Lexis insights

Legal news, views and insight from LexisNexis Hong Kong

27 April 2020 | by LexisNexis Hong Kong


As the current COVID – 19 outbreak creates public health and safety concerns, employers are now seeking permissions to collect health data about their employees for monitoring and preventing the spread of the coronavirus in the working environment and the wider community.

The Privacy Commissioner for Personal Data (“PCPD”) states that it is legitimate for employers to gather and process employees’ personal data in aid of controlling the spread of the virus.  During this pandemic, such practices should be specifically connected to and used for the purposes of protecting public health and should be restricted in both duration and scope as needed in this particular circumstance. The extra data gathered must still comply to the usual principles such as minimisation, purpose specification and use limitation. Such personal information obtained must be necessary, appropriate and proportionate for achieving its purposes.

Further, employers and employees are working from home and conducting webinar business meetings as this would avoid and reduce social contacts. However, the new adjustment would open to greater risks for mistakes such as theft or loss of portable devices, more strain on information technology staff, and a greater chance for cyber criminals to benefit by camouflaging password-stealing messages or malware as health alerts. Therefore, both employers and employees should be cautious during this pandemic.

Key Considerations

Can an employer collect temperature measurements or other health data from his employees?

Yes. Employers have legal and corporate duties to safeguard the health and safety of their employees and visitors. In the event of COVID – 19, it is generally justifiable for employers to collect temperature measurements or other personal health data of its employees and visitors only for the purposes of protecting their health and safety.

What kind of personal data may employers collect, and how can this be done properly?

Employers must comply with the general rule of “necessary, appropriate and proportionate” in taking measures to collect personal data. In doing so, it is preferable to use least privacy intrusive measures. Further, employers should seek to process the relevant personal data namelessly.

Personal health data is collected indiscriminately by using a self-reporting system. A Personal Information Collection Statement (PICS) is required if collecting such personal data is not covered by existing privacy notices. PICS must be issued when or before collecting personal data. It must notify and make clear to their employees on how the data collected, the purposes of collecting such data and the classes of persons to whom their personal data may be distributed to. In addition, it is recommended to state the duration of retaining the data by the employer.

How about travel history? Can employers ask for travel data of their employees?

The Personal Data (Privacy) Ordinance (“PDPO”) does not prohibit any organisation from collecting one’s travel data. It is justifiable for employers to request for employees’ travel data (for those who have returned from overseas, especially from areas of high risk) to provide a safe working environment in the circumstances of COVID-19 pandemic. Similarly, minimal travel data should be collected for its specific purpose. A self-reporting system is more favourable than an across-the-board mandatory system.

Can the personal data collected be disclosed to other parties, or used for other purposes?

Personal health data collected by employers must not be used or disclosed for other unrelated purposes except if the individuals concerned have given express and voluntary consents or the exemptions under the PDPO apply.

It will not be considered as violating the Data Protection Principle 3 under the PDPO for employers to disclose the identity, health and location data of individuals to the government or health authorities if the only purpose was to track down and treat the infected individual, and trace their close contacts when emergency needs arise.

The employer may inform other employees, visitors and others concerned that an employee has been infected with COVID – 19 without the need to disclose his or her personal identifiable information (name, or other personal particulars). It is generally enough for the employer to issue a notice only stating that it has staff infected.

How long can the personal data collected be retained?

Employers are required to permanently destroy the personal information collected once the objective of collecting such personal data is met. This happens in situations where there is no evidence indicating that any of their employees have infected the coronavirus or have close contacts with others who have caught COVID – 19 after a reasonable period of time.

What kind of data security issues relating to employees’ medical or health data should an employer be mindful of?

All practicable measures (i.e. storing the data in a locked cabinet, encrypting the data and only allowing authorised personnel to have access to the personal data) must be followed by an employer to protect against unauthorized or accidental access, processing, erasure, loss or use of such data. It is crucial to protect employees’ medical and/or health data as it is one’s sensitive information and a breach of safeguarding this information will result in substantial harm to those concerned.

More of employees are working from home during the pandemic.  What kind of security measures should employers have in place for homeworking?

Employers and employees should be careful of transferring and using work documents and data while working from home rather than at a professionally managed work environment. Cyber criminals may benefit in these situations by causing cyberattacks like disguising password-stealing messages and malware as health alerts to intrude on organisations and obtaining confidential data or information through breaching the security of one’s internet connection.

For more practical steps and/or advices on transferring data/information and preventing data leakages regarding internet connection security, please see Media Statement issued by the PCPD.

Kindly refer to another Lexis Insight post regarding the use of information on social media for tracking potential carriers of COVID – 19 here.

The Lexis Insights articles are provided for reference purposes only and are not intended, nor should they be used, as a substitute for professional advice or judgment or to provide legal advice with respect to specific circumstances. If you require any legal advice or other expert assistance, please consult a competent professional adviser.

For enquiries about the following publications, please contact your Account Manager via sales.hk@lexisnexis.com

Upcoming Data Protection
CPD course

We are delighted to have Mr. Dominic Wai, Partner and Mr. Joshua Chu, Consultant from ONC Lawyers to be the speakers for this conference.


Contact Us