Employee Data Privacy: A Regional Overview
Introduction

All employers collect, handle and use employee personal data. Most jurisdictions have laws regulating such collection, handling and use of employee personal data. With increasing globalization and mobility of employees, and the relative ease with which data can be transferred between legal entities and across borders, complying with all requirements relating to personal data has become an increasingly difficult exercise. This publication attempts to ease that burden.

This publication covers 16 different jurisdictions in Asia. For each of the jurisdictions covered we asked the following questions:

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?
B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?
C. For how long must an employer retain an employee's personal data? What is best practice?
D. What are the legal restrictions on transferring employees' personal data outside your country?
E. What are the legal restrictions on transferring employees' personal data to a third party?
F. What are the consequences of breaching privacy laws in your jurisdiction?
G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

We have set out the answers to each of these questions in two different formats. Section 1 contains an Executive Summary of each jurisdiction's responses. This is intended to be a short, at-a-glance overview of the position. Section 2 contains the more substantive answers to the questions.

We do hope that you find this publication useful. It has been made possible with the input of lawyers from leading law firms in each jurisdiction. Should you wish to contact the lawyers in any of the jurisdictions, their contact details are set out in the last Section of this publication.

Phillipa Muir
Partner
Simpson Grierson
Section 1: Executive Summary ... 1
Section 2: The Expanded Answer to the Questions by Jurisdiction
Australia ... 33
Hong Kong ... 47
India ... 55
Indonesia ... 59
Japan ... 63
Mainland China ... 67
Malaysia ... 69
New Zealand ... 73
Pakistan ... 81
Philippines ... 83
Singapore ... 91
South Korea ... 97
Sri Lanka ... 99
Taiwan ... 101
Thailand ... 111
Vietnam ... 117
Executive Summary: AUSTRALIA

A. Is there a law regulating employee personal data?
A range of State and federal legislation regulates the handling of personal data. The principal piece of legislation for incorporated entities can be applied to employee data; however, it is substantially limited in that respect.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement for such a statement or agreement; however, it is prudent to have a privacy code, policy or procedure in place.

C. How long must I retain employee data? What is best practice?
Various State and federal legislation requires certain employee records (which could include personal data) to be retained for specified periods. Specific legislation requires that certain employee records be kept for at least 7 years.

D. Can I transfer employee data overseas?
Yes, subject to certain requirements.

E. Can I transfer employee data to a third party?
Yes, subject to certain requirements.

F. What are the consequences of breach?
A determination may be made by the Privacy Commissioner, including a declaration that a reasonable act should be performed to redress any loss or damage suffered by a complainant, or that a complainant is entitled to a specified amount of compensation for any loss or damage suffered (including injury to feelings or humiliation). Determinations may be enforced by proceedings commenced in the Federal Court or the Federal Magistrates Court. The Court may make such orders as it thinks fit.

G. What are the main pitfalls?
Pitfalls include:
- Assuming privacy regulation is the same across all jurisdictions.
- Failure to ensure that any records held containing the personal information of employees are dealt with only in a manner that directly relates to the employment relationship; that is, employee records should be collected, used and disclosed only for the purpose of the employment relationship.
- Collection of unnecessary personal information and consequent exposure to legal risk.
- Failure to develop, implement and enforce comprehensive policies and procedures around the handling of personal information.

Contributed by Corrs Chambers Westgarth

Employee Data Privacy in Asia
Executive Summary: HONG KONG

A. Is there a law regulating employee personal data?
Yes. The Personal Data (Privacy) Ordinance.

B. Do I need to have a privacy statement or agreement?
No particular form of document is needed. Certain information required to be provided by legislation is typically provided in a Personal Information Collection Statement (PICS).

C. How long must I retain employee data? What is best practice?
The Employment Ordinance requires certain employee data to be retained for at least 12 months. Best practice suggestion: 2 years for recruitment data and 7 years for employment data, unless the employer has a legitimate reason for retaining data longer (e.g. litigation).

D. Can I transfer employee data overseas?
Yes, subject to certain requirements.

E. Can I transfer employee data to a third party?
Yes, subject to certain requirements.

F. What are the consequences of breach?
Investigation by the Commissioner. The Commissioner may issue an enforcement notice. Criminal liability for failure to comply with an enforcement notice: on conviction, a fine at level 5 (currently HK$50,000), imprisonment for 2 years and, for a continuing offence, a daily penalty of HK$10,000. Civil liability: the data subject may claim compensation.

G. What are the main pitfalls?
Employers should issue a PICS and ensure that the purpose of use of data specified in the PICS covers the employer's requirements. Employees can access and obtain their personal data by making a Data Access Request (DAR). An employer must provide all personal data of the employee in response to a DAR unless an exception applies, e.g. employees using a DAR to fish for claims against the employer.

Contributed by Mayer Brown JSM
Executive Summary: INDIA

A. Is there a law regulating employee personal data?
There is no specific law on the subject. However, action may be initiated for a claim under the Information Technology Act, 2000, in tort, or for breach of the fundamental right to life and liberty (including the right to privacy) as guaranteed by the Constitution of India.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement. However, it is advisable to have a privacy statement/agreement.

C. How long must I retain employee data? What is best practice?
Employees' personal data may be retained for 3 years, and financial data for 8 years.

D. Can I transfer employee data overseas?
There is no law restricting the transfer of employees' personal data. However, the courts may impose reasonable restrictions if they consider the information to be of a sensitive nature.

E. Can I transfer employee data to a third party?
There is no law restricting the transfer of employees' personal data. However, the courts may impose reasonable restrictions if they consider the information to be of a sensitive nature.

F. What are the consequences of breach?
There is no specific law pertaining to the transfer of employees' personal data. However, action may be initiated by an employee in tort or for breach of the right to privacy or, in certain cases, under the Information Technology Act, 2000.

G. What are the main pitfalls?
Though there is no specific law relating to data protection in India, some protection is available under Article 21 of the Constitution of India (Right to Life and Liberty). The courts in India have interpreted the Right to Privacy as part of the broad spectrum of the Right to Life. Further, the Information Technology Act, 2000 extends protection to data in electronic form which is sensitive in nature (as may be notified by the Central Government). Further, the courts may impose restrictions on the transfer of data if they consider the data to be sensitive enough to cause irreparable harm to the employee if it were so transferred. Therefore, it is advisable to seek the consent of the employee prior to any intended transfer of his/her personal data.

Contributed by Trilegal
Executive Summary: INDONESIA

A. Is there a law regulating employee personal data?
There is no specific law regulating employee personal data. Human rights law provides a right to privacy.

B. Do I need to have a privacy statement or agreement?
Yes, it is recommended to include a statement in the Company Regulation (work rules) clarifying the employer's right to use personal data, albeit there is no legal requirement to do so.

C. How long must I retain employee data? What is best practice?
At the discretion of the Board of Directors. Best practice: at least two (2) years after termination of employment.

D. Can I transfer employee data overseas?
There is no specific restriction, but it is prudent to include such a right in the statement in the Company Regulation.

E. Can I transfer employee data to a third party?
There is no specific restriction, but it is prudent to include such a right in the statement in the Company Regulation.

F. What are the consequences of breach?
In theory, causes of action may include civil tort, civil or criminal defamation, or the criminal offence of an "unpleasant act".

G. What are the main pitfalls?
Personal data should be handled responsibly to avoid the employee suffering embarrassment or other damage.

Contributed by Soewito Suhardiman Eddymurthy Kardono
Executive Summary: JAPAN

A. Is there a law regulating employee personal data?
Yes. There is the Personal Information Protection Act ("PIPA") and various governmental guidelines.

B. Do I need to have a privacy statement or agreement?
Generally no. However, it is advisable to establish a privacy policy, as this is the most convenient way to satisfy an employer's obligation upon receiving personal data, i.e. to inform the employee of (or publicly announce) the purpose for which such personal data will be used.

C. How long must I retain employee data? What is best practice?
Certain important documents must be retained for 3 years.

D. Can I transfer employee data overseas?
Yes. So long as the transfer occurs within the same legal entity, no restrictions exist on transferring personal data overseas. However, transfer to a third party (including an overseas parent or related company) requires the prior consent of the employee.

E. Can I transfer employee data to a third party?
The prior consent of the employee is needed to transfer the employee's personal data to a third party.

F. What are the consequences of breach?
The government may issue a recommendation and/or an order to rectify the breach. Failure to comply with the order may lead to imprisonment of up to 6 months or a fine of up to JPY 300,000. If a breach of the PIPA causes any damage, the person responsible for such breach may be liable for the resulting damages.

G. What are the main pitfalls?
Special regulations exist for health-related information and other sensitive information. When conducting a background check separately, it is advisable to obtain the job applicant's consent to the acquisition of personal data from a third-party service provider.

Contributed by Anderson Mori & Tomotsune
Executive Summary: MAINLAND CHINA

A. Is there a law regulating employee personal data?
Yes. The Employment Services and Management Regulations.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement. However, ideally an employer should have a written agreement with its employee regulating the collection, use and handling of personal data.

C. How long must I retain employee data? What is best practice?
The law is unclear. We suggest 2 years as best practice.

D. Can I transfer employee data overseas?
Yes, but if the transfer involves publicizing the employee's personal data, then written consent from the employee is required.

E. Can I transfer employee data to a third party?
Yes, but if the transfer involves publicizing the employee's personal data, then written consent from the employee is required.

F. What are the consequences of breach?
The consequences are unclear, as there are no clear provisions setting out the consequences of breach.

G. What are the main pitfalls?
An employer is obliged to keep the employee's personal data confidential, and has to obtain the employee's written consent if it will publicize any such personal data.

Contributed by JSM Shanghai Representative Office
Executive Summary: MALAYSIA

A. Is there a law regulating employee personal data?
The Employment Act 1955. The Personal Data Protection Bill 2009 has been passed but has not yet been gazetted to commence.

B. Do I need to have a privacy statement or agreement?
No.

C. How long must I retain employee data? What is best practice?
6 years.

D. Can I transfer employee data overseas?
Yes.

E. Can I transfer employee data to a third party?
Yes.

F. What are the consequences of breach?
None.

G. What are the main pitfalls?
Ensuring up-to-date information on personnel. Be aware of the gazetting of the Personal Data Protection Bill 2009 to commence.

Contributed by Shearn Delamore
Executive Summary: NEW ZEALAND

A. Is there a law regulating employee personal data?
Yes, the Privacy Act 1993.

B. Do I need to have a privacy statement or agreement?
This is not required by the Privacy Act but is recommended as a matter of best practice.

C. How long must I retain employee data? What is best practice?
The Privacy Act does not require information to be held for any fixed period. The emphasis in the Act is on not holding information for longer than is necessary. However, various other statutes govern the minimum periods for which certain information must be held (for example, tax records must be held for 7 years, and wage records must be held for 6 years).

D. Can I transfer employee data overseas?
The Privacy Act does not contain specific restrictions on the transfer of personal information overseas. Individuals must be made aware of all intended recipients of their personal information at the time it is collected. If such notice is not provided, then the consent of employees must generally be obtained before transferring information to any other jurisdiction.

E. Can I transfer employee data to a third party?
The Privacy Act does not contain specific restrictions on the transfer of personal information to third parties. Individuals must be made aware of all intended recipients of their personal information at the time it is collected. If such notice is not provided, then the consent of employees must generally be obtained before transferring information to any other entity/third party.

F. What are the consequences of breach?
(1) Investigation by the Privacy Commissioner (who can issue non-binding recommendations).
(2) Human Rights Review Tribunal (potential remedies include damages of up to NZ$200,000, although damages awards greater than NZ$10,000 are rare).
(3) Administrative penalties (may be liable on summary conviction to a fine not exceeding NZ$2,000).

G. What are the main pitfalls?
Common pitfalls include:
- The failure to properly notify an individual about the collection of personal information (in accordance with IPP 3).
- The use of personal information for a purpose other than that for which it was obtained (prohibited by IPP 10).
- Improper disclosure of personal information (prohibited by IPP 11).

Contributed by Simpson Grierson
Executive Summary: PAKISTAN

A. Is there a law regulating employee personal data?
Presently there is no statutory law, regulation or code which deals with the collection, use and/or handling of an employee's personal data in Pakistan. However, all employers normally require personal data of their employees for security and cross-reference reasons. Moreover, the employee's name, Computer National Identification Card and address are also used for the filing of annual returns. The general principles of the law of torts will apply, but they do not require any strict compliance, and a lack of malice on the part of the employer in collecting, storing and disclosing the personal data of an employee will be a sufficient defence against any potential action against the employer. Such an action, though a possibility, is seldom used.

B. Do I need to have a privacy statement or agreement?
There is no legal requirement to have a document to deal with the employee's personal data.

C. How long must I retain employee data? What is best practice?
There is no legal requirement for the retention of an employee's personal data. Employers generally hold the employee's data for a couple of years as a cross-reference and for their own records.

D. Can I transfer employee data overseas?
There are no legal restrictions on transferring an employee's personal data outside Pakistan.

E. Can I transfer employee data to a third party?
As stated earlier, presently there is no statutory law which controls and regulates the collection, use and handling of an employee's personal data in Pakistan; therefore, there are no legal restrictions on transferring an employee's personal data to a third party. However, there is one exception: if the employee and employer have entered into a confidentiality agreement, then both parties would be governed by the terms of that confidentiality agreement.

F. What are the consequences of breach?
There are no privacy laws in Pakistan; therefore the occasion of their breach cannot arise. However, if a privacy agreement is breached, then a suit (civil action) for damages can be filed under the law of contract.

