Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Roth, Paul --- "Workplace privacy: new HK and UK codes" [2000] PrivLawPRpr 52; (2000) 7(6) Privacy Law and Policy Reporter 111

Workplace privacy: new HK and UK codes

The Hong Kong Code of Practice

Testing
Email monitoring
Other monitoring

The UK draft Code of Practice

Testing
Monitoring and surveillance
Communications monitoring

Workplace privacy: new HK and UK codes

Paul Roth

Workplaces tend to be inherently ‘public’ or ‘semi-public’ places. Accordingly, any right of privacy in the workplace — in the sense described by Justice Brandeis in the US Supreme Court as ‘the right to be left alone’ — will obviously need to be qualified in the employment context.[1] A worker is employed not be left alone, but to perform designated tasks in an environment where the employer’s interests are protected and promoted. An employer is entitled to take reasonable steps to ensure that assigned work is carried out, that it is performed to the required standard, that working conditions are safe, and that the employer’s other substantial interests — particularly in the security of its property — are safeguarded.

However, Professor Alan Westin, a pioneer in privacy law, goes too far when he cautions against placing too much emphasis on the value of privacy in the workplace. He has contended that privacy based arguments against intrusive workplace monitoring pose a ‘threat to central societal interests in quality work’, and are really disguised protests against worker supervision.[2]

Justice Brandeis’s formulation of privacy ought to apply, albeit in modified form, to the workplace, at least to the extent that workers should be entitled to be left alone in relation to matters that are irrelevant to the employment relationship. Employer action in the areas of testing and monitoring should at least be proscribed where it is illegal, where it interferes with workers’ health, and where it steps beyond the bounds of the terms of the employment contract. Ideally, the minimum standard should be one that is consistent with the ideal expressed in the Constitution of the International Labour Organisation (ILO), that workers should labour ‘in conditions of freedom and dignity’.[3]

Concerns about privacy in the workplace proceed from a human rights perspective, and are aimed at unfair or oppressive working conditions. Intrusive information practices in the workplace, however, have been driven by both the increasing availability and versatility of new technologies, and by ever increasing demands for information. As the Roman philosopher-poet Lucretius noted over two thousand years ago, each new invention creates a new need.

Although monitoring of work must be as old as the concept of work itself, the advance of technology has brought with it a great many new and intrusive means of carrying such monitoring out. The very fact that monitoring can take place with such sophistication that a worker cannot be certain whether or not he or she is being observed or measured (and for what) at any given moment adds to the stress and indignity caused by such practices. New tests have been devised to measure matters ranging from psychological makeup to drug use and genetic status.

Also driving intrusive information practices are the increasing demands for information for a great number of diverse purposes: government requirements, benefit entitlements, insurance, workplace health and safety, detection of out of work conduct that could be prejudicial to the business, better performance measures and the enhancement of efficiency.

The demand for specialised workplace privacy regulation comes from a number of different directions. Firstly, it stems from proponents of workers’ interests, who point to the effects intrusive practices have on workers’ dignity. Moreover, studies have been made concerning the stress effects of constant monitoring on worker health, as well as the high turnover in a workforce that is subject to such practices.

Secondly, there is the weakness of existing law, including specialised privacy legislation, to deal with privacy-intrusive practices. Employers are usually required by law to obtain a worker’s consent before implementing certain measures in the workplace, and they must always obtain consent before carrying out any kind of testing on workers. Given the power imbalance between worker and employer that is normally a feature of the employment relationship, consent is not difficult to procure in such a setting. This is even more so in relation to pre-employment testing, where a job applicant can usually be expected to co-operate fully with any of the proposed employer’s wishes.

Even where there is privacy legislation in place, regulation of workplace privacy matters is weak in practice. In New Zealand, for example, where there has been a privacy law of general application for seven years now, the main difference that seems to have been introduced by the legislation is that workers now have a right of access to most information held about them by their employers. Exercise of this right is particularly useful as a means of discovery that can be used before deciding whether or not to contest a dismissal or some other disadvantageous action. Otherwise, the legislation seems to have had little noticeable impact on the workplace. Nearly any practice is permissible if it has been authorised by employees. In so far as the cases go, surreptitious video monitoring of a locker room to detect theft has been found not to be objectionable in the circumstances,[4] as has been pre-employment psychometric testing.[5]

Finally, where there is privacy regulation of general application, there is considerable demand from both employers and employees to know how such legislation applies to particular situations in the workplace. Where the law is not specifically tailored to deal with workplace issues, it can be somewhat difficult to figure out what precisely is and is not permitted. Employers in particular desire the reassurance of knowing that a particular practice will not leave them open to legal challenge.

