88% of employers we surveyed as part of our Future of Work Report 2023: Balancing Acts said that they have implemented new technology solutions with workforce implications, including electronic monitoring technologies. Employers know monitoring and surveillance can be unpopular and more than a third (38%) expect it to be a key trigger of activism in the next five years. This update charts some of the key legal issues around surveillance and monitoring at work.

Question Singapore Indonesia Mainland China Hong Kong Thailand
Do employees have a right to privacy at work?

Singapore:

There is no constitutional or statutory right to privacy in Singapore.

However, the Personal Data Protection Act 2012 (PDPA), being the main legislation on data privacy, provides a set of rights with regard to personal data protection of individuals.

Under the PDPA, personal data is defined as data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access.

Any collection, use or disclosure of information about an employee which amounts to personal data is governed by the PDPA.

Indonesia:

Law No 39 of 1999 on Human Rights provides, amongst others, that (a) each individual has the right to their own privacy, and may not be subjected to any research without their agreement; and (b) freedom and secrecy of communication by letter or any other electronic media may not be disturbed or interrupted except upon the instruction of a judge or other authority in accordance with the prevailing laws.

Additionally, Indonesia has various laws relating to data privacy in several areas, including in relation to electronic information and transactions.[1] Indonesia also recently passed the Personal Data Protection Law (PDPL), the main legislation on data privacy, which provides a set of rights with regard to personal data protection of individuals.

Under the PDPL, personal data is defined as data about an individual who is identified or may be identified either from that data or in combination with other information, either directly or indirectly, through an electronic or non-electronic system.

The processing of personal data is governed by the PDPL.

Mainland China:

The Civil Code provides that a natural person enjoys the right to privacy. No organisation or individual may infringe upon the right to privacy of others by spying, invading and harassing, disclosing or publishing the relevant information or by any other means.

Additionally, the Personal Information Protection Law (PIPL), being the main legislation on data privacy, also provides a set of rights with regard to personal data protection of individuals.

Under the PIPL, personal information refers to information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously. There is also a subset of personal information called 'sensitive personal information' which is conferred additional protection. Sensitive personal information refers to personal information that can easily lead to the infringement of personal dignity of natural persons or harm of personal or property safety once leaked or illegally used, eg biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts.

The processing of personal information of natural persons within Mainland China is governed by the PIPL.

Hong Kong:

The Basic Law provides that the freedom and privacy of communication of Hong Kong residents shall be protected by law. Article 14 of the Bill of Rights also provides that no one shall be subjected to arbitrary or unlawful interference with his privacy.

Additionally, the Personal Data (Privacy) Ordinance (PDPO), being the main legislation on data privacy, also provides a set of rights with regard to personal data protection of individuals.

Under the PDPO, personal data is defined as information which relates to a living individual and can be used to identify that individual. It must also exist in a form in which access to or processing of the data is practicable.

Any collection, use or disclosure of information about an employee which amounts to personal data is governed by the PDPO.

Thailand:

The Constitution of Thailand specifically endorses the rights to data privacy of individuals (including employees).

Additionally, the Thai Personal Data Protection Act B.E. 2562 (2019) (Thai PDPA), being the main legislation on data privacy, also provides a set of rights with regard to personal data protection of individuals.

Under the Thai PDPA, personal data is defined as information relating to a natural person which is identifiable (either directly or indirectly), excluding the information of deceased persons.

The processing of personal data is governed by the Thai PDPA.

As monitoring employees at work likely involves processing employees' personal data, are there lawful grounds for processing employees' personal data in this context?

Singapore:

Under the PDPA, an individual's consent is required before an organisation may collect, use or disclose their personal data unless the collection, use, or disclosure falls within one of the consent exceptions under the PDPA.

In the context of employee monitoring, some of the relevant consent exceptions include where the collection, use or disclosure of personal data about an individual is:

  • necessary for evaluative purposes, which include determining the suitability, eligibility or qualifications of an individual for continuance and/or promotion in employment;
  • necessary for any investigation; and
  • reasonable for the purpose of managing or terminating the employment relationship with or appointment of the individual.

Regardless of whether consent is required, employers are still required to notify employees of the purpose of the collection, use or disclosure.

An employer must also ensure that collection, use or disclosure of personal data as part of employee monitoring complies with the limitation of purpose obligation. This requires that personal data is collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances.

Indonesia:

There are several lawful grounds for processing employees' personal data in the context of employee monitoring, namely where:

  • the individual gives valid and explicit consent for the purpose of employee monitoring;
  • the monitoring is necessary for the satisfaction of an obligation (eg employment-related obligation) in an agreement where the employee is one of the parties; or
  • the monitoring is necessary for the satisfaction of a legal obligation of the employer in accordance with laws and regulations.

However, some of the accepted grounds listed above are very broadly drafted, making their precise meaning and application in practice somewhat unclear.