G. What are the main pitfalls?
Presently, the absence of laws regarding an employee's personal data is the main drawback in Pakistan. However, if the personal data disclosed to a third party proves to be incorrect, a suit for damages can be filed under the law of torts. This is a case of rare occurrence but still a possibility.

Note: The above information is in reference to the jurisdiction of Pakistan.

Contributed by Meer & Hasan
Executive Summary: PHILIPPINES

A. Is there a law regulating employee personal data?
Yes. However, these are general laws that regulate the use of personal data (including employee data) for the protection of the individual's constitutionally protected right to privacy, and not a specific law that regulates the collection, use and/or handling of employee personal data per se.

B. Do I need to have a privacy statement or agreement?
None of the data privacy protection laws specifically requires that a written privacy statement or agreement be in place before an employer may use employee personal data. The transfer of employee personal data to a third party is, however, subject to restrictions. (See the response to Question E.)

C. How long must I retain employee data? What is best practice?
There is no fixed period for which an employer is required to retain employee personal data.

D. Can I transfer employee data overseas?
Yes, as long as there is consent or a legitimate purpose for the transfer.

E. Can I transfer employee data to a third party?
Yes, as long as there is consent or a legitimate purpose for the transfer, and as long as there is a written contract between the data processor (third party) and the data controller (employer).

F. What are the consequences of breach?
The party divulging the information may be liable for the payment of damages. With respect to certain information, the party divulging such information may also expose himself to possible criminal liability.

G. What are the main pitfalls?
There is no specific law that deals with the management of an employee's personal data.

Contributed by SyCip Salazar Hernandez & Gatmaitan
Executive Summary: SINGAPORE

A. Is there a law regulating employee personal data?
There is no single overarching piece of legislation on employee data privacy in Singapore. However, the Computer Misuse Act ("CMA") prohibits unauthorised access to data and/or unauthorised interception of computer communications. The Model Data Protection Code for the private sector, which is not mandatory, has 10 principles that organisations should follow when collecting, processing and storing personal data.

B. Do I need to have a privacy statement or agreement?
An agreement with the person whose information is being collected is required for compliance with the CMA. No agreement is required for the collection of employee data under other statutes. However, having one in place is nevertheless recommended.

C. How long must I retain employee data? What is best practice?
The period for which employee data must be retained depends on the individual statutes and generally varies from five to seven years. Where no retention period is provided, best practice is to retain the information for 7 years.

D. Can I transfer employee data overseas?
There are no restrictions on transferring employee data overseas. However, please note that the Banking Act restricts the transfer of customer information to third parties, and such disclosure is permitted only in the specific circumstances prescribed therein.

E. Can I transfer employee data to a third party?
There are no restrictions on transferring employee data to third parties. However, please note that the Banking Act restricts the transfer of customer information to third parties, and such disclosure is permitted only in the specific circumstances prescribed therein.

F. What are the consequences of breach?
Violation of the CMA provisions can lead to a maximum fine of S$5,000 or imprisonment for no more than 2 years, or both, for a first offence, and a maximum fine of S$10,000 or imprisonment for no more than 3 years, or both, for subsequent offences.

G. What are the main pitfalls?
There is no single overarching piece of legislation, although several statutes regulate this area.

Contributed by Rajah & Tann
Executive Summary: SOUTH KOREA

A. Is there a law regulating employee personal data?
No.

B. Do I need to have a privacy statement or agreement?
Advisable.

C. How long must I retain employee data? What is best practice?
3 years.

D. Can I transfer employee data overseas?
Advisable to obtain employee consent.

E. Can I transfer employee data to a third party?
Advisable to obtain employee consent.

F. What are the consequences of breach?
Depending on the characterization of the breach, consequences may include civil and/or criminal liability.

G. What are the main pitfalls?
Depending on the circumstances, the Protection of Credit Information Act, which provides for criminal punishment, may apply.

Contributed by Kim & Chang
Executive Summary: SRI LANKA

A. Is there a law regulating employee personal data?
No.

B. Do I need to have a privacy statement or agreement?
No.

C. How long must I retain employee data? What is best practice?
Depends on the category of employee.

D. Can I transfer employee data overseas?
Yes.

E. Can I transfer employee data to a third party?
Yes.

F. What are the consequences of breach?
Not applicable.

G. What are the main pitfalls?
No statutory provision.

Contributed by John Wilson Partners
Executive Summary: TAIWAN

A. Is there a law regulating employee personal data?
Yes, the CPDPA, which will be replaced by the PDPA passed on April 27, 2010, with the effective date to be published by the Executive Yuan of the Republic of China.

B. Do I need to have a privacy statement or agreement?
CPDPA: No, but the CPDPA requires an employer to prepare a book listing certain information for the employee's inspection or review.
PDPA: No, but the PDPA requires that: 1) a private sector employer makes the collected personal data of an employee available to that employee for inspection and review, or provides a duplicate of such personal data upon the employee's request, subject to certain exceptions such as national security concerns; and 2) a notification containing certain information be presented to the employee when the employee's personal data is collected, used or handled.

C. How long must I retain employee data? What is best practice?
CPDPA: Under the CPDPA, an employer shall comply with the length of retention approved by the competent authority.
PDPA: Under the PDPA, in general, an employer may retain an employee's personal data where a specific purpose exists or prior to the expiration of the retention period.

D. Can I transfer employee data overseas?
CPDPA: Yes, if the international transfer of personal data is registered with and approved by the competent authority under the CPDPA.
CPDPA & PDPA: Under both the CPDPA and the PDPA, in certain circumstances the central competent authority may nevertheless restrict lawful international transfers.

E. Can I transfer employee data to a third party?
CPDPA: Yes. Under the CPDPA, subject to certain exceptions, the transfer shall be limited to the scope of the specific purposes.
PDPA: Under the PDPA, in general, sensitive data may not be transferred, while the transfer of non-sensitive data shall be limited to the scope of the specific purposes for collecting such data.

F. What are the consequences of breach?
CPDPA & PDPA: An employer in violation of either the CPDPA or the PDPA may be subject to civil, criminal and/or administrative liabilities.
PDPA: The PDPA increases the civil, criminal and administrative liabilities to provide more protection for the individual's right of privacy.

G. What are the main pitfalls?
An employer should pay close attention to the effective date of the PDPA, as well as the upcoming passage of, or amendments to, the enforcement rules and supplemental laws and regulations relating to the PDPA.

Contributed by Lee, Tsai & Partners
Executive Summary: THAILAND

A. Is there a law regulating employee personal data?
Currently, there is no law that regulates employees' personal data, although the Personal Data Protection Bill (the "Bill") has long been expected to be put in place.

B. Do I need to have a privacy statement or agreement?
Not currently, but if the Bill comes into force, an employer will need consent from its employee to handle the employee's personal data.

C. How long must I retain employee data? What is best practice?
Under the Thai Labour Protection Act, an employer must keep an employee register for not less than two years after termination of employment. If the Bill becomes law, an employee's personal data processed for any purpose may not be kept longer than necessary for that purpose.

D. Can I transfer employee data overseas?
Currently, there is no law that prohibits the transfer of an employee's personal data overseas, but if the Bill comes into effect, written consent from the employee will be required.

E. Can I transfer employee data to a third party?
Currently, there is no law that prevents an employer from transferring its employee's personal data to a third party, but if the Bill takes effect, written consent from the employee will be needed.

F. What are the consequences of breach?
If an employer's use or disclosure of personal data causes damage to an employee, the employer may be subject to civil and/or criminal punishment. If the Bill becomes law, any breach may be subject to administrative and/or criminal penalties.

G. What are the main pitfalls?
If the Bill is issued, any collection, utilization and disclosure of an employee's personal data will require that employee's express consent. The employer will also need a secure personal data collection system to prevent exploitation or disclosure of the personal data.

Contributed by Mayer Brown JSM (Thailand) Limited
Executive Summary: VIETNAM

A. Is there a law regulating employee personal data?
Yes.

B. Do I need to have a privacy statement or agreement?
Yes.

C. How long must I retain employee data? What is best practice?
There is no statutory requirement regarding how long employee data may be retained. In practice, the employer should agree with the employee on the time limit for retaining his/her data. It is preferable that written consent from the employee be obtained.

D. Can I transfer employee data overseas?
Yes, subject to the employee's consent.

E. Can I transfer employee data to a third party?
Yes, subject to the employee's consent.

F. What are the consequences of breach?
The employee may sue the breaching party in a court of law.

G. What are the main pitfalls?
The breaching party, depending on the seriousness of the breach, would be subject to an administrative penalty. If the breach causes damage to the employee's health, honour, dignity or reputation, compensation must be paid.

Contributed by Mayer Brown JSM (Vietnam)
The Expanded Answer to the Questions by Jurisdiction

AUSTRALIA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

Privacy in the employment context usually concerns the use by an employer of personal information[1] about an employee, including information about the employee's health and fitness. In Australia, legal obligations in respect of the privacy of personal information are largely derived from statute. There is no constitutional protection of privacy rights similar to that which exists in other jurisdictions such as the United States.

Privacy in Australia is regulated at both the federal and State level. Therefore, privacy obligations differ across the various jurisdictions, as well as between the public and private sectors. In each Australian jurisdiction, the privacy of personal information may be regulated by specific privacy legislation and also by legislation in respect of health records, freedom of information and electronic surveillance. A summary of some of the key legislation that regulates privacy in Australia is set out below.

Privacy Act 1988 (Cth)

The Privacy Act 1988 (Cth) ("Privacy Act") regulates the use, storage, handling, access, disclosure and security of personal information by Australian and Australian Capital Territory government agencies and Australian private sector organisations with an annual turnover greater than AUD 3 million.

[1] It has been assumed for the purposes of this Australian section that the reference to "personal data" has the same or a similar meaning as the term "personal information" under the Privacy Act 1988 (Cth). Privacy issues also arise from the undertaking of workplace surveillance and monitoring. The issue of workplace surveillance and monitoring has not been covered in this report.
There are some small businesses which may have an annual turnover of less than AUD 3 million whose activities are nevertheless regulated by the Privacy Act. This includes health service providers and businesses that trade in personal information.

The Privacy Act is intended to protect personal information about individuals who can reasonably be identified from the information. Personal information is generally defined as "[i]nformation or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or an opinion."

The Privacy Act establishes 12 National Privacy Principles which (together) operate to regulate the use, storage, handling, access and security of personal information by organisations to which the Privacy Act applies. Organisations may discharge their obligations by creating and complying with a code of practice tailored to the organisation and approved for use by the Privacy Commissioner.

The Privacy Act expressly excludes acts done, or practices engaged in, by an employer (who is regulated by the Privacy Act) of an individual, if the act or practice is directly related to (a) a current or former employment relationship between the employer and the individual, and (b) an employee record held by the organisation and relating to the individual. Employee records are broadly defined as a record of personal information relating to the employment of the employee.
Examples of personal information relating to the employment of the employee are health information about the employee and personal information about, amongst other things, the engagement, training, disciplining or resignation of the employee; the termination of the employment of the employee; the terms and conditions of employment of the employee; the employee s personal and emergency 34 Employee Data Privacy in Asia
Australia contact details; the employee s performance or conduct; the employee s hours of employment; the employee s salary or wages; the employee s membership of a professional or trade association and the employee s taxation, banking or superannuation affairs. Practically, this means an employer does not need to comply with the National Privacy Principles (for example, in relation to storage, access, use, disclosure and handling of the information) in relation to records about its employees which fall within the above definition. The existence of the employee records exemption does not mean that all activities of an employer that relate to employment are excluded. For example, a prospective employee does not have an employment relationship with the potential employer. Therefore, potential employers and/or recruitment agencies must comply with the obligations of the Privacy Act in respect of candidates for employment. Another limitation to the exemption is that it will no longer apply once an employer discloses the employee records to a third party which is not involved in the employment relationship. On 14 October 2009, the Federal Government announced that it would commence a reform of the Federal privacy laws. Part of the second stage of those reforms may include consideration of whether the employee records exemption should be removed. Fair Work Act 2009 (Cth) The Fair Work Act 2009 (Cth) regulates the employment relationship between employees and national system employers. A national system employer is broadly defined in the Fair Work Act and relevantly includes all incorporated employers and, subject to the location in which the employment is based, various other employers in Australia. 35
Privacy rights under the Fair Work Act arise insofar as unions have certain rights to access employment records in respect of their members. In some cases a non-member's record can be accessed, particularly in circumstances where the non-member consents or Fair Work Australia makes an order granting access.

It is important to note that unions that access employee records must then comply with the obligations set out in the Privacy Act in respect of those records. Further, the employee records exemption will not apply in respect of the union's management of those records. Accordingly, unions accessing employee records pursuant to their rights under the Fair Work Act will still be required to comply with the privacy obligations under the Privacy Act in respect of those records.

State and Territory privacy legislation

In most States and Territories, privacy regulation is limited to the public sector. Employers should be mindful of the following legislation:

Victoria: Information Privacy Act 2000 (Vic) and the Charter of Human Rights and Responsibilities Act 2006 (Vic);
New South Wales: Privacy and Personal Information Protection Act 1998 (NSW);
Queensland: Information Privacy Act 2009 (Qld);
Western Australia: Freedom of Information Act 1992 (WA); and
South Australia: Information Privacy Principles (IPPs) reissued by the State Government of South Australia in 1992.

There is also limited State legislation regulating privacy in respect of health records. In most States, access to health records retained by a public hospital or public health service is regulated by freedom of information legislation.