Sectoral regulation in respect to workplace privacy began on the regional level in Europe in 1989 with Council of Europe Recommendation No R(89)2 on the Protection of Personal Data used for Employment Purposes. This recommendation applies only to member states of the Council of Europe that ratified the 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data.

More recently, in 1997 the ILO published a voluntary and non-binding code of practice (with commentary) on the Protection of Workers’ Personal Data.[6] The code was intended to provide guidance in the development of legislation, regulations, collective agreements, work rules, policies and practical measures in the workplace (cl 2).[7] The code had been prepared by the International Labour Office, the organisation’s secretariat. It was subsequently adopted by a tripartite Meeting of Experts convened by the Governing Body of the ILO. It was then submitted to the Governing Body, which in turn adopted it in November 1996. The ILO is not likely to go further than suggesting voluntary self-regulation, as it has adopted a general policy of targeting and consolidating certain existing core standards for greater impact.[8]

On the national level, two common law jurisdictions, Hong Kong and the United Kingdom, have recently seen fit to introduce codes of practice dealing with workplace privacy issues. These codes of practice reflect the level of demand there is for specialised guidance in this area, as well as the weakness of the protection conferred by privacy legislation of general application in this context. Although both codes cover a wide variety of workplace matters, the survey below will focus on the treatment by each code of two common areas of concern: employee testing and monitoring.

The Hong Kong Code of Practice

The Hong Kong privacy legislation is the Personal Data (Privacy) Ordinance 1995 (Cap 486). It already contained a few provisions that were specifically aimed at workplace matters. A unique feature of this legislation is that individuals have a right of access to personal references unless the person providing the reference had no obligation in the course of his occupation to do so and the reference concerns the other person’s suitability to fill a position. However, once the applicant for a position has been informed of the employment decision, there is then right of access to the reference (s 56).

The Code of Practice on Human Resource Management, issued under s 12 of the Ordinance, was notified by the Privacy Commissioner for Personal Data on 22 September 2000, and will come into effect on 1 April 2001.[9] The Code contains both mandatory provisions and explanatory notes. The purpose of the Code is to provide guidance to data users who handle personal data in the human resource area, and it focuses on issues concerning collection, holding, accuracy, use, security and data subject access to personal data of prospective, current and former employees. The Code, which is 43 pages long, deals with the following matters:

Notification requirements on collection of personal data; Accuracy and retention of employment-related data; Security measures to protect employment-related data; Complying with data access and correction requests; Employer’s liability for wrongful acts or practices by employees or agents; Collection of personal data from job applicants; Advertising of job vacancies; Employment agencies/executive search company; Internal records about job applicants; Receiving and processing applications for employment; Seeking information for selection assessment; Seeking personal references of job applicants; Acceptance by candidates; Unsuccessful candidates; Data access and correction requests by job applicants; Personal data in relation to terms and conditions of employment; Disciplinary proceedings; Performance appraisal; Staff planning; Promotion planning; Providing job references for employees; Data access and correction requests by employees; Accuracy and retention of employment-related data; Use of employment-related data of existing employees; Disclosure or transfer of employment-related data; Matters concerning the engagement of subcontract staff; Continued retention of personal data of former employees; Accuracy of former employees’ personal data; Security of former employees’ personal data; Providing job references for former employees; Public announcements about former employees; Erasure of former employees’ personal data; Retirement; Death of an employee.

