Global employment briefing: Hong Kong, October 2016


Privacy Commissioner issues new guidance on BYOD

In August 2016 the Hong Kong Privacy Commissioner for Personal Data issued guidance for employers who operate a Bring Your Own Device (BYOD) scheme.

The guidance can be viewed here.

The guidance highlights the following issues:

  1. Use of BYOD by definition means that employees will be accessing company-collected personal data on their own mobile devices. This means that data is being transferred from the employer’s secure systems onto what is likely to be a less secure mobile device. The Commissioner stresses that the employer remains responsible for the security of the data in accordance with the Personal Data Privacy Ordinance (the Ordinance) (notwithstanding that it is stored on an employee’s own device) and should take effective steps to ensure that its obligations are met.
  2. The employer would also have an obligation to respect the privacy of the employee’s own personal data on their personal device and any measures taken should take that distinction into account.
  3. Any company policy on retention and deletion of data should be considered in light of BYOD and any appropriate amendments made to accommodate a BYOD practice. Consideration should also be given to lost or sold devices, and to the security measures applied on termination of employment.
  4. It is recommended that employers put a clear policy in place. We would advise that such a policy deals with roles and responsibilities, security, monitoring and access (including any intended remote access) to the device. Any policy should be reviewed and updated regularly in order to respond to developing circumstances and risks.
  5. The Commissioner confirms that obligations in respect of access to and correction of personal data apply to personal devices as much as corporate ones. Employers should therefore ensure that their access and correction procedures capture and review data from any relevant personal devices.
  6. Conducting a risk assessment is an effective way of evaluating risk and ensuring any remedial steps are proportionate.
  7. Technology, such as additional layers of password protection and encryption, can assist in addressing security concerns.