Employment lawyer offers tip for compliance in age of remote work
The rise of remote and hybrid work has raised new concerns about employee privacy.
With work-from-home arrangements being more prevalent, the right to a reasonable expectation of privacy is “more nuanced,” according to Felda Yeung, partner at Gall.
“There’s less of a delineation between working hours and personal time.”
While Hong Kong law doesn't prohibit employee monitoring, Yeung emphasizes that any data collection through such practices must adhere strictly to privacy regulations.
“Monitoring can present a range of legal challenges, including invasion of privacy, misuse of personal data, and potential discrimination or biased decisions,” she says.
Software malfunctions can also result in misleading data collection, which adds further complications.
As privacy laws evolve, employers must keep up with regulatory requirements like the Personal Data (Privacy) Ordinance (PDPO) and international frameworks such as the General Data Protection Regulation (GDPR).
“The Privacy Commissioner regularly issues guidelines on employee monitoring practices,” says Yeung. “Employers should continually check for updates and review their internal policies to ensure compliance.”
Regular reviews are crucial to avoid potential privacy breaches or disputes, especially as privacy regulations adapt to new technology.
Yeung highlights several common employee monitoring methods, including “reporting the time spent on web browsing activities, collecting telephone records, monitoring the contents of emails, and logging websites visited by employees.”
However, she warns that employers must carefully assess whether these practices are appropriate and legal.
“For instance, when monitoring employees' emails, companies need to consider whether they are only monitoring work-related emails or if personal communications are being accessed. Blocking personal email access on work devices is one way to avoid privacy violations.”
To minimize disputes and maintain legal compliance, Yeung recommends a structured approach, centered around the "3 A's": assessment, alternatives, and accountability, as noted in the Privacy Commissioner’s Guidelines:
Assessment: Employers should first assess the risk the monitoring seeks to manage and the benefit it brings to the business. “You need to assess how necessary the monitoring is for the company’s operations and if the monitoring is proportionate to the business need it addresses,” Yeung advises.
Alternatives: Consider whether there are any less intrusive alternatives that could achieve the same result. “Employers should ask themselves if there’s a less invasive way to monitor employee performance or behavior while still being cost-effective and practical,” she says.
Accountability: Employers need to maintain accountability in how they handle personal data obtained through monitoring. “This means implementing best practices for managing the data responsibly, ensuring that the collection, storage, and use of personal data align with privacy laws,” Yeung adds.
Beyond assessing the appropriateness of monitoring, Yeung also emphasizes the "3 C's": clarity, communication, and control, as essential pillars of a transparent and respectful monitoring process. These principles are also stated in the Privacy Commissioner's Guidelines:
Clarity: Employers need to clearly develop and implement monitoring policies that specify the purpose of monitoring, when it will occur, and how the data will be used. “Employees should know exactly why they are being monitored and the scope of the monitoring activities,” Yeung advises.
Communication: Employers must also communicate the nature of the monitoring to employees beforehand. “Informing employees of the reasons for monitoring and how it will impact them before starting the monitoring is key to ensuring transparency and reducing resistance,” she explains.
Control: Employers must control the data collected by ensuring it is securely stored, processed, and handled appropriately. “Proper control over monitoring records and personal data is crucial to avoid any potential breaches or misuse of information,” says Yeung.
Disputes can arise when personal data is stored on company devices.
“I’ve acted in cases where employees saved personal information, such as family photos or banking documents, on work laptops. When employment ends, the employee often wants this data back, but it’s difficult since the device belongs to the company,” she says.
In some cases, employees delete personal files before returning the company device, which can lead to investigations.
“Companies often check to ensure no business information has been deleted, which can cause friction,” she says.
These situations are especially difficult when trust between employer and employee has already eroded. To avoid such disputes, Yeung recommends keeping personal and work devices separate: “No one wants to carry two laptops, but it’s the best practice to prevent complications.”
Yeung notes that AI-driven monitoring technologies are becoming more common but bring new privacy challenges.
“AI is a very hot topic right now, but there’s currently no overarching legislation in Hong Kong regulating its use in monitoring.”
She advises that the Privacy Commissioner has issued a model personal data protection framework, offering guidelines on the ethical use of AI.
However, companies can still take internal actions while awaiting formalized regulatory changes. “Employers should develop clear policies on AI usage and provide training to staff to prevent breaches of privacy laws,” she suggests.
Transparency is essential in building trust between employers and employees when monitoring is involved. Yeung emphasizes the importance of communication: “If there’s a consultative approach where employers explain the reasons for monitoring and give employees an opportunity to raise concerns, it helps build trust.”
Clear communication and a consultative process are key to fostering a culture where employees feel informed and respected, she says. When monitoring practices are handled with care, employees are more likely to accept them, knowing their privacy rights are protected and their concerns acknowledged.
“Employees are more likely to accept monitoring when they understand why it’s necessary and feel that their concerns are taken seriously,” Yeung says.
Ultimately, by staying compliant with privacy regulations, regularly updating monitoring policies, and maintaining open dialogue, companies can create a balanced approach that strengthens both business goals and protects employees’ rights.