Testing

The Hong Kong Code does not contain anything specific on drug or alcohol testing. There are, however, a number of requirements that apply generally to the collection of information from employees, and specifically to the collection of health data. The collection of data generally must be necessary for or directly related to a human resource function of the employer or be carried out pursuant to a lawful requirement that regulates the affairs of the employer, and it must be undertaken by means that are fair in the circumstances. The data collection must not be excessive in relation to the purpose.[10] The collection of data relating to an employee’s health condition may be made so long as it is for a purpose that is directly related to an assessment of the suitability of the employee’s continuance in employment or directly related to the employer’s administration of medical or other benefits or compensation provided to the employee (para 3.2.4).

In relation to job applicants, para 2.9.1 of the Code provides as follows:

An employer may, no earlier than at the time of making a conditional offer of employment to a selected candidate, collect personal data concerning the health condition of the candidate by means of a pre-employment medical examination, provided that:

2.9.1.1 the personal data directly relate to the inherent requirements of the job;

2.9.1.2 the employment is conditional upon the fulfilment of the medical examination; and

2.9.1.3 the personal data are collected by means that are fair in the circumstances and are not excessive in relation to this purpose.

There is specific reference to psychological testing in the context of selection for employment and promotion (paras 2.7.1 and 3.6.1). In each case, such testing is acceptable so long as the purpose is to assess suitability for the job, and provided that the collection of personal information is undertaken fairly and is not excessive in relation to the purpose for the collection of information.

Email monitoring

The Hong Kong Code provides that where internet access (including email) is made available to employees, the employer should have a written policy on its use and inform employees of that policy (para 1.4.6).

The Code goes on to provide non-binding advice on good practice in relation to what such a policy ought to include. It states that an employer’s email policy should include coverage of the following matters:

• whether the use of the email system by employees for sending and receiving personal email is permitted and any special arrangements that employees should adopt for segregating personal email from work-related email;
• whether the employer reserves the right to access and read email sent and received by employees using the email system; and
• specific rules that apply to the distribution of incoming or outgoing email and the erasure of unnecessary email that contain personal data or has an attachment that includes such data.

Other monitoring

Monitoring is covered in the Code only in the context of performance appraisals. This indicates that if monitoring is to be undertaken, it must be carried out with a view towards a specific purpose rather than on an ongoing basis without any kind of limitation. The operative principle here is that the collection of information should not be excessive in relation to the purpose for its collection, and that it is carried out by means that are fair in the circumstances (para 3.4.2). The Code then goes on to provide the following non-binding advice on good practice:

For example, it would not be fair to record an employee’s work-related telephone conversations as part of a performance appraisal process unless there is no other reasonably practicable way of monitoring the employee’s performance, and prior notification is given of such a practice. It would also not be fair to use electronic surveillance of employees at work, such as the use of a finger-scan system, to monitor staff attendance at work unless there is no other less privacy-intrusive means of doing so. As a matter of good practice, employees should be served notice in writing if specific techniques are to be deployed to monitor their performance.

The UK draft Code of Practice

The United Kingdom Data Protection Commissioner has issued a draft Code of Practice on the Use of Personal Data in Employer/Employee Relationships. This forms the basis for a public consultation exercise that is taking place between 6 October 2000 and 5 January 2001.[11] Section 51(3) of the Data Protection Act 1998 (UK) gives the Data Protection Commissioner the power to issue such codes. Given that the matter is only at the consultation stage at this point, the final version of the Code (expected in the first half of 2001) may turn out to be somewhat different from this draft. This draft Code is somewhat more robust and prescriptive than the Hong Kong Code.

Two factors in particular led to the development of this draft Code. Firstly, developments in technology and practice, such as automated decision-making and electronic and video monitoring, have had a significant impact on employees. Secondly, there were significant new developments in the law, namely the enactment of the Data Protection Act 1998 (based on the European Union Data Directive, and significantly wider than the previous legislation in the area) and the Human Rights Act 1998 (which came into force on 2 October 2000).