An employer must also ensure that processing of personal data as part of employee monitoring is carried out in a limited and specific, legal and valid, and transparent manner.

Mainland China:

There are two main grounds for processing employees' personal data in the context of employee monitoring, namely where:

  • the employee gives consent; or
  • the processing is necessary for human resources management.

However, current laws do not offer a precise definition of what constitutes a necessity for human resources management, making its precise meaning and application in practice somewhat unclear.

An employer must also ensure that processing of personal information as part of employee monitoring satisfies the limitation principle. This requires that the collection of personal information is limited to the minimum scope necessary to achieve the processing purpose.

Hong Kong:

Under the PDPO and the data protection principles contained therein, employers must ensure that personal data of employees are collected on a fully-informed basis and in a fair manner, with due consideration towards minimising the amount of personal data collected.

An employer must also ensure that personal data is processed in a secure manner and kept only as long as necessary for fulfilling the purposes of using the data.

The Office of the Privacy Commissioner for Personal Data has issued guidelines for employers to evaluate the need for employee monitoring and manage personal data obtained from employee monitoring:

  • In evaluating the need for and appropriateness of employee monitoring, employers are recommended to adopt a systematic process: (1) assessment of risks balanced against the purpose achieved from the monitoring; (2) consideration of available alternatives for achieving the purpose of employee monitoring which are less privacy intrusive; and (3) accountability as regards the personal data collected as a result of the monitoring.
  • When processing and managing employees' data collected from employee monitoring, employers are encouraged to (1) have clarity in the development and implementation of policies which clearly state the purposes served by such monitoring, including how personal data may be used and the circumstances in which monitoring may take place; (2) communicate with employees to inform them of such policies and the rationale behind employee monitoring; and (3) have control over and safeguard the personal data collected in accordance with the PDPO.

Thailand:

There are two main lawful bases for processing employees' personal data in the context of employee monitoring, namely:

  • employee's prior consent; and
  • legitimate interest (where data processing (ie monitoring) is necessary for the legitimate interest of the data controller or other persons, provided that such interest must not override the data subject's fundamental rights).

For "legitimate interest", although this could be subjective, it leaves room for employers to prove that monitoring employees' behaviour is for the employer's benefit. One key point to be cautious of is that such monitoring must not override or adversely affect employees' privacy rights. Therefore, monitoring should be on a necessity basis and employers should have justifiable reasons to do so every single time they monitor employees. Legitimate interest as a lawful basis cannot be relied on in processing a special category of data (ie sensitive data) such as employees' health data, trade union information, political opinion, and religious belief.

For "consent", employee's consent should be used only when legitimate interest is not viable (such as when monitoring includes employee's sensitive data) as consent requirements are extensive and consent can be revoked by the employee at any time, which can pose risk in terms of Thai PDPA compliance management.

What are employees' rights as data subjects in relation to monitoring at work?

Singapore:

Employees as data subjects generally have the right to:

  • access their own personal data;
  • rectify/correct their own personal data where inaccurate or incomplete;
  • data portability (passed by Parliament but not yet in force); and
  • withdraw consent.

However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.

Indonesia:

Employees as data subjects generally have the right to, amongst others:

  • access their own personal data;
  • rectify/correct their own personal data where inaccurate or incomplete;
  • erase their personal data;
  • restrict data processing;
  • data portability;
  • object to the processing of their personal data;
  • withdraw consent.

However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.

Mainland China:

Employees as data subjects generally have the right to, amongst others:

  • access their own personal data;
  • rectify/correct their own personal data where inaccurate or incomplete;
  • erase their personal data;
  • restrict data processing;
  • data portability;
  • object to the processing of their personal data;
  • withdraw consent.

However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.

Hong Kong:

Employees as data subjects generally have the right to:

  • access their own personal data;
  • rectify/correct their own personal data where inaccurate or incomplete;
  • erase their personal data;
  • data portability (contained in the PDPO but not yet in force);
  • withdraw consent (where consent had been sought for use of personal data for a new purpose unrelated to the original purpose of collecting the data).

However, there are various requirements around the scope of the rights and conditions that must be satisfied to exercise the above rights.

Thailand:

Employees as data subjects generally have the right to, amongst others:

  • access their own personal data;
  • rectify/correct their own personal data where inaccurate or incomplete;
  • erase their personal data;
  • restrict data processing;
  • data portability;
  • object to the processing of their personal data;
  • withdraw consent.

However, there are various requirements around the scope of the rights and conditions that must be satisfied by the data subject to exercise the above rights.

1. This includes laws relating to the use of information pertaining to a person's personal data through electronic media under Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 on the Amendment to Law No. 11 of 2008 on Electronic Information and Transactions, and its implementing regulations under Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions. The Minister of Communication and Information also issued Regulation No. 20 of 2016 on Personal Data Protection in Electronic System.
