- What would the PDPB advise regarding the data retention period of data of former staff?
- In Decree-law 73/89/M there are provisions for the archiving periods of historic files in Macao. The Personal Data Protection Act also has provisions for the data archiving periods. Which should be taken as standards?
- In its daily operation, an institution collects copies of people's IDs. How long should it keep the copies? What are the things it must heed when handling the ID copies?
- A data controller using automatic processing devices must notify the PDPB. What is automatic data processing?
- How long should an employer keep the personal data of a former employee?
- How should one view employee surveillance for assessing employee performance, which involves many aspects?
- Nowadays most facilities, such as hotels, banks and government agencies, have CCTV systems. Do such systems intrude on people’s privacy?
- What consequences will an employer take if he or she installs and runs a surveillance system in a workplace without informing the employees working there?
- When the employees are informed of the existence of a surveillance system, can they object?
- What is meant by "areas of high risks" mentioned in respect of the principle of proportionality expounded in Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring?
- Will Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring pose a hurdle to an employer's effective management?
- Where data processing is automatic, the processing institution must notify the Office for Personal Data Protection. If the Office finds that something violates the law, will the Office demand rectification of the institution?
- Where employees are allowed to communicate with customers using institution-provided MSN, is it legal for the employer to monitor the employees’ conversation with customers (given that such conversation may involve privacy)?
- Under what circumstances may employers monitor their employees by virtue of the Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring?
- What kind of employee monitoring is legal, according to the Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring?
- While it is legal to monitor consulting phone calls from the public, given the public and the employees are properly notified, is it legal if the monitoring is run only to know whether there is [internal] data leakage?
- Are the Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring compulsory in any way?
- Are the Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring the implementation rules of Law no. 8/2005? Are the Guidelines in conflict with the Basic Law?
- Do the Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring pertain to the code of conduct referred to in Article 26 of the Personal Data Protection Act?
- When retrieving data gathered from employee monitoring, the employer must ensure the presence of the employees whose data are concerned, or that they must be properly informed. If, however, an employee is suspected of illegal conduct, criminal offence or administrative offences?
- To prevent the outsourced workers from staying idle in work hours, can we install camera surveillance device in the workers' sitting room? Can we install surveillance device in our security room?
- Usually incoming query calls from the public are audio recorded. If an executive wants to ascertain whether answers offered are correct, can he or she sample check the audio recordings?
- An institution has CCTV system on its premises for security reasons. Can staff ask to review the CCTV recordings for evidence for judging the dispute they have had in the lobby?
- CCTV systems installed for security purposes may take image data of staff members. Is it legal?
- While employers should not monitor employees in non-office hours, CCTV systems usually run 24 hours/day. Is it legal?
- In the Principles concerning the protection of personal data in the workplaces: guidelines for employee monitoring, it is advised that under special circumstances the data of monitoring should be kept for no more than 6 months. What are the special circumstances?
- If an employee is found sleeping in a warehouse via a CCTV system installed for security purposes, can the employee be disciplined based on the evidence derived from the CCTV?
- Is it appropriate to have video camera surveillance in a dining room where staffs have meals with no expensive apparatus or belongings stored there?
- Can a household have a video monitoring device to monitor any helper (or nanny) taking care of the household's baby? Is this practice in compliance with the Personal Data Protection Act?
- When an employer uses surveillance of employees in workplace, is it compulsory by law for the employer to make a personal data collection statement to the employees about the surveillance?
- What are the consequences of an enterprise not abiding by its personal data collection statement in running its surveillance on employees?
- How do you define monitoring? If computer systems come with monitoring functions enabled, but the employer claims that monitoring is not his or her purpose, how should we take it?
- Before the Personal Data Protection Act came into effect, most institutions did not make personal data collection statement when collecting data of their employees. How should the employers comply with the law in this regard from now on?
- If a staff member wants to review the surveillance data collected by the employer, does he or she need the approval of his or her Chief?
