- Powered by Yip Tse & Tang, Solicitors & Notaries 葉謝鄧律師行

Electronic monitoring and workplace surveillance

As organizations adopt productivity enhancement policies and require employees to account for work in terms of billable hours, management is increasingly employing technology that can monitor and trace employees workplace activities. An example of this technology would be e-mail monitoring software that may record details of outbound and inbound messages sent from, or to, an E-mail account provided by the employer for work-related purposes. While most people would concede that it is an employer's right to be able to monitor, supervise and oversee employee's workplace behaviour, the use of information surveillance technology may potentially be in conflict with the data protection.

The following reading discusses the issue of workplace privacy. The sections entitled ‘Computer Monitoring’, ‘Electronic Mail and Voice’ and ‘Workplace Privacy Protections’ are most relevant to our discussion.

‘Employee Monitoring: Is There Privacy in the Workplace?’

Ensure security of data

Principle 4 of the Ordinance requires websites to adopt security measures to protect the data that they collect and transmit. Organizations should apply a "harm test" to the personal data they collect and transmit on the Internet so as to implement the appropriate level of security measures.

As a general rule, organizations collecting detailed or sensitive personal details (such as resumes from job applicants or credit card/bank account information for service payments) are required to observe a stringent level of security (such as the use of firewalls or encryption). If transfers of sensitive personal data are not encrypted, web sites should alert users to the risks of transmission and offer alternative secure means to the users for supplying the data. Therefore, when processing sensitive information such as the financial data, medical data or person identifiers of an individual, privacy enhancing technologies must be adopted. In addition to following principle 4 of the Ordinance, there are other reasons why organizations should take measures to ensure the security of online data. A leak of a client's personal data caused by the organization's lax security may easily give rise to civil claims for compensation and criminal prosecution.

Principle 4 of the Ordinance also relates to security measure fro storing personal data Allowing uncontrolled access by Internet surfers to personal data held by an organisation could be in contravention of Principle 4. Again, a "harm test" can be applied. In addition, individuals providing personal data concerned should be fully informed at the outset about the sort of access that others may have to information that they provide.

Be open about the use of cookies

A cookie is a small computer file that is sent from a web server to a user's computer for future identification when the computer again visits the same web site. In keeping with Principle 1 of the Ordinance, organizations using cookies should inform visitors of this practice in their Privacy Policy Statements and inform visitors that non-acceptance of cookies may affect the functionality of the organizations’ websites.

Giving special regard to youth and children

Data Protection Principle 1 of the Ordinance provides, among other requirements, that personal data shall be collected by means which are fair in the circumstances of the case. Children and young persons are vulnerable and collecting information including personal data directly from them without appropriate parental control and supervision could be regarded as unfair collection of personal data. However, unlike America, Hong Kong does yet not have a specific legislation controlling the collection and use of personal data supplied by under age young people and children.

However, the PCO is of the view that when collecting information from children, an organization must take Principle 1 of the Ordinance into account and ensure that information is collected in ways that are ‘lawful and fair’. Sites aimed at minors are therefore strongly urged to carefully consider their policies for collecting information from young persons, and to involve parents/guardians in the data collection process.

The following links take you to privacy statements for sites aimed at young children:



Notice how these statements provide guidance notes to parents on how to supervise their children when they surf the Internet.

Post clear privacy policy statements

It is quite common for websites to have long-winded privacy policy statements. There are good reasons why this is the case. In order to demonstrate their awareness of and compliance with the six key principles of the Ordinance, most organizations collecting personal data online, usually prepare and make available an easy-to-find privacy policy statement that describes the organizations data privacy protection measures.

A privacy statement usually informs visitors of the organization's privacy policies and its practices in relation to personal data (for example the kinds of personal data collected and held and the main purposes for which the data are used.) Although organizations are not required to post privacy statements on every page of their website, websites are encouraged The Office of Privacy Commissioner to have them posted in a conspicuous place. The privacy policy statement should be set up as a linked page accessible from the home page and other pages from which personal data are collected. Most privacy policies are usually accessed by a link at the bottom part of each page.