Freedom of information legislation

The Freedom of Information Act 1982 (Cth) provides that every person has a right to access documents held by federal government agencies or Ministers, other than exempt documents. Relevantly, one of the classes of exempt documents is where the disclosure of the document would involve the unreasonable disclosure of personal information of any person other than the applicant who has made the request. A number of factors will be taken into account in determining whether the disclosure would be unreasonable. Each State and Territory also has legislation dealing with freedom of information.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no general legal requirement to have a document to deal with employees' personal data. However, as indicated in our response in section A above, organisations may discharge their privacy obligations by creating and complying with a code of practice tailored to the organisation and approved for use by the Privacy Commissioner. Employers may also be assisted in their compliance with privacy obligations by implementing privacy policies and procedures, setting out the kinds of information that are protected, relevant obligations and best practice.

Accordingly, as a matter of risk management and regulatory compliance, it is prudent for an organisation to develop, implement and comply with a privacy policy or code of practice. This will be particularly important in circumstances where it is not clear whether employee records are being collected, used or disclosed for the purpose of the employment relationship. For example, employers should obtain a written consent from prospective employees in relation to the collection, use and disclosure of personal and sensitive information which is obtained during the recruitment process.

C. For how long must an employer retain an employee's personal data? What is best practice?

Provided that the personal data falls within the employee records exemption under the Privacy Act, there are no obligations with respect to the retention of personal data under the Privacy Act. However, various Federal and State legislation requires that employers retain certain records relating to employees (which could include personal data).

The Fair Work Regulations 2009 (Cth) require that specific employee records be retained for all employees (with certain limited exceptions) for a period of seven years. For the purposes of the Fair Work Regulations, "record" means any record about the employee (or former employee) containing information about the nature of their employment and their entitlements (e.g. applicable industrial instruments, classification, pay rates, hours, shift work, overtime, leave, superannuation etc.), and also information about the employee's termination (if a former employee). However, the Fair Work Regulations do not require that employers keep records relating to an employee's performance.

The Fair Work Regulations stipulate that records must be kept in a legible form in the English language and in a form that is readily accessible to a Fair Work Inspector. Importantly, the Fair Work Regulations do not stipulate that the record must be an original copy, or kept in hard copy.

The Superannuation Guarantee (Administration) Act 1992 (Cth) requires corporations to retain specific superannuation documents for a period of five years. Further, the Income Tax Assessment Act 1997 (Cth) requires that specific taxation records must be retained for five years.

Obligations in relation to employee records also arise under workers' compensation legislation in each of the States and Territories. For example, in NSW employers are required under the Workers Compensation Act 1987 (NSW) to retain wages records (which may include personal data).

Finally, it is important to note that where litigation is anticipated or has been commenced, an employer must not destroy or dispose of any documents that may be required for the purposes of the litigation (which may include employee records).

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

Transborder data flows are the subject of a specific National Privacy Principle referring to the movement of personal data across national borders. The Privacy Act originally dealt only with personal information collected and handled within Australia. However, it has since been amended to apply to acts done, or practices engaged in, by an organisation outside Australia and the external Territories. The purpose of these amendments to the Privacy Act was to prevent organisations from avoiding their privacy obligations by transferring the handling of personal information to countries with lower privacy protection standards.
An organisation in Australia can only transfer personal information outside Australia if:

the organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the National Privacy Principles;
the individual consents to the transfer;
the transfer is for the benefit of the individual and it is impracticable to obtain consent, but it is likely consent would have been given;
the transfer is required by a contract between the individual and the organisation, or a contract between the organisation and a third party in the interests of the individual; or
the organisation has taken reasonable steps to ensure the information will not be held, used or disclosed by its recipient inconsistently with the National Privacy Principles.

The Privacy Commissioner has powers to oversee complaints that arise in respect of a breach which occurs outside of Australia and which fall within the scope of the Privacy Act.

E. What are the legal restrictions on transferring employees' personal data to a third party?

As set out in our response in section A above, the obligations set out in the Privacy Act do not apply to the collection, use, disclosure and storage of personal information contained within an employee record, provided that the act or practice directly relates to the employment relationship. Unfortunately "directly related" is not defined in the Privacy Act and there is presently no case law which has considered the meaning of "directly related to the employment relationship" in a privacy context. However, an act which may not directly relate to the employment relationship may include sending a list of employee details to another organisation for marketing purposes.

If an employer that is an organisation covered by the Privacy Act seeks to collect, use or disclose employee records in a way not directly related to the employment relationship, it must comply with the National Privacy Principles. Relevantly, we set out the key aspects of National Privacy Principles 1 and 2 below.

National Privacy Principle 1: Collection

An organisation must only collect personal information that is necessary for one or more of its legitimate functions or activities (the primary purpose). An organisation must only collect personal information by lawful and fair means and not in an unreasonably intrusive way. At the time of collection (or as soon as practicable afterwards) an organisation must take reasonable steps to ensure that the individual is told:

the identity of the organisation and how to contact it;
that they can access the information;
why the information is collected;
the disclosure practices of the organisation; and
any law that requires the particular information to be collected and the consequences (if any) for the individual if the information is not provided.

Where practicable, an organisation should collect personal information directly from the individual.

National Privacy Principle 2: Use and disclosure

As a general rule, an organisation should only use or disclose personal information for the purpose for which it was collected (the primary purpose). But an organisation can use or disclose personal information about an individual for another purpose (the secondary purpose) if:

the individual has consented; or
the secondary purpose is related to the primary purpose and the information might reasonably be expected to be used or disclosed for the secondary purpose.

Special additional provisions apply for direct marketing and sensitive information (including health information).

Legislation in the Australian Capital Territory, New South Wales and Victoria regulates organisations which collect, hold and use health information. Such legislation contains health record privacy principles which are broadly similar to the National Privacy Principles. In certain circumstances, if the employer collects health information, the employer will be required to comply with the health records legislation in the relevant State or Territory.

F. What are the consequences of breaching privacy laws in your jurisdiction?

General

If an organisation breaches a National Privacy Principle, the organisation will have contravened section 16A(2) of the Privacy Act and interfered with the privacy of an individual contrary to section 13A(1)(b) of the Privacy Act. Individuals must make any complaints regarding an interference with privacy to the relevant organisation. If the complaint is not resolved it can be referred to the Office of the Privacy Commissioner for conciliation, and if this is not successful, for formal determination (enforceable by the Federal Court of Australia).

Privacy Commissioner functions

(a) Powers without complaint

Under section 27(1)(ab) of the Privacy Act, the Privacy Commissioner has the power to investigate an act or practice of an organisation that may be an interference with the privacy of an individual because of section 13A and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation.

Where the Commissioner has investigated an act or practice (without a complaint having been made under section 36 of the Privacy Act), the Commissioner must report to the Minister about the act or practice, if the Commissioner thinks the act or practice is an interference with the privacy of an individual. The Minister must table the report before each house of the Federal Parliament. In this way, the report acts to "name and shame" contraveners of Privacy Act obligations.

(b) Powers following complaint

Pursuant to section 40 of the Privacy Act, the Commissioner must investigate an act or practice if:

the act or practice may be an interference with the privacy of an individual; and
a complaint about the act or practice has been made under section 36 of the Privacy Act.

Pursuant to section 44 of the Privacy Act, if the Commissioner has reason to believe that a person has information or a document relevant to an investigation, the Commissioner may give to the person a written
notice requiring the person to give the information to the Commissioner and/or to produce the document to the Commissioner. The Commissioner is also empowered to examine witnesses and direct persons to attend compulsory conferences for the purpose of the investigation.

After investigating a complaint, the Commissioner may, under section 52 of the Privacy Act, find the complaint substantiated and make a determination, including a declaration that:

the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;
the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant; and/or
the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.

A determination by the Commissioner is not binding or conclusive between any of the parties to the determination. An organisation that is the respondent to a determination made under section 52:

must not repeat or continue conduct that is covered by a declaration that determined the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; and
must perform the act or course of conduct that is covered by a declaration that determined the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant.

The complainant or the Commissioner (if a determination was made under section 52) may commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce a determination. If the court is satisfied that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant, the court may make such orders (including a declaration of right) as it thinks fit. The court may, if it thinks fit, grant an interim injunction pending the determination of the proceedings.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Employers should be mindful to ensure that any records held which contain the personal information of employees are only dealt with in a manner that directly relates to the employment relationship. That is, any employee records should only be collected, used and disclosed for the purpose of the employment relationship.

Employers should obtain a written consent from prospective employees in relation to the collection, use and disclosure of personal and sensitive information which is obtained during the recruitment process. Employers should consider including such consents in their contracts of employment. Such consents will reduce the likelihood of an employer inadvertently breaching the Privacy Act in relation to information that does not directly relate to the employment relationship.

Further, if the employee records exemption is removed from the Privacy Act, it is likely that employers will be required to obtain consents in relation to the collection, use and disclosure of personal information from all employees.

Broadly speaking, employers should also ensure that they:

understand the legislation regulating the collection and use of personal information as well as access to personal information;
do not assume regulation of privacy in Australia is the same across all jurisdictions;
develop and implement comprehensive policies and procedures regulating the collection, use, disclosure and storage of personal information; and
train employees in the use and handling of personal information in accordance with the law.

Contributed by Corrs Chambers Westgarth
HONG KONG

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

Yes. In Hong Kong, the Personal Data (Privacy) Ordinance ("PDPO") (which was passed in December 1996) regulates, among other things, the collection, holding, use, security, access and correction of personal data of an individual.

Personal data is defined in the PDPO as any data:

relating directly or indirectly to a living individual (e.g. an employee),
from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and
which is in a form in which access to or processing of the data is practicable.

Section 4 of the PDPO states that a data user shall not do an act or engage in a practice that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under the Ordinance. There are 6 data protection principles ("DPP") with which data users (e.g. employers) are required to comply, covering the following areas:

DPP 1: purpose and manner of collection of personal data,
DPP 2: accuracy and duration of retention of personal data,
DPP 3: use of personal data,
DPP 4: security of personal data,
DPP 5: information to be generally available,
DPP 6: access to personal data.

"Data user" is defined as the person who, either jointly or in common with other persons, controls the collection, holding, processing or use of the personal data (e.g. an employer). "Data subject" is basically the individual who is the subject of the data (e.g. the employee).

The Privacy Commissioner for Personal Data (the "Commissioner") has issued a Code of Practice on Human Resource Management (the "Code") in accordance with his powers under the PDPO. The Code came into effect on 1 April 2001 and provides employers with a practical guide to the application of the provisions of the PDPO to employment-related personal data privacy. Where a data user (e.g. employer) fails to comply with the Code, a court or the Administrative Appeals Board is entitled to take that fact into account when deciding whether there has been a breach of the PDPO. Non-compliance with the Code would also weigh against the party concerned in any case under investigation by the Commissioner.

In addition to the Code, on 17 December 2004 the Commissioner issued the Privacy Guidelines: Monitoring and Personal Data Privacy at Work, which provide practical guidance on personal data privacy where employee monitoring is carried out at work resulting in the collection of personal data of employees through telephone monitoring, email monitoring, internet monitoring and video monitoring.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no legal requirement under the PDPO for an employer to provide any particular form of document to an employee before the collection of personal data from an individual. However, there are obligations on an employer to take all practical steps to notify a relevant individual (e.g. job applicant or employee), on or before the collection and use of the individual's employment-related personal data, of certain information. This information includes:

(a) the purpose for which the data are to be used,
(b) the classes of persons to whom the data may be transferred,
(c) whether it is obligatory or voluntary for the individual to supply the data, unless this is obvious from the circumstances, and
(d) (before the use of the personal data) details of the rights of the individual to request access to, and correction of, his personal data and the name and address of the person to whom such request may be made.

The above information is typically set out in a Personal Information Collection Statement ("PICS"). Indeed the Commissioner recommends as a matter of good practice that each employer provides a PICS complying with the notification obligations under the PDPO to each job applicant and employee. The PICS may be attached to, for example, a job application form or incorporated into the body of the job application form itself.

C. For how long must an employer retain an employee's personal data? What is best practice?

The Employment Ordinance ("EO") provides that an employer must keep and maintain a record in which is set out the wage and employment history of each employee covering the period of employment during the preceding 12 months. The EO defines a record to include particulars in relation to each employee of that employee's:

name and identity card number,
commencement date of employment,
job title,
wages paid in respect of each wage period,
wage period,
periods of annual leave (including periods of closure of business or part thereof for the purpose of granting any annual leave), sick leave, maternity leave and holidays to which the employee is entitled and that which has been taken, together with details of payments made in respect of such periods,
amount of any end of year payment payable under the EO and the period to which it relates,
period of notice required for termination of contract, and
date of termination of employment.

The wage record must be kept at the employer's place of business or at the place where the employee is employed and for a period of 12 months after the employee ceases to be employed.

The PDPO provides that only data necessary for an employer to fulfil its contractual and legal obligations should be retained and that personal data shall not be kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is to be used.

As discussed above, the record required to be retained by the EO must be retained for at least 12 months after the employee ceases to be employed. However, in practice, an employer may need to retain certain employee data longer than 12 months because of, for example, the need to respond to a discrimination complaint, which has a 2-year limitation period from the date of the alleged discrimination for commencing court proceedings. In the circumstances, an employer may wish to adopt the following guidelines (which reflect the recommendation of the Code) in relation to the period of document retention:
(i) 2 years in respect of recruitment-related data held about a job applicant from the date of rejecting the applicant,
(ii) 7 years in respect of employment-related data held about an employee from the date the employee leaves employment, unless
(iii) the individual concerned has given express consent for the data to be retained for a longer period, or
(iv) there is a subsisting reason that obliges the employer to retain the data for a longer period. A subsisting reason may be where there is ongoing litigation, where there are contractual obligations on the employer to retain the data or where it is in the public interest (including historical interest) for the data not to be erased.

