Jurisdiction - Hong Kong
Reports and Analysis
Hong Kong – Employees’ Complaint Procedure With The Office Of The Privacy Commissioner For Personal Data.

27 May, 2014

 

Legal News & Analysis – Asia Pacific – Hong Kong – Labour & Employment

 

Employees that suspect a breach of the Personal Data (Privacy) Ordinance (Cap 486) should first raise concerns with the employer and attempt to resolve the matter internally. Should these discussions be exhausted however, employees may file a complaint with the Office of the Privacy Commissioner for Personal Data. In this Practice Note written by Peter Bullock, Partner at Pinsent Masons, we discuss the relevant procedure.

 

As an employer, it would be prudent to have in place an internal complaint procedure and to take reasonable steps to make this procedure known to all employees within the firm. More importantly, employers should comply with their internal complaint procedures. The formal complaint procedure of the Office of the Privacy Commissioner for Personal Data (the PCO) should only be invoked in the event that internal discussions with the employer break down. 


Lodging A Complaint To The PCO


Under Section 37 of the Personal Data (Privacy) Ordinance (Cap 486) (PDPO), an individual (eg an employee) or a relevant person on behalf of an individual may lodge a complaint to the PCO. For the purposes of PDPO a relevant person has different meanings depending on the context. Where the employee complainant is a minor, a relevant person would be his or her parent or guardian; where an individual cannot manage his or her own affairs, a relevant person would be the person appointed by a court to manage those affairs. A relevant person may also be authorised by an individual complainant in writing to make the complaint on his or her behalf. 


The PCO has issued a Complaint Handling Policy (the Policy) that aims to assist in implementing a consistent, impartial and efficient approach in its handling of complaints under PDPO, s 37. Statements that are extracted from the Policy (available from the PCO website) are presented in block quote style in this Practice Note. 


The Policy has three primary purposes:

 

  • to enable a complainant to understand what specific criteria have to be met in making a complaint under section 37 of the PDPO; 
  • to bring awareness of the relevant parties to a complaint the standard policy of the PCO in handling a complaint, to enable them to have a basic understanding and realistic expectation of how their case is to be handled; and 
  • in the event of a subsequent appeal to the Administrative Appeals Board, to enable the Board to give regard to such policy in accordance with section 21(2) of the Administrative Appeals Board Ordinance.
 

Complaints made under PDPO, s 37 must satisfy three requirements:

 

  • it is in respect of an act or practice of a data user specified in the complaint, which relates to personal data; 
  • the complaint is brought by the individual who is the subject of the data, or by someone else in the capacity of a relevant person of such individual, as defined in the Ordinance; and 
  • the act or practice may be a contravention of a requirement under the Ordinance.
 

A complaint must be written in Chinese or English specifying details of the complaint. Providing the full name and accurate contact details of the complainant and the person being complained about are compulsory since the PCO may refuse to carry out or continue an investigation if the identity of the complainant cannot be traced or identified (PDPO, s 39(1)). Proof of identity will be necessary and is satisfied by producing an identification document as a complainant or producing an identification document and a written authorisation as a relevant person. Sufficient information relevant to the complaint should be supplied to the PCO to substantiate allegations against the employer. For example, the mere fact that an employer has personal data about an employee is not sufficient to demonstrate that personal data has been handled in breach of PDPO.

 

Alternatively, a complaint may be filed by completing a specified complaint form (OPS 001, available from the PCO website) issued by the PCO. The PCO provides appropriate assistance in strict confidence to complainants who need help with completing the form.


Investigations By The PCO


The PCO encourages parties to attempt mediation wherever possible. Upon receipt of a complaint, the Privacy Commissioner for Personal Data (the Commissioner) will determine whether a prima facie case exists after communicating with the complainant and the individual being complained of. The Commissioner may exercise general powers of enquiry to assess whether the case can be resolved without formal investigation. Such powers of enquiry allow the Commissioner to request any information or documents as he or she thinks fit, to summon and examine any person he or she deems relevant and to conduct a hearing. 


If a prima facie case is established, the Commissioner shall attempt mediation to resolve the dispute. The Commissioner may carry out a formal investigation if the parties cannot come to a settlement through mediation. Alternatively, the Commissioner may proceed directly to a formal investigation if the matter at issue is serious in nature. 


Discretion Of The Commissioner


In limited situations the Commissioner may decide to terminate or refuse to carry out an investigation as stipulated in PDPO, s 39(1) and (2). The Policy sets out helpful guidance for the Commissioner to invoke the grounds of refusal:

 

  • the act or practice specified in a complaint may be considered to be trivial, if the damage (if any) or inconvenience caused to the complainant by such act or practice is seen to be small; 
  • the complaint may be considered to be vexatious, if the complainant has habitually and persistently made to the PCO other complaints against the same or different parties unless there is seen to be reasonable grounds for making all or most of the complaints; 
  • the complaint may be considered not to be made in good faith, if the complaint is seen to be motivated by personal feud or other factors not related to concern for one’s privacy, or the complainant furnishes misleading or false information; 
  • the primary subject matter of the complaint is considered not to be related to personal data privacy, e.g. the complaint stems from consumer, employment or contractual disputes.
 

In addition, an investigation or further investigation may be considered unnecessary if:

 

  • after preliminary enquiry by the PCO, there is no prima facie case of any contravention of the requirements under the Ordinance; 
  • the data protection principles are seen not to be engaged at all, in that there has been no collection of personal data;
  • the complainant and party complained against are able or should be able to resolve the dispute between them without intervention by the PCO;
  • given the conciliation by the PCO, remedial action taken by the party complained against or other practical circumstances, the investigation or further investigation of the case cannot reasonably be expected to bring about a more satisfactory result; 
  • the complaint in question or a directly related dispute is currently or soon to be under investigation by another regulatory or law enforcing body; or 
  • the ulterior motive of the complaint in question is not concerned with privacy and data protection.
 

Decisions to refuse to carry out or to terminate an investigation must be communicated to the employee within 45 days after receipt of the complaint. Essentially the 45-day time limit will start running once the PCO is satisfied that the complainant has fulfilled the three requirements under PDPO, s 37.


Issuing An Enforcement Notice


Once an investigation reveals that the employer has acted in breach of PDPO, an enforcement notice may be served on the employer. The enforcement notice would require the employer to take necessary steps to rectify the breach or other measures to prevent recurrence of the breach. Breach of this enforcement notice may result in a fine or imprisonment. 


Remedies For The Employee


If the PCO finds an employer in contravention of PDPO, the employer may face criminal sanctions in certain circumstances such as non-compliance with an enforcement notice and using personal data for marketing purposes without obtaining consent. Damages suffered by an employee as a result of the employer’s breach may be recoverable through legal proceedings.


Appeal Against The Commissioner’s Decision


An appeal may be lodged with the Administrative Appeals Board in respect of the Commissioner’s refusal to carry out an investigation or decision to serve an enforcement notice. Pursuant to Section 9 of the Administrative Appeals Board Ordinance (Cap 442), the appellant is required to lodge a notice of appeal within 28 days from receipt of the Commissioner’s notice to terminate or refusal to carry out an investigation. If the Commissioner has served an enforcement notice the employer may appeal no later than 14 days after the notice is served in accordance with PDPO, s 50(7).

 

This article was supplied by Lexis Practical Guidance.

 

PG Logo_with white background-01

 

For more information on Lexis Practical Guidance, please click here.

Comments are closed.