MLS Company Secretary : Handling and processing data by an employer during the Covid-19, in Hong-Kong and Singapore

In fighting against Covid-19, local governmental entities and companies have been collecting personal information to screen and identify patients.

Companies should adopt measures to safeguard personal information, in particular, sensitive personal information, from being divulged, tampered or damaged. Companies may take necessary internal management measures such as access control, encrypted storage, audit and so on. Companies generally should not disclose relevant information on the internet. Where any disclosure within the company is necessary, companies should take measures (such as only disclosing statistic numbers, or adopting de-identification) to avoid causing any significant impact to relevant persons (for example, discrimination).

  1. Collect and process Personal data in the workplace during the outbreak of Covid-19 in Hong Kong

The ongoing outbreak of COVID-19 has created concerns for employers who are asking whether they are permitted to collect health data about their employees to help monitor and prevent the spread of the virus in the workplace and the wider community.
The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner), Mr Stephen Kai-yi WONG said:

“The public health and safety of the community in times of the pandemic remains our primary concern. We should be mindful of the compelling public interests in the current public health emergency when considering compliance with data protection laws, which should not be seen as hindering the measures taken in fighting or combating the pandemic especially when the collection and use of personal data is in the public interest and/or in the interest of public health.”

The Privacy Commissioner also stressed,

“While we acknowledge that there is legitimate basis for employers to collect additional data of their employees to help control the spread of the disease, the collection and processing of employees’ personal data should be specifically related to and used for the purposes in relation to public health and should be limited in both duration and scope as required in the particular situation. Additional data to be collected must still adhere to the usual principles such as minimisation, purpose specification and use limitation. It must be necessary, appropriate and proportionate to the purpose to be achieved.”

Employers must follow the general rule that the measures taken to collect data should be necessary, appropriate and proportionate. They should seek to process the relevant data in an anonymised or de-identified way. Least privacy intrusive measures should be preferred.

Generally speaking, a self-reporting system is preferred to an across-the-board mandatory system where health data is collected indiscriminately. Employers should spell out to their employees how the data collected will be handled. If the collection of such data is not covered by the existing privacy notices, a fresh Personal Information Collection Statement (PICS) must be provided when or before the data collection to inform employees of the data collected and the purposes (e.g. protection of public health), and the classes of persons (e.g. public health authorities) to whom their data may be transferred. It is also a good and ethical practice to inform the employees in the PICS how long the data will be retained by the employer.

If an employee unfortunately contracts COVID-19, the employer may notify other employees, visitors and the property management office etc. without disclosing personally identifiable information of the infected. For example, it is generally sufficient for the employer just to issue a notice with information that it has staff infected. Under most circumstances, disclosure of the name and other personal particulars of an infected employee in the notice will not be considered as necessary or proportionate.
Under the Ordinance, employers may only use or disclose personal data for a purpose consistent with the original collection purpose or a directly related purpose unless the employee provides voluntary and express consent (Data Protection Principle 3, Ordinance).

The Ordinance provides some exceptions allowing for use and disclosure of personal data without employee consent, including, for example, where:

  • Applying the Ordinance would likely cause serious harm to the employee’s or any other individual’s physical or mental health (Section 59, Ordinance).
  • The employer has reasonable grounds to believe that the disclosure is in the public interest (Section 61, Ordinance). However, the Ordinance does not explicitly define the terms “serious harm” and “public interest.” Employers should document their reasons for relying on these consent exceptions when disclosing health data to third parties in case disclosure is later challenged.

The PCPD has stated in the Fight COVID-19 Pandemic Guidelines for Employers and Employees that for purposes of protecting public health, employers do not violate the Ordinance when disclosing an individual’s identity, health, and location data to the government or health authorities solely for the purposes of:

  • Tracking down and treating the infected.
  • Tracing their close contacts when pressing needs arise.

Employers should take reasonable and practicable measures to ensure that they protect employee personal data against unauthorized or accidental access, processing, erasure, loss, or use (Data Protection Principle 4, Ordinance).
Then, Employers should:

  • Train staff handling employee data to observe the employer’s personal data privacy policies and exercise due diligence in the application of those policies.
  • Audit employees’ compliance with their personal data privacy policies.