The Code (with commentary), which is 63 pages long, deals with the following matters:

• Managing data protection (Allocating responsibility; Procedures; Awareness; Line management; Notification)
• Recruitment (Advertising; Applications; Verification; Shortlisting; Selection testing; Interviews; Pre-employment vetting; Retention of recruitment records)
• Employment records (Collection of information; Maintaining records; Sickness records; Security; Data processors; Pension/insurance schemes; Occupational health schemes; Equal opportunities; Review/appraisal; Marketing; Fraud prevention/detection; Financial control; International management)
• Access and disclosure (Subject access; Automated decisions; References; Disclosure requests; Other discretionary disclosures; Mergers and acquisitions)
• Contract and agency staff
• Employee monitoring (Monitoring: general considerations; Covert monitoring; Monitoring communications; Video and audio monitoring; Vehicle monitoring; Information monitoring)
• Medical testing (Drug/alcohol testing; Genetic testing)
• Discipline and dismissal
• Retention of records/former employees.

Testing

Any form of testing must be lawful and fair to the job applicant or employee. Fairness in this context means, among other things, that testing and the interpretation of test results should only be carried out by persons who are qualified to do so (para 2.5).

In relation to medical testing, the draft Code notes that ‘consent will not be freely given if the penalty for not consenting is dismissal’. In such cases, the consent will be invalid (para 7). The Code goes on to note that even where consent is valid, the processing of the personal data may be unfair ‘if, taking into account the circumstances in which consent is obtained, the employer uses its dominant position to carry out testing even though the benefits do not outweigh the inevitable intrusion into privacy’.

In relation to drug and alcohol testing in particular, the Code sets out the following standards (para 7.1):

• Unless justified on safety grounds, only introduce drug or alcohol testing of current or potential employees if it is part of a voluntary programme for the detection and treatment of drug/alcohol abuse (Principles 1 and 3).
• Do not conduct covert drug/alcohol testing unless it is in the course of the detection of serious crime and the police are involved (Principle 1).
• Take particular care when carrying out an assessment of whether drug testing is justified on health and safety grounds. Bear in mind that:

• — the employer’s interest is in detecting drug use that puts at risk the safety of others. This can arise from drugs that are legal as well as illegal. Employers should not test merely to find evidence of the use of illegal drugs;
• — the drug testing used must address the risk. It must be capable of providing real evidence of impairment at work that is sufficient to put at risk the safety of others;
• — other than in the most safety critical areas, drug testing is unlikely to be justified unless there is a reasonable suspicion of drug use that has an impact on safety;
• — information that is obtained in the course of a drugs test that does not have a significant bearing on the employee’s ability to work safely should be discarded. For example, information that shows an employee to be pregnant or to have been in contact with cannabis in the past should be neither recorded nor used;
• — drugs testing must provide significantly better evidence of impairment that puts safety at risk than less intrusive alternatives such as a test of speed of reaction (Principles 1 and 3).

• Ensure that drug testing that is used as a basis for decisions affecting a person’s employability or continued employment is of the highest technical quality and is subject to rigorous quality control procedures. It must be conducted under the direction of, and positive test results interpreted by a medically qualified person competent in the field of drug testing (Principles 3 and 4).

In relation to genetic testing, the Code sets out the following standards (para 7.2):

• Unless justified on the grounds that an employee with a particular, detectable genetic condition is likely to pose a serious safety risk to others, only introduce genetic testing of current or potential employees if it is part of a voluntary programme where it is known that a specific working environment or practice might pose specific risks to employees with particular genetic variations (Principles 1 and 3).
• Ensure any genetic test used for employment purposes is subject to assured levels of accuracy and reliability, reflecting best practice. Any use of genetic testing should be evidence based and consensual. Ensure the results of any test undertaken are always communicated to the person tested and professional advice is available. Ensure test results are carefully interpreted, taking account of how they might be affected by working conditions (Principles 3 and 4).
• Do not require an individual to disclose the results of a previous genetic test unless there is clear evidence that the information it provides is needed to assess either current ability to perform a job safely or susceptibility to harm from doing a certain job (Principle 3).

