How to handle employees’ personal data

Author: PM editorial | Date: 30 Nov 2016

Be aware of what counts as ‘necessary’ information and the requirements around collection, usage and storage

From emergency contact details to information on pay and performance, organisations are legally allowed to hold large amounts of personal information about their workforce – but with that responsibility comes a huge dollop of risk.
So what are the requirements around the collection, usage and storage of this data, and what should you be mindful of?
Hong Kong, Singapore, Malaysia and Taiwan all have comprehensive policy laws, but each deals with employee data in different ways, says Anne-Marie Allgrove, who heads Baker & McKenzie’s global IT and communications practice. In most cases, however, “the requirements in each jurisdiction reflect the core principles of privacy law: proportionality, accountability and transparency.”
Bryony Binns, employment partner at Baker & McKenzie, recommends you “only collect information that is truly necessary for the job in question.” What is ‘necessary’ may extend to the collection of information through the monitoring of IT systems, and therefore it’s important to communicate to employees that what they are creating on employer systems is not private to them, she says.
Organisations should have an email policy that clearly states if work email is being monitored, says Gabriela Kennedy, partner at Mayer Brown JSM. It’s generally recommended to segregate personal from work email, and employers should not access personal email unless under the compulsion of law.
In all cases, staff should be notified about what data will be collected and what it will be used for. It cannot be used in an unlawful way, or for a commercial purpose that is not related to the employment relationship. “You can only use employees’ personal data for the purpose you have collected it,” adds Kennedy. “If you change the purpose, you would have to notify them.”
For companies that operate across several jurisdictions in Asia, be aware that there may be restrictions on creating information storage in one jurisdiction for the whole region. “In order to disclose personal information to a third party offshore and have them store that information, some jurisdictions require consent, some only notice,” says Allgrove, although there are some exceptions.
“Most privacy laws will also require organisations to have taken reasonable steps to ensure the adequate security of the data they hold,” she says. Arguably, using an experienced and reputable third party service provider could reduce your susceptibility to cyber risk, as they are likely to have robust security systems in place. “If you are doing it yourself, you need to bring that same rigour to it, to check that you’ve got appropriate firewalls and other protections from a technological point of view to minimise the chances of any unauthorised access,” adds Allgrove.
When it comes to requests from employees to access the data held about them, “it’s important for HR professionals to understand that access principles don’t necessarily extend to entire files, but to particular discreet types of information that they may be allowed access to, but in a redacted form, for example,” says Binns. “In light of this, it is important that practitioners are careful about the types of records they keep together, understanding that access may need to be granted at some point in time. For example, they should not keep consolidated information that relates to more than one person together.”