An organisation’s obligations in respect of managing personal information vary greatly from country to country. We consider the different obligations employers have around the region in relation to collecting, using and storing employee data.
For each jurisdiction, two questions are addressed: is there a distinction between “general” personal information (“PI”) and sensitive PI (“SPI”), and is consent required to collect PI?
CHINA

Distinction between PI and SPI:
PI is defined under the Cyber Security Law of China (“CSL”) as any information recorded electronically or otherwise that can, independently or in combination with other information, identify an individual, including but not limited to an individual’s name, date of birth, ID number, biometric information, address and telephone numbers.

SPI may be defined separately under certain non-mandatory industry standards.

There is a third category of “important data”, defined under draft guidelines issued by the Cyberspace Administration of China (“CAC”) as data closely related to national security, economic development and social and public interests.

Consent to collect PI:
The individual whose information is to be collected and used must be informed of the purpose, method and scope of the collection and use of the personal information, the channels for inquiring about and correcting the information, and the consequences of refusing to provide it. The individual’s consent to the collection and use of the personal information must be obtained.

According to the Guidelines, collection of general PI requires tacit consent (i.e. no explicit objection after being informed of the collection), while collection of sensitive PI requires express consent.
HONG KONG

Distinction between PI and SPI:
PI is defined as any data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and which is in a form in which access to or processing of the data is practicable.

There is no distinction between PI and SPI under Hong Kong law, but when applying the rules, the courts will consider the nature (and sensitivity) of the data involved in deciding whether a data protection principle has been complied with. For example, the Privacy Commissioner has issued a Code of Practice on Identity Card Number and other Personal Identifiers to make clear its expectations around the collection and retention of HKID numbers and cards, given the risk of identity theft if this information is misused.

Consent to collect PI:
Consent to collect PI is normally not required under Hong Kong law, but certain notification requirements must be complied with when collecting personal data.

The Code of Practice on Human Resource Management recommends, as a matter of good practice, that an employer comply with the notification requirements by means of a written Personal Information Collection Statement.
INDONESIA

Distinction between PI and SPI:
PI is not defined under Indonesian law, and there is no distinction between PI and SPI, as Indonesian law is generally silent on such terms.

Consent to collect PI:
In the absence of such a law, there is no express requirement to obtain consent to collect PI, although it is generally advisable to obtain consent to avoid any claim relating to privacy rights.

However, PI protection within electronic systems is specifically governed by the Minister of Communication and Information Technology Regulation No. 20 of 2016 (“MOCIT Reg 20/2016”). For the gathering of PI within an electronic system, written consent is required.
JAPAN

Distinction between PI and SPI:
PI is defined as information about a living person that would allow identification of that person, e.g. name, date of birth, address, fingerprint, facial recognition data, passport number, driver’s licence number, My Number (similar to a social security number), mobile phone number, etc.

SPI is defined as race, creed, social status, medical records (e.g. disabilities, prescriptions, results of annual health checks, etc.), criminal history and status as a victim of crime, i.e. anything that could lead to social discrimination against that person.

Consent to collect PI:
Yes, consent is required. The uses of the PI must be set out (e.g. that it will be used to process payroll).
SINGAPORE

Distinction between PI and SPI:
There is no distinction between “general” PI and “sensitive” PI in Singapore.

The Personal Data Protection Commission has, however, issued advisory guidelines on the collection and processing of National Registration Identification Card numbers.

Consent to collect PI:
Yes. Pursuant to the Personal Data Protection Act 2012 (“PDPA”), consent from the employee is required before his/her PI can be collected, used or disclosed (“Consent Requirement”). For the purposes of obtaining consent, the employee must be informed of the purpose of such collection, use or disclosure (“Notification Requirement”).

There are certain specific exceptions to the Consent Requirement and/or Notification Requirement (such as where the collection, use or disclosure is necessary for any investigation or proceedings and it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the PI). Further, the Consent and Notification Requirements need not be met if the threshold for deemed consent can be established.
SOUTH KOREA

Distinction between PI and SPI:
Korean law recognises three types of data:

PI is defined as information that relates to a living individual, by which the individual can be identified on its own or when easily combined with other information. Examples of personal information include name, address and photographs.

SPI is defined as personal information concerning an individual’s ideology; faith; labour union membership; political views or membership in a political party; health or medical treatment; sexual orientation; genetics; and criminal record.

Unique identification information is an individual’s resident registration number; passport number; driver’s licence number; and foreign registration number.

Consent to collect PI:
The criteria for the collection of PI are:

It is also necessary to advise the person that he/she has the right to refuse to give consent and of the consequences of any such refusal.

SPI can be processed only if the processing is required or permitted by statute or the consent of the data subject is separately obtained.

Forms of unique identification information (except resident registration numbers) can be processed if the processing is required or permitted by statute or the consent of the data subject is separately obtained. However, resident registration numbers can only be processed if a statute or regulation specifically authorises or requires the processing. The data subject’s separate consent is not a sufficient basis for processing resident registration numbers.
THAILAND

Distinction between PI and SPI:
Currently, there is no specific statutory law governing data protection or privacy for the private sector in Thailand, and there is also no distinction between “general” PI and sensitive PI.

In Thailand, a general data protection framework is derived from the Constitution of the Kingdom of Thailand (“Constitution”), which recognises the right to privacy. The right to privacy set out in the Constitution is further protected through secondary legislation, including:

Consent to collect PI:
Whilst there are no specific statutory laws governing data protection or privacy for the private sector, clear written consent from the PI owner should generally be obtained before collecting PI.
Herbert Smith Freehills is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with our Formal Law Alliance partner, Prolegis LLC.
If you would like further information on this topic, please contact Fatim Jumabhoy at firstname.lastname@example.org.