
Protective Monitoring and Privacy Law:

Guidance for Multinational Organisations

© Copyright 2013

Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”)
Document available for download at www.dtexsystems.com/protectivemonitoring
For more information contact: [email protected]

“Protective Monitoring” : the role of monitoring in the protection of commercially sensitive data, information systems and the people who use them.

All rights reserved. Copyright 2013 ©

Table of Contents

1. Introduction ........ 3

2. Protective Monitoring: Implementing a Global Programme ........ 4

3. Protective Monitoring: A Core Requirement for Mitigating Risk ........ 5

4. Privacy Impact Assessment: Understanding Local Requirements ........ 5

5. Acceptable Use Policy: Driving Governance ........ 6

6. Technology Considerations for Multinational Organisations ........ 7

7. A Simplified Guide to International Implementation ........ 8

8. Some Key Regions for Consideration ........ 9

Disclaimer

The content of this briefing is of general interest and is not intended to apply to specific circumstances. The content should not, therefore, be regarded as constituting legal advice and should not be relied on as such. In relation to any particular problem they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly.

1. Introduction

The protective monitoring of employee activities in the workplace is now recognised as a core security requirement for many multinational organisations. Navigating the different privacy laws in each country may seem like a daunting task, but by clearly understanding the legal requirements and taking an international perspective from the outset, a global implementation can be achieved efficiently and effectively with very positive results for the business.

This document provides guidance regarding some of the international laws and regulations related to the monitoring of computer activities in the workplace. It focusses primarily on regions that have already established laws in this area, with particular emphasis on those countries where the laws or regulations are well developed, but not necessarily easy to understand. However, there are many other countries in the process of establishing such laws and regulations which are not addressed in this document and therefore we recommend seeking legal advice where you are unsure of the laws in a particular country.

The table on page 8 provides a simplified view of the international landscape by highlighting the key variations between the relevant privacy requirements in different countries. This chart can be used as a high-level reference from which to draw on the additional information provided for each of the countries later in the document.

“The vast majority of your employees will be responsible and loyal; however, there will always be a few who are less reliable or honest, who can expose your business to risk. One step you can take to mitigate this risk is to implement a protective monitoring solution. Provided you follow a few simple steps - a number of which are outlined in this helpful guidance note - it is possible to implement such tools, which inevitably involve some form of employee monitoring, in a privacy compliant way (for example by communicating a clear Acceptable Use Policy to staff and ensuring the tool is flexible enough to have different configurations for different countries).”

Suzanne Rodway, Group Head of Privacy, Royal Bank of Scotland


2. Protective Monitoring: Implementing a Global Programme

Multinational organisations must consider local legal and regulatory requirements prior to the implementation of protective monitoring (PM) technologies, as privacy laws can vary from country to country. The following approach has been successfully adopted by large multinational organisations and is an example of how an organisation might prepare for implementing a PM programme:

1. Identify a global Programme Manager to supervise and manage implementation and maintenance of the PM programme.

2. Determine which countries will be prioritised for PM programme rollout. The following criteria should form part of this decision making process:

a) Privacy legislation and other relevant laws and regulations within each country. A Privacy Impact Assessment should be conducted in each country to assess the risks and benefits of PM implementation. Adequate time will need to be given to countries with more complex or more stringent privacy laws as go-live will necessarily fall later in an international roll out.

b) Risk profile of the user groups based in each country. Users who have access to sensitive data and/or systems should be targeted first. It is recommended that an Internal Risk Assessment be conducted across all user groups to fully appreciate the risk profile of users in each jurisdiction.

c) Readiness of the local operation.

Technical infrastructure: The ease of PM software implementation may be affected by the technical infrastructure within a local operation. Selecting a PM solution which has a light footprint with minimum impact to system performance will be critical.

Resources: What is the ability of the local team to support implementation? Key criteria should include:

• Is there a Country Manager who can be trusted with local management of the PM programme?

• Does the local IT team have the skill set to support the implementation? (Selecting a PM solution which is easy to deploy with a light footprint will reduce the need for a highly skilled IT team).

User policies and processes: A well-defined and well-communicated Information Security Policy and/or Acceptable Use Policy must be in place prior to deployment.

Employee relations: Some countries will require there to be consultation or approval from local employee representative bodies.

Privacy compliance: As well as communicating with users, any filings with national data protection authorities will need to be checked and may require updating to cover PM and possible pre-approval by the regulator.

The selection of a PM solution that can be customised by jurisdiction will allow the global PM programme to avoid the use of different solutions in different jurisdictions. It will also allow the IT team to manage and aggregate results centrally and provide senior management with more useful outputs.

3. Develop a global PM programme plan which should include the following interdependent project streams:

a) Technical Deployment Project Plan. How will the PM solution be deployed globally?

b) Operating Model Project Plan. How will the PM service be delivered as a BAU function for the group?

c) Business Implementation Project Plan. How will the programme team interact with the business stakeholders (e.g. Legal, HR, IT, Security) to implement and maintain the PM service?


3. Protective Monitoring: A Core Requirement for Mitigating Risk

“Protective Monitoring” is a term used to describe the role monitoring plays in the protection of commercially sensitive data, information systems and the people who use them. An increasing awareness of the benefits provided by protective monitoring can be seen in the UK. The UK government has promoted the use of protective monitoring within the public sector for a number of years. More recently, guidance published by the Centre for the Protection of National Infrastructure (CPNI) has emphasised the positive impact of monitoring for private sector organisations. The guidance, “Holistic Management of Employee Risk (HoMER),” received strong support from the Information Commissioner’s Office (ICO), and set out the benefits of a risk-based approach to monitoring and implementing a well-structured PM programme. For many organisations, protective monitoring will become a fundamental requirement for protecting IT systems and mitigating internal risks.

The ICO in the UK, as well as CPNI, have provided clear guidance for the implementation of employee monitoring solutions, largely based on a judgement of “fairness” to the employee via the communication of a well-defined Acceptable Use Policy (AUP). While other countries may not have such clear guidance on PM in their jurisdiction, compliance with most laws and regulations regarding employee monitoring will be underpinned by conducting the appropriate Privacy Impact Assessments and implementing a well-defined and well-communicated AUP.

4. Privacy Impact Assessment: Understanding Local Requirements

A Privacy Impact Assessment (PIA) is conducted on a country-by-country basis to help assess the potential impact of PM to individuals in the collection, use and disclosure of their personal data. PIAs help identify privacy risks, foresee problems and evaluate PM solutions. A PIA should be conducted at the start of a PM project in order to help shape the project implementation strategy and determine the most appropriate configuration for the monitoring technology. Some of the countries covered by this document require organisations to conduct a PIA before implementing a PM solution.

The use of a PIA template or checklist is a common approach which helps to simplify the PIA process. Such a template should be adjusted to suit the requirements of each country and is likely to contain the following key components:

• Project introduction: Provide some background regarding the intended project.

• Purposes and benefits: Why is this project being considered and what are the benefits?

• Adverse impact: Are there any potentially negative impacts and how can these be overcome?

• Alternatives: Have other alternatives been considered and why have they been ruled out?

• Obligations: What are the obligations on staff if the project goes ahead and how will these be managed?

• Conclusion: Do the results of the PIA justify commencement of the project? If so, how will the project be aligned with the findings of the PIA? This conclusion should then be used as the basis of design for the PM solution.


5. Acceptable Use Policy: Driving Governance

An AUP (also known as a Fair Use Policy) is a set of rules applied by the owner/manager of a computer network that restrict the ways in which the network may be used. AUPs in the employment context often serve to inform employees of the expected standards of use and the potential consequences of infringement, while also establishing a foundation for PM. They can also include the information notices about PM systems, which are legally required in most jurisdictions, although some organisations choose to do this in a separate PM policy. New employees are generally asked to sign the AUP before they are given access to an employer’s information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are and are not allowed to do with an organisation’s IT systems. In order to meet the privacy requirements of most countries, an AUP should define what sanctions will be applied if a user breaches the AUP, making clear that monitoring may be used to ensure compliance. Compliance with the AUP should then be measured by regular audits.

In some countries, as explained further in this document, it may be illegal to monitor employees (or to use evidence from monitoring) to reprimand or dismiss an employee unless an AUP has been well communicated to staff. In particular, in countries with well-established data protection laws, organisations are required to provide individuals with certain information about the processing of their personal data. This information typically includes:

• The purposes of PM

• How PM is implemented

• Under what circumstances PM might take place

• The types of information collected by PM

• Details about how the collected information is processed, including who has access to the information and how the information may be used

This information should be provided in writing, for example within an organisation’s AUP.

“The rules around employee monitoring, as with many privacy requirements, can vary greatly country by country. Much of this is driven by underlying cultural and social differences, which can be deeply embedded into a particular country’s society, so getting monitoring right is very important to any organisation. Having a flexible approach that can be tailored to different country requirements is key.”

Peter Gooch, Director, Security and Privacy, Deloitte LLP


6. Technology Considerations For Multinational Organisations

Where multiple jurisdictions are involved, organisations may be tempted to apply a harmonised approach, for example by choosing the regime of the country with the strictest privacy laws and applying this uniformly across its network. However, as different countries may have contradictory requirements (for example, banning private use of work email is illegal in France whilst being common practice in Germany), particular care should be observed if a harmonised approach is to be taken, especially as non-compliance in some countries can lead to criminal liability.

Organisations are likely to find broad commonality in the PM compliance requirements of many countries. However, configuring any monitoring system for the specific legal requirements of each country (in terms of the tool and also the procedures around handling positive results) is likely to be the most appropriate approach for multinationals, where contradictory laws are almost certain to apply. It is advisable that an Internal Risk Assessment is undertaken in order to gain a clear understanding of the actual risks created by user activities in each country.

It’s important to understand that the chosen monitoring technology must be flexible enough to enable different configurations in different territories, providing the ability to quickly and easily adapt configurations either centrally or in a distributed fashion. This will ensure that each operating entity is well positioned to maintain compliance as privacy laws and regulations evolve internationally.
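As an added illustration of the per-territory configuration this section calls for (example code written for this edit, not Dtex's or Deloitte's own tooling), the snippet below carries one configuration object per operating entity, validates each against rules the document states (for instance, that a ban on private use cannot be configured for France) and then decides what the monitoring tool may do with a given mail item. The flag names, the country encodings and the mail events are assumptions constructed for the example and are simplified readings of the page-8 table, not a legal reference; a deployment would have counsel sign off each configuration.

```python
from dataclasses import dataclass


# Constructed, simplified encodings of the country positions summarised in the
# guidance's page-8 table. They show how a PM tool could carry one configuration
# per jurisdiction; they are assumptions for this example, not a legal reference.
@dataclass(frozen=True)
class JurisdictionConfig:
    name: str
    private_use_may_be_banned: bool      # False for France, where such a ban is illegal
    private_use_banned: bool             # True where the employer bans (and enforces a ban on) private use
    personal_content_on_suspicion: bool  # True where clearly personal content may be examined on genuine suspicion
    requires_specific_suspicion: bool    # True where general monitoring is barred (Germany, private use allowed)


@dataclass(frozen=True)
class MailEvent:
    sender: str
    subject: str
    marked_personal: bool   # e.g. a "[private]" tag or a personal folder
    found_personal: bool    # private nature discovered while checking business relevance


def validate_config(cfg: JurisdictionConfig) -> JurisdictionConfig:
    """Reject a configuration that contradicts its jurisdiction before it is rolled out."""
    if cfg.private_use_banned and not cfg.private_use_may_be_banned:
        raise ValueError(f"{cfg.name}: a ban on private use of work email cannot be configured here")
    return cfg


def decide(cfg: JurisdictionConfig, mail: MailEvent, genuine_suspicion: bool = False) -> str:
    """Return what the monitoring tool may do with this message under the jurisdiction's rules.

    Outcomes: "no_monitoring", "process_content" or "stop_processing".
    """
    if cfg.requires_specific_suspicion and not genuine_suspicion:
        return "no_monitoring"            # no general monitoring of usage data or content
    if cfg.private_use_banned:
        return "process_content"          # an enforced ban: all traffic is treated as business traffic
    if mail.marked_personal or mail.found_personal:
        if cfg.personal_content_on_suspicion and genuine_suspicion:
            return "process_content"      # UK/USA position on genuine suspicion of misconduct
        return "stop_processing"          # content must not be examined further
    return "process_content"              # business mail: normal PM processing


# One configuration per operating entity, validated centrally before rollout.
CONFIGS = {
    "UK": validate_config(JurisdictionConfig("UK", True, False, True, False)),
    "FR": validate_config(JurisdictionConfig("FR", False, False, False, False)),
    "CH": validate_config(JurisdictionConfig("CH", True, False, False, False)),
    "MX": validate_config(JurisdictionConfig("MX", True, False, False, False)),
    "DE-banned": validate_config(JurisdictionConfig("DE-banned", True, True, False, False)),
    "DE-allowed": validate_config(JurisdictionConfig("DE-allowed", True, False, False, True)),
}


def classify(country: str, mails, genuine_suspicion: bool = False) -> dict:
    """Apply one country's configuration to a batch of mail events; returns subject -> outcome."""
    cfg = CONFIGS[country]
    return {m.subject: decide(cfg, m, genuine_suspicion) for m in mails}


if __name__ == "__main__":
    sample = [  # constructed events, not real mail
        MailEvent("alice@example.com", "Q3 forecast", False, False),
        MailEvent("alice@example.com", "[private] dentist", True, False),
    ]
    for country in CONFIGS:
        print(country, classify(country, sample))
```

Keeping the decision in one function with the configuration as data is what lets a central team change a country's position (centrally or by handing the configuration to the local entity) without touching the collector itself.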

It is also advisable that any officially appointed Data Protection Officer is involved in the planning and implementation of the PM programme and that they keep any Works Councils and/or trade unions informed where necessary. In some countries, consultation or even approval may be required from the local employee representative body.

“The ‘locked-down’ security model is challenged when looking to support the flexibility required for some companies to operate. This can result in the perception that the security strategy is not aligned with the business strategy and lead the business to circumvent restrictive security controls. As a comparison, protective monitoring is an effective way of ensuring compliance with acceptable use policy without having to limit user access to resources. The trust and verify approach allows the business the flexibility to operate and compete while supporting the governance, compliance and risk frameworks.”

Mo Ahddoud, Programme Leader, International Security, NBC Universal


7. A Simplified Guide To International Implementation

The table answers the following questions for each country. The icons marking each answer as “Not a mandatory requirement” or “A mandatory requirement” did not survive extraction; the annotations that accompanied those icons are kept under each country.

• Privacy Impact Assessments

• Works Councils or employee representatives to be consulted?

• Mandatory Acceptable Use Policy? (i.e. rules for use of IT equipment)

• Mandatory Employee Notices? (i.e. notice of monitoring to employees)

• Any required filings with data protection authorities?

• Issues relating to personal use of work email / IT equipment

USA

Annotations: but highly recommended; plus consent required

Personal use of work email / IT equipment: Employers entitled to monitor private emails to establish whether business related. Content of clearly personal emails should not be processed, unless there is a genuine suspicion of misconduct.

UK

Annotations: but highly recommended

Personal use of work email / IT equipment: Employers entitled to monitor private emails to establish whether business related. Content of clearly personal emails should not be processed, unless there is a genuine suspicion of misconduct.

MEXICO

Annotations: but highly recommended; but highly recommended

Personal use of work email / IT equipment: Employer should not process emails marked as personal, unless employees have been banned from using email for private use. Where unmarked, processing is permitted until private nature discovered.

JAPAN

Annotations: but highly recommended; if justifying PM to “uphold procedures”

Personal use of work email / IT equipment: Employer may monitor private emails sent using company equipment if it has justifiable grounds. However, it is highly advisable not to process personal emails which the company becomes aware of during monitoring.

HONG KONG

Annotations: but highly recommended; but highly recommended

Personal use of work email / IT equipment: Employers are entitled to monitor private emails if they are work related but there is greater risk in monitoring emails which are purely private in nature.

SWITZERLAND

Annotations: but highly recommended; but highly recommended

Personal use of work email / IT equipment: Illegal to process the content of private emails. An employer may be permitted to open an email to establish whether it is a business or personal email, but processing must be ceased if the email is found to be personal.

GERMANY

Annotations: but highly recommended; plus authorisation required; if Data Protection Officer appointed

Personal use of work email / IT equipment: In practice, personal use of work email is usually banned on the recommendation of lawyers to avoid application of telecommunications law. Such a ban would need to be enforced in order to be effective.

FRANCE

Annotations: but highly recommended

Personal use of work email / IT equipment: Illegal to ban personal use of work email / IT systems.

SPAIN

Annotations: but highly recommended; but highly recommended

Personal use of work email / IT equipment: Employers in Spain are entitled to ban employees from using their work email for private purposes. When employers have informed employees that their work email will be monitored, they are entitled to do so. If they have not informed employees about the specific monitoring measures, employees can expect a reasonable level of privacy.

Legend: Not a mandatory requirement / A mandatory requirement


8. Some Key Regions for Consideration

EUROPE: GENERAL

For countries in the European Union, Data Protection Directives 95/46/EC and 2002/58/EC (as amended) provide the legal framework for PM. These set out general principles and are not specific to PM. Implementation of the Directives differs in each Member State, and some Member States have additional legislation addressing this issue. Guidance at a European Union level has been provided by a body known as the Article 29 Working Party. In a document published in 2002 [1], the Working Party noted:

• Employees have a legitimate expectation of a certain degree of privacy in the workplace

• A PIA should be carried out before rolling out PM

• Employees should be given notice of PM.

The European Convention on Human Rights is also relevant to EU Member States as well as 20 additional European countries.

UNITED KINGDOM

The UK’s Data Protection Act 1998 regulates the use of personal data. The Regulation of Investigatory Powers Act 2000 (“RIPA”) and the accompanying Regulations [2] are also relevant, as they regulate the monitoring and interception of communications. The Regulations allow monitoring (that would otherwise be prohibited under RIPA) when it is conducted for legitimate business purposes over an employer’s network. To rely on the Regulations, the employer must have made all reasonable efforts to ensure that employees are made aware of the possibility of monitoring. Detailed guidance on PM is provided in the Information Commissioner’s Employment Practices Code (“The Code”) [3].

The Code states that an employer should conduct an impact assessment prior to using PM. This should assess:

• What are the lawful purposes for monitoring? (e.g. upholding policies and standards which have been brought to employees’ attention, specific business threats etc.)

• What are the adverse impacts of monitoring? (e.g. impact on employee privacy, mutual trust and confidence, relationships with third parties)

• Whether these aims can be achieved in a less intrusive way (e.g. greater supervision, targeting high risk individuals, spot checks over systematic checks etc.)

• What obligations arise from the monitoring? (e.g. notifying employees of the monitoring, secure handling of data)

GERMANY

Although there is no law specifically regulating privacy in the workplace, Germany does have strict general communications privacy requirements (partly based on the German Constitution) which are, along with general data protection principles, relevant for monitoring activities. There are plans to introduce a specific data protection regime for employees which will likely contain detailed provisions on PM which may change the legal position set out below.

Under the current law, whether personal use of company IT resources is permitted/tolerated by the German employer is key. If personal use of telecommunication infrastructure (email, telephone, internet access, etc.) is permitted, this subjects the employer to stricter requirements, because the employer would be regarded as a telecommunications services provider under the German Telecommunications Act (“TKG”). The TKG contains regulations protecting telecommunications secrecy, including a prohibition on general monitoring of both usage data and the contents of personal communications. This then restricts the ability of an employer to monitor professional communications, as, in most instances, employees do not separate their personal and professional use of IT resources.

In order to avoid the application of these stricter requirements of the TKG and allow broader monitoring, a German employer can expressly forbid private use of internet and email systems (which many companies in Germany do). Such a ban should be enforced through regular spot checks, otherwise the TKG may still apply. Where private use of company IT systems is allowed, monitoring rights are more limited but PM is still possible if (i) it is not applied to all employees generally, but only when and where there are specific suspicions of wrongdoing (although this may change under draft legislation) or (ii) (arguably) employees consent to a monitoring scheme. The latter is not without complication as consent is only valid if employees have genuine choice (which may be the case if a company provides options, e.g. allowing an employee to choose whether he or she wants to use company email for private use and accept monitoring, or use a private webmail without being monitored.)

[1] See http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp55_en.pdf

[2] Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (“LBP Regulations”) (as amended)

[3] See http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/employment.aspx

There are additional requirements if a works council exists. Works councils are particularly prevalent in Germany and it is common for large organisations to have one, as do many SMEs – any business with over 5 employees may have a works council if its employees choose to elect one. A works council has co-determination rights for matters regarding “the introduction and use of technical devices designed to monitor the behaviour or performance of the employees,” which covers the implementation of automated PM tools. Organisations are therefore required to obtain consent from the relevant works council before implementing a PM programme, and a veto from the council can only be overturned by a mediation committee or a court. In order to gain consent from a works council, an employer will need to be able to demonstrate to the representatives that it has taken steps to ensure employee privacy is protected. An ability to configure PM technologies can prove helpful here, where steps can be taken to ensure data from certain files or folders are not collected.

FRANCE

The right to privacy in the work place is enshrined in the French labour code, which also imposes an obligation of fairness: employers must consult works councils [4] and inform employees prior to the implementation of any PM system [5]. In addition, there are limits to email monitoring and access to employees’ private files under the Penal Code. Employers should also be aware that it is illegal to ban employees from using the employer’s IT resources (including email) for personal use.

The 1978 French Data Protection Act (relating to “Data processing, files and liberties”) also imposes privacy obligations. The French Data Protection Authority (the CNIL) has long-standing guidance on how to implement PM correctly, now contained in the “CNIL’s guide for employers and employees” [6]. The main obligations are:

• Identifying the lawful purpose of the data processing and informing employees of this purpose, such as through an AUP.

• Respecting individual rights and liberties, as well as the fairness and proportionality principles (employers should assess in particular whether less intrusive means of monitoring can be applied)

• Complying with filing obligations regarding any PM data processing (including CCTV), unless a data protection officer (CIL) has been appointed.

• Tolerating reasonable use of the IT system for private purposes, clearly defining limits in the AUP and respecting the secrecy of private correspondence and the right to privacy where files/emails are clearly marked as personal or private.

In order to comply with the above obligations, employers should conduct a PIA – the output of this will be a conclusion as to whether monitoring is justifiable.

[4] And also, under certain circumstances, the Health and Safety committee.

[5] Labour code articles L1221-9, L2323-4, L2323-13, L2323-32.

[6] See http://www.cnil.fr/fileadmin/documents/Guides_pratiques/Livrets/travail/index.html

SPAIN

The principal laws regulating employee monitoring are Royal Decree 1/1995 on the consolidated text of the Law of the Statute of Workers (“Statute of Workers”), Organic Law 15/1999 on Data Protection (“DPA”) and Royal Decree 1720/2007 that develops the DPA (the “Regulation”).

Article 20.3 of the Statute of Workers states that employers may adopt measures to monitor employee compliance subject to limits in respect of “human dignity”. Although this does not expressly include PM carried out electronically, the Spanish Supreme Court held in 2007 that an employer is entitled to carry out PM on their IT system when employers own the computers, as they are entitled to ensure that they are used for work purposes. However, even when employees are using the employer’s equipment, employees may have a reasonable expectation that a minimum level of privacy will be respected. This “tolerance” will only be deemed to exist where the employer has failed to set specific rules on the use of electronic resources and has not informed employees that they may be monitored. Consequently, employers who wish to monitor employees must ensure that (i) the rules relating to this monitoring are “established in advance,” and (ii) employees have been informed of these rules and how compliance with them will be monitored. These details will generally be covered by an AUP (see above).

In addition to the duty to inform employees, employers are required to inform and consult workers’ representatives (works council) before any monitoring activity in relation to worker behaviour is introduced. Whilst works councils are common in Spain, they do not have a statutory right to veto the introduction of PM systems as exists in Germany. Instead, the works council can only issue a non-binding report on the measures following the required consultation.

Monitoring measures to be applied must be proportional. The test, much like that set out by the ICO in the UK, requires employers to check by way of a PIA:

• Is the measure necessary, i.e. will PM adequately address the purpose for which it has been implemented?

• Is the measure suitable, i.e., are there any other less intrusive measures that would achieve the same aims, or can the employer show that PM is more effective?

• Is the measure justified and balanced, i.e. will the PM solution be configured in such a way that it does not significantly impact employee privacy without cause?

Employers must also comply with the Spanish Data Protection Act and its Regulations. Amongst other requirements, this means providing employees with detailed information about the processing, which can be covered in the AUP. There is no need to obtain employee consent to PM.

SWITZERLAND

The relevant legislation with respect to employee monitoring is the following: the Swiss Federal Data Protection Act (“DPA”), the Swiss Federal Ordinance 3 to the Labour Act (“LAO”), the Swiss Code of Obligations and the Swiss Federal Penal Code.

Monitoring systems may be implemented for reasons such as security but they must be configured so that the health and mobility of employees is not affected and so that employee performance is not reviewed. In addition, the principles of the DPA must be observed. Under the DPA, PM is only permitted if (a) the processing can be justified (see below), (b) there is no other way to achieve the targeted aim (principle of proportionality), (c) the personal data collected will only be used for the stated purposes, (d) the security of the collected data is guaranteed at all times and (e) the employees have been informed of the surveillance system. These issues can be picked up through a PIA before PM and an AUP. Employers should note that they are not allowed to collect data which is not relevant for the employment relationship, although data collected to monitor compliance with contractual obligations such as the AUP is permitted. Employers who wish to monitor email or internet use must issue a policy to employees that describes the surveillance, how it works and what kind of sanctions may apply in case of non-compliance. This should ideally also contain information on acceptable internet use and private e-mails. This could all be included within a single AUP.

Any internet/email surveillance must consist of two phases. In the first phase, the surveillance has to be carried out on an anonymous (or non-personal) basis (nichtpersonenbezogen): in practice, the employer should take all technically feasible steps to prevent the person monitoring email and internet usage from identifying the individual until it becomes necessary to investigate a misuse. Only if the employer discovers a misuse (as defined by the employer in its AUP) is it allowed, in the second phase, to analyse the data on a personal basis (personenbezogen).

Employers are not allowed to read the content of personal e-mails. If the email address or title makes it clear that an email is private, then the employer should not process it. If the employer learns that a certain e-mail is of a private nature, it must stop processing that e-mail and the employer is not allowed to take notice of the content of such e-mail.
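The two-phase requirement above (phase 1 pseudonymous, phase 2 re-identification only for a detected misuse) and the rule that mail recognisable as private is not processed can be implemented as a small monitoring pipeline. The following Python is an added example written for this page, not code from the original document or from any vendor. The gateway event fields, the private-subject markers, the "more than 100 MB sent externally" AUP rule and the Custodian class are assumptions; in a real deployment the custodian's key and reverse mapping would live with HR or legal, outside the security team's tooling, rather than in the same process.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample mail-gateway events (not real data). Field names and
# values are assumptions for this example.
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "to": "partner@supplier.example",
     "subject": "Q3 figures", "bytes": 1_200_000},
    {"user": "alice@corp.example", "to": "alice.home@webmail.example",
     "subject": "[private] dentist appointment", "bytes": 2_000},
    {"user": "bob@corp.example", "to": "drop@filehost.example",
     "subject": "backup part 1", "bytes": 60_000_000},
    {"user": "bob@corp.example", "to": "drop@filehost.example",
     "subject": "backup part 2", "bytes": 70_000_000},
    {"user": "carol@corp.example", "to": "team@corp.example",
     "subject": "minutes", "bytes": 30_000},
]

INTERNAL_DOMAIN = "corp.example"
# Subject prefixes that mark a message as private (assumed AUP convention).
PRIVATE_MARKERS = ("[private]", "[privat]", "[privé]")
# Assumed AUP misuse rule: more than 100 MB sent to external recipients.
EXTERNAL_BYTES_LIMIT = 100_000_000


class Custodian:
    """Holds the pseudonymisation key and the reverse mapping (assumed role).

    Only the custodian can turn a pseudonym back into a person, and every
    re-identification is recorded in an audit trail.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}
        self.audit_trail = []

    def pseudonymise(self, identity: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key an analyst
        # cannot test candidate addresses against the pseudonym.
        tag = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = identity
        return tag

    def reveal(self, pseudonym: str, justification: str) -> str:
        self.audit_trail.append({"pseudonym": pseudonym, "justification": justification})
        return self._reverse[pseudonym]


def is_private(event) -> bool:
    """Private mail is recognised from its title only; its content is never read."""
    subject = event["subject"].strip().lower()
    return subject.startswith(PRIVATE_MARKERS)


def phase_one(events, custodian):
    """Phase 1 (nichtpersonenbezogen): drop private mail, keep only the fields
    the misuse rule needs, and replace the sender with a pseudonym."""
    records = []
    for ev in events:
        if is_private(ev):
            continue
        records.append({
            "who": custodian.pseudonymise(ev["user"]),
            "external": not ev["to"].lower().endswith("@" + INTERNAL_DOMAIN),
            "bytes": ev["bytes"],
        })
    return records


def detect_misuse(records, limit=EXTERNAL_BYTES_LIMIT):
    """Apply the AUP rule to pseudonymous records; returns offending pseudonyms."""
    totals = defaultdict(int)
    for r in records:
        if r["external"]:
            totals[r["who"]] += r["bytes"]
    return sorted(p for p, total in totals.items() if total > limit)


def phase_two(pseudonyms, custodian, justification):
    """Phase 2 (personenbezogen): re-identify only the flagged pseudonyms."""
    return [custodian.reveal(p, justification) for p in pseudonyms]


def run_pipeline(events=SAMPLE_EVENTS, key=b"custodian-key-held-outside-the-soc"):
    custodian = Custodian(key)
    records = phase_one(events, custodian)
    flagged = detect_misuse(records)
    names = phase_two(flagged, custodian, "AUP rule: external transfer above limit")
    return {"records": len(records), "flagged": flagged, "identified": names,
            "audit_entries": len(custodian.audit_trail)}


if __name__ == "__main__":
    print(run_pipeline())
```

On the sample data the private message is discarded before pseudonymisation, four pseudonymous records reach the rule, one pseudonym exceeds the external-transfer limit, and only that pseudonym is re-identified, leaving a single audit entry. Keeping only the "external" flag and the byte count in the phase 1 record, rather than recipient addresses or subjects, is what limits the data to what the AUP check actually needs.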

UNITED STATES

The United States has far less stringent privacy laws than the European Union and most of its Member States, and there is no U.S. federal law specifically addressing PM. The Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. §§ 2510-2522) restricts the interception of electronic communications, but its consent and ordinary-course-of-business exceptions are generally read to allow employers to monitor activity on their own networks and equipment where the monitoring serves a legitimate business purpose and is conducted with employees' express or implied consent, which is usually documented through an AUP. State law may add requirements of its own, such as notice to employees, so state-level review is still needed.

MExICO

Mexico also has a data protection law, the Federal Law on the Protection of Personal Data held by Private Parties (the “Law”), which regulates the processing of personal data carried out by all private entities with the exception of credit reporting companies (who are regulated by other laws). The Law establishes general principles and obligations for data controllers that are not specific to employee monitoring or employers.

Neither the Law nor Mexican employment law requires employers to consult or seek authorisation from works councils or the Mexican Data Protection Authority before implementing PM technologies. Employees must be provided with clear and unambiguous information about PM and the processing of their personal data. Employees must also be informed of their employer's policy on acceptable use of company IT systems through the issuance of rules for the correct use of emails/desktops/laptops, etc. All of this information should be provided in writing, for example in an AUP. If these rules state that company IT systems may only be used for work-related purposes, employees should not have an expectation of privacy that would conflict with PM. If employers do not ban use of work email for personal purposes, then an employer should not open communications marked as personal. Employers should also ensure that monitoring measures are proportionate to the risks that they are trying to avoid and that the least intrusive means are used. For example, an employer who wishes to implement PM to prevent the loss of trade secrets should be able to demonstrate that it has considered other methods, such as internal audit trails. This can be achieved by performing a PIA, as in the UK.

Page 12: Guidance for Multinational Organisations

JAPAN

Under Japanese law, employees have a legitimate expectation of a certain degree of privacy in the workplace. However, monitoring can be used in a broad range of situations, for example for preventing disclosure of trade secrets and confidential information, investigating suspected unlawful actions, and ensuring compliance with internal company regulations as well as legal and regulatory requirements.

The Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) ("APPI") sets out general rules concerning the handling of personal data by a business operator in Japan. The Consumer Affairs Agency is responsible for establishing the legal framework for the handling of personal information by a business operator. Employers are required to implement PM in a manner that complies with the APPI. For example, under the APPI, the employer must identify the purposes for which the personal data collected during PM will be used and disclose those purposes to its employees.

It is recommended that employers establish internal guidelines (such as an AUP) and notify employees of these guidelines before implementing PM. In practice, it is common to include the following in these guidelines:

• The purposes and scope of PM

• The manner of implementing PM

• The types of information collected during PM

• The audit procedures to confirm that PM has been properly implemented.

HONG KONG

The Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), as amended by the Personal Data (Privacy) (Amendment) Ordinance 2012 in Hong Kong (including the Data Protection Principles, "DPP"), sets out a legal framework for the collection, holding, processing, transfer and use of personal data. Detailed guidance on PM is provided in the "Privacy Guidelines: Monitoring and Personal Data Privacy at Work" published by the Privacy Commissioner's Office in 2004 ("Guidelines").

The Guidelines provide that, prior to conducting PM, an employer should evaluate the need for PM and its impact upon the employees' privacy through a PIA, which should address similar topics to those highlighted for the UK.

To comply with the PDPO, including the DPP, an employer should also make sure that a written PM Policy is published, which sets out the reasons for conducting PM, the circumstances under which PM may take place, what data might be collected through PM and how it may be used. An employer should also take practicable steps to communicate the policy to employees, e.g. publishing the policy in the employee handbook and including it as part of the employment contract.