Monitoring and surveillance

The draft Code requires that any monitoring or surveillance be lawful and fair to employees. It emphasises openness and proportionality in relation to such practices. The Code sets out the following standards for all monitoring (para 6.1):

• Establish the specific business purpose for which the monitoring is to be introduced (Principles 1 and 2).
• Assess the impact of the monitoring on the privacy, autonomy and other legitimate rights of staff. Do not introduce monitoring in which any adverse impact is out of proportion to the benefits (Principle 1).
• In making this assessment consult relevant trade unions or other employee representatives.[12]
• Record both the business purpose for which the monitoring is to be introduced and the impact assessment behind it.
• If comparable benefits can reasonably be achieved by another method with less adverse impact, adopt this (Principles 1 and 3).
• Target any monitoring on those areas where it is actually necessary and proportionate to achieving the business purpose. Monitoring of all staff will not be justified if the purpose of the monitoring is to address a risk that is posed only by a few (Principles 1 and 3).
• Make all staff subject to the monitoring aware that it is taking place, and the purpose for which personal information is collected unless in exceptional circumstances:

• — the monitoring is behavioural; and
• — it is carried out for the purpose of preventing or detecting crime or the apprehension or prosecution of offenders; and
• — informing staff would be likely to prejudice this purpose; and
• — the standards in s 6.2 are complied with (Principle 1/s 29).

• Do not use personal information collected through monitoring for purposes other than those for which the monitoring was introduced and staff were told about unless the information is such that no reasonable employer could ignore it ie it reveals criminal activity or gross misconduct (Principles 1 and 2).
• Remember that information collected through monitoring can be misleading, misinterpreted or even deliberately falsified as well as being inaccurate because of equipment malfunction. If the information is to be used in a way that might have an adverse impact on employees, present them with the information and give them an opportunity to challenge or explain it before it is used (Principles 1 and 4).

The Code disapproves of covert employee performance monitoring, and views the justifiability of covert employee behavioural monitoring as limited to those circumstances where openness would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.[13] The Code’s standards for covert monitoring are as follows (para 6.2):

• Only use covert monitoring of behaviour if:

• — specific criminal activity has been identified; and
• — the need to use covert monitoring to obtain evidence of that criminal activity has been established; and
• — an assessment has concluded that explaining the monitoring to employees would prejudice success in obtaining such evidence; and
• — an assessment has been made of how long the monitoring should continue for; and
• — in the case of a public authority the monitoring is carried out in accordance with an authorisation granted under the provisions of Part II of the Regulation of Investigatory Powers Act 2000 (Principle 1/s 29).

• Document the above.
• Ensure that information obtained through covert monitoring is used only for the prevention or detection of the criminal activity or the apprehension or prosecution of offenders to which the monitoring was directed. Disregard other information collected in the course of the monitoring unless it is of such seriousness that no reasonable employer could ignore it ie it reveals other criminal activity or gross misconduct (Principles 1 and 2).

The Code sets out the following standards for video and audio monitoring (para 6.4):

• In assessing whether the adverse impact of video or audio monitoring is out of proportion to the benefits, bear in mind that such routine monitoring is only likely to be justified where these are particular safety or security risks that cannot be adequately addressed in other less intrusive ways (Principle 1).
• In this assessment treat video and audio capability separately. Cases where both video and audio monitoring are justified are likely to be extremely rare (Principles 1 and 2).
• Ensure that if people other than employees, such as visitors, are likely to be caught by video or audio monitoring they are made aware that it is in operation and the purposes for which the information will be used (Principle 1).
• Do not install covert video or audio monitoring unless the standards set out in s 6.2 are met. Even then, do not install it in locations where individuals have a reasonable expectation of privacy, for example in cloakrooms, vehicles or to monitor individuals in their private offices. If monitoring in such locations is justified, the police should be involved (Principle 1).

In relation to vehicle monitoring through tachograph or tracking devices, the Code sets out the following standards (para 6.5):

• Apply the standards for general and, in appropriate cases, covert monitoring in this Code to monitoring the movement of vehicles provided exclusively for business and related use (eg home-to-work journeys) (Principle 1).
• Do not attempt to monitor the movement of private vehicles. If such monitoring can be justified the police should be involved (Principle 1).
• Where vehicles are supplied both for business and private use, provide employees with the ability to disable any monitoring when the vehicle is being used privately. If covert monitoring can be justified and this extends to private use of the vehicle the police should be involved (Principles 1 and 2).

