Employee Privacy Notice (Hong Kong)
EMPLOYEE PRIVACY NOTICE
Issued by: [Employer Name] (CRN: [Employer CRN])
Address: [Employer Address]
Effective Date: [Effective Date]
Data queries: [Privacy Officer Name], [Privacy Officer Email]
1. INTRODUCTION
1.1 [Employer Name] (the "Employer") is committed to protecting the personal data of its employees in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") and its six Data Protection Principles ("DPPs").
1.2 This Notice explains what personal data we collect, why we collect it, how we use it, and your rights under the PDPO.
2. PERSONAL DATA COLLECTED
2.1 We collect the following categories of personal data about you: [Data Categories].
3. PURPOSES OF USE
3.1 Your personal data is collected and used for the following purposes: [Purposes Of Use].
3.2 We will not use your personal data for purposes other than those stated above without your prior consent, unless required by law (DPP 3).
4. DISCLOSURE TO THIRD PARTIES
4.1 Your personal data may be disclosed to: [Third Party Disclosures].
4.2 All third parties receiving your data are required to maintain its confidentiality and use it only for the disclosed purpose.
5. RETENTION
5.1 [Retention Period]. Data will be securely destroyed after the retention period expires (DPP 2).
6. YOUR RIGHTS
6.1 Under sections 18–22 of the PDPO, you have the right to: (a) request access to your personal data held by the Employer; (b) request correction of any inaccurate personal data; and (c) be informed of the Employer's policies and practices regarding personal data.
6.2 To exercise your rights or make a complaint, contact: [Privacy Officer Name], [Privacy Officer Email].
6.3 You also have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.
Employer Representative
________________
Signature
Employee (acknowledgment of receipt)
________________
Signature
What Is an Employee Privacy Notice (Hong Kong)?
An Employee Privacy Notice in Hong Kong gives formal notice of the matter it concerns to the recipient.
Data Protection Principle 1 (DPP 1) under Cap. 486 imposes two key requirements on every data user — including all employers in Hong Kong. First, personal data must be collected for a lawful purpose that is directly related to a function or activity of the employer. Second, the data subject (the employee) must be explicitly notified of the purposes of collection at or before the time the personal data is collected. An Employee Privacy Notice satisfies this notification obligation in writing and constitutes the employer's documented compliance record for DPP 1 across all employee data collection activities — from onboarding to termination.
The Office of the Privacy Commissioner for Personal Data (PCPD) — established under Part VI of Cap. 486 and responsible for enforcing the Ordinance across Hong Kong — has issued specific guidance on employment data, including recommended model data collection statements and privacy notice clauses tailored to the employment context. The PCPD strongly recommends that employers issue a written privacy notice to every employee at the commencement of employment, and update the notice whenever data collection practices, purposes, or third-party disclosures change. Employers who fail to provide adequate notification face potential enforcement action under Section 37 of Cap. 486, which empowers the PCPD to investigate complaints, issue enforcement notices, and refer serious breaches for criminal prosecution.
Employee personal data collected by Hong Kong employers typically spans multiple categories that must all be addressed in the privacy notice: basic identification data (full name, HKID number, date of birth, residential address, emergency contact); payroll and banking data (bank account details for salary payment, salary history for IRD Form IR56B reporting under the Inland Revenue Ordinance Cap. 112); Mandatory Provident Fund (MPF) contribution records and trustee notifications under Cap. 485; health and medical data (sick leave certificates, pre-employment medical examinations, occupational health assessments, medical insurance claims); performance management and disciplinary records; employment history, qualifications, and reference checks; building access control records; and CCTV footage from workplace cameras. Each category must be identified in the notice, together with its specific purpose.