This would reflect best practice.

D. Can an employer lawfully transfer an employee's personal data outside your jurisdiction?

Yes, provided the employer complies with the DPPs. Employment-related personal data may be transferred outside Hong Kong to, say, an associate of the employer, without seeking the relevant employee's consent provided (among other things) such transfer is for (a) a purpose for which the data were to be used at the time of collection of the data or (b) a purpose directly related to the purpose mentioned in (a). To the extent that the overseas entity may be collecting personal data and is subject to the PDPO, such collection of the data must be adequate but not excessive in relation to the purpose for which the data is collected.

Section 33 of the PDPO contains a prohibition against the transfer of personal data to a place outside Hong Kong except in specified circumstances. However, s.33 has not been gazetted to commence.

E. Can an employer lawfully transfer an employee's personal data to a third party?

Yes, provided the employer complies with the DPPs. Among other things, the employer should ensure that it complies with DPP 3 and that the transfer to the third party falls within the purpose for which the data was collected. The Code recommends that if an employer is required to transfer personal data to a third party (e.g. legal representative or HR consultant) the employer should ensure that the data being transferred is limited to that required for the specific services requested from the third party.

F. What are the consequences of breaching privacy laws in your jurisdiction?

Data subject may make a complaint: A disgruntled officer may make a complaint to the Commissioner. After receiving a complaint and verifying the identity of the complainant, the Commissioner will liaise with the complainant and the party complained against to determine whether on the face of things a case can be established. If so, the Commissioner may try to resolve the dispute through mediation.

Investigation by Commissioner: If the dispute cannot be resolved by mediation, the Commissioner may carry out a formal investigation. If the issue complained about is serious, the Commissioner may skip the mediation process and go straight to an investigation. If the investigation confirms a contravention of the PDPO the Commissioner may serve an enforcement notice which will set out steps that need to be taken.

Enforcement notice: The Commissioner may investigate any allegations of contravention of the PDPO and serve an enforcement notice on the data user prescribing, among other things, remedial action to be taken by the data user.

Criminal liability: A data user who fails to comply with an enforcement notice served on him commits an offence and is liable on conviction to a fine at level 5 (currently HK$50,000) and to imprisonment for 2 years and, in the case of a continuing offence, to a daily penalty of HK$10,000.

Civil liability: In addition to the above, any data subject who suffers damage (including injury to feelings) by reason of a contravention of any requirement under the PDPO (including the contravention of a DPP) by a data user may claim compensation from the data user for the damage.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Employers should familiarise themselves with the DPPs. They should ensure that they have provided the PICS to relevant individuals before collecting personal data from such individuals, and that the various purposes for which personal data may be used by the employer are broad enough to cover the requirements of the employer.

An employer should be aware that an employee can access and obtain a copy of any of the employee's personal data held by the employer (unless an exception applies) by serving a data access request ("DAR") on the employer. Such DARs have become a favourite tactic of aggrieved employees looking to find a lever against their former employer. However, employers are becoming increasingly sophisticated in finding reasons to refuse to comply with such DARs. Therefore, a key issue for any employer is to minimise the creation of personal data, especially in a dispute or potential dispute. So, do not use the employee's name in emails. Train business teams to speak to each other on sensitive issues rather than corresponding by email.

Contributed by Mayer Brown JSM
The Expanded Answer to the Questions by Jurisdiction

INDIA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

There is no law/code on data privacy in India. However, Article 21 of the Indian Constitution guarantees to its citizens the right to life and liberty as a fundamental right. The right to privacy is implied in this right to life and liberty. In addition, the Information Technology Act, 2000 provides for certain aspects pertaining to protection/privacy of electronic data, though it does not particularly deal with employees' personal data.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no legal requirement in India for a company to issue a privacy policy or information collection statement, or to execute an agreement with an employee pertaining to employee data privacy. However, it would be desirable to have such a document.

C. For how long must an employer retain an employee's personal data? What is best practice?

An employer should retain employee personal data for at least 3 years, as the laws on limitation provide that civil legal proceedings may be initiated during such period. However, the (Indian) Income Tax Act, 1961 provides that the Income Tax department may initiate proceedings against a person during any of the 7 assessment years succeeding the relevant assessment year. Companies therefore usually retain financial information, including that relating to employees, for a minimum period of 8 years.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

There is no law restricting the transfer of employees' personal data in India. However, the Indian courts have, in certain cases, imposed restrictions on institutions transferring personal data (relating mainly to medical records) of individuals where the court considered the same to be of a sensitive nature. While none of the judgments pertain to the imposition of restrictions on companies for transfer of employee data, it is possible that in a given situation, transfer of employee data may be restricted on similar grounds. It is therefore advisable that companies enter into comprehensive agreements with the employees to take their consent for any intended transfer of personal data.

E. What are the legal restrictions on transferring employees' personal data to a third party?

Please refer to our answer to question (D) above.

F. What are the consequences of breaching privacy laws in your jurisdiction?

Since there are no specific laws pertaining to data privacy in India, civil action may be initiated only under tort, or for enforcement of the Right to Privacy under the Constitution of India.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

There is no specific legislation in India pertaining to the collection, use and/or handling of employees' personal data. However, there is some protection available under Article 21 of the Constitution of India (Right to Life and Liberty). The courts in India have interpreted the Right to Privacy as part of the broad spectrum of the Right to Life and Liberty. The courts in India have at times imposed restrictions on the transfer of personal data of individuals as a measure to protect the fundamental Right to Life and Liberty. Although such restrictions have been imposed mainly on hospitals transferring medical records of individuals, it is possible that a similar view may be taken in the case of companies which seek to transfer sensitive personal information of their employees. In addition to the above, an employee could also make a claim under tort for disclosure of his/her personal information. Further, an employee may claim under the Information Technology Act, 2000, which extends protection to data in electronic form which is sensitive in nature (as may be notified by the Central Government). In light of the above, it is advisable that the consent of employees be obtained prior to the transfer of any data pertaining to them, to avoid any possible litigation.

Contributed by Trilegal
INDONESIA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

There are no specific Indonesian labor regulations governing the collection, use and/or handling of an employee's personal data, including protection of the privacy of an employee's particulars. However, all persons have a general right to privacy under the Human Rights Law.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data. However, we recommend that the employer include a statement detailing its right to use employees' personal data in the Company Regulation (work rules), which is binding on all employees.

C. For how long must an employer retain an employee's personal data? What is best practice?

The primary regulation on maintaining corporate documents is Law No. 8 of 1997 Regarding Corporate Documents ("Law No. 8"). Manpower laws and regulations do not expressly deal with employee data privacy.

Articles 3 and 4 of Law No. 8 differentiate between (i) financial documents; and (ii) other documents. Financial documents consist of records, bookkeeping documentation, and financial administration supporting data, which evidence the rights, obligations, financial affairs and business activities of a company. Other documents consist of data or any writings containing information having effective value for a company even though not directly related to financial documents.

The Elucidation of Article 4 of Law No. 8 mentions that other documents include minutes of general meetings of shareholders, a company's deed of establishment, other authentic deeds containing specific legal interests, and a company's taxpayer registration number. We note that employee personal data is not expressly mentioned as an example of other documents in the Elucidation. However, it is prudent to treat employee personal data as other documents and to apply the related rules as follows.

Pursuant to Article 11(3) of Law No. 8, the retention term of other documents (i.e. employee files) shall be based on the usage value of such documents. The term shall be determined at the discretion of the Board of Directors.

We note that pursuant to Article 96 of Law No. 13 of 2003 Regarding Manpower, there is a two (2) year limitation period for employee claims. We therefore recommend that employee personal data be retained for at least two (2) years after termination of employment.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

While there is no specific legal restriction, we recommend that the employer's right to do so be set forth in the Company Regulation.

E. What are the legal restrictions on transferring employees' personal data to a third party?

While there is no specific legal restriction, we recommend that the employer's right to do so be set forth in the Company Regulation.

F. What are the consequences of breaching privacy laws in your jurisdiction?

In theory, causes of action may include civil tort, civil or criminal defamation or criminal unpleasant act. We are not aware of any such actions being taken in practice.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Employee personal data should be handled responsibly and not abused in any way, in order to avoid embarrassment or other damages being incurred by the employee which may give rise to the above-mentioned causes of action.

Contributed by Soewito Suhardiman Eddymurthy Kardono
JAPAN

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

Yes. The main sources of obligations with respect to the protection of employees' personal data are the Personal Information Protection Act (Law No. 57 of 2003, as amended) ("PIPA") and the various guidelines issued by government agencies. In particular, the guidelines issued by the Ministry of Health, Labour and Welfare are most relevant to the handling of employees' personal data (the "MHLW Guidelines").

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

Generally, no. However, under the PIPA, upon obtaining personal data of an employee, an employer must promptly either (i) publicly announce the purpose of use of the personal data, or (ii) individually notify the relevant employee of the purpose of use of the personal data (unless such purpose of use has previously been publicly announced). Although it is not a legal requirement that such announcement or notification of the purpose of use be in writing, in practice it is advisable to establish a privacy policy in writing and announce the policy to the employees (in a way easily accessible to the employees, such as posting on an intranet).

Moreover, under the guidelines established by the Ministry of Economy, Trade and Industry, when an employer conducts video or online monitoring of employees, the employer is required to set forth the purpose and the method of implementation of such monitoring in the company rules.

C. For how long must an employer retain an employee's personal data? What is best practice?

An employer is required to retain the workers' register, payroll book, and other important documents relating to hiring, dismissal, occupational accidents, wages and other matters relating to employment for three years (Article 109 of the Labour Standards Act). Separately, the MHLW Guidelines require that employee personal data that is no longer needed in light of the purpose of use should be destroyed or deleted without delay. Accordingly, except for the basic and important information listed in Article 109 of the Labour Standards Act, an employer should destroy or delete an employee's personal data as soon as possible when it is no longer needed.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

No particular restrictions exist when an employer transfers employees' personal data outside Japan so long as the transfer occurs within the same legal entity (i.e. to an overseas office of the same company). However, when an employer transfers employees' personal data to a third party (whether the third party is located inside or outside Japan), the employer must, in principle, obtain the employee's prior consent. See E below for more details. Please note that a parent company or other related company is treated as a third party under the PIPA, and an employer is required to obtain the prior consent of employees when it transfers their data to such overseas parent or related companies.

E. What are the legal restrictions on transferring employees' personal data to a third party?

The employee's prior consent is required to transfer his/her personal data to a third party, except for cases specified under the PIPA, such as when it is legally required or when it is necessary to protect the life, body or assets of a person and it is difficult to obtain the relevant employee's consent.

A third party does not include a contractor retained by an employer to process the personal data of the employees to the extent necessary to achieve the purpose of use. Therefore, an employer is not required to obtain an employee's prior consent when it transfers the employee's personal data to such a contractor.

F. What are the consequences of breaching privacy laws in your jurisdiction?

When there is a breach of the PIPA, the government may issue a recommendation to rectify the breach. If a person fails to comply with the recommendation without due cause, the government may issue an order to comply with it. If the person fails to comply with the order, the person is subject to imprisonment of up to 6 months or a fine of up to JPY$300,000. If an individual who is a representative or employee of a legal entity (e.g. a company) breaches the PIPA in connection with the business of the legal entity, not only shall the individual be punished but the legal entity shall also be subject to a fine of up to JPY$300,000.

If a breach of the PIPA causes any damage, a person responsible for such breach may be liable for the damages resulting therefrom.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Special regulations are stipulated in the MHLW Guidelines regarding the collection, use and handling of health-related information and other sensitive information of employees.

Separately, when an employer conducts background checks on job applicants, it is advisable to obtain written consent from the job applicants for a third-party service provider to supply their personal data to the employer. This is because employers are prohibited from acquiring personal data by fraudulent or dishonest means, which might include a case where a third-party service provider obtains and/or discloses personal information of job applicants without the relevant consent.

Contributed by Anderson Mori & Tomotsune
MAINLAND CHINA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

The Employment Services and Management Regulations (which were issued by the Human Resources and Social Security Ministry and came into force on 1 January 2008) cover this area. The Regulations provide that the employer is obliged to keep confidential the employee's personal data, and has to obtain the employee's written consent if it will publicize any of such personal data. However, there is no definition of personal data, nor any further explanation as to what kind of actions will amount to publicizing. How such Regulations will be enforced in practice is still unclear.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no such legal requirement, although ideally we would recommend that an employer obtain its employees' written agreement for the employer to collect, use and handle their personal data.

C. For how long must an employer retain an employee's personal data? What is best practice?

There are no clear legal provisions regulating how long an employer must retain an employee's personal data. However, it is, in our view, good practice for an employer to keep its employee's personal data for 2 years or more after termination of such employee's employment.

D. Can an employer lawfully transfer an employee's personal data outside your jurisdiction?

Under the Employment Services and Management Regulations, the employer is obliged to keep the employee's personal data confidential, and it has to obtain the employee's written consent if it will publicize any of such personal data. As it is most likely that the transfer of an employee's personal data outside Mainland China will be regarded as publicizing, ideally the employer should obtain the employee's written consent.

