
Know where you stand on data access requests

A data access request can be a powerful tool for a disgruntled employee. Equally, receiving a data access request from an employee can give rise to significant operational and compliance challenges for an organisation. It is therefore critical for employers to understand their obligations and to have plans in place to deal with any requests.

Access by employees to their personal data, which is held by their employer, is a core right at the heart of many data protection laws. In Hong Kong, this right has been codified in the principles contained in the Personal Data (Privacy) Ordinance.

In summary, a job applicant, employee or former employee is entitled to ascertain whether an employer holds personal data of which the person making the request is the subject. Where personal data is held by the employer, the individual is entitled to the personal data requested within 40 days of the employer’s receipt of their request in a form that is intelligible and at a fee that is not excessive.

There are various rules surrounding the way in which the data must be provided, but there are five key guidelines all employers should remember when processing data access requests.

Firstly, someone is not entitled to access data which is not personal or which is personal data not belonging to him.

In order to constitute personal data, the information must relate directly or indirectly to the individual and it must be possible to identify the individual either directly or indirectly from that data. For example, documents in an employee’s personnel file, such as performance appraisals and previous disciplinary sanctions, will most likely constitute personal data. However, a business report or other piece of work merely authored by the employee most likely will not.

This can be an important distinction and may help employers limit the amount of potentially sensitive information that must be released to an employee. A data access request is not designed to replace a disclosure process in litigation and should not be used as a “fishing” exercise to bolster an employee’s claim.

Secondly, it is reasonable for the employer to seek further clarification from the requestor where the request is generic or unclear.

In these days of “big data”, it can be very unhelpful for an employer to receive a request for “all personal data”, particularly where there has been a high level of interaction between the employee and employer. Where the scope of the request is very broad and/or generic, the employer is entitled to seek further clarification about the scope of the information sought.

Thirdly, the requirement to ascertain whether an employer holds and/or controls personal data that is relevant to the request is limited to steps which are reasonably practicable.

What constitutes a “reasonably practicable” step will differ according to the circumstances of the request and of the employer. It is, however, important to remember that an employer is not obliged to provide or create personal data that it does not have.

Fourthly, consent will be required if another individual’s personal data is to be disclosed.

If the personal data sought under a data access request contains personal data of another individual, the employer will need to seek the consent of that individual before providing the data. Alternatively (and more commonly) an employer can look to remove the name or identifying particulars of the other individual.

Finally, requests may be refused in certain limited circumstances.

There are a number of exceptions listed in the Personal Data (Privacy) Ordinance that would allow the employer to refuse a data access request. Aside from procedural reasons (for example, the requestor has not provided good proof of their identity or has not paid the required fee), there are a couple of exceptions specifically relevant to data access requests from employees.

Where the request concerns personal data relevant to a staff planning proposal either to fill a series of current vacancies or to cease employment of a group of individuals, that data is exempt from being disclosed under a data access request until such time as the process has been completed. This exemption does not, however, apply to single vacancies or terminations.

The law on data access requests and, in particular, the situations in which employers can refuse to provide personal data can be complex and the above is intended only as a high-level guide. Specialist advice should generally be sought when contemplating whether or not to disclose personal data, especially given the legal pitfalls inherent in doing so.

 


This article appeared in the Classified Post print edition as Know where you stand on data access requests.