2. Collect and process personal data in the work place during the outbreak Covid-19 In Singapore:

Organisations may collect personal data of visitors to premises where it is necessary for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the COVID-19.
In the event of a COVID-19 case, personal data can be collected, used and disclosed without consent to carry out contact tracing and other response measures, pursuant to sections 1(b) of the Second, Third and Fourth Schedules to the PDPA, as “this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.”
As organisations may require NRIC/FIN/passport numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect visitors’ NRIC, FIN or passport numbers where it is necessary for this purpose.
Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure (e.g. ensure visitor logbooks are kept secured and not visible to other visitors), and ensuring that the personal data is not used for other purposes without consent or authorisation under the law. Organisations should also delete the data when it is no longer needed for contact tracing-related purposes.
Employers that collect, use, or disclose personal data in Singapore must appoint at least one data protection officer and make their business contact information available to the public (Section 11(3), PDPA). Organizations must also develop and implement policies and practices to comply with the PDPA (Section 12, PDPA).
Employers can collect, use, and disclose personal data without consent to carry out contact tracing and other COVID-19 response measures under Section 1(b) of the Second, Third, and Fourth Schedules to the PDPA because “it is necessary to respond to an emergency that threatens the life, health, or safety of other individuals.” However, this exemption does not absolve organizations from their obligations in PDPA Parts III to VI, including that employers must:

  • Only use or disclose the personal data they collect for reasonable purposes.
  • Notify their employees of the purposes of personal data use.
  • Make reasonable efforts to ensure that the data is accurate and complete.
  • Implement measures to prevent unauthorized access, use, disclosure, or modification to the personal data.
  • Give employees access and the right to correct their personal data, if requested.
  • Delete or destroy personal data once retention is no longer needed for the original collection purpose.

When requesting a health declaration, employers may only collect, use, or disclose NRIC numbers and other national identification numbers, including FIN and passport and driver’s license numbers, where either:

  • Required by law.
  • Necessary to accurately establish and verify an individual’s identity to a high degree of fidelity, such as when there is:
  • a significant safety or security risk; or
  • a risk of significant impact or harm to an individual or an organization, such as fraudulent claims. (Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers (August 31, 2018).)

Organisations should attempt to collect and use unique identifiers for non-employees other than national identification information, including, for example:

  • Full name.
  • Designation.
  • Company name.
  • Mobile number.
  • Email address.

However, if an organisation chooses to collect national identification information for non-employees, it must take strict security measures to protect that data from any unauthorized access or similar risks.
The COVID-19 Advisory urges organisations to comply with the PDPA when collecting national identification information for non-employees by:

  • Making reasonable security arrangements to protect the personal data in their possession from unauthorized access or disclosure, for example, by ensuring they keep visitor logbooks secure and not visible to other visitors.
  • Not using the personal data for other purposes without consent or legal authorization.
  • Destroying or deleting the data when it is no longer needed for contact tracing-related purposes.

Employers may only retain personal data records, including health declarations, if they have a specific legal or business purpose for doing so. If no such purpose exists, the employer must completely destroy or anonymize the data. (Section 25, PDPA.)
An employer may also have a policy allowing it to keep copies of employees’ records, such as medical certificates, expense claims, and health declarations, for the duration of employment or a period following termination. In those cases, employers may be able to justify retaining health declaration forms for implementing and complying with their internal employment-related recordkeeping policies.
Thus, when you collect and process personal data during the COVID-19 situation in Hong Kong and Singapore, you still need to follow the rules. Employers should take reasonable and practicable measures to ensure that they protect their employees’ personal data.
At MLS Company Secretary, we have the experience, expertise and resources to help, we offer DPO and other data consultancy services that support you in becoming and staying compliant with the PDPA, GDPR and other data privacy laws and regulations.

Any question? Please contact:

Helene Canard-Duchene (Singapore)
Practitioner certificate of data protection in Singapore
+65 9396 9193

Maëva Slotine (Hong Kong)
+852 2639 3680

The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice.


Support the business community through our COVID-19 Collaborative Platform!