Privacy watchdog says exposure of personal data, information on dismissal is a breach of data protection rules
A security service company has received an enforcement notice from Hong Kong's privacy watchdog after an employee's termination letter was sent to a group chat, exposing her personal data and information relating to her dismissal to colleagues.
Hong Kong's Privacy Commissioner for Personal Data (PCPD) found that the incident was a breach of the Data Protection Principle (DPP), which states that personal data should only be used for which it is collected.
The incident involved an employee of the security service company who was assigned to work at a leisure facility, according to the PCPD.
But when the complainant's supervisor issued a notice of termination of employment, the notice was sent to an instant messaging chat group that was set up for work purposes.
The act resulted in the disclosure of the employee's personal data, including her name, HKID card number, as well as information related to her dismissal, to other colleagues.
The company argued that the letter was sent to the chat group to let other employees know that the dismissed employee was no longer allowed to enter staff-only areas or to have access to internal information of the company.
A data protection breach
But the PCPD said disclosing the employee's HKID card number and dismissal information to other members of the group was beyond the original purpose of use of the data.
"The supervisor acted hastily and without due consideration, and failed to redact personal data that should not have been disclosed to third parties," the PCPD said in a statement.
And given that the dismissed employee did not give consent to her information being disclosed, the company breached one of the requirements of the DPP.
The PCPD served an Enforcement Notice on the company, instructing it to delete the relevant notice from the chat group as well as any other copies of the notice.
It was also ordered to formulate a policy for handling personal data related to employment contracts and incorporate the same into staff training.
Data protection breaches in Hong Kong
The incident joins the growing list of data protection violations that the PCPD has investigated.
In 2025, the office received a total of 4,228 complaints and handled 17,691 public enquiries. Public enquiries received included:
- Collection and use of personal data (28%)
- Complaint handling policy of the PCPD (15%)
- Access to and correction of personal data (6%)
- Installation and use of CCTV (5%)
The PCPD also addressed enquiries on the handling of personal data in employment cases (5%).
Privacy Commissioner Ada Chung Lai-ling said employers should have clear policies to protect employees' personal data to prevent security lapses.
"Employers should regard the protection of employees' personal data privacy as an integral part of the organisations' data governance," the commissioner said in a statement.
"This demonstrates the organisations' commitment to safeguarding employees' personal data and ensures compliance with the requirements of the PDPO, thereby creating a win-win situation for both employers and employees."
The PCPD outlined five recommendations for employers to safeguard employees' personal data privacy and data security:
- Introduce a Personal Data Privacy Management System
- Develop robust workflows and procedures
- Implement ongoing monitoring mechanisms to ensure consistent enforcement of personal data security policies
- Provide targeted training to employees, particularly the employees responsible for handling sensitive data
- Actively engage with employees and work with them to examine the workflow involving the handling of personal data