E. Can an employer lawfully transfer an employee's personal data to a third party?

Under the Employment Services and Management Regulations, the employer is obliged to keep the employee's personal data confidential, and it has to obtain the employee's written consent if it will publicize any of such personal data. As it is most likely that the transfer of an employee's personal data to a third party will be regarded as publicizing, ideally the employer should obtain the employee's written consent.

F. What are the consequences of breaching privacy laws in your jurisdiction?

Due to the lack of a dedicated privacy law, and of clear consequences for breaching the Employment Services and Management Regulations in relation to privacy, we cannot see any serious consequences in this respect at the moment.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

An employer should keep confidential the employee's personal data, and obtain the employee's written consent if it will publicize any of such personal data.

Contributed by JSM Shanghai Representative Office
MALAYSIA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

There is no specific law/code that regulates the collection, use or handling of an employee's personal data. At present only the Employment Act 1955 contains provisions relating to information regarding employees. The provisions of the Employment Act provide that an employer is to maintain a register with certain information on employees regarding personal details, details of terms and conditions of employment and details of wages and allowances earned during each wage period. Such information must be kept in the office within the place of employment at which the employees are employed. Such information must be available for inspection by the relevant authorities and the employee. These requirements, however, are only applicable to employees covered under the Employment Act 1955.

A recent development in Malaysia is the passing of the Personal Data Protection Bill 2009 by Parliament. However, at present this Bill is not yet in force in the country. Moreover, the Bill applies only to personal data in respect of commercial transactions. Whether the Bill would apply in an employee/employer relationship would largely depend on how widely the term "commercial transaction" is interpreted. In any event, in an abundance of caution, we shall deal with the provisions of the Bill as well.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

At present, none. However, the Personal Data Protection Bill provides that personal information cannot be collected, recorded, held or stored unless the individual who is providing such information gives consent. Furthermore, the data user is required to provide a written notice informing the individual providing the information of, amongst other things, the purpose for which personal data is collected, recorded, held or stored and certain third parties who may have access to the personal information.

C. For how long must an employer retain an employee's personal data? What is best practice?

Section 61(2) of the Employment Act 1955 provides that a register containing information in relation to an employee must be kept and be available for inspection for not less than six years after the recording thereof. The Personal Data Protection Bill provides that personal data collected, recorded, held or stored for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

At present there are none. However, the Personal Data Protection Bill 2009 provides that personal data cannot be transferred outside the jurisdiction. There are a few exceptions, such as where the destination jurisdiction has been exempted by the Act, where the consent of the individual providing the information has been obtained, and where the transfer is necessary for the performance of a contract between the data user and the individual.

E. What are the legal restrictions on transferring employees' personal data to a third party?

At present there are none. The Personal Data Protection Bill provides that personal data can only be transferred to a third party if consent is obtained from the individual providing such information.

F. What are the consequences of breaching privacy laws in your jurisdiction?

At present there are no legal sanctions in place for breaching privacy laws. The Personal Data Protection Bill provides that, in the event personal information is collected or disclosed without consent, a person could be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years, or both. In the event there is a contravention of the principles set out by the Personal Data Protection Bill with regard to collecting, recording, holding or storing of personal information, a data user could be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years, or both.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Ensuring that the register containing information on the employees is kept up to date and ready for inspection pursuant to the Employment Act 1955.

Contributed by Shearn Delamore
The Expanded Answer to the Questions by Jurisdiction NEW ZEALAND A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee s personal data in your jurisdiction? Yes, the Privacy Act 1993 (Privacy Act) is the primary statute governing the collection, storage, security, use and disclosure of personal information in New Zealand. The Office of the Privacy Commissioner also has the power to issue Codes of Practice. These traditionally build on the Privacy Act s existing Information Privacy Principles (IPPs) and are tailored to better reflect the unique privacy requirements of specific areas or industries. Currently, Codes of Practice are in place in the following areas: Credit Reporting Telecommunications Information Health Information Justice (Unique Identifiers) Superannuation Schemes (Unique Identifiers) The Privacy Act applies to all agencies who collect, hold, use or disclose personal information. An agency includes any corporate or unincorporated entity, whether in the private sector or the public sector (with limited exceptions). Personal information is broadly defined in the Privacy Act as information about an identifiable individual. Personal information extends to information that is personal to the individual concerned, in the sense of being private or sensitive. New Zealand B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee s personal data? The Privacy Act does not require an employer to implement any form of written privacy policy; however, it is the 73
NEW ZEALAND New Zealand responsibility of each agency to ensure that there are, within that agency, one or more individuals whose responsibilities include: the encouragement of compliance, by the agency, with the IPPs; dealing with requests made to the agency pursuant to the Privacy Act; working with the Privacy Commissioner in relation to investigations conducted in relation to the agency; and otherwise ensuring compliance by the agency with the provisions of the Privacy Act. However, in order to properly set employees expectations, and assist with ensuring compliance with the Privacy Act, it is generally recommended that employers implement clear policies governing the collection, storage, security, use and disclosure of employees personal information. C. For how long must an employer retain an employee s personal data? What is best practice? IPP 9 provides that personal information collected under the Privacy Act should not be kept for longer than is required for the purposes for which the information may be lawfully used. The emphasis in IPP 9 is on not holding personal information for longer than is necessary. IPP 9 does not require an agency to hold personal information for a fixed period or for any statutory period. Agencies should not hold personal information for longer than is legally permitted. The purpose of the general wording is not to intrude on internal management or agency record keeping, but to encourage rethinking of how long it is really necessary to keep personal information. 74 Employee Data Privacy in Asia
In most cases there is no legal limit, and therefore most personal information may be retained indefinitely. However, the law requires that some personal information must be kept for specified periods of time. For example, tax/paye records must be kept for at least seven years, and wages and time records must be kept for at least six years. Whether, and for how long, other personal information should be retained is a matter within the discretion of each agency. IPP 9 does not require an individual s permission before any decision is made to retain or destroy personal information relating to them. However, details of the length that an agency intends holding information before destruction should be provided to employees before the information is collected, in accordance with the wider obligations under the Privacy Act. The obligations imposed on agencies by IPP 8 (requiring accuracy of personal information) before using such information are also relevant. As a matter of best practice, agencies should undertake regular internal audits of employee personal information held by them to determine its accuracy and whether retention is necessary. New Zealand D. What are the legal restrictions on transferring employees personal data outside your jurisdiction? The Privacy Act does not contain specific restrictions on the transfer of personal information to third parties or overseas. However, the IPPs relating to access and correction of personal information, storage, security, retention, use and disclosure will extend to the personal information held by an agency outside of New Zealand (subject to any laws that would apply in the jurisdiction in which the personal information is held). Accordingly, an agency will need to ensure that the personal information it provides to any overseas agencies or any other third party overseas, to store or use on its behalf, is handled in accordance with the requirements of the Privacy Act. 
For example, to ensure compliance with IPP 3, an agency 75
New Zealand must, among other things, ensure that individuals are made aware of all intended recipients of their personal information at that time it is collected. If individuals are not provided with these details at the time the information is collected, they will need to specifically consent to the transfer of their personal information. The Privacy (Cross-border Information) Amendment Act establishes a mechanism for controlling the transfer of information that has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated. E. What are the legal restrictions on transferring employees personal data to a third party? New Zealand There is no specific restriction on the transfer of personal information to third parties. Rather, to ensure compliance with IPP 3, an agency must, amongst other things, ensure that individuals are made aware of all intended recipients of their personal information at the time it is collected. If individuals are not provided with these details at the time that the information is collected (under IPP 3), they will need to specifically consent to the transfer of their personal information (under IPPs 10 and 11). F. What are the consequences of breaching privacy laws in your jurisdiction? Privacy Commissioner An individual who believes there has been an interference with his or her privacy may lodge a complaint with the Privacy Commissioner. The Privacy Commissioner can investigate any action that appears to be an interference with the privacy of an individual on receipt of such a complaint, or on his or her own initiative. 76 Employee Data Privacy in Asia
The Expanded Answer to the Questions by Jurisdiction When a complaint is received, the Privacy Commissioner has a discretion whether or not to take any action on the complaint in certain circumstances, including where a complaint is trivial, frivolous or vexatious or not made in good faith. The Privacy Commissioner also has a discretion to decide not to take any further action on a complaint if it appears during the course of an investigation that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate. The Privacy Commissioner can, where he or she considers it appropriate, refer a complaint, or part of a complaint, to an Ombudsman, the Health and Disability Commissioner or the Inspector-General of Intelligence and Security. The Privacy Commissioner s powers after investigating a complaint are limited to the issuing of non-binding recommendations. However, the Privacy Commissioner may refer the matter to the Director of Human Rights Proceedings, who in turn will have the discretion to determine whether or not to institute proceedings before the Human Rights Review Tribunal. New Zealand Human Rights Review Tribunal Where any proceedings are commenced before the Human Rights Review Tribunal, the remedies that may be sought include: a declaration that the action of the defendant is an interference with the privacy of an individual; an order restraining the defendant from continuing or repeating the interference, or from engaging in, or causing or permitting others to engage in, conduct of the same kind as that constituting the interference, or conduct of any similar kind specified in the order. 77
New Zealand Damages for: pecuniary loss; loss of any benefit (whether or not of a monetary kind); humiliation, loss of dignity or injury to feelings of the aggrieved individual (up to a maximum of NZ$200,000, although damages awards greater than NZ$10,000 are rare); an order that the defendant take specified remedial action; or such other relief as the Human Rights Review Tribunal thinks fit. New Zealand Administrative Penalties A person commits an offence, and is liable on summary conviction for a fine not exceeding NZ$2,000, who: without reasonable excuse, obstructs, hinders, or resists the Privacy Commissioner or any other person in the exercise of their powers under the Privacy Act; without reasonable excuse, refuses or fails to comply with any lawful requirement of the Commissioner or any other person under the Privacy Act; makes any other statement or gives any information to the Commissioner or any other person exercising powers under the Privacy Act, knowing that the statement or information is false or misleading; or represents directly or indirectly that he or she holds any authority under the Privacy Act when he or she does not hold that authority. 78 Employee Data Privacy in Asia
The Expanded Answer to the Questions by Jurisdiction G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee s personal data? One of the main areas where breaches are commonly established is in relation to an agency s failure to provide access to personal information (or to make a decision on such access) within the statutory time frame of 20 working days, and the improper withholding of access. There are only limited reasons for withholding access to an individual s personal information, including where the information is not readily retrievable or where the information is evaluative material. Evaluative material is defined as evaluative or opinion material compiled for the purpose of determining the suitability, eligibility, or qualifications of an individual for employment, promotion or continuance in employment, or removal from employment. This exception only applies to personal information or other material provided to an agency on the basis that the material and the identity of the supplier would be held in confidence. The failure to notify an individual in accordance with IPP 3 of various factors relating to the collection of their personal information is another common issue. IPP 3 requires agencies collecting personal information directly from the individual concerned to take reasonable steps to make the person aware of the fact of collection and its purpose, the proposed dissemination of the information, the identity and address of the agency or agencies collecting and holding the information and their statutory authority (if any), the consequences of refusal to provide information and whether providing it is mandatory, and the individual s rights of access to and correction of information under the Privacy Act. 
Other common pitfalls are the use of personal information for a purpose or purposes other than that for which it was originally obtained, and the improper disclosure of personal information. IPP 10 of the Act prevents the use of personal information obtained for one purpose for any other purpose. There are, however, a number of exceptions to this rule. The most important is that information obtained for one purpose can be used for a purpose that the agency believes is directly related to that purpose. IPP 11 limits the disclosure of personal information to any other person, body or agency. There are also exceptions to this, including where the agency believes the proposed disclosure is one of the purposes for which the information was obtained, the proposed disclosure is directly related to the original purpose of collection, or the agency is authorised to make the disclosure by law.

Contributed by Simpson Grierson, New Zealand

Phillipa Muir, Partner, Simpson Grierson
T: +64 9 977 5071 F: +64 9 977 5083 E: phillipa.muir@simpsongrierson.com

Carl Blake, Senior Associate, Simpson Grierson
T: +64 9 977 5163 F: +64 9 977 5083 E: carl.blake@simpsongrierson.com
PAKISTAN

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

Presently there is no statutory law, regulation or code which deals with the collection, use and/or handling of an employee's personal data in Pakistan. However, all employers normally require personal data of their employees for security and cross-reference reasons. Moreover, the employee's name, Computerised National Identity Card (CNIC) number and address are also used for filing annual returns. The general principles of the law of torts will apply, but they do not require any strict compliance, and lack of malice on the part of an employer in collecting, storing and disclosing personal data of an employee will be a sufficient defence to any potential action against the employer. Such an action, though a possibility, is seldom brought.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no legal requirement to have a document to deal with the employee's personal data.

C. For how long must an employer retain an employee's personal data? What is best practice?

There is no legal requirement as to how long an employer must hold an employee's personal data. Employers generally hold an employee's data for a couple of years as a cross-reference and for their own records.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

There are no legal restrictions on transferring an employee's personal data outside Pakistan.
E. What are the legal restrictions on transferring employees' personal data to a third party?

As stated earlier, there is presently no statutory law which deals with, controls or regulates the collection, use and handling of employees' personal data in Pakistan; therefore, there is no legal restriction on transferring an employee's personal data to a third party. There is one exception: if the employee and employer have entered into a confidentiality agreement, then both parties are governed by the terms of that agreement.

F. What are the consequences of breaching privacy laws in your jurisdiction?

There are no privacy laws in Pakistan; therefore, the occasion of their breach cannot arise. However, if a privacy agreement is breached, a suit (civil action) for damages can be filed under the law of contract.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Presently, the absence of laws regarding employees' personal data is the main drawback in Pakistan. However, if personal data disclosed to a third party proves to be incorrect, a suit for damages can be filed under the law of torts. This rarely occurs but remains a possibility.

