Internet and Email Policy (Hong Kong)

INTERNET AND EMAIL POLICY

Organisation: [Company Name]

Registered Address: [Company Address]

Effective Date: [Effective Date]

Policy Owner: [Policy Owner]

Next Review Date: [Review Date]

1. SCOPE AND PURPOSE

1.1 This Internet and Email Policy ("Policy") applies to [Covered Persons] of [Company Name] ("Company") who use the Company's IT systems, networks, internet access, email, or communication tools ("IT Systems").

1.2 The purpose of this Policy is to: ensure productive and professional use of Company IT Systems; protect the Company's IT infrastructure from security risks; ensure compliance with applicable Hong Kong law including the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) and the Copyright Ordinance (Cap. 528); and set clear expectations for acceptable use.

1.3 All persons within the scope of this Policy must read and acknowledge receipt of this Policy as a condition of receiving access to Company IT Systems.

2. PERMITTED USE

2.1 Company IT Systems are provided primarily for business purposes. Permitted personal use: [Personal Use Permitted].

2.2 Conditions for personal use: [Personal Use Conditions].

2.3 Users must exercise good judgment and professionalism in all use of Company IT Systems, whether for business or permitted personal purposes.

3. PROHIBITED USES

3.1 The following uses of Company IT Systems are strictly prohibited:

  • Accessing, downloading, transmitting, or storing pornographic, obscene, or offensive material (which may also constitute a criminal offence under the Control of Obscene and Indecent Articles Ordinance Cap. 390);
  • Sending harassing, threatening, discriminatory, or defamatory communications (with potential liability under the Sex Discrimination Ordinance Cap. 480, the Race Discrimination Ordinance Cap. 602, and the Defamation Ordinance Cap. 21);
  • Disclosing the Company's confidential information or any personal data without authorisation, in breach of the PDPO (Cap. 486) or contractual obligations;
  • Downloading, installing, or running unauthorised software, which may infringe copyright under the Copyright Ordinance (Cap. 528);
  • Attempting to gain unauthorised access to any computer system (a criminal offence under the Crimes Ordinance Cap. 200, section 161);
  • Using Company IT Systems for personal financial gain, business activities, or cryptocurrency mining;
  • Forwarding chain messages, spam, or unsolicited commercial emails;
  • Connecting Company devices to unsecured public Wi-Fi networks without VPN protection; and
  • Any other use that violates applicable Hong Kong law or the Company's other policies.

3.2 Social media: [Social Media Policy].

3.3 Additional prohibited uses: [Additional Prohibitions].

4. MONITORING (PDPO NOTICE)

4.1 NOTICE TO ALL USERS: In accordance with the Personal Data (Privacy) Ordinance (Cap. 486) and the guidance of the Privacy Commissioner for Personal Data, you are hereby notified that the Company conducts the following monitoring of Company IT Systems: [Monitoring Scope].

4.2 Purpose of monitoring: [Monitoring Purpose].

4.3 Monitoring data retention: Monitoring logs and records are retained for [Retention Period]. Monitoring data may be disclosed to management, legal advisers, law enforcement agencies, or regulators where required for the stated purposes or by law.

4.4 Employees have no expectation of privacy in respect of their use of Company IT Systems. By using Company IT Systems, you consent to monitoring as described in this Policy.

4.5 Users have the right to access their own personal data held by the Company in connection with monitoring under Data Protection Principle 6 of the PDPO, subject to applicable exemptions.

5. SECURITY OBLIGATIONS

5.1 Password requirements: [Password Requirements].

  • Passwords must not be shared with any other person;
  • Screens must be locked when leaving workstations unattended;
  • Suspected security incidents, malware infections, or phishing attempts must be reported to IT immediately;
  • Company devices must not be left unattended in public places or vehicles;
  • Personal devices may only be used to access Company IT Systems if enrolled in the Company's device management programme.

6. DISCIPLINARY CONSEQUENCES

6.1 Breach of this Policy may result in disciplinary action. [Breach Consequences]. The Company reserves the right to report criminal conduct to law enforcement authorities.

6.2 For breaches involving potential criminal liability under Hong Kong law (e.g. accessing obscene material, unauthorised computer access under the Crimes Ordinance Cap. 200), the Company will report the matter to the Hong Kong Police Force without prior notice.

