Employers’ rights to collecting employee health data amid COVID-19

By DLA Piper | Thursday, 16 Sep 2021

Unfortunately, as we move towards the end of the pandemic’s second year, it is becoming increasingly apparent that there will not be an end anytime soon. Collection of employee health data is likely to continue being a common feature in today’s workplaces. While the Privacy Commissioner of Personal Data has openly stated that Hong Kong’s data privacy laws should not be seen to hamper measures taken to combat COVID-19, employers are still expected to comply with such laws even in times like these. Where employers collect employee health data, data privacy laws will generally impose continuing duties on such employers in relation to the collection and handling of such data. It is therefore important for employers to refresh themselves as to the relevant data privacy principles to ensure ongoing compliance throughout the pandemic.


Are employers permitted to collect employee health data?

Generally, Hong Kong data privacy laws do not prohibit the collection of employee health data. Instead, these laws mostly seek to regulate the collection and handling of such data. From a data privacy perspective therefore, employers are generally permitted to collect employee health data provided that they comply with Hong Kong data privacy laws.


Should employers collect employee health data?

While employers generally know to ask whether they are permitted to collect employee health data, an often-overlooked question is whether there is any need to collect employee health data in the first place. Applicable law provides that personal data (e.g. employee health data) can only be collected for a lawful purpose directly related to a function or activity of the data user (e.g. employers who collect personal data). It is therefore incumbent on employers to determine, from the outset, what purpose they have for the collection of employee health data.

Employers will generally cite that the purpose of collecting employee health data is to enable the employer to fulfil its general duty to ensure the safety and health of its employees at work. Indeed, the Privacy Commissioner for Personal Data has also stated that such a purpose generally justifies collection of employee health data. This does not, however, necessarily mean that all employers must collect employee health data in order to comply with this general duty. As a brief reminder, this duty only requires an employer to take such steps as are reasonably practicable to ensure the safety and health of its employees. What is considered reasonably practicable steps will depend on the particular circumstances facing each employer and is determined on a case-by-case basis. Employers should therefore evaluate their particular circumstances to determine whether there is indeed a need to collect employee health data and, if so, what type and level of data is required.  If, for example, there is a need to know vaccination levels amongst staff, it may be feasible for this to be collated on an anonymized basis.


What kind of medical or health data may employers collect?

Generally speaking, Hong Kong data privacy laws do not restrict the kind or type of personal data that may be collected. Examples of employee health data that may be collected include temperature data, health declarations, vaccination records and COVID-19 test results. The collection of such data, however, should be no more than is necessary to achieve the intended purpose. Accordingly, employers should note that they are not free to collect any and all employee health data and should conduct an analysis of which types of data they really need.


How should employee health data be collected?

Hong Kong data privacy laws require that the means of data collection should be lawful and fair. This would generally mean that before collecting employee health data, employers should notify employees via a Personal Information Collection Statement (PICS) of various items such as: (i) whether such data collection is mandatory and if so, what the consequences for not providing such data are; (ii) the purpose of the data collection; (iii) the classes of person to whom their data may be transferred; and (iv) employees’ right to access, right to request access to and correction of data. The Privacy Commissioner has also stated employers should adopt employee self-reporting systems as opposed to a mandatory data collection system whereby employee health data is collected indiscriminately.


What kind of privacy issues should an employer be mindful of?


Once employee health data has been collected, employers must ensure that they take practicable steps to protect such data from unauthorised access, processing, erasure, loss or use. While there is generally no distinction in law as to employee health data as opposed to other types of personal data, the Privacy Commissioner has indicated that higher security standards should be applied in relation to sensitive data such as health or medical data.


Use or disclosure

Employers may continue to use the collected employee health data for the purpose for which such data was originally collected. Employers cannot, however, use or disclose the collected data for any other purposes without prior employee consent. Having said this, the Privacy Commissioner has stated that it does not regard the disclosure of, among others, health or identity data of employees to the Government or health authorities as a breach of the data privacy laws if such disclosure was for the purposes of protecting public health.



Once employee health data has been collected, employers are required to continuously assess whether the purpose of collection of data has been fulfilled. If so, employers are required to permanently destroy the personal data collected. The Privacy Commissioner generally suggests that collected employee data should be deleted where there is no longer any evidence suggesting that such employees have contracted COVID-19 after a reasonable period of time. Accordingly, for example, employers may need to consider whether they should permanently delete temperature data which has been collected for longer than the incubation period for COVID-19. 


Written by: Helen Colquhoun (Partner and Head of DLA Piper’s Employment practice in Hong Kong) and Jason Lo (Employment practice, DLA Piper Hong Kong)

DLA Piper

DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning them to help clients with their legal needs around the world.

COVID-19 COVID19 Pandemic Health Health data Data privacy Privacy Data collection Law Compliance Confidential Best workplace

Related Posts