Contributed by Meer & Hasan
PHILIPPINES

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

There is no specific law that regulates the collection, use and/or handling of an employee's personal data in the Philippines. There are, however, several laws that protect an individual's right to privacy and that apply to the collection, use and/or handling of personal data (including employee personal data). Among these statutes are: (1) the Philippine Constitution, (2) the Civil Code of the Philippines (the "Civil Code") and (3) the Anti-Wiretapping Law, to name a few.

The right to privacy is a constitutionally protected right under Philippine law. The 1987 Philippine Constitution, Article III, Section 3 provides that: (1) the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law; and (2) any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding.

It must be noted that the rights enshrined in the Constitution are directed against abusive government action and are not intended to govern the relationship between private individuals. Nevertheless, in the event that a private individual violates this constitutional right, such person shall be liable for damages under Article 32 of the Civil Code, which states that any public officer or employee, or any private individual, who directly or indirectly obstructs, defeats, violates or in any manner impedes or impairs the right to privacy of communication and correspondence of another person shall be liable for damages.

There are also other Civil Code provisions that govern human relations and require the exercise of prudence in dealing with the affairs of another person, which can include the collection and maintenance of an employee's personal data. Article 19 states that every person must, in the exercise of his rights and in the performance of his duties, act with justice, give everyone his due, and observe honesty and good faith. Article 26 of the Civil Code also provides that every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons. The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief: (1) prying into the privacy of another's residence; (2) meddling with or disturbing the private life or family relations of another; (3) intriguing to cause another to be alienated from his friends; and (4) vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect or other personal condition.

Republic Act No. 4200, otherwise known as the Anti-Wiretapping Law, prohibits any person from tapping, recording or possessing a recording of any private communication or spoken word through the use of any device commonly used for such purpose, unless all the parties give their consent. With respect to certain information, like bank deposits or access devices (e.g. card, personal identification number, electronic serial number or any other means of account access), special laws prohibit the disclosure of information unless authorized by the account or device holder.

The cornerstone of the Philippine regulatory structure with respect to the exercise of the right to privacy is the "reasonable expectation of privacy" test.[2] As discussed by the Supreme Court of the Philippines, an individual possesses an expectation of privacy where it is established that (1) he has, by his conduct, exhibited an expectation of privacy and (2) the expectation is one that society recognizes as reasonable. Thus, in any circumstance where an individual has disclosed information only for specified purposes and not intended to be made public (e.g. employment applications, employee information), any disclosure of such information will be seen as violating the reasonable expectation of privacy of that individual. Applying the foregoing to the information held by employers, it is arguable that an employer is mandated to keep confidential the employee data that comes into its possession.

For purposes of regulating personal data in any information and communication system,[3] the Department of Trade and Industry issued Administrative Order No. 08-06 dated July 21, 2006, captioned "Prescribing Guidelines for the Protection of Personal Data in Information and Communications System in the Private Sector" (the "Personal Data Protection Guidelines"). These guidelines also regulate the collection, use and/or handling of an employee's personal data that is processed in any information and communication system.

[2] Blas F. Ople vs. Ruben D. Torres et al., G.R. No. 127685, July 23, 1998.
[3] The Guidelines define an Information and Communication System as a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents, and include the computer system or other similar device by or in which data is recorded or stored and any procedures related to the recording or storage of electronic data messages or electronic documents.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no Philippine data protection law that categorically requires that there be a document setting out the manner for the collection, use and/or handling of an employee's personal data (e.g. a privacy policy or privacy statement). The Personal Data Protection Guidelines in fact provide that personal data processing (including processing by an employer) is permitted (a) if not otherwise prescribed by law, and (b) where any of the following conditions exist: (i) the employee gives unambiguous consent; (ii) data processing results from the contractual obligations of the data subject; (iii) data processing will enable the employer (as data controller) to perform its lawful obligations as intended by the parties; or (iv) data processing is necessary to protect the vital interests of the employee.

The foregoing cases that warrant the handling of personal data (including employee personal data) show that a written document is not legally required in all cases before an employer may collect, use and/or handle an employee's personal data. The employer may, nonetheless, opt to advise the employee or furnish him a copy of a written document indicating the company's policy regarding data management. Except where data processing falls under cases (ii) to (iv) above, employee consent is required before any processing of his personal data is undertaken.

Although the Personal Data Protection Guidelines adopt directory (as opposed to mandatory) rules, entities in the private sector are encouraged to adopt privacy policies consistent with them. This is because, while the Personal Data Protection Guidelines do not prescribe penalties for non-compliance, they create a Privacy Complaints Office where complainants can report complaints related to personal data privacy violations under the guidelines, and which will assist complainants to file their complaints in the proper venue.

C. For how long must an employer retain an employee's personal data? What is best practice?

There is no fixed period set by law that limits the time during which an employee's personal data may be stored. The Personal Data Protection Guidelines, however, prescribe that personal data (including employee personal data) may be stored and used only for as long as is necessary to achieve the purpose for which it was processed. Thereafter, personal data shall either be deleted or blocked once the purpose for retention has been achieved, unless otherwise stipulated in acts on individual types of personal data. We are not aware of any best practice on the length of time for retaining employee personal data.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

The transfer of employees' personal data to another jurisdiction is limited by the requirement of good faith or the existence of a legitimate business purpose, as when there is a regular exchange of information between a parent company and its subsidiary. Certain types of data, like bank deposits and other information disclosed under circumstances which, through the employee's conduct, show a reasonable expectation of privacy, cannot be indiscriminately transferred and subjected to the control of another jurisdiction without the consent of the individual concerned. The discussion in Question E below is also relevant where the transfer of employee personal data is to a third party outside Philippine jurisdiction.

E. What are the legal restrictions on transferring employees' personal data to a third party?

If the information was disclosed when there was a reasonable expectation of privacy on the part of the person making the disclosure, and this expectation is regarded by society as reasonable, then any attempt to transfer that personal data to a third party can lead to a violation of the individual's right to privacy. Accordingly, this cannot be done unless the party who disclosed the information gives his consent.
Nevertheless, in an employer-employee relationship there may be certain work-related data that does not elicit any reasonable expectation of privacy on the part of the employee (e.g. attendance records, compliance with government-mandated salary deductions, etc.). These types of information may be transferred to third parties, subject only to the limitation that the disclosure is made for a legitimate purpose and that there was no intention to interfere with, meddle in or violate a person's right to privacy.

However, where an employer (the data controller) will disclose employee personal data to a third-party data processor (who is not an employee of the data controller), the Personal Data Protection Guidelines require, before the employer may entrust the personal data, that (i) there be a written contract between the data processor and the data controller and (ii) the personal data be processed only within the scope and in accordance with the purpose specified in the contract.

F. What are the consequences of breaching privacy laws in your jurisdiction?

If the right to privacy is breached, the injured party may file a civil action for damages against the party who committed the violation. The party who filed the suit may be awarded actual damages, moral damages, exemplary damages and attorney's fees, depending on the circumstances of the case. If the cause of action is anchored on Article 32 of the Civil Code, which is an independent civil action, the proceedings may proceed independently of any criminal action that may also have been filed (e.g. for violation of the Anti-Wiretapping Law). The injured party, however, may not recover damages twice for the same act.

Violation of special laws like the Anti-Wiretapping Law also gives rise to criminal liability on the part of the wrongdoer.
If convicted, the accused shall suffer the penalty of imprisonment. If the offender is an alien, he shall be subject to deportation proceedings. Additionally, any communication obtained in violation of this law shall be inadmissible as evidence in any judicial, quasi-judicial, legislative or administrative hearing or investigation.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

There is no specific law that deals squarely with the management of an employee's personal data. Notwithstanding this, an employer must act with discretion because the employee is protected by the broader concept of the right to privacy. Information gathered from or about an employee on account of his employment, whether the employment relationship is prospective, current or already severed, is not simply a matter of labor and management relations. The employer must be guided by good faith considerations in assessing the privacy risks that come with the use of an individual's personal data.

Contributed by SyCip Salazar Hernandez & Gatmaitan
SINGAPORE

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

The right to privacy is not guaranteed by the Singapore Constitution, and there is no general data protection law or privacy law in Singapore. In particular, there is no legislation in Singapore that regulates the privacy of the personal data of employees. There is also no strict prohibition on transferring employee information outside Singapore, or on operating information-gathering websites or information-gathering software on servers located outside Singapore.

However, there are statutes that regulate the collection, processing and storage of employee data by the employer for specified regulatory purposes, such as the Employment Act (Cap 91), the Income Tax Act and the Central Provident Fund Act (Cap 36), or that touch on the processing of personal data in general, such as the Info-Communications Development Authority of Singapore Act, the Electronic Transactions Act and the Computer Misuse Act. The following paragraphs expand on each of the relevant statutes.

Employment Act
The Employment Act requires an employer to maintain a register of its employees showing the name, address, basic rate of pay and allowances, and the amount earned as well as the amount of deductions made from the earnings of each employee. Similarly, an employer is also required to maintain a record at the workplace showing the basic rate of pay and allowances of all workmen, including the amount earned and the deductions made from each workman's salary.

Computer Misuse Act
The Computer Misuse Act ("CMA") prohibits the unauthorised interception of computer communications and unauthorised access to data. Data is defined by the CMA as representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer. Unauthorised access to data is punishable under the CMA by imprisonment or a fine, or both. Under the CMA, the personal information of an employee may contain data or may itself be considered data, which cannot be accessed without permission. Employers should ensure that any personal information belonging to the employee is collected only after the employee's permission for collecting the relevant data has been secured. In that context, it is advisable to secure such permission by including a clause to that effect in the employment agreement or in a staff handbook that is incorporated into the employment agreement.

Income Tax Act
The Inland Revenue Authority of Singapore ("IRAS") requires all employers to keep proper records of all employees' income and deductions that are submitted to the IRAS. The employer must make such information available to the IRAS for inspection if requested. This is a statutory right and no agreement or permission of the employee is needed.

Central Provident Fund Act
The CPF Act requires employers to provide to the CPF Board, or to an inspector appointed by the Board, upon request, employee records pertaining to any payments made for that employee. This is a statutory right and no agreement or permission of the employee is needed.

Model Data Protection Code
The National Internet Advisory Committee ("NIAC") issued a Model Data Protection Code ("MDPC") for the private sector in December 2002. The MDPC regulates the collection, storage, use and dissemination of personal information and is based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Although the MDPC applies to any private sector organisation that collects and stores personal data in electronic form, it is only a guideline and is not mandatory.

Common Law
Finally, it should be noted that confidential information may be protected under a duty of confidence, which provides that confidential information acquired must not be disclosed except as required by law. However, if the person providing the confidential information gives his consent to disclosure freely and without duress, such consent will preclude any claim under this heading at common law.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

There is no legal requirement to have documentation that sets out the company's policy on an employee's privacy or on the collection, storage and/or processing of employee information. However, we recommend that a clause to this effect be included in the employment agreement or in an employee handbook that is incorporated into the employment agreement.

C. For how long must an employer retain an employee's personal data? What is best practice?

There is legislation that provides guidance, directly or obliquely, on how long employee records must be retained by the company. Although no time period is spelled out in the Employment Act as to how long the information must be held, this is typically taken to be seven years, given the laws relating to limitation. Please note that the Employment Act only applies to certain classes of employees and generally does not cover managerial or executive employees. For those employees, retention will be regulated by contract, although we would recommend seven years given the limitation laws.

The IRAS also requires all employers to keep proper records of all employees' income and deductions submitted to the IRAS for five years. This requirement applies to information from Year of Assessment 2008 onwards; for information relating to Years of Assessment prior to 2008, employers are required to keep records for seven years. We therefore recommend that all relevant employee information be kept on file for seven years to ensure full compliance.

Under Rule 11 of the CPF Rules made under the CPF Act, an employer shall retain all records of payments issued by the CPF Board for a period of not less than two years from the date on which they were issued, and shall during that period make them available for inspection by any inspector appointed by the Board.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

There are no legal restrictions on transferring employee data outside the jurisdiction. Nevertheless, we recommend that a clause permitting such transfers be included in the employment agreement or in an employee handbook that is incorporated into the employment agreement.

However, please note that the Banking Act prohibits the disclosure of customer information by a bank, and such disclosure is permitted only under the specific circumstances prescribed in the Banking Act. In particular, the Monetary Authority of Singapore places various restrictions on outsourcing any functions that may involve the transfer of customer information to third parties. If such outsourcing will involve the transfer of customer information, banks are required to perform thorough due diligence on the appointed outsourcing company, ensure that the outsourcing agreement has provisions on protecting customer information, etc.

E. What are the legal restrictions on transferring employees' personal data to a third party?

There are no legal restrictions on transferring employee data to a third party. Nevertheless, we recommend that a clause permitting such transfers be included in the employment agreement or in an employee handbook that is incorporated into the employment agreement. As stated in paragraph D above, if an outsourcing arrangement will involve the transfer of customer information, banks are required to perform thorough due diligence on the appointed outsourcing company, ensure that the outsourcing agreement has provisions on protecting customer information, etc.

