Privacy watchdog calls for caution on handling employee data when arranging sick leave
Complaints related to mishandled employee data have seen an increase this year, prompting a reminder from Hong Kong's privacy watchdog on protecting sensitive employee information.
The Office of the Privacy Commissioner for Personal Data (PCPD) said there have been 103 complaints of mishandled employee data so far this year, up from 89 last year, Radio Television Hong Kong (RTHK) reported.
These complaints include cases where employers mishandled their employees' information when managing sick leave arrangements.
"There is no need at all for the employers, or for HR managers, to disclose the physical conditions of the employees in question to other workers," said Privacy Commissioner Ada Chung as quoted by RTHK.
The PCPD released two investigation cases that demonstrated the mishandling of employee data when managing sick leave arrangements.
In one case, a direct supervisor from Kwong Wah Hospital disclosed the illness of an employee applying for sick leave when the manager forwarded the request to a chat group that had 47 staff from the same department.
This happened on two occasions, according to the PCPD's investigation case, with the employee expressing dissatisfaction over their supervisor's actions.
The PCPD, citing the Data Protection Principle (DPP) 3, said the Hospital Authority (HA) is only allowed to use an employee's sick leave data to handle matters related to application and staff deployment.
Disclosing the illness to the members of the chat group was "excessive," according to the privacy commissioner.
"Given that the HA did not obtain the complainant's prescribed consent for such use, the HA had contravened the requirement of DPP3 as regards the use of personal data in the present case," the PCPD said.
The second case involved Christian Louboutin Asia Limited, where an employee submitted to his manager a certificate of diagnosis and a medical certificate through an instant messaging application.
The documents were intended to support the employee's sick leave application and inform the supervisor that he was unfit to work.
The supervisor, however, forwarded a photo of the certificate of diagnosis to a work-related chat group of 14 people. The medical certificate was also forwarded to another work-related chat group with around 10 staff members.
The Privacy Commissioner said the members of these chat groups did not need to know the employee's condition, and without the employee's consent to disclose such information, Christian Louboutin also breached DPP3(1).
"Christian Louboutin's use of the complainant's personal data about his physical condition in this case was inconsistent with the purposes for which the personal data had been collected in the first place, and such use amounted to using the personal data for a new purpose," the PCPD said.
The PCPD said it served an Enforcement Notice on both employers, directing them to take steps to raise awareness of personal data protection.
It also recommended the appointment of a Data Protection Officer to coordinate the implementation of privacy management measures and "promote the effective functioning of the privacy management program."