While employee background checks are generally allowed in Hong Kong, employers should be aware of the risks related to discrimination and data privacy legislation. Regardless of whether an employer is conducting its own background checks or hiring a third party to do the task, or if the background check is completed before or after an offer of employment has been made, the check should not be conducted in a manner amounting to unlawful discrimination. Information collected and processed must also comply with requirements as set out in the Personal Data (Privacy) Ordinance (the PDPO).
Discrimination
Hong Kong protects several personal attributes from discrimination through the Sex Discrimination Ordinance, Disability Discrimination Ordinance, Family Status Discrimination Ordinance, and Race Discrimination Ordinance. These Ordinances prohibit discrimination on the grounds of sex, pregnancy, breastfeeding, disability, family and marital status, and race. They also prohibit certain forms of harassment and vilification. The Employment Ordinance protects against discrimination on the basis of union membership. Information obtained from background checks on applicants should not be used in a discriminatory manner in an employer’s decision making process.
Data privacy
Personal data is defined as any data that relates directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained and is in a form in which access to or processing of the data is practicable. Examples include names, date of birth, addresses, passport/ID number, employment records, and mobile phone numbers.
The Six Data Protection Principles
Collection of information for background checks should comply with the six Data Protection Principles as set out in the PDPO. Broadly speaking, the principles relate to:
DDP 1: Purpose and manner of collection
Data must be collected in a fair, reasonable, and lawful means. Only data necessary for the purposes of assessing an applicant’s suitability should be collected.
DPP 2: Accuracy and duration of retention
Data collected should be, as far as practicably possible, ensured to be accurate for the purpose of collection and retained only for as long as necessary to fulfil the purpose of recruitment.
DPP 3: Use of personal data
Data collected should only be used for the legitimate purpose of assessing an applicant’s suitability. Where a new purpose for the use of the data arises, employers should seek consent from the applicant.
DPP 4: Security over personal data
Data collected should be protected against unauthorised or accidental access, processing, erasure, loss, or use – particularly in instances where a third party is engaged to conduct the background search.
DPP 5: Availability of information
Data policies should be made available by employers.
DPP 6: Data access and correction
Applicants should be able to access their data and correct it upon review if it is inaccurate.
Personal Information Collection Statement
Prior to the collection of any personal data, an employer should provide an applicant with a Personal Information Collection Statement (PICS). The PICS should include, inter alia, information on the purpose of collecting the relevant data, the length of retention, whether the provision of the requested data is voluntary or obligatory, and the classes of persons who may receive the data. Employers should ensure that the purpose of collection stated in the Statement is not too broad in scope.
Social media or internet searches on the applicant
Although background checks by way of social media or internet searches are legally permissible, given that information on public domains are typically not made publicly available by individuals for the purpose of background checks, it would be prudent of employers to inform the applicant and/or seek his/her consent before collecting such data, and the data collected should be processed/stored in accordance with the PDPO. Employers should also be cautious against unlawful discrimination arising from information gathered from social media or internet searches.
Medical or health checks
Information collected about an applicant’s health should only be collected where (1) the data relates directly to the job’s inherent requirements, (2) where the employment is conditional upon the fulfilment of the medical examination, and (3) the means of data collection are fair in relation to the purpose. Any information arising from the health check must not be used in a discriminatory manner.
Reference letters
An employer may obtain references from a potential candidate’s current or former employers in the recruitment process to assess the candidate’s suitability, but the employer should seek prior consent from the candidate before approaching the persons designated by him/her for a reference. As a practical tip, when establishing contact with the candidate’s current or former employers, the employers may inform the contact that consent has been given by the candidate.
Criminal background checks
Can an applicant be compelled to disclose any criminal history? With the exception of employers in industries with frequent contact with children or mentally incapacitated persons, an applicant cannot be compelled to disclose convictions. This may pose a problem for employers as such information is not readily available from the police or the judicial system in Hong Kong. The Hong Kong Police Force normally does not issue any Certificates of No Criminal Conviction for the purpose of employment background check.
Where applicants choose to comply with a disclosure request, the Rehabilitation of Offenders Ordinance enables them to treat certain convictions as ‘spent’, subject to certain exceptions. Convictions are deemed to be spent where:
-
The conviction did not result in a sentence of imprisonment exceeding three months or a fine exceeding HK$10,000; and
-
The individual has not previously been convicted in Hong Kong of any offence; and
-
Three years has lapsed without another conviction for an offence in Hong Kong.
