- with Senior Company Executives, HR and Inhouse Counsel
Conducting background checks on job candidates has become a common practice amongst employers. These may include obtaining work references, inquiring about the candidate's criminal record and assessing their social media and online presence. As the outcome of a background check can significantly influence an employer's decision to hire a candidate, job offers are often made conditional upon the satisfactory completion of such checks.
In Hong Kong, employers face a complex web of obligations under the Personal Data (Privacy) Ordinance ("PDPO") and sector-specific rules such as the Mandatory Reference Checking Scheme. These frameworks are designed to protect candidates' rights while allowing businesses to make informed hiring decisions. Missteps—whether collecting excessive data, using information for an unrelated purpose, or failing to obtain consent—can lead to regulatory breaches and reputational harm.
This article explores the key questions employers should ask before conducting background checks: What information can you lawfully collect? How should you handle data from public sources? And what safeguards are required when engaging third-party providers? Understanding these principles is essential to balancing compliance with the practical need to assess candidate suitability.
Can employers inquire about a job applicant's criminal conviction records?
An individual's criminal record is considered personal data. Any collection and use of the candidate's personal data is governed by the PDPO, which is centred around six data protection principles. Data protection principle ("DPP") 1(1) provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. DPP 1(1) also requires that the collection of the data is necessary for or directly related to that purpose, and, in relation to that purpose, the data is adequate but not excessive. In other words, employers must consider whether the collection of the candidate's criminal records, being personal data, is necessary for the purpose of human resource management. This assessment would depend on the role, its nature, and the responsibilities involved. Roles that demand honesty, integrity and utmost trustworthiness, such as those employed in the financial and legal sector, are more likely to warrant such data collection.
Compared to other jurisdictions, it is difficult for employers in Hong Kong to independently verify a candidate's criminal history. Employers therefore largely rely on candidates to disclose any of their criminal record. At common law, a candidate has no duty to disclose their criminal record, but the employer is entitled to ask. If a candidate chooses to answer these questions, they must do so truthfully. However, there are significant limitations on what candidates can obtain as written proof of their criminal records in Hong Kong.
The Hong Kong Police Force will only issue a certificate of no criminal conviction ("CNCC") in limited circumstances. Specifically, a CNCC is provided solely for the purposes of visa applications or adoption of children. Once the application is processed, the CNCC will be sent to the relevant Consulate, Immigration Authority and/or Government Authority only and not the applicant themselves. Applications submitted for any other purposes, including employment background checks, will not be accepted. Accordingly, requesting a candidate to obtain a CNCC to verify their criminal history as part of the background check process is not a viable option.
As a workaround to the limitations of obtaining a CNCC, sometimes prospective employers may request a candidate to submit a data access request to the Criminal Conviction Data Office ("CCD"), which is an office operated by the Hong Kong Police Force, regarding their criminal conviction records. A data access request is a legal mechanism under the PDPO which allows an individual to ascertain whether a data user holds their personal data and obtain a copy of such personal data.
Given that criminal conviction data is highly private and sensitive, the application must be made by the candidate personally and cannot be submitted through an authorised person. If such records are found, a copy of the records will be given to the candidate in person. However, if the CCD does not hold any such record, it is not required to provide a written response, as would normally be required under the PDPO. Instead, the CCD is only required to orally inform the candidate within the statutory 40-day period that no criminal record is held by them. Employers should be aware that the Rehabilitation of Offenders Ordinance allows individuals with spent convictions to withhold this information for employment purposes and be deemed to have no conviction record, subject to certain exceptions. Such exceptions cover the admission as a solicitor, barrister or accountant, decisions relating to a person's suitability to obtain or hold any licence or registration, or for those employed in the banking industry.
Can employers use information in the public domain to carry out the background check?
The availability of a candidate's personal data in the public domain, such as public register, does not imply a blanket consent for use of their personal data for whatever purposes. Such data may be incomplete, misleading, or outdated and the use of such data without the candidate's knowledge and without providing them with the opportunity to rectify any data could lead to unfair assessments of the candidate.
Under DPP3, personal data must not, without the prescribed consent of the data subject, be used for a new purpose. A "new purpose" refers to any purpose other than the one for which the personal data was originally collected or a directly related purpose. Before using publicly accessible personal data, employers should carefully consider the following factors in assessing the permitted purposes of use:
- The original purpose for which the personal data was placed in the public domain;
- The restrictions, if any, imposed by the candidate for further uses; and
- The candidate's reasonable expectation of the personal data privacy.
Employers should therefore inform candidates that their personal data may be collected from them directly, or from other sources and provide them with an opportunity to rectify any inaccuracies. If the original purpose for which the personal data was placed in the public domain is not clear, employers should obtain candidates' express and voluntary consent before collecting and using the publicly accessible data.
If a third-party service provider is engaged to supply the personal data to the company, employers should ensure that adequate contractual safeguards are in place. Agreements should require the third-party service provider to comply with all applicable data protection laws and regulations when collecting, processing and using such data.
Can employers reach out to the candidate's former and/or current employer for a reference check?
Reference checks for certain specified positions in the banking sector are mandatory. The Mandatory Reference Checking Scheme requires authorised institutions under the supervision of the Hong Kong Monetary Authority to approach the candidate's former and current authorised institutions employer(s) and request conduct-related information covering the seven years prior to the application for such position.
When employers seek references from a candidate's former or current employer, they inevitably collect personal data related to the candidate's performance and suitability. Similar to the use of publicly available personal data, the original purpose for which this data was collected, typically for employment management, does not extend to background checks by third parties. It is therefore essential to obtain the candidate's express consent before proceeding with reference checks.
From a practical standpoint, requesting consent reinforces transparency and trust. Reaching out to the candidate's current or former employer without obtaining the candidate's prior consent will likely undermine their confidence in the employer prior to the commencement of employment.
As seen above, when performing background checks, employers must carefully balance their legitimate interests in making informed hiring decisions with the need to respect and safeguard a prospective employee's right to privacy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
