Code of Practice on Monitoring and Personal Data Privacy at WorkComments by the Hong Kong General Chamber of CommerceJune 2002Introduction1. The Chamber welcomes the opportunity to be consulted on the Draft Code of Practice on Monitoring and Personal Data Privacy at Work. The Draft Code has generated much interest among Chamber members. We have conducted extensive consultation, as well as organised a Roundtable luncheon with the Privacy Commissioner Mr Raymond Tang on 30 April 2002 in which more than 40 Chamber members attended. We commend the Privacy Commissioner for his open and positive attitude in taking forward this consultation exercise.2. Before the Draft Code was published, in December 2001 the Chamber submitted a paper commenting on the principles which were being considered in the course of developing the Draft Code. The main thrust of the Chamber's earlier paper was that it was not necessary to establish a Code of Practice on workplace surveillance under Section 12 of the Personal Data (Privacy) Ordinance. Instead, the Code should be replaced by a more neutral Guideline. After considering the Draft Code and consulting our members, we maintain the same view which we would like to reinforce in this paper. Code versus Guideline3. The Consultation Paper outlines four main issues for consultation. In our view, the last issue – whether the Code should be replaced by a Guideline – is the most important. Our members have shown, in no uncertain terms, a clear preference for the document to be issued as a Guideline, not as a Code under Section 12 of the Personal Data (Privacy) Ordinance. We elaborate our reasons below.4. As described in the Consultation Paper, a Code under Section 12 will, in legal proceedings, give rise to a “rebuttable presumption of contravention” of the Personal Data (Privacy) Ordinance. What this implies is that the employer is presumed to have broken the law when taken to court, and although that presumption can be rebutted, the burden of proof lies in the employer. Thus the employer is “presumed guilty unless proven innocent”. This is a very heavy burden for business, especially small and medium enterprises, hence such provision should only be used when there is very strong justification. Such justification is lacking in the case of workplace monitoring.5. In the vast majority of cases, workplace monitoring is conducted out of a need for operational management to safeguard corporate assets, rather than as a tool for personnel management. The issue that may arise between workplace monitoring and employee privacy should be one of reasonableness of the surveillance measures, not a matter of lawfulness. To use a Code under Section 12 to impose reasonable practices would be a regulatory overkill. It would be far preferable – and more reasonable – to establish a set of non-binding Guidelines to give guidance to both employers and employees. 6. We have no objection to the principles of transparency and proportionality as described in the Consultation Paper. We consider the practices recommended in the Draft Code to be reasonable, such as letting employees know about monitoring devices and procedures. Our principal objection is to the form in which this is being introduced, namely, as a Code under the Ordinance. 7. At the end of the day, the issue in question is that of good employer-employee relationship at the workplace. This is a matter which can only be encouraged and promoted, not legislated for. A voluntary Guideline would be an appropriate tool to do so. The advantage of a Guideline is that it can be applied flexibly and companies can modify it to suit their own needs – high-security companies in the information industries may have a very different need in workplace monitoring from that of restaurants, for instance. Employees, as party to the business rather than as an adversary, would understand the different operational requirements under different situations.8. We understand that if a Guideline is to be issued instead of a Code, there may be a concern that it does not have teeth. But we submit that “teeth” is not the most appropriate means to achieve the aim of promoting respect for privacy in the workplace. A self-regulatory Guideline will be much more effective than a quasi-legal Code which would create a potentially adversarial relationship between employer and employee.9. In conclusion, we recommend that the draft Code should be turned into a Guideline rather than a Code of Practice under Section 12. The latter should only be contemplated if the Guideline is demonstrated not to work and there is a huge public outcry over privacy abuse in the workplace.Other issues10. Once the decision is taken to change the Code into a Guideline, the other issues will fall into place.Issue 1 – employee monitoring where no record is collected by the employer11. A Code of Practice issued under the Personal Data (Privacy) Ordinance should apply only to personal data privacy. It is not appropriate for the Code to apply where no record, and hence no data, is collected. By contrast, a Guideline is more flexible and it will be appropriate for a Guideline to address issues not directly covered under the Ordinance. Issue 2 – grounds for exception from specific provisions of the Code12. This would become a difficult issue if the document were to be established as a Code under the Ordinance. To make exceptions will mean asking the Privacy Commissioner to make a judgment as to which industries should be exempt, thus undermining the industry-neutral character of the Code. Such a problem would not arise for a Guideline, which would be adapted by different industries in accordance with their own needs. Issue 3 – the retention period for employee monitoring records13. This is an issue for which the practical solution will vary from industry to industry, depending on different operational and security needs. Other than the principle that the retention period should not be excessive, it is difficult to set a standard which can apply across the board. The difficulty is compounded under a Code, which by nature cannot be too flexible. Under a Guideline, however, industry can be left to regulate itself and the six month suggestion can become simply a norm, not a standard to be adhered to.
Top