Annex to Circular No. 00-011 (CR)
Key Features of the Code
RECRUITMENT
- An employer should not solicit personal data from job applicants, e.g. their personal resumes, in a recruitment advertisement that gives only a Post Office Box Number.
- If an employer finds it necessary to conceal its identity in recruitment advertisements, it may provide job applicants, upon request, with application forms that bear the employer's identity. Alternatively, it may use a recruitment agency, which should be identified in the advertisement, to receive the personal data solicited from job applicants.
- Recruitment advertisements that directly ask job applicants to provide their personal data should include a statement, as an integral part of the advertisement, informing applicants about the purposes for which their personal data are to be used and their rights to request access to, and to request the correction of, personal data in relation to their application. Alternatively, a statement to the following effect may be included - "Personal data provided by job applicants will be used strictly in accordance with the employer's personal data policies, a copy of which will be provided immediately upon request." In this case, contact information of the employer should be stated in the advertisement.
- Personal data collected from job applicants should be adequate but not excessive, and they should be relevant to the purpose of identifying suitable candidates for the job.
- An employer should not collect a copy of the identity card of a job applicant during the recruitment process unless and until the individual has accepted an offer of employment.
- Information may be compiled about a job applicant, e.g. by means of security vetting or integrity checking, to supplement other data collected at the time of the original application. Such supplementary information should be collected for the purpose of assessing the suitability of potential candidates for the job, and the data collected should be relevant to the nature of the job.
- Personal data concerning the health condition of a selected candidate may be collected by means of a pre-employment medical examination if the data directly relate to the inherent requirements of the job, and employment is conditional upon the fulfillment of the medical examination. However, such data should only be collected after the employer has made a conditional offer of employment to the selected candidate.
- Personal data of unsuccessful applicants may be retained for a period of up to two years from the date of rejecting applicants and should then be destroyed. The data may be retained for a longer period if there is a subsisting reason that obliges the employer to do so, or applicants have given their consent for the data to be retained beyond two years.
CURRENT EMPLOYMENT
- On appointment, an employer may collect additional personal data from an employee and his family members for the purpose of employment or to fulfil lawful requirements that regulate the affairs of the employer.
- Before personal data are collected from an employee, an employer should provide the employee with a Personal Information Collection Statement ("PICS") pertaining to employment. The PICS should inform the employee about the purposes for which the data are to be used, the classes of persons to whom these date may be transferred and the rights of the employee to request access to, and to request the correction of, the employment-related data.
- Information complied about an employee in the process of disciplinary proceedings, performance appraisal or promotion planning should only be used for purposes directly related to the process concerned. The information should not disclosed to a third party unless that third party has legitimate reasons for gaining access to those data.
- An employer should not disclose employment-related data of employees to a third party without first obtaining the employee' consent unless the disclosure is required by law or by statutory authorities.
- When employment-related data are transferred or disclosed to a third party, an employer should avoid disclosure of data in excess of that necessary for the purpose of use by the third party.
- An employer who engages a third party organisation to handle its employment-related functions should implement appropriate measures to ensure that the third party protects the employment-related data against unauthorised or accidental access or disclosure.
FORMER EMPLOYEES' MATTERS
- Personal data of a former employee may be retained for a period of up to seven years from the date the former employee ceases employment. The data may be retained for a longer period if there is a subsisting reason that obliges the employer to do so, or the data are necessary for the employer to fulfil its contractual or legal obligations.
- An employer should take all practicable steps, at the earliest opportunity upon the departure of an employee, to ensure that only relevant information of the former employee is retained to satisfy its retention requirements.
- In any public announcement notice regarding a former employee having left employment, the employer should take care not to disclose the identity card number of the employee concerned in the notice.
- An employer should not provide a reference concerning a former employee to a third party without first obtaining the employee's consent for this unless the employer is satisfied that the third party requesting the reference has obtained the prior consent of the employee concerned.
|