7. REVIEW AND AMENDMENTS

7.1 This Policy will be reviewed on [Review Date] or whenever significant changes to technology or applicable Hong Kong law require an update.

7.2 The Company reserves the right to amend this Policy at any time and will notify employees of material changes.

EMPLOYEE ACKNOWLEDGEMENT

I confirm that I have read, understood, and agree to comply with the Internet and Email Policy of [Company Name] effective [Effective Date].

Employee name: ______________________________

Job title: ______________________________

Date: ______________________________

Signature: ______________________________

Authorised Signatory (Company)

________________

Signature

Employee Acknowledgement

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an Internet and Email Policy (Hong Kong)?

An Internet and Email Policy in Hong Kong establishes the rules and responsibilities that govern employees' use of company IT systems, internet access, and email.

The Personal Data (Privacy) Ordinance (Cap. 486), administered by the Privacy Commissioner for Personal Data (PCPD), is the primary data protection statute in Hong Kong. The PDPO's six Data Protection Principles (DPPs) impose obligations on employers (as data users) regarding the collection, holding, processing, use, and transfer of employees' personal data. When an employer monitors employees' email and internet use, it collects personal data about those employees — triggering obligations under DPP1 (purpose limitation), DPP3 (use limitation), and DPP4 (data security). The PCPD has published guidance specifically addressing workplace monitoring, recommending that employers: adopt a written IT and email policy; inform employees before monitoring commences; limit monitoring to what is necessary and proportionate; and handle data collected through monitoring in accordance with the PDPO.

The Employment Ordinance (Cap. 57), administered by the Labour Department, governs the employment relationship in Hong Kong. An Internet and Email Policy adopted as part of the employment terms — and acknowledged in writing by employees — becomes a term of employment. Breach of the policy by an employee may constitute misconduct justifying disciplinary action or, in serious cases, summary dismissal for gross misconduct under section 9 of Cap. 57. Any dismissal for IT policy breach must be handled in accordance with fair dismissal principles to avoid a claim before the Labour Tribunal.

Cybersecurity in Hong Kong is addressed through multiple regulatory channels. Regulated entities — banks supervised by the Hong Kong Monetary Authority (HKMA), licensed corporations supervised by the Securities and Futures Commission (SFC), and insurers supervised by the Insurance Authority (IA) — are subject to specific cybersecurity circulars requiring strong IT security management. For general businesses, the PDPO's DPP4 (data security) requires organisations to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use.

The Control of Obscene and Indecent Articles Ordinance (Cap. 390), the Sex Discrimination Ordinance (Cap. 480), the Race Discrimination Ordinance (Cap. 602), and the Defamation Ordinance (Cap. 21) create legal risks for employers where employees use company IT systems to access or distribute prohibited content. An Internet and Email Policy that expressly prohibits such uses, and provides for disciplinary consequences, helps establish that the employer has taken reasonable steps to prevent such misuse. The Labour Department and the Privacy Commissioner for Personal Data (PCPD) both provide published guidance to Hong Kong employers on balancing lawful monitoring with employees' privacy rights under Cap. 486.

When Do You Need an Internet and Email Policy (Hong Kong)?

An Internet and Email Policy in Hong Kong is needed by every organisation that provides employees with access to company IT systems, email accounts, or internet connectivity — which in practice means virtually every Hong Kong employer.

New business establishment: a company setting up operations in Hong Kong for the first time should adopt an Internet and Email Policy as part of its employment documentation package, alongside employment contracts and a staff handbook. Adopting the policy before employees commence work confirms monitoring is lawful from the outset under the PDPO and that employees have been informed of acceptable use standards before any potential breaches occur.

Existing businesses without a written policy: many Hong Kong SMEs and even larger organisations operate without a formal written IT policy. The absence of a policy creates legal risks: without express notice to employees about monitoring, the employer may breach the PDPO when monitoring emails and internet use; without clear disciplinary provisions, dismissal for IT misuse may be challenged as unfair before the Labour Tribunal under Cap. 57; and without an acceptable use policy, employees may claim they were unaware that certain conduct was prohibited.

Policy updates for new technology: organisations that have adopted legacy IT policies should update them to address new technologies including cloud computing, remote working platforms such as Microsoft Teams and Slack, bring-your-own-device (BYOD) arrangements, artificial intelligence tools accessed via the internet, and social media use during and outside working hours.