The Personal Data (Privacy) (Amendment) Ordinance 2021 significantly strengthened the PCPD's enforcement powers, introducing new doxxing offences under Section 26A, higher penalties, and broader investigation powers. These changes have materially increased the legal and reputational risk for employers who fail to comply with their data obligations — including the obligation to maintain an up-to-date Employee Privacy Notice. A current, well-maintained notice demonstrates the employer's commitment to data governance and reduces exposure in the event of a data breach, PCPD audit, or employee complaint. Download this Employee Privacy Notice template free on forms-legal.com in PDF or Word format.
When Do You Need an Employee Privacy Notice (Hong Kong)?
An Employee Privacy Notice (Hong Kong) is needed in several situations throughout the employment lifecycle.
At the start of employment: The notice should be issued to every new employee before or at the commencement of employment — ideally as part of the onboarding documentation alongside the employment contract. DPP 1 of Cap. 486 requires notification at or before the time of data collection. Issuing the notice at onboarding satisfies this requirement for all standard categories of employment data.
When collecting sensitive data: Where the employer collects sensitive categories of data — health records, biometric data (fingerprints, facial recognition for access control), financial information beyond payroll, or criminal records checks — the privacy notice must specifically address the purpose and legal basis for collecting that data. The PCPD's guidance on sensitive data requires particular care, and employee consent may be required in some cases.
When data practices change: The privacy notice must be updated whenever the employer introduces new data collection activities, new third-party recipients, new monitoring technologies, or new retention policies. Changes that reduce employee privacy rights — such as introducing keylogger software on company devices — must be notified in advance. Employers should maintain a version-controlled archive of all privacy notices issued.
For employees in roles involving access to third-party personal data: Employees who handle client, customer, or patient personal data in their role should receive both the employee privacy notice (covering their own HR data) and the employer's general data protection policy (covering how they must handle third-party data in their role). The two documents serve different purposes and should not be confused.
When responding to a PCPD investigation: If the PCPD investigates a complaint about the employer's data practices, the employer should be able to produce a current employee privacy notice and evidence of its distribution. A documented notice is a primary defence in PCPD enforcement proceedings.
For employees in roles with access to sensitive third-party data: Employees who process client personal data, patient health information, student records, or other sensitive third-party data in their professional role need a clear distinction between the employee privacy notice (covering their own HR data) and the employer's data protection policy governing how they must handle third-party personal data. Both documents should be issued at onboarding and reviewed together. The employee must understand the PDPO obligations applicable to both categories of data.
For PCPD compliance documentation: Employers who are subject to a PCPD investigation, data breach inquiry, or audit should produce the current employee privacy notice — together with a distribution log confirming each employee received the notice — as primary evidence of compliance with Data Protection Principle 1 of Cap. 486. A well-maintained distribution record, including dates of issue and employee acknowledgements, significantly strengthens the employer's defence in enforcement proceedings before the PCPD and reduces the risk of an enforcement notice under Section 37 of Cap. 486.
What to Include in Your Employee Privacy Notice (Hong Kong)
A Hong Kong Employee Privacy Notice should include the following elements to comply with the Personal Data (Privacy) Ordinance (Cap. 486) and PCPD guidance on employment data.
Data user identity: The employer's full legal name, Companies Registry number, registered address, and the contact details of the person or department responsible for handling employee data enquiries, access requests, and corrections. Employees must know who to contact with data concerns.
Categories of personal data collected: A complete list of the categories of personal data the employer collects from employees — identification data, payroll and bank data, MPF data, health and medical data, performance records, disciplinary records, CCTV and access control data, IT usage data, and any other category relevant to the employer's operations. This satisfies the DPP 1 requirement to specify what is collected.
Purposes of collection: For each category of data, a clear statement of the specific purposes for which the data is used — payroll processing, salaries tax reporting to IRD, MPF contributions to the trustee, employees' compensation insurance under Cap. 282, performance management, recruitment, health and safety compliance under Cap. 509, and security monitoring. DPP 3 limits use to stated purposes.
Data retention periods: How long each category of data is retained — for example, payroll records for seven years (IRD requirement under Cap. 112), MPF records for seven years (Cap. 485 requirement), employment contracts for seven years after termination, and CCTV footage for 31 days as a standard period. Reference to the PCPD's recommended model retention periods.
