The Privacy Commissioner for Personal Data recently found that collection of employees’ fingerprint data by their employer for the purpose of monitoring attendance was unnecessary and excessive, and therefore contravened Data Protection Principle.
The Privacy Commissioner gave the following reasons:
• Undue influence might be exerted upon the data subjects i.e. the employees, in an employment relationship where there is a disparity in bargaining power.
• The employer did not provide the employees with a free choice whether to give their fingerprint data to the company.
• The employer did not notify the employees of the purpose of collection and the availability of alternatives. As a result, the employees were not able to make an informed choice as to whether to provide their fingerprint data to the company. Employers are recommended to collect employees’ personal data in the least intrusive way.
Employer Found Liable for Employees’ Breach of PDPO
A management company was held accountable under the Personal Data (Privacy) Ordinance (“PDPO”) for the act of its employees in the course of their employment. The employees concerned made fun of the name and other personal data of an owner of an estate in an on-line chat room. It found that the management company was liable for its employees’ act and therefore the employer had also contravened DPP3. The management company appealed to the Administrative Appeals Board (“AAB”) and argued that it should not be responsible for the employees’ act, which was not done “in the course of employment”. Counsel for the management company argued that the employees’ act did not have any close connection with the company because:
(i) The company had no knowledge of and did not consent to the act or practice of leaving messages on the chat room of the website;
(ii) Such act, even if known, was not permitted by the company;
(iii) the act or practice was not done for the benefit of the company.
Paul Arkwright
Publisher
