner for Personal Data (PCPD) may issue an ‘enforcement notice’ to a data user in the event that there is a serious data breach or contravention of the DPPs. A breach of an ‘enforcement notice’ is an offence under the PDPO, and may attract a fine of HKD $50,000 and imprisonment for 2 years.
Apart from the offence of breaching an enforcement notice, the PDPO creates other criminal offences, such as disclosing personal data without the consent of the impacted individual (i.e. data subject), where psychological harm may have been inflicted. A person who commits such an offence is liable on conviction to a fine of HKD $1,000,000 and to imprisonment for 5 years.
In the context of employment agencies, the Employment Ordinance (Cap. 57) (“EO”) contains the main legal provisions that are relevant to the protection of personal data of an employment agent and its related persons.
For example, under the EO, a Licenced Employment Agency must maintain a record of all job applicants (i.e. data subjects), and the record must contain, amongst other things, the following personal data:
name and address of the job-applicant;
Hong Kong ID number (or in the case of a non-resident, his or her passport number);
fee and commission received;
date of employment; and
name and address of the employer.
The EO also requires those records to be retained for a period of not less than 12 months after the expiration of each accounting year, so that the records are available for the Labour Department’s inspections.
More importantly, the Labour Department may refuse to issue or renew a licence, or may revoke one, if it is satisfied on reasonable grounds that the Licenced Employment Agency, or the person intending to apply for a licence, has not complied with the ‘code(s) of practice’ issued by the Commissioner for Labour under s.62A(1) of the EO.
The main relevant code which provides guidance on the practice and operation of employment agencies is the Code of Practice for Employment Agency (the “Code”). The Code sets out the legislative requirements in the EO and provides the minimum standards which the Commissioner for Labour expects from the Licensee.
Failure to comply with the Code may allow the Commissioner for Labour to refuse to issue or renew the Licenced Employment Agency’s licence, or even to revoke the licence under s.53(1) of the EO. Furthermore, the Commissioner for Labour may issue warning letters to the Licensee if it has breached the requirements under the Code and, for the purpose of protecting the interest of the public, may publish such information if it sees fit.
Issues relating to data protection and employment agencies in Hong Kong
There are many problems related to personal data protection in the context of employment agencies. The following are a selected few that illustrate some of the difficulties of personal data protection in this sector and the key issues that deserve greater attention.
A. The growing complexity of different personal data sources and consents
One of the most common problems which Licenced Employment Agencies face is that they now use multiple channels to acquire personal data from different sources, such as public career/job-seeking websites, personal interviews, WhatsApp/text messages and emails.
Each type of source may have a different type of consent mechanism. For example, an employment agency may use public career/job-seeking websites to obtain personal data of potential candidates (i.e. data subjects). These public career/job-seeking websites would often allow data users to download CVs or other personal data from their sites without the need for the data subject to give specific consent.
B. Lack of clarity in Personal Information Collection Statement (PICS)
Another common problem is that some of the Licenced Employment Agencies do not expressly state in their PICS that they would pass the collected personal data to third parties, i.e. potential employers, and they often do not state the duration of data retention.
There is also a tendency nowadays for employment agencies to draft PICS that are deliberately too wide in scope, such that they can include every single nameable purpose as the ‘purpose of collection’. Employment agencies should be mindful of such practices, as the PCPD or the court may construe such a PICS to be in contravention of the principle of ‘fair or lawful collection of personal data’ (DPP1), and may rule adversely against the Licenced Employment Agency. We therefore recommend that Licensees redraft their PICS in a much more precise manner.
C. Compliance with the Code
Similar to the EO, the Code provides that a Licenced Employment Agency shall maintain a record showing particulars of every job-seeker, and a sample of the record sheet is stipulated in Appendix 1 of the Code.
However, we have seen cases where the Licenced Employment Agency has not been maintaining such a record. Furthermore, in some cases, the Licenced Employment Agency has not followed the sample record stipulated in Appendix 1 of the Code. Although the Code does not expressly state that an agency must strictly follow the record sheet sample provided in Appendix 1, it is highly recommended that agencies do so in order to avoid unnecessary non-compliance.
It is also important to note that under the DPPs and the Code, a Licenced Employment Agency should only collect personal data that is necessary and not excessive to achieve the purpose of collection, and that it should keep a security and data protection policy in place to ensure its staff are informed of and comply with the standards prescribed by the PDPO, EO and the Code.
To conclude, employment agencies in Hong Kong are required to comply not only with the PDPO but also with the EO and the Code, which adds an extra layer of complexity when it comes to compliance issues in relation to personal data. This is perhaps necessary as cybersecurity and personal data protection are becoming a ‘top threat’ to organisations and business entities, not to mention that the pre-emptive compliance cost is much lower than the cost of handling a data breach incident. Therefore, we foresee growing demand for data protection and cybersecurity expertise in Hong Kong as businesses recognise the importance and benefits of compliance with the PDPO, the EO and the Code.
Schedule 1 of the PDPO
s.50A of the PDPO
s.64 of the PDPO
We will not be discussing the Employment Agency Regulations (Cap. 57A) (“EAR”) any further, as it merely deals with the administrative procedures and requirements for application for the issue or renewal of employment agencies’ licence.
s.56 of the EO
s.56(1)(b) of the EO
Para. 1.3 of the Code
Para. 4.1.3 of the Code
Para. 3.4.2 of the Code