The spent conviction and its non-disclosure cannot be used by the employer as grounds for dismissal, exclusion from employment, or prejudice.
Sexual conviction record check
Where the relevant field of work involves frequent contact with children or mentally incapacitated persons, employers may require applicants to undergo a Sexual Conviction Record Check (SCRC) through the Hong Kong Police Force. Employers will be able to verify whether the applicant has criminal conviction records against a specified list of sexual offences (e.g., rape, indecent assault, or offences relating to child pornography). An employer who demands an applicant to apply for the SCRC in the absence of frequent work relating to children or mentally incapacitated persons, may be liable for breach of the PDPO. Furthermore, the records obtained by the employer – whether the results involve a conviction record or not – must not be used for any purpose outside of the recruitment process, or transferred to classes of persons not set out in the relevant PICS.
Unlawfully conducted background checks
Breaches of Data Protection Principles under the PDPO are not immediately subject to punishment. The Privacy Commissioner for Personal Data may issue an enforcement notice upon completion of its investigation, to require the employer to take steps to remedy the relevant breach. An employer who contravenes the enforcement notice commits an offence. On first conviction, the employer will be liable to a maximum fine of HK$50,000 (with a HK$1,000 daily penalty for a continuing offence) and 2 years of imprisonment. Subsequent convictions face a maximum penalty of HK$100,000 (with HK$2,000 daily penalty for a continuing offence) and 2 years of imprisonment. An employer may have a defence where it can show that it exercised all due diligence to comply with the enforcement notice.
Discriminatory breaches
The Equal Opportunities Commission may conduct a formal investigation into complaints made by an applicant on discriminatory grounds. The Commission may serve an enforcement notice on the employer requiring changes to be made to its practice. Further legal action may be taken by the Commission where the enforcement notice is not complied with.
In conclusion, every hire offers a new opportunity for the organisation while presenting a potential business risk. Conducting a thorough background check to obtain the correct information about a candidate before hiring, ensures the organisation chooses suitable candidates and safeguards its reputation.