Third-party disclosures: All categories of third parties to whom employee data may be disclosed — MPF trustees, IRD, Labour Department, group insurance providers, payroll processors, occupational health providers, background check agencies, and group company members. DPP 3 requires advance disclosure of all planned recipients.
Employee rights: The employee's right of access to their personal data under Section 18 of Cap. 486, the right of correction under Section 22, the right to object to direct marketing under Section 35C, and the right to complain to the PCPD under Section 37. The notice should state the procedure for making access and correction requests and the 40-day response period.
Biometric data and special category data: Where the employer collects biometric data — fingerprints, facial recognition data for access control, or retina scans — the notice must specifically address this collection. The Office of the Privacy Commissioner for Personal Data (PCPD) treats biometric data as particularly sensitive personal data requiring express consent and strict security measures. The notice should identify the specific biometric system in use, the purpose (access control, time and attendance), who has access to the biometric data, and the retention and deletion policy. CCTV footage from workplace cameras is also personal data under Cap. 486 and must be addressed in the notice, including the locations of cameras, retention period (typically 31 days as a standard period), and access controls.
Data breach notification: The notice should inform employees of the employer's data breach response procedures — how the employer detects, investigates, and responds to data incidents involving employee personal data, and how employees will be notified if their data is compromised. While Cap. 486 does not currently mandate breach notification to data subjects in all cases, the PCPD's guidance strongly recommends notification where there is real risk of harm. The Personal Data (Privacy) (Amendment) Ordinance 2021 significantly strengthened the PCPD's enforcement powers and introduced new doxxing offences under Section 26A.
Sources & Citations
Statutory citations link to official government sources.
- Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Employee Privacy Notice (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/employment/hr-forms/privacy-notice-employees-hong-kong
"Employee Privacy Notice (Hong Kong) (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/employment/hr-forms/privacy-notice-employees-hong-kong.
@misc{formslegal-privacy-notice-employees-hong-kong,
author = {{Forms Legal}},
title = {Employee Privacy Notice (Hong Kong) (Hong Kong)},
year = {2026},
howpublished = {\url{https://forms-legal.com/hong-kong/employment/hr-forms/privacy-notice-employees-hong-kong}},
note = {Free legal document template. Based on Employment Ordinance (Cap. 57)}
}
Frequently Asked Questions
Under the Personal Data (Privacy) Ordinance (Cap. 486), Data Protection Principle 1 requires that data subjects are informed of the purposes for which their personal data will be used, and DPP 3 limits use to those stated purposes. While there is no express requirement for a standalone 'privacy notice', the Privacy Commissioner for Personal Data (PCPD) strongly recommends that employers issue a written privacy notice to employees at the time of data collection. Failure to inform employees of data use purposes can amount to a breach of DPP 1 and DPP 3.
Employers who collect sensitive categories of employee data — health records, biometric data, financial information, or criminal records — face a higher standard of justification under DPP 1. The PCPD's guidance on employment data specifies that employees must be informed of the specific purposes for which sensitive data is collected, and consent should be obtained where required. An employee privacy notice satisfies this notification requirement and provides documentary evidence of compliance if a PCPD investigation or audit occurs.
Hong Kong employers routinely collect several categories of employee personal data under the Personal Data (Privacy) Ordinance (Cap. 486), provided collection is limited to what is necessary for the stated employment purposes under Data Protection Principle 1. Basic identification data includes full legal name, HKID number, date of birth, address, contact details, and emergency contact information. This data is collected for employment record-keeping, MPF contributions under Cap. 485, and compliance with the Employment Ordinance (Cap. 57). Financial and payroll data includes bank account details for salary payment, MPF contribution records, salaries tax reporting data for IRD Form IR56B, and expense reimbursement records. The Inland Revenue Department (IRD) requires employers to maintain accurate payroll records for six years under the Inland Revenue Ordinance (Cap. 112). Health and medical data includes sick leave certificates, medical examination results (where required for certain roles), occupational health assessments, and insurance claims data. Employers must treat health data with particular care — it is sensitive personal data under PCPD guidance, and collection must be strictly limited to what is necessary. Performance and disciplinary records, employment history, qualifications, and reference checks form part of the HR record. These are collected for recruitment, performance management, and termination decisions.