Remote working arrangements: following widespread adoption of remote and hybrid working in Hong Kong, organisations need to update their policies to address security risks of employees accessing company systems from home networks, personal devices, and public Wi-Fi — and to set clear expectations about cybersecurity practices including VPN use, screen locking, and secure document storage.

Regulated financial institutions: banks, licensed corporations, and insurers regulated by the HKMA, SFC, or IA are subject to specific cybersecurity requirements including the HKMA's Cybersecurity Fortification Initiative (CFI) and the SFC's cybersecurity circular, which must be reflected in documented acceptable use policies.

Post-incident review: organisations that have experienced a data breach, cyberattack, or incident involving employee misuse of IT systems should review and update their Internet and Email Policy as part of the incident response and remediation process, and communicate the updated policy to all staff.

What to Include in Your Internet and Email Policy (Hong Kong)

A well-drafted Internet and Email Policy for a Hong Kong employer should include the following key elements to comply with the Personal Data (Privacy) Ordinance (Cap. 486), the Employment Ordinance (Cap. 57), and Hong Kong's broader regulatory framework.

Scope and purpose: the policy should define the IT systems, devices, and services covered — corporate computers and laptops, company-issued mobile devices, corporate email accounts, intranet systems, cloud platforms, and any personal devices used to access company systems under a BYOD arrangement. The policy's purpose — protecting company information, confirming regulatory compliance, and defining acceptable use — should be stated at the outset.

Acceptable use standards: the policy must set out what uses of company IT systems are permitted and prohibited. Prohibited uses should expressly include: accessing or distributing obscene or indecent material (an offence under the Control of Obscene and Indecent Articles Ordinance (Cap. 390)); sending harassing, discriminatory, or defamatory communications creating employer liability under the Sex Discrimination Ordinance (Cap. 480) and Race Discrimination Ordinance (Cap. 602); downloading unlicensed software or infringing intellectual property under the Copyright Ordinance (Cap. 528); and disclosing confidential company information or personal data to unauthorised parties.

Monitoring and privacy notice: the PDPO's Data Protection Principles require employers to inform employees that monitoring is taking place, the purposes for which data collected will be used, and the classes of persons to whom the data may be transferred (DPP1 and DPP3). The policy must include a clear monitoring notice stating that the employer may monitor, log, and review employees' use of company IT systems — including email content, internet browsing history, and system activity — for specified purposes including security, compliance, and investigation of suspected misconduct.

Data security obligations: employees' obligations regarding data security must be specified — password management, mandatory screen locking, prohibition on sharing login credentials, requirements for encrypted storage of sensitive data, and reporting procedures for suspected security incidents. The HKMA's Cybersecurity Fortification Initiative (CFI) and SFC cybersecurity guidelines should be reflected for regulated entities.

Social media policy: the acceptable use section should address employees' use of personal social media accounts during working hours and the prohibition on disclosing confidential company information or making statements that could damage the company's reputation through social media channels.

Disciplinary consequences: the policy must state that breaches will be treated as misconduct and set out the range of disciplinary consequences — from written warning through to summary dismissal for serious breaches under section 9 of the Employment Ordinance (Cap. 57). The policy should identify which breaches constitute gross misconduct warranting summary dismissal — for example, accessing child sexual abuse material, transmitting trade secrets to competitors, or committing fraud using company systems.

Employee acknowledgement: employees must sign an acknowledgement confirming they have read, understood, and agree to comply with the policy. This is essential both as evidence of informed consent for PDPO purposes and as evidence that the employee was aware of the rules in any subsequent disciplinary proceedings before the Labour Tribunal. Section 9 of the Employment Ordinance (Cap. 57) permits summary dismissal for gross misconduct; section 64 of Cap. 57 sets out the employer's general obligations. Section 26 of Cap. 57 requires written consent for wage deductions. Section 4 of the Personal Data (Privacy) Ordinance (Cap. 486) mandates data security measures meeting Data Protection Principle 4 standards. Related documents include the HK Data Protection Policy and HK Employment Contract.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Internet and Email Policy (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/internet-email-policy-hong-kong

Based on Personal Data (Privacy) Ordinance (Cap. 486). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.