Articles

Privacy Commissioner warns against anonymous “Blind” recruitment advertisements

Privacy Commissioner warns against anonymous “Blind” recruitment advertisements

Privacy Commissioner warns against anonymous “Blind” recruitment advertisements

Thursday, 29 May 2014 18:31

By Adam Hugill


Following a two month investigation, the Privacy Commissioner has published his investigation report into the use of “Blind Ads” - Unfair Collection of Personal Data by the use of “Blind” Recruitment Advertisement – Investigation Report 29 May 2014.  Notwithstanding guidance having been in place since 2000, so far every employer investigated has been found to be in breach of the Personal Data (Privacy) Ordinance (the “Ordinance”) and 48 Enforcement Notices have been issued.


What is a Blind Ad?

A “Blind Ad” is a recruitment advertisement that does not identify the name of the employer or a recruitment agent.  A Blind Ad itself does not breach the Ordinance, the breach occurs if the advertisement solicits applicants to provide personal data to the potential employer (e.g. by asking for CVs or resumes).

Blind Ads are of particular concern because they can be used unscrupulously as a means for collecting personal data that could then be used for direct marketing or fraudulent activities.  The Commissioner’s Code of Practice on Human Resource Management issued in 2000 specifically cautions against the use of Blind Ads that solicit personal data.
Not all Blind Ads breach the Ordinance.  The Commissioner is aware that it may be necessary to advertise a role while concealing the identity of the employer (for example, when looking to replace existing staff).  In this regard, Blind Ads that simply ask applicants to contact a number or email address for the purposes of obtaining further information about the employer or an application form will not breach the Ordinance because they are not soliciting personal data.


Investigation

Following a self-initiated survey by the Commissioner of seven Hong Kong recruitment media during just one week in March 2014, 311 Blind Ads were identified and 71 random cases were investigated.

During the course of the investigation, some of the employers attempted to defend the use of Blind Ads.  Defences fell into three categories: (i) ignorance; (ii) blaming the publisher; or (iii) asserting that there was no intention to solicit personal data.

At the time the report was published, investigations into 48 employers had been completed and all 48 were found to have breached the Ordinance.  All of the employers were issued with Enforcement Notices for the unfair collection of personal data and contravention of the Ordinance.

In many of the defences, employers asserted that the recruitment media should have an understanding of what constitutes a breach and they should have advised on the wording of the advert.  Ignorance and blaming the publisher were flatly rejected as defences by the Commissioner and the Commissioner noted that he did not have any power over the recruitment media because they were not data users.  He did, however, urge the recruitment media, as the gatekeepers to compliance, to step up efforts in identifying advertisers, screen advertisements and consider refusing to post Blind Ads that solicit personal data.


Implications

The Commissioner hopes that his report will serve to not only highlight the problem of Blind Ads but also educate applicants and promote employers’ compliance with the Ordinance and in particular the six data protection principles:
•    DDP1: the lawful and fair collection of data with individuals being informed of the purpose for which their data is collected and used;
•    DDP2: ensuring the accuracy of personal data and deleting data once its purpose has been fulfilled;
•    DPP3: using data for only the purpose for which is was collected, unless express consent is given for the data to be used for another purpose;
•    DPP4: ensuring that personal data is protected against unauthorised or accidental access, processing or erasure;
•    DPP5: the formulation of policies and practices in relation to personal data; and
•    DPP6: granting individuals the right of access to and correction of their personal data.

This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.