The PCO has prepared a booklet called “Preparing Online Personal Information Collection (PIC) Statements and Privacy Policy Statements (PPS)” to help websites comply with the Privacy Ordinance. This is available at

Prepare personal information collection (“PIC”) statements

Websites usually collect personal data from online users by asking them to complete forms.

Data Protection Principle 1 of the Ordinance requires organizations to clearly state their reasons for collecting personal data and Principle 3 states that this data can only be used for the reasons stated. Using information for any purposes that have not been stated may be in breach of the Ordinance. Therefore, websites should prepare and make available on-line a Personal Information Collection (“PIC”) Statement setting out the purposes for which the data collected are to be used. The Office of Privacy Commissioner suggests that the PIC Statement be laid out on the same web page as any personal data collection forms. However, the PIC could also be on another page, as long as it carries a clearly visible, well-described link to the page from which information is collected.

Direct marketing – the right to opt out

The tremendous growth in the number of people using email, has resulted in the Internet being increasingly used as a marketing tool by corporations. One of the most popular forms of e-commerce is using e-mail as a direct marketing tool.

In the past, merchants relied on direct mailing, faxes and telemarketing to conduct targeted marketing campaigns. While these marketing methods are still widely used, email is increasingly being adopted as a marketing medium because it is cheap, fast and potentially has a very wide reach. Unlike direct mailing which requires costly the production of printed materials and postage charges, a massive email marketing campaign can literally be distributed all over the world without any significant cost. Furthermore, the transmission of marketing materials by email only requires bandwidth, which is not charged according to usage volumes. The Internet therefore provides a new, easy and economical platform for direct marketing. If advertisers can also obtain spending and demographic profiles of consumers via cookie-generated profiles and/or via bought customer email lists, the potential for cheap targeted marketing is enormous.

However, Hong Kong's direct e-marketers need to be aware of data protection obligations when they are collecting, recording and using personal data via email. Hong Kong organizations must observe certain legal restrictions on data collection when compiling advertising profiles and mailing lists, and must observe the data protection principles and provisions of the Hong Kong Data Protection Ordinance when they engage in online direct marketing. Consumers also have the right to opt out of marketing that is directed towards them.


It's very likely that every time you check your email account, you will find some unsolicited ‘junk mail’, or promotional or advertising material that has been sent by a business or organization. Unsolicited electronic mail, also called "spam," is both a nuisance to Internet users and a threat to network security. Spam imposes substantial costs on Internet users and providers (especially in terms of time), and users and Internet providers have undertaken a variety of measures to reduce or stop spamming. Later in this unit (when we look at how website owners should comply with data protection laws), we will see that most attempts by users to control spamming have been counterproductive.
To find out more about spam, you can visit the following site:

Collecting Personal Data From Children

Let's now focus on an issue that is noted in the Yahoo privacy statement, namely the issue relating to children's use of the Internet. In particular, the question of how information is collected from children is worth examining.

Increasingly children are becoming a target for direct marketing over the Internet or television. Please elaborate on/give examples of some specific privacy issues related to kids.

The US is the largest market for electronic commerce and the White House report "A framework for Global Electronic Commerce" (dated 1 July 1997) cites as a particular concern "the use of information gathered from children, who may lack the cognitive ability to recognise and appreciate privacy concerns. Parents should be able to choose whether or not personally identifiable information is collected from or about their children". As a result of a large scale survey of websites, the US Federal Trade Commission in its "Report to Congress on Privacy Online" (dated 4 June 1998) recommended legislation that would place parents in control of the online collection and use of personal data from their children. This legislation requires that when websites collect information from kids they also need to provide notice to the children's parents and obtain parental consent. The aim of the legislation is to ensure that parents know about, and control, the online collection of information from their children.


Clicktrails are information derived from an individual's behaviour, pathway, or choices expressed while visiting a web site. They contain the links that a user has followed and are logged on the web server (the ISP's computer, for those who do not run their web server).

