Is it mandatory to have a Privacy Compliance Officer for companies?
To keep up with workplace privacy issues and personal data processing, some companies may opt to engage a Privacy Compliance Officer (or Data Protection Officer) to oversee their data protection matters on an ongoing basis. Is this mandatory under the latest Personal Data (Privacy) Ordinance (PD(P)O) update?
The PD(P)O does not in any way make such a hiring mandatory for employers. The responsibilities of this type of officer can vary widely depending on the power and role conferred upon him/her in an organization. Some officers may simply be confined to processing data access and correction requests, while others may be charged with handling everything from the collection of employee data to the security of its transmission and storage, and policy implementation of the Code of Practice on Human Resource Management (*).
It doesn't matter whether or not that person is specifically given the title of Privacy Compliance Officer: anyone who has the authority to handle employee data would need to comply with the Code, or else be liable to contravene its requirements, possibly leading to a breach of the PD(P)O as well. If convicted of a breach, he or she would be personally liable together with the employing company.
Personal data protection during recruitment
That is to say, if no employer-employee relationship exists, a person who gathers data solely for the purpose of administering his/her personal and family affairs is generally exempt from the requirements of the Code/PD(P)O. However, there is no such exemption applicable in the educational context, she says.
Filing a complaint with the Privacy Commissioner
Typically, a person can file a complaint with the office of the Privacy Commissioner in case of a contravention of the Code. In some cases, where, say, a data user has disclosed personal data of a data subject imparted to him in confidence, the PD(P)O entitles the aggrieved person to seek compensation for damage, even for injury to feelings.
Although non-compliance with the Code itself is not automatically considered a breach of the PD(P)O, such non-compliance could be taken into account by the court or the Administrative Appeals Board as evidence in deciding whether the PD(P)O has been breached. However, the decision will always depend on the circumstances of the case.
(*) The Code of Practice on Human Resource Management
The Code of Practice on Human Resource Management, which is based on the Personal Data (Privacy) Ordinance (PD(P)O), reiterates that Hong Kong employees have the right to be informed of the use of their personal data and to expect that the data is up-to-date, secure, and kept no longer than necessary.
It illustrates the balance between employees' personal rights and employers' business interests, with practical examples covering a range of foreseeable circumstances where complicated issues concerning the use of employee data might arise and where the law, i.e. the requirements of the PD(P)O, should be abided by in relation to human resource practices.
Disclaimer: This article provides general information for reference only. It is not intended to serve as, or be interpreted as, legal advice under any circumstances. Please seek professional help if you have any relevant legal issue.