F. What are the consequences of breaching privacy laws in your jurisdiction?

There is no overarching privacy law in Singapore, in particular with respect to employee data. However, the CMA provides that any person who gains unauthorised access to data shall be liable, on conviction, to a fine not exceeding S$5,000 or imprisonment for no more than 2 years, or both, for a first offence. In the case of a second or subsequent conviction, the penalty increases to a maximum fine of S$10,000 or imprisonment for no more than 3 years, or both.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Although there is no overarching legislation on privacy or the collection of employee data, there is legislation that regulates the collection of employee information in Singapore. Employers should ensure that their business is in compliance with the various regulatory requirements. Further, given the lack of statutory instruments that regulate employee privacy in particular, we recommend that employment agreements include provisions that permit the employer to collect, store, process and share employees' personal information.

Contributed by Rajah & Tann
SOUTH KOREA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

Korea does not yet have laws or provisions that specifically regulate the collection, use and/or handling of an employee's personal data. However, the data privacy of an employee is protected under more general laws ranging from the Korean Constitution and the Civil and Criminal Codes to specialised laws for the protection of electronically transmitted information and communications and of credit information, depending on the circumstances.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

While there is no legal requirement to have a document dealing specifically with the employee's personal data, it is advisable to obtain explicit consent from the employee(s) concerned, or at least to have a general policy, to minimise the creation of a reasonable expectation of privacy regarding personal data given to the employer.

C. For how long must an employer retain an employee's personal data? What is best practice?

The Korean Labor Standards Act specifically requires the employer to preserve important documents regarding the employment contract for three (3) years.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

To the extent that transferring employees' personal data outside Korea may violate an employee's right to privacy, such a transfer may be prohibited under the general theory of tort (i.e. infringement of privacy). It is therefore advisable to obtain the employee's explicit consent to the transfer.
E. What are the legal restrictions on transferring employees' personal data to a third party?

To the extent that transferring employees' personal data to a third party may violate an employee's right to privacy, such a transfer may be prohibited under the general theory of tort (i.e. infringement of privacy). It is therefore advisable to obtain the employee's explicit consent to the transfer.

F. What are the consequences of breaching privacy laws in your jurisdiction?

Depending on the characterisation of the breach, consequences may include civil and/or criminal liability. More specifically, criminal liability may arise if (i) the employee-related information concerned is also information deemed to be personal credit information under the Protection of Credit Information Act ("PCIA") and (ii) such information is transferred to a third party or used beyond the original purposes for which it was obtained.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Even though there is no law or regulation governing the protection of employee data specifically, there is a possibility that the PCIA may apply depending upon the circumstances (e.g. where the employee's personal information is combined with other information regarding his/her creditworthiness and financial status). In such a case, the collection and transfer of such information may be subject to the restrictions under the PCIA.

Contributed by Kim & Chang
SRI LANKA

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

No.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

No.

C. For how long must an employer retain an employee's personal data? What is best practice?

In terms of the Shop and Office Employees (Regulation of Employment and Remuneration) Act, as amended, and the regulations gazetted thereunder, an employer is required to maintain in respect of each employee certain records, including:
- a remuneration record
- a service record
- a time and leave record
- records in respect of deductions from salary

Such records are required to contain certain particulars which include personal data such as the name of the employee, age, civil status, sex and race, as applicable. Records must be preserved for a minimum period of four years, except for service records, which are required to be kept for a minimum of two years. It should however be noted that the actionable period for all prosecutions is six years from the commission of the offence. Therefore, if a dispute in relation to any of the above records were to arise within the actionable period but after the records have been disposed of, an employer could find it difficult to justify its position without the records, and it is therefore advisable for an employer to preserve records for a period of six years.

In terms of the Wages Boards Ordinance, the employer of workers in any trade for which a Wages Board is established is required, in respect of each wage period, to maintain and keep in the premises in which that trade is carried on one or more registers showing certain particulars, including the name and sex of each worker. Such registers must be preserved for a period of four years. The Ordinance also, in certain circumstances, contains a general requirement for the employer of workers in any trade to maintain and keep a clear and accurate record in writing (a wages record) in respect of each wage period of such workers, specifying certain particulars including the names of the workers, and to preserve such record for a period of four years.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

No specific statutory provision.

E. What are the legal restrictions on transferring employees' personal data to a third party?

No specific statutory provision. It would nonetheless be prudent to include a provision in the contract of employment by which the employee expressly consents to the transfer of personal data outside Sri Lanka or to a third party.

F. What are the consequences of breaching privacy laws in your jurisdiction?

Not applicable. Damages might lie in the event of success in an action for breach of privacy based on the actio injuriarum.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Not applicable.

Contributed by John Wilson Partners
The Expanded Answer to the Questions by Jurisdiction

TAIWAN

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

In Taiwan, an employer's collection, use and/or handling of an employee's personal data is mainly regulated by the Computer-Processed Personal Data Protection Act (the "CPDPA"). However, the CPDPA governs only computer-processed personal data and not other forms of personal data. Further, apart from public sector employers, the CPDPA governs only private sector employers in eight specific industries, i.e. the credit investigation industry; any group or individual whose business is mainly to collect or computer-process personal data; hospitals; schools; the telecommunications industry; the financial industry; the securities industry; the insurance industry; the mass media industry; and any other enterprises, groups or individuals designated by the Ministry of Justice of the Republic of China (the "ROC") and the central competent authority (collectively known as the "Eight Major Industries" in Taiwan).

Under the CPDPA, before collecting and processing personal data through computers, an employer in one of the Eight Major Industries must register with and apply for a permit from the competent authority, must fulfil the specific purposes prescribed in "The Specific Purpose and the Types of Personal Data in CPDPA", and must meet one of the listed circumstances (such as the employees' written consent) before obtaining its employees' personal data. Moreover, all employers, regardless of whether they are covered by the CPDPA, may only process and disclose employees' personal data with justifiable reasons. An employer found to have unlawfully processed or disclosed its employees' personal data may be liable for violating the employees' privacy under the Criminal Code and may also be civilly liable under the law of tort.

It is worth noting that the Personal Data Protection Act (the "PDPA"), passed on April 27, 2010, will replace the CPDPA and will expand an individual's right of privacy after its effective date (currently unknown), which is to be published by the Executive Yuan of the ROC. The PDPA, in a nutshell, governs personal data collected, used and/or handled by any public or private sector entity. In other words, once the PDPA takes effect, all employers, regardless of whether they fall within one of the Eight Major Industries, will be subject to the PDPA, and all personal data, regardless of whether it is computer-processed, will be governed by it. Moreover, the PDPA distinguishes sensitive data (as described in C. below, the collection, handling or use of which is prohibited in general) from other personal data, and no longer requires prior registration with, or a permit from, the competent authority for the collection of personal data.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

CPDPA

There is no legal requirement to have a document, such as a privacy policy, to deal with the use of an employee's personal data. However, the CPDPA requires a private sector employer to prepare a book listing certain information, as stated below, for employees to inspect and review. As mentioned in A. above, a private sector employer is required to register with and apply for a permit from the competent authority before collecting and processing its employees' personal data through computers. The CPDPA further provides that the employer shall list the following information in the application for such registration:
(i) the employer's name and address;
(ii) the file name of the employees' personal data;
(iii) the specific purposes for obtaining such personal data;
(iv) the types of personal data;
(v) the scope of the personal data;
(vi) the period for retaining the personal data;
(vii) the method used to collect the personal data;
(viii) the scope of use of the personal data;
(ix) the direct recipient of any international transmission of the personal data;
(x) the name of the person in charge of maintaining the personal data; and
(xi) the safeguard plan for maintaining the personal data.

Once such registration is approved by the authority, the information in items (i) to (x) must not only be published by the employer in a government gazette and in a local newspaper, but also compiled by the employer in a book for employees to inspect and review.

PDPA

There is no legal requirement to have a document, such as a privacy policy, to deal with the use of an employee's personal data. However, the PDPA requires a private sector employer to make an employee's collected personal data available to that employee for inspection and review, or to provide a duplicate of such personal data upon the employee's request, subject to certain exceptions such as national security concerns. In addition, the PDPA imposes a new obligation on a private sector employer to specifically notify an employee of certain information, as stated below, when the employer collects the employee's non-sensitive personal data (namely personal data other than the sensitive data described in C. below) from him or her directly or indirectly.

According to Article 8 of the PDPA, when a private sector employer collects an employee's non-sensitive personal data for a specific purpose directly from the employee under one of the circumstances prescribed in Article 19 of the PDPA (i.e. circumstances explicitly required by law; a contractual relationship, or a relationship similar to that between employer and employee; personal data published by the employee himself/herself or published in accordance with law; the employee's written consent; personal data relating to the public interest; generally accessible personal data; etc.), the employee shall be explicitly notified of the following information:
1. the name of the private sector employer;
2. the purpose of collection;
3. the types of personal data;
4. the time period, area and manner in which the personal data is to be used, and the person(s) to whom the personal data is to be transferred;
5. the employee's rights in respect of his/her personal data under Article 3 of the PDPA, and the manner of exercising them, which may not be waived or otherwise restricted in advance, namely the rights to inspect, inquire about or view the data, to request a duplicate, to request supplementation or correction, to request discontinuance of collection, handling or use, and to request deletion; and
6. the fact that the employee has the option of not providing his/her personal data, and the consequences if the employee chooses not to provide it.

However, the requirement to explicitly notify the employee of the above information may be exempted in any of the following circumstances:
(i) such notification is not required by law;
(ii) it is necessary for the employer to perform its statutory obligations;
(iii) the notification would undermine a public sector body's performance of its statutory duty;
(iv) the notification would undermine a third party's substantial interests; or
(v) the employee should already have known the content of the notification.
On the other hand, according to Article 9 of the PDPA, when a private sector employer collects an employee's non-sensitive personal data for a specific purpose from a third party under the circumstances enumerated in Article 19, then before handling or using such personal data it must notify the employee not only of items 1. to 5. of the six types of information listed above, but also of the source from which the personal data was obtained, subject to certain exceptions such as personal data collected by mass media enterprises for the purposes of the public interest and news dissemination.

C. For how long must an employer retain an employee's personal data? What is best practice?

CPDPA

The CPDPA does not itself prescribe the period for which an employer may retain an employee's personal data. However, as stated in B. above, the employer is required to specify the retention period when it applies to register its collection and processing of personal data, and if the application is approved, the employer must follow the period approved.

PDPA

Under the PDPA, an employer may in general retain an employee's personal data for as long as any of the specific purposes continues to exist or the retention period has not expired. According to Article 11.3 of the PDPA, once the employer no longer needs the personal data for the specific purpose, or the period for collecting the personal data has expired, the employer shall, of its own motion or upon the employee's request, delete the personal data or discontinue handling or using it. However, where retention is necessary for the performance of the employer's business, or the employee has consented in writing, the employer may still retain, handle or use such personal data.

As such, under the PDPA, the best practice for retaining, handling or using an employee's personal data after the purpose for collecting it has ceased to exist, or after the collection period has expired, is to have the employee specifically consent to such retention in a written agreement.

Further, it is worth noting that under Article 6 of the PDPA, if an employee's personal data is sensitive data, i.e. data relating to medical treatment, genes, sexual life, health examinations or criminal records, the employer shall not collect, handle or use such data, subject to enumerated exceptions, i.e. circumstances explicitly required by law; personal data published by the employee himself/herself or published in accordance with law; necessity for the employer to perform its statutory obligations, with appropriate safeguard measures; etc.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

CPDPA

Under the CPDPA, a private sector employer shall not transfer its employees' personal data outside Taiwan without first registering with, and applying to, the competent authority for its approval.

PDPA

Under the PDPA, "international transfer" is defined as transferring personal data for cross-border handling or use. Moreover, according to Article 21 of the PDPA (which makes only minor wording revisions to the corresponding article of the CPDPA), the central competent authority may restrict an employer's international transfer of employees' personal data in any of the following circumstances:
1. substantial interests of the nation are involved;
2. international treaties or agreements so provide;
3. the country to which the personal data is transferred lacks robust laws and regulations to protect personal data, such that the employees' rights are likely to be infringed; or
4. the employees' personal data is transferred to a third country/region in order to circumvent the application of the PDPA.

E. What are the legal restrictions on transferring employees' personal data to a third party?

CPDPA

Under the CPDPA, which does not distinguish sensitive personal data from other personal data, a private sector employer shall use employees' personal data, including by transferring it to a third party, only within the scope of the specific purposes approved by the authority, subject to the following exceptions:
1. enhancing the public interest;
2. preventing clear and present danger to the employees' lives, bodies, freedom or property;
3. preventing substantial infringement of others' rights, where necessary; or
4. the employees' written consent.

PDPA

Under the PDPA, for sensitive personal data, as stated in C. above, an employer shall not collect, handle or use such data, subject to certain exceptions. For personal data other than sensitive data ("non-sensitive personal data"), pursuant to Article 20.1 of the PDPA, an employer's use of employees' non-sensitive personal data, including transferring it to a third party, is allowed in principle but limited to the scope of the specific purposes of collection. Thus, if the specific purposes for collecting employees' personal data do not include transferring such data to a third party, such transfer is not allowed. However, if any of the following circumstances is met, non-sensitive personal data may still be used or transferred to a third party even though such transfer is beyond the scope of the specific purposes:
1. circumstances explicitly required by law;
2. enhancing the public interest;
3. preventing danger to the employees' lives, bodies, freedom or property;
4. preventing substantial infringement of others' rights;
5. where necessary for the statistical or academic research of public sector bodies or institutes in the public interest, provided that the employees whose personal data is provided or disclosed by the employer cannot be identified; or
6. the employees' written consent.