Clicktrails are normally used for troubleshooting and system maintenance purposes. However, clicktrails can also be misused to record profiles of the habits, tastes and online activities of an individual user. Information thereby traced (depending on the type of information) can adversely impinge on a person's privacy by targeting an individual for marketing a product or by fraudulently soliciting business from an individual. Please give some examples of how clicktrails can be used.

For more information about clicktrails, please refer to

Website privacy statements

Trust is an important element of e-commerce.

Businesses and consumers that trade over the Internet do not have the benefit of seeing each other face to face. Nor do they have a history of personal interaction to base their trust on. The Internet is an open network that is easily subject to misuse such as an outsider getting personal information such as credit card data and medical records without authority. To build trust, e-commerce providers must be able to ensure customer privacy and maintain security of websites and email communications. Enterprises taking inadequate privacy and security measures face the risk of litigation, negative publicity, and loss of customer loyalty. Consequently, most reputable e-traders employ security measures and publish an online privacy statement that guarantees commitment to a range of privacy issues.

The best way to get a broad understanding of online privacy issues that relate to corporations and businesses is to actually go online and to look at some commercial privacy policies. The following activity asks you to look at the privacy statements of three websites that receive a lot of traffic in Hong Kong. As you browse their privacy statements, try to assess the key issues that each statement addresses.

Taking steps to protect your own personal data

As we can see, disclosure of personal information online may unwittingly expose individuals to a host of on- and offline dangers. However, we also cannot escape the fact that we need to give information to access online services and that information is stored about us on a daily basis across a range of electronic databases. Most of the services that require us to give personal information should have security measures in place to protect this information (and in a moment we will look at examples of corporate privacy and security statements). We should also be aware of our rights to data privacy and later in the unit we will explore how we can access and enact these rights.

The most fundamental guideline for protecting your own personal data is to only disclose personal information whenever it is absolutely required and where organizations or corporations offer clear guidelines to protect data privacy.

You should be extremely careful not to disclose personal information online in situations where there are no privacy protection guidelines (for example, posting personal information in a chat room or newsgroup). Avoid disclosing your own or others’ personal information such as email addresses, home addresses, job and company details in a public forum. Disclosing this kind of information in a public forum such as a chat room can lead to many of the above abuses of privacy as well as other problems such as solicitation for fraudulent investments, electronic harassment or stalking, and attempts to establish undesired relationships or contacts. Also, take care not to pass on others’ email addresses or details without their permission. Simply forwarding an email with others’ email addresses on it can compromise the data privacy of others and result in privacy intrusions such as unwanted messages or spam.

Regrettably, many Internet users are not sufficiently aware of the dangers associated with disclosing sensitive personal information in the online environment. To assist surfers protect their own privacy, Hong Kong's Privacy Commission Office has published a booklet entitled "Internet Surfing with Privacy in Mind - A Guide for Individual Net Users". This booklet is available from the PCO's website at

Employment records

Nowadays, most organizations and corporations store their human resources records on electronic databases. Although many organizations and institutions (including the Open University of Hong Kong) now adopt measures to safeguard and protect the personal records of employees, the potential still exists for employment record privacy to be violated intentionally and unintentionally. Incorrect data information relating to an employee can have a strong negative impact on someone's career; for example, it could result in a wrong performance appraisal or prevent someone from achieving a promotion.

Health and medical records

Online medical data can also be abused. At the very least, the tampering with or unauthorized publication of someone's medical history can cause embarrassment and or inconvenience to an individual. However, if a person's medical records are changed or used without authorization, a person's health can be compromised if inaccurate medical records result in wrong diagnosis or treatment. The loss or compromise of medical information can be fatal if doctors are denied information about treatment history or are given incorrect or inappropriate data

Financial and credit information

Many people use online banking services. Financial data such as transactional records on deposits and savings are stored online. Unauthorised access and alteration can result in money being taken from accounts. Incorrect credit information can result in bad credit information, harming a person's credit rating and his/her future ability to borrow from financial institutions.