Jurisdiction - Hong Kong
Hong Kong – Monitoring Employees’ Social Media Postings.

6 February, 2013


Legal News & Analysis – Asia Pacific – Hong Kong – TMT


Use of social media for business purposes is becoming more prevalent nowadays. Social media sites therefore often present themselves as a convenient medium for an employer to explore its employees’ work ethics. Further, an employer may have an interest in knowing what its employees are posting on social media sites as it might potentially be vicariously liable for its employees’ postings there although at present, there has not been case law in Hong Kong that addresses the extent to which an employer may be held vicariously liable for its employees’ social media postings.

The good news for employers in Hong Kong is that there is no general prohibition against an employer monitoring its employees’ social media sites in Hong Kong as long as the employee monitoring measures comply with the Personal Data (Privacy) Ordinance (the “PD(P)O”). The question is therefore how and to what extent an employer can go about monitoring the social media postings of its employees.


The position under the PD(P)O

The information obtained from an employee’s social media sites would satisfy the definition of personal data under the PD(P)O. When monitoring employees’ social media sites, an employer must comply with the Data Protection Principles (the “DPP”) in the PD(P)O which regulate the purpose and manner of personal data collection. In particular, an employer should:


  • Obtain consent from an employee to use his/her personal data obtained from social media sites throughout the employment;
  • Ensure that the data are collected for a lawful purpose that relates directly to its business and the collection of the data is necessary for and not excessive in relation to that purpose; and
  • Ensure that the means by which it collects the data is lawful and fair in the circumstances of the case.


Evaluating the appropriateness of employee monitoring


The Privacy Commissioner has issued a set of guidelines for employee monitoring and personal data privacy (the “Monitoring Guidelines”) which set out a number of factors that an employer should take into account when assessing the appropriateness of implementing employee monitoring:




When assessing the risks that employee monitoring (including monitoring employees’ social media postings) seeks to manage, the key question an employer should have regard to is whether the undertaking of employee monitoring can be justified as reasonable and fair. This means that an employer should:


  • Justify the existence and extent of the risks and have well founded and legitimate reasons for the monitoring which must be related to and align with its business needs; and
  • Evaluate the likely adverse impact that the monitoring may have on the personal data privacy of its employees.



An employer should also give careful consideration to realistic alternatives to employee monitoring. When considering this issue, an employer may reflect upon questions such as whether the monitoring can be restricted to certain personnel rather than conducted on a universal basis and whether selective or random checking as opposed to continuous monitoring is sufficient for its purpose.




Once an employer has decided that employee monitoring is appropriate, it must be accountable for the proper conduct and operation of its monitoring activities and ensure that the monitoring is carried out by the least intrusive means. For example:


  • The monitoring measures must be necessary to meet the purpose of employee monitoring and are confined to employees’ work.
  • The personal data collected in the course of the monitoring must be kept to the minimum necessary to protect the employer’s interest.


It is important for an employer to be aware that its legal obligation extends to the acts undertaken by those employees/agents charged with the responsibility of handling the personal data collected in the course of conducting employee monitoring.


Obtaining employees’ consent and designing employee monitoring policies


An employer should obtain express consent from its employees to use their personal data obtained from social media sites. This can be done, for example, by incorporating the consent into the employer’s standard data collection statement and/or the employment contract.


Further, an employer should implement clear and comprehensive employee monitoring polices and social media policies that are in compliance with the requirements of the PD(P)O. These policies may help to set guidelines on an employee’s use of social media and also to protect an employer’s interest against potential legal liability as well as harm to its reputation from the use of social media sites.


It would also be good practice for an employer to consult its employees in the process of designing an employee monitoring policy as this may help to prevent any unpleasant surprise to the employees when the policy is put into force. Efforts should also be made to communicate the polices to employees and to inform employees of any revisions to the same.




With the growing popularity of the use of social media for business purposes, the need for employers to control the information placed on these sites by its employees may become more pressing. Employers may address this issue by monitoring their employees’ social media postings provided that the monitoring measures are compliant with the requirements under the PD(P)O and by implementing suitably drafted social media and employee monitoring policies.



For further information, please contact:

Comments are closed.