However, the Personal Data Protection Act 2012 (PDPA), being the main legislation on data privacy, provides a set of rights with regard to personal data protection of individuals.
Under the PDPA, personal data is defined as data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access.
Any collection, use or disclosure of information about an employee which amounts to personal data is governed by the PDPA.
Additionally, Indonesia has various laws relating to data privacy in several areas, including in relation to electronic information and transactions.[1] Indonesia also recently passed the Personal Data Protection Law (PDPL), being the main legislation on data privacy, which provides a set of rights with regard to personal data protection of individuals.
Under the PDPL, personal data is defined as data about an individual who is identified or may be identified either from that data or in combination with other information, either directly or indirectly, through electronic or non-electronic systems.
The processing of personal data is governed by the PDPL.
Additionally, the Personal Information Protection Law (PIPL), being the main legislation on data privacy, also provides a set of rights with regard to personal data protection of individuals.
Under the PIPL, personal information refers to information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously. There is also a subset of personal information called ‘sensitive personal information’ which is conferred additional protection. Sensitive personal information refers to personal information that can easily lead to the infringement of personal dignity of natural persons or harm of personal or property safety once leaked or illegally used, eg biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts.
The processing of personal information of natural persons within Mainland China is governed by the PIPL.
Additionally, the Personal Data (Privacy) Ordinance (PDPO), being the main legislation on data privacy, also provides a set of rights with regard to personal data protection of individuals.
Under the PDPO, personal data is defined as information which relates to a living individual and can be used to identify that individual. It must also exist in a form in which access to or processing of the data is practicable.
Any collection, use or disclosure of information about an employee which amounts to personal data is governed by the PDPO.
Additionally, the Thai Personal Data Protection Act B.E. 2562 (2019) (Thai PDPA), being the main legislation on data privacy, also provides a set of rights with regard to personal data protection of individuals.
Under the Thai PDPA, personal data is defined as information relating to a natural person which is identifiable (either directly or indirectly), excluding the information of deceased persons.
The processing of personal data is governed by the Thai PDPA.
In the context of employee monitoring, some of the relevant consent exceptions include where the collection, use or disclosure of personal data is:
- necessary for evaluative purposes, which include determining the suitability, eligibility or qualifications of an individual for continuance and/or promotion in employment;
- necessary for any investigation; and
- reasonable for the purpose of managing or terminating the employment relationship with or appointment of the individual.
Regardless of whether consent is required, employers are still required to notify employees of the purpose of the collection, use or disclosure.
An employer must also ensure that collection, use or disclosure of personal data as part of employee monitoring complies with the limitation of purpose obligation. This requires that personal data is collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances.
- the individual gives valid and explicit consent for the purpose of employee monitoring;
- the monitoring is necessary for the satisfaction of an obligation (eg employment-related obligation) in an agreement where the employee is one of the parties; or
- the monitoring is necessary for the satisfaction of a legal obligation of the employer in accordance with laws and regulations.
However, some of the accepted grounds listed above are very broadly drafted, making their precise meaning and application in practice somewhat unclear.
An employer must also ensure that processing of personal data as part of employee monitoring is carried out in a limited and specific, legal and valid, and transparent manner.
- the employee gives consent; or
- the processing is necessary for human resources management.
However, current laws do not offer a precise definition of what constitutes a necessity for human resources management, making its precise meaning and application in practice somewhat unclear.
An employer must also ensure that processing of personal information as part of employee monitoring satisfies the limitation principle. This requires that the collection of personal information is limited to the minimum scope necessary to achieve the processing purpose.
An employer must also ensure that processing of personal data is in a secure manner and only kept as long as necessary for fulfilling the purposes of using the data.
The Office of the Privacy Commissioner for Personal Data has issued guidelines for employers to evaluate the need for employee monitoring and manage personal data obtained from employee monitoring:
- In evaluating the need and appropriateness for employee monitoring, employers are recommended to adopt a systematic process: (1) assessment of risks balanced against the purpose achieved from the monitoring; (2) consideration of available alternatives to achieve the purpose of employee monitoring which are less privacy intrusive; and (3) accountability as regards the personal data collected as a result of the monitoring.
- When processing and managing employees’ data collected from employee monitoring, employers are encouraged to (1) have clarity in the development and implementation of policies which clearly state the purposes served from such monitoring, including how personal data may be used and the circumstances in which monitoring may take place, (2) communicate with employees to inform them of such policies and the rationale behind employee monitoring, and (3) have control over and safeguard the protection of personal data collected in accordance with the PDPO.
- employee’s prior consent; and
- legitimate interest (where data processing (ie monitoring) is necessary for the legitimate interest of the data controller or other persons, provided that such interest must not override the data subject’s fundamental rights).
For “legitimate interest”, although this could be subjective, it leaves room for employers to prove that monitoring employees’ behaviour is for the employer’s benefit. One key point to be cautious of is that such monitoring must not override or cause an adverse effect on the employee’s privacy rights. Therefore, monitoring should be on a necessity basis and employers should have justifiable reasons to do so every single time they monitor employees. Legitimate interest as a lawful basis cannot be relied on in processing a special category of data (ie sensitive data) such as an employee’s health data, trade union information, political opinion, and religious belief.
For “consent”, employee’s consent should be used only when legitimate interest is not viable (such as when monitoring includes employee’s sensitive data) as consent requirements are extensive and consent can be revoked by the employee at any time, which can pose risk in terms of Thai PDPA compliance management.
- access their own personal data;
- rectify/correct their own personal data where inaccurate or incomplete;
- data portability (passed by Parliament but not yet in force); and
- withdraw consent.
However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.
- access their own personal data;
- rectify/correct their own personal data where inaccurate or incomplete;
- erase their personal data;
- restrict data processing;
- data portability;
- object to the processing of their personal data;
- withdraw consent.
However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.
- access their own personal data;
- rectify/correct their own personal data where inaccurate or incomplete;
- erase their personal data;
- restrict data processing;
- data portability;
- object to the processing of their personal data;
- withdraw consent.
However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.
- access their own personal data;
- rectify/correct their own personal data where inaccurate or incomplete;
- erase their personal data;
- data portability (contained in the PDPO but not yet in force);
- withdraw consent (where consent had been sought for use of personal data for a new purpose unrelated to the original purpose of collecting the data).
However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.
- access their own personal data;
- rectify/correct their own personal data where inaccurate or incomplete;
- erase their personal data;
- restrict data processing;
- data portability;
- object to the processing of their personal data;
- withdraw consent.
However, there are various requirements around the scope of the rights and conditions that must be satisfied by the data subject to exercise the above rights.