Communications monitoring

The draft Code sets out the following standards for telephone monitoring (para 6.3.1):

• Do not monitor or record the content of calls unless it is clear the business purpose for which the monitoring is undertaken cannot be achieved by the use of an itemised call record. If the itemised call record alone is not sufficient to achieve the business purpose use it to ensure any monitoring or recording is strictly limited and targeted (Principles 1 and 3).
• Ensure those making calls to or receiving calls from the organisation as well as employees are aware of any monitoring and the purpose behind it unless this is obvious. For example, it is at least as important that those making personal calls to employees are told their calls may be monitored and why, as customers who are conducting financial transactions by telephone and might well expect them to be recorded. If there is no better way of achieving this instruct employees to inform callers that their calls may be recorded and why (Principle 1).
• Provide some lines at work, whether by the use of dedicated lines, payphones or otherwise, which employees can use for private calls confident that calls made from them will not be recorded or monitored.
• If mobile phones are provided for employees make sure they are aware of the extent to which you will receive information about their private use of the phone and how this might be used (Principle 1).

The draft Code sets out the following standards for email monitoring (para 6.3.2):

• Do not monitor the content of email messages unless it is clear the business purpose for which the monitoring is undertaken cannot be achieved by the use of a record of email traffic. If the traffic record alone is not sufficient to achieve the business purpose use it to ensure any further monitoring is, as far as possible, strictly limited and targeted (Principles 1 and 3).
• Only consider the monitoring of content if neither a record of traffic nor a record of both traffic and the subject of emails achieves the business purpose. In assessing whether monitoring of content is justified take account of the privacy of those sending e-mails as well as the privacy and autonomy of those receiving them. Wherever possible restrict the monitoring of emails sent to specific employees to messages the employee has received and chosen to retain rather than delete. Do not open e-mails that are clearly personal (Principles 1 & 3).
• If monitoring the content of incoming emails is justified on the basis of detecting computer viruses, use an automated monitoring and detection process. Only use information obtained for the purpose of virus detection. A need for virus detection does not warrant the reading of the content of incoming emails (Principles 1 and 2).
• If it is necessary to check the mail boxes of employees in their absence make sure they are aware this will happen. The purpose of such monitoring is to ensure the business responds properly to its customers and other contacts. Only use the information for this purpose unless it reveals criminal offences or gross misconduct. Do not open emails that are clearly personal (Principles 1 and 2).
• Provide a means by which employees can effectively expunge from the system emails they receive or send (Principles 5 and 7).

Finally, the draft Code sets out the following standards for internet access monitoring (para 6.3.3):

• As well as setting out clearly to employees any limits on the circumstances in which they may use internet access facilities you provide for personal reasons, specify clearly any restrictions on material from the internet that can be viewed or copied. A simple ban on access to ‘pornography’ is not sufficiently clear.
• Do not monitor sites visited or content viewed unless it is clear the business purpose for which the monitoring is undertaken cannot be achieved by simply recording the time spent accessing the internet (Principles 1 and 3).
• As far as possible enforce your policy on internet access by technical means to restrict access rather than by monitoring behaviour. For example, products are available that, it is claimed, can recognise excessive skin tones in an image, and thereby prevent the display of pornographic material (Principles 1 and 3).
• If the purpose of monitoring is to detect the downloading of pornography, ensure the monitoring is justified on the basis of a realistic analysis, on the lines set out above, of the risks faced. Bear in mind that information obtained from the monitoring should be disregarded unless it reveals the downloading of pornography that poses a significant risk to you as employer (Principles 1 and 2).
• In using the results of any monitoring take account of the ease with which websites can be visited unwittingly through unintended responses of search engines, unclear hypertext links, misleading banner advertising or miskeying (Principles 1, 3 and 4).
• Ensure, as far as possible, that if employees are allowed to use the employer’s system to access the internet for personal reasons no record is kept in the system of the sites they have visited or the content they have viewed. To the extent that this might not be technically possible make sure employees are aware of what is retained and for how long (Principles 1 and 3).

Dr Paul Roth of the University of Otago, Dunedin, New Zealand is author of the Privacy Law and Practice looseleaf service (Butterworths NZ). A longer version of this article was presented at the Australian Business Limited ‘Workplace Privacy Issues’ Conference, Sydney, November 2000.