[中文版本]
背景審查 – 僱主應知事項
撰文:巫振凌,合伙人,摩根路易斯律師事務所香港辦公室
一般來說,香港容許對僱員進行背景審查,但僱主應注意有關歧視和資料私隱的法律風險。僱主可能指派公司內部人員進行背景審查或聘用第三方查核資料,而背景審查可能在聘用前或後完成。不論怎樣,審查的工作都不應違反歧視,而資料的收集和處理方式亦須符合《個人資料(私隱)條例》《私隱條例》的規定。
歧視問題
香港通過《性別歧視條例》、《殘疾歧視條例》、《家庭崗位歧視條例》和《種族歧視條例》保障多項個人屬性不受歧視。這些條例禁止基於性別、懷孕、餵哺母乳、殘疾、家庭和婚姻狀況以及種族而產生的歧視,亦禁止某些形式的騷擾和誹謗。此外,《僱傭條例》保障職工會會員不受歧視。資料使用者應在不存歧視的情況下使用背景審查的資料,以免影響僱主的聘用決定。
資料私隱
個人資料的定義是指直接或間接與一名在世人士有關,以及直接或間接可確定其個人身份的資料,這些資料亦必須可供查閲及處理,如姓名、出生日期、地址、護照或身份證號碼、受聘記錄和手機號碼。
六項保障資料原則
背景審查所收集的資料應符合《私隱條例》所訂明的「六項保障資料原則」。廣義上,這些原則涉及:
原則1: 收集目的及方式
收集方法應公平、合理和合法,僱主應只收集用來評估應徵者合適度的資料。
原則2 :準確性及保留期限
採取所有切實可行的步驟和方法,確保所得的資料準確無誤,並達致原來目的之需要,而保留時間不應超過聘用目的之實際需要。
原則3: 個人資料的使用
僱主應只將收集的資料合理合法地用來評估應徵者的合適度,若將原先收集的資料擬用於「新目的」,則應先向當事人取得同意。
原則4 :個人資料的保安
個人資料應獲得保障,確保不會未經授權或意外地被查閲、處理、刪除、喪失或使用。當授權第三方收集個人資料時,保安問題更顯重要。
原則5 :收集資料途徑
僱主應訂明相關的資料收集政策。
原則6 :查閲及改正
應徵者應可查閲自己的個人資料,並有權更改錯誤的部份。
收集個人資料聲明
收集任何個人資料之前,僱主應向應徵者提供「收集個人資料聲明」。該聲明應包括有關收集相關資料的目的、保留時間、提供所需資料屬自願或強制性,以及可能接收資料的人員類別。僱主應確保聲明中所述的收集目的不會涉及太廣泛的範圍。
社交媒體或互聯網搜尋資料
雖然,法律容許透過社交媒體或互聯網搜尋個別人士的背景資料,但一般人在公眾領域發放的資料均不會作為背景審查的用途。為審慎起見,僱主應在收集該等資料前取得應徵者的同意,而所收集的資料應根據《私隱條例》所訂明的原則處理和儲存。僱主亦應提高警覺,小心辨識從社交媒體或互聯網所搜尋的資料是否帶有歧視成份。
醫療或健康檢查
僱主只可在以下情況收集有關應徵者健康狀況的資料:(1) 該等資料與工作本身的要求存在直接關係、(2) 通過體檢為聘用條件之一,以及 (3) 收集資料的方法和目的應是公平的。僱主不應對健康檢查所得的任何資料存有歧視或偏見。
推薦信
在招聘過程中,僱主可向候選應徵者的現任或前任僱主索取推薦信,以評估該應徵者的合適度,但僱主應事先取得應徵者的同意才與指定的推薦人聯絡。建議僱主與應徵者的現任或前任僱主聯絡時,可以知會對方已獲得應徵者的同意。
犯罪背景審查
僱主是否可以迫使應徵者披露任何犯罪記錄?除非應徵者經常與兒童或精神上無行為能力的人接觸,否則,僱主不能迫使應徵者披露其定罪記錄。事實上,僱主要進行犯罪背景審查亦困難重重,因為香港警方或司法系統不會隨意提供這些資料。香港警務處一般不會發出任何「無犯罪記錄證明書」作為招聘所需的背景審查。
若應徵者接受披露犯罪記錄的要求,《罪犯自新條例》可讓他們將某些定罪視為「已失時效」(除某些情況例外)。可被視為「已失時效」的定罪包括:
僱主不能以「已失時效」的定罪和「免予披露」作為解僱、不獲聘用或產生偏見的理由。
性犯罪記錄審查
若相關工作領域涉及經常接觸兒童或精神上無行為能力的人,僱主可要求應徵者透過香港警務處進行「性罪行定罪紀錄查核」。僱主可根據警務處的「性罪行定罪紀錄查核」機制所涵蓋指明列表中的性罪行(如強姦、猥褻或與兒童色情相關的罪行),查核應徵者的性罪行刑事定罪記錄。
若應徵者不需要經常與兒童或精神上無行為能力的人接觸而被僱主要求申請 「性罪行定罪紀錄查核」,則該僱主可能違反《私隱條例》。此外,無論僱主所取得的記錄是否屬於定罪個案,也不得用作招聘以外的目的,或轉發給未列於「收集個人資料聲明」 中的人員類別。
違法進行背景審查
違反《私隱條例》所訂明的「保障資料原則」不會立即受到懲處。「個人資料私隱專員公署」或會在調查完成後發出強制執行通知,要求僱主採取措施糾正相關違規行為。僱主違反執行通知即屬犯罪。首次定罪,僱主最高可被判罰款港幣 50,000 元(持續違規每日罰款港幣 1,000 元)及監禁兩年。其後再次定罪,最高可被判罰款港幣 100,000 元(持續違規每日罰款港幣 2,000 元)及監禁兩年。僱主可以提出抗辯,證明已盡一切努力遵守執行通知。
違反歧視
若應徵者以歧視為由向「平等機會委員會」(平機會)作出投訴,「平機會」或會就該等投訴展開正式調查,亦可能會向僱主發出強制執行通知,要求修正其做法。若僱主不遵守執行通知,「平機會」可能會採取進一步法律行動。
總括來說,每次招聘都會為機構帶來新機會,但同時也會帶來潛在的業務風險。在聘用之前進行徹底的背景審查以取得有關應徵者的正確資料,可以確保機構能夠挑選出合適的人選並維護公司的聲譽。