F. What are the consequences of breaching privacy laws in your jurisdiction?

Under both the CPDPA and the PDPA, an employer who violates their provisions may be subject to civil, criminal and/or administrative liability. In relation to civil liability, whereas the CPDPA provides that employees may claim damages of up to NT$20 million arising out of the same occurrence against an employer in violation of the CPDPA, the PDPA increases the maximum claim arising out of the same occurrence to NT$200 million.
Moreover, the PDPA additionally provides that a foundation or non-profit organization may file a class action on behalf of employees whose privacy rights are violated by their employer.

As for criminal liability, an employer who, with intent to profit, collects, handles or uses computer-processed personal data in violation of the CPDPA may be punished with imprisonment for not more than two years, detention, and/or a fine of not more than NT$40,000. Further, a prosecutor shall not initiate an investigation into the crimes provided for under the CPDPA without receiving a complaint from the employee/victim. The PDPA increases the penalty for such violations to imprisonment for not more than five years, detention, and/or a fine of not more than NT$1 million. Further, under the PDPA, an employer who has no intent to profit but collects, handles or uses personal data in violation of the Act and thereby causes prospective damage to others may still be punished with imprisonment for not more than two years, detention, and/or a fine of not more than NT$200,000. Further, a prosecutor may actively initiate an investigation into the crimes provided for under the PDPA even without a complaint from the employee/victim.

As to administrative liability, for certain violations of the CPDPA, where an employer does not rectify the violation within the time limit notified by the competent authority, the responsible person of the employer may be fined not less than NT$10,000 and not more than NT$50,000, and shall be fined for each repeated violation and every continuing violation.

For certain violations of the PDPA, by contrast, where an employer does not rectify the violation within the time limit notified by the competent authority, the fine is not only increased to an amount ranging from NT$20,000 to NT$200,000 for each repeated violation and every continuing violation, but is also imposed separately on the employer and on its representative, manager or other person who may represent the employer, except where the latter can prove that he/she has performed the duty to prevent such violation.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Owing to the passage of the PDPA, which substantially amends the CPDPA, anyone concerned with an employer's collection, use and/or handling of an employee's personal data in Taiwan should pay close and continuous attention not only to the effective date of the PDPA, to be published by the Executive Yuan of the ROC, but also to the forthcoming enactment of, and/or amendments to, the enforcement rules and supplemental laws and regulations, such as the specific purposes and types of personal data that are to be redefined by the Ministry of Justice of the ROC and the central competent authority as provided under Article 53 of the PDPA.

Contributed by Lee, Tsai & Partners
The Expanded Answer to the Questions by Jurisdiction

THAILAND

In preparing these responses, we have based our advice mainly on the relevant provisions of the latest draft of the Personal Data Protection Bill (the "Bill"), which was prepared by the Council of State in August 2009. Should the finalized form of the Bill, once enacted, differ from that draft, the responses below may need to be altered. In brief, the Bill is intended to be a legal mechanism to protect the personal data of natural persons and to control the handling of such data by private and state enterprises. The most recent form of the Bill is significantly different from the first draft and has been pending parliamentary consideration since November 2009. As of this date, it is difficult to predict when the Bill will become law.

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

The Constitution of the Kingdom of Thailand recognizes the people's right to have their personal data protected from unlawful exploitation, as provided by law. Although there are specific data protection laws applicable to personal data in the hands of government agencies and financial institutions, the larger part of personal data handled by private entities and individuals is not regulated. Therefore, under current circumstances, an employer's collection, use, disclosure and handling of an employee's personal data may be dealt with through contractual arrangements.

According to the current draft of the Bill, the term "personal data" refers to any personal information relating to a natural person who is identified or identifiable by reference to the relevant facts, such as education details, financial status, medical records, criminal records, employment records, activity records and any other matters. Such information includes names, numbers and codes, and may be in the form of fingerprints, sound recordings or photographs. The Bill also includes the personal information of a deceased person in the definition of personal data.
B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

Currently, there is no legal requirement for an employer to have a document to deal with an employee's personal data. However, if the Bill comes into force, a data controller (the employer, in this case) will generally have to notify the data subject (its employee) of its objectives in collecting, using and disclosing the employee's personal data, and the employee must expressly consent to the same. The personal data must then be processed exclusively for the objectives to which the employee agreed.

C. For how long must an employer retain an employee's personal data? What is best practice?

Under the Thai Labour Protection Act B.E. 2541 (1998), an employer must maintain an employee register for not less than two years from the date of termination of employment of each employee. For the avoidance of doubt, the employee register consists of at least the following particulars:
(1) first name and family name;
(2) sex;
(3) nationality;
(4) date of birth or age;
(5) present address;
(6) date of commencement of employment;
(7) position or duty;
(8) wage or other remuneration; and
(9) date of termination of employment.
According to the Bill, however, there is no required period for an employer to retain an employee's personal data. The Bill allows an employer to keep an employee's personal data until:
(1) the necessity of retaining the personal data for the notified objectives ends;
(2) the notified period expires; or
(3) the employee withdraws the consent given earlier.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

Under the current law, there are no legal restrictions that would prevent an employer from transferring employees' personal data outside Thailand. However, once the Bill is in place, it will generally prohibit an employer from transferring an employee's personal data overseas without the employee's written consent, except for transfers made for the following purposes:
(1) for domestic or international legal proceedings;
(2) for the benefit of the employee;
(3) where necessary for the life, health or safety of the employee;
(4) as required under a contract with the employee, or at the employee's request;
(5) as required under the Money Laundering Act or the Terrorism Act; and
(6) for other necessary purposes as prescribed by the Committee.

E. What are the legal restrictions on transferring employees' personal data to a third party?

Under the current law, there are no legal restrictions in relation to an employer's transfer of its employees' personal data to a third party. However, once the Bill becomes effective, no disclosure or transfer of an employee's personal data may be made without the employee's written consent, except in the following cases:
(1) disclosure to the employer's lawyers for legal proceedings;
(2) for the purpose of collecting a debt that the employee is required to pay to the employer;
(3) disclosure to government officials in relation to historical records;
(4) disclosure at a government official's request where there is suspicion that the personal data may be relevant to national or international security; and
(5) for other necessary purposes as prescribed by the Committee.

F. What are the consequences of breaching privacy laws in your jurisdiction?

Currently, if an employer wilfully or negligently uses or discloses its employee's personal information without the employee's consent or agreement, and thereby causes damage (including damage to reputation) to the employee, the employer may be deemed to have committed a wrongful act under the Civil and Commercial Code. As a result, the injured employee may claim compensation from the employer for that wrongful act. Specifically, for damage to reputation, the Thai courts may, on application by the injured employee, order proper measures to be taken to restore the employee's reputation instead of, or together with, damages.

Similar issues could arise under the Criminal Code if the disclosure by the employer is likely to impair the reputation of the employee and is deemed to constitute the offence of defamation. In such a case, the employee might be able to bring a defamation case against the employer, and the employer may be subject to criminal punishment (i.e. imprisonment and/or a fine).

Once the Bill becomes law, any violation of it will be subject to an administrative fine and to criminal imprisonment and/or a fine. Furthermore, where the violator is a juristic entity, the same punishment may also be extended to its directors or managers, unless they can prove that they were not involved in, or did not consent to, the violation.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

Employers in Thailand, as data controllers, will be required to comply with the Bill once it comes into effect. Based on the latest draft of the Bill, employers will have to ensure that their employee data systems are secure enough to prevent exploitation or disclosure of personal data. Also, to collect, use and disclose their employees' personal data, employers will have to state the objectives of such actions and obtain the employees' written consent beforehand.

Contributed by Mayer Brown JSM (Thailand) Limited
The Expanded Answer to the Questions by Jurisdiction

VIETNAM

A. Is there a law/code or other similar document regulating the collection, use and/or handling of an employee's personal data in your jurisdiction?

Yes. This is the 2005 Civil Code.

B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee's personal data?

Yes. Article 38 of the Civil Code provides that the collection and publication of personal data pertaining to a person must be subject to his/her consent.

C. For how long must an employer retain an employee's personal data? What is best practice?

There is no statutory requirement regarding how long employee data may be retained. In practice, the employer should agree with the employee on the time limit for retaining his/her data. It is preferable that the employee's written consent be obtained.

D. What are the legal restrictions on transferring employees' personal data outside your jurisdiction?

The general rule in Article 38 of the Civil Code applies: the collection and publication of personal data pertaining to a person must be subject to his/her consent.

E. What are the legal restrictions on transferring employees' personal data to a third party?

The same general rule in Article 38 of the Civil Code applies: the collection and publication of personal data pertaining to a person must be subject to his/her consent.

F. What are the consequences of breaching privacy laws in your jurisdiction?

The employee could sue the breaching party in court for compensation if the employee has suffered damage to his/her health, honour, dignity or reputation. Depending on the seriousness of the breach, the employer could also be subject to an administrative penalty.

G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee's personal data?

The breaching party, depending on the seriousness of the breach, would be subject to an administrative penalty. If the breach causes damage to the employee's health, honour, dignity or reputation, compensation must be paid.

Contributed by Mayer Brown JSM (Vietnam)
Contact Details
Contact details: Asia

Hong Kong
Hong Tran, Mayer Brown JSM
16th-19th Floors, Prince's Building, 10 Chater Road, Central, Hong Kong
E: hong.tran@mayerbrownjsm.com
T: +852 2843 4233
F: +852 2103 5070

Mainland China
Rachel Zhang, JSM Shanghai Representative Office
Suite 2301, Tower II, Plaza 66, 1366 Nan Jing Road W., Shanghai 200040, China
E: rachel.zhang@mayerbrownjsm.com
T: +86 21 6120 1066 ext. 585 / +852 2843 4482
F: +852 2103 5017

Australia
John Denton, Corrs Chambers Westgarth
Bourke Place, 600 Bourke Street, Melbourne VIC 3000, Australia
E: john.denton@corrs.com.au
T: +61 3 9672 3158
F: +61 3 9672 3010

India
Anand Prasad, Trilegal
A-38, Kailash Colony, New Delhi 110 048, India
E: anand.prasad@trilegal.com
T: +91 11 4163 9393
F: +91 11 4163 9292

Indonesia
Richard Emmerson, Soewito Suhardiman Eddymurthy Kardono
Wisma Bank Dharmala, 14th Floor, Jl. Jend. Sudirman Kav. 28, Jakarta 12920, Indonesia
E: richardemmerson@ssek.com
T: +62 21 521 2038
F: +62 21 521 2039

Japan
Chisato Higashio, Anderson Mori & Tomotsune
Izumi Garden Tower, 6-1, Roppongi 1-chome, Minato-ku, Tokyo 106-6036, Japan
E: chisato.higashio@amt-law.com
T: +81 3 6888 1150
F: +81 3 6888 3150

Malaysia
Sivabalah N, Shearn Delamore
7th Floor, Wisma Hamzah-Kwong Hing, No. 1 Leboh Ampang, 50100 Kuala Lumpur, Malaysia
E: sivabalah@shearndelamore.com
T: +60 3 2076 2866
F: +60 3 2026 4506

New Zealand
Phillipa Muir, Simpson Grierson
Lumley Centre, 88 Shortland Street, Private Bag 92518, Auckland 1141, New Zealand
E: phillipa.muir@simpsongrierson.com
T: +64 9 977 5071
F: +64 9 977 5083

Pakistan
Salim Hasan, Meer & Hasan
1-Farid Kot Road, Lahore 54000, Pakistan
E: mail@meerhasan.com
T: +92 42 3723 5812
F: +92 42 3723 4332 / +92 42 3724 9893

Philippines
Rene Soranio, SyCip Salazar Hernandez & Gatmaitan
4th Floor, SSHG Law Centre, 105 Paseo de Roxas, Makati City, Philippines
E: rysoriano@syciplaw.com
T: +63 2 817 1788 / +63 2 817 9811 to 20
F: +63 2 817 3896 / +63 2 817 3567

Singapore
Kala Anandarajah, Rajah & Tann
9 Battery Road, #25-01 Straits Trading Building, Singapore 049910
E: kala.anandarajah@rajahtann.com
T: +65 6232 0111
F: +65 6225 7725

South Korea
C.W. Hyun, Kim & Chang
Seyang Building, 223 Naeja-Dong, Chongro-ku, Seoul 110-720, South Korea
E: cwhyun@kimchang.com
T: +82 2 3703 1114
F: +82 2 737 9091 / +82 2 737 9093

Sri Lanka
John Wilson, John Wilson Partners
365 Dam Street, Colombo 12, Sri Lanka
E: john@srilankalaw.com
T: +94 11 232 4579 / +94 11 244 8931
F: +94 11 244 6954

Taiwan
Jaclyn Tsai, Lee, Tsai & Partners
9th Floor, 218 Tun Hwa S. Road, Sec. 2, Taipei 106, Taiwan, R.O.C.
E: jaclyntsai@leetsai.com
T: +886 2 2378 5780 ext. 2218
F: +886 2 2378 5781

Thailand
Manuswi Intaranont, Mayer Brown JSM (Thailand) Limited
28th Floor, Q. House Lumpini Building, 1 South Sathorn Road, Tungmahamek, Sathorn, Bangkok 10120, Thailand
E: manuswi.intaranont@mayerbrownjsm.com
T: +66 2 677 7555
F: +66 2 677 7599

Vietnam
Dao Nguyen, Mayer Brown JSM (Vietnam)
17th Floor, Saigon Tower, 29 Le Duan Street, District 1, Ho Chi Minh City, Vietnam
E: dao.nguyen@mayerbrownjsm.com
T: +84 8 3822 8860 ext. 128
F: +84 8 3822 8864