Data Protection Principle 2 under the Personal Data (Privacy) Ordinance (Cap. 486) requires that personal data is not kept longer than is necessary for the purpose for which it was collected. The PCPD has published recommended model data retention periods for employment data, which employers should follow as a baseline.
For current employees, personal data should be retained for the duration of employment plus any additional period required by law. For former employees, the PCPD recommends retaining personal data for seven years after termination of employment as a general rule, reflecting the six-year limitation period for most contract claims under the Limitation Ordinance (Cap. 347) plus one year's buffer.
Specific legal requirements impose minimum retention periods that override the general rule. MPF contribution records must be kept for seven years under the Mandatory Provident Fund Schemes Ordinance (Cap. 485). Inland Revenue Ordinance (Cap. 112) records must be kept for six years. Employees' compensation records under Cap. 282 must be kept for the period of the claim plus any appeal period. Leave records under the Employment Ordinance (Cap. 57) should be kept for at least one year after each leave cycle.
After the retention period expires, personal data should be securely disposed of — shredded for paper records, and securely deleted or overwritten for electronic records. The privacy notice should state the employer's data retention periods for each category of employee data.
Employees in Hong Kong have two main statutory rights over their personal data under the Personal Data (Privacy) Ordinance (Cap. 486): the right of access and the right of correction. Right of access (Section 18, Cap. 486): An employee may make a data access request to the employer to obtain a copy of the personal data the employer holds about them. The employer must respond within 40 days. The employer may charge a reasonable fee for providing the data. The employer can refuse access only on limited grounds specified in Schedule 2 of Cap. 486 — such as where disclosure would prejudice legal proceedings or where the data relates to management forecasting and planning. Right of correction (Section 22, Cap. 486): If an employee identifies inaccurate personal data, they may request correction. The employer must comply within 40 days if the data is inaccurate. If the employer refuses, they must notify the employee in writing of the refusal and the reasons. The employee may then make a complaint to the PCPD. Right to object to direct marketing (Section 35C, Cap. 486): Employees have the right to require employers not to use their personal data for direct marketing purposes. Once an opt-out is received, the employer must cease such use immediately. The employee privacy notice should inform employees of these rights and provide contact details for the employer's data protection officer or the person responsible for handling data access and correction requests. Employees may also complain to the PCPD under Section 37 of Cap.
A Hong Kong employer may share employee personal data with third parties only where permitted under the Personal Data (Privacy) Ordinance (Cap. 486). Data Protection Principle 3 restricts use and disclosure to the purposes for which the data was collected, or directly related purposes. The employee privacy notice should disclose all categories of third party recipients in advance. Permitted third-party disclosures in the employment context include: MPF trustees for mandatory provident fund contributions under Cap. 485; the Inland Revenue Department (IRD) for salaries tax reporting under Cap. 112; the Labour Department for employees' compensation claims under Cap. 282; group medical insurance providers for employee benefit administration; payroll outsourcing providers who process salary payments as data processors on the employer's behalf; and background check providers for recruitment verification, with the candidate's consent. Where data is shared with a data processor — a company that processes data on behalf of the employer, such as a cloud HR system provider — the employer remains the data user and must ensure the processor provides sufficient data security guarantees. A data processing agreement should be in place. Cross-border transfers of employee data — for example, sharing HR data with a parent company overseas — are subject to additional considerations. Cap. 486 does not currently prohibit cross-border transfers, but the PCPD recommends that employers ensure the overseas recipient provides a comparable level of protection.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.