- According to the Administrative Procedural Code, a person against whom a law-enforcing action is to be taken must be informed of the action via a return registered letter. However, very often these persons would leave wrong addresses, which made the public authority difficult to contact them. In such cases, newspaper notices might be used but only their names will be disclosed. This might hurdle identifying the respective persons and will there be any other solutions?
- If an institution collects personal data for running a course or activity, must it make a personal data collection statement? If so, must the statement be printed upon the application form?
- Institutions tend to ask visitors to provide their personal data. Must the institutions have their personal data collection statement handy at their reception counters?
- How to distinguish security systems from monitoring ones?
- Can an employer access an employee's computer to review the data therein in the absence of the employee?
- While institutions may install CCTV systems in reception facilities and high-risk areas, can they install surveillance systems in the workplaces of the staff?
- Can employee surveillance data be reviewed in an internal hearing?
- If a shop has CCTV system installed on its business premises, must it inform the customers of the surveillance? Must it tell customers about the purposes of surveillance?
- If a company needs to send its staff's personal data to a government agency, must it say so in its personal data collection statement? Must its statement have the staff's signatures?
- If staff are forbidden to use company equipment for personal purposes in office hours, does the employer have the right to access and review data on such equipment anytime?
- Is it legal for institutions to have their visitors' personal data registered for security reasons?
- When the personal data collection statement is ready, should we put it up on the company notice board or have it signed by every employee?
- When there is a customer complaint, can we retrieve the audio recordings as evidence. Can we use the conversation recordings between the staff and the customers as training material? If there is a phone-call reminder like “for service quality and training purpose, the conversation will be recorded”, can we use the recordings as training material?
- Our company often receives written requests from banks, hotels, etc., which asked for the former employees’ information, for instance, their performance during the employment, salary, among others. Despite the requests usually come with the written approval of the employees, is it a violation of the laws if we provided the information of the former staff to other companies?
- When holding recruitment exams, government agencies tend to refer the applicants' personal data to the Identification Bureau for verification. Does it require prior consent of the applicants? If an applicant objects, what can we do?
- If we use Fingerprint Attendance Systems for attendance logging, do we have to notify the PDPB?
- When hiring workers for confidential data processing, can institutions review their background (e.g. family members' status)?
- Can institutions use their staff's or students' photos on their WebPages or in journals for administrative or operational reasons? Does it require the consent of the data subject?
- Must government agencies obtain consent of their staff to upload the staff's photos to the intranet to be accessed and reviewed by the Chiefs and Personnel Executives?
- Can audio recordings be legally made of recruiting interviews?
- Can we upload staff names list onto the intranet to facilitate institution-wide search for office numbers and phone numbers?
- The MSAR Government Portal has established user accounts for the public to log onto the websites of other public departments. For example, through these accounts they can access to the system of the Public Administration and Civil Service Bureau or the Pension Fund. Given both these public departments possess the personal data of the data subjects, but no transfer of personal data was initiated. If only data checks are conducted, can it be regarded as data combination? On the contrary if data combination exists, can data subjects’ uses of the service be understood as giving consent? Or it is necessary to acquire prior consent through written agreement from the data subjects?
- Is it legal to demand that service providers provide a list of their personnel before allowing them to enter an entity to work?
- A staff of a management company was found falling asleep at work. If the employer secretly took photos of this employee’s dozing during duty hours, and later used the photos as evidence for sacking, would the employer intrude the privacy of the staff?
- Can institutions require their employees to provide health reports?
- Can an employer oblige if he or she is approached by someone seeking information about a former employee's job performance, with the authorization to obtain such information signed by the former employee in question?
- Must an institution appoint a personal data officer? If so, must it inform the PDPB of its appointment?
- If a dossier of an employee contains only Certificate of Criminal Record, but it is kept in the same file cabinet with other dossiers, is it proper?
- Are companies responsible for taking proactive actions to correct customer data? For example, adding "28" or "6" to their contact numbers where necessary.
- Can a public department require its staff to provide travel documents to prove that they have been out of Macao during their special vacations?
- Is it appropriate for companies to require each of their staff to surrender their office computers' log-in passwords?
- A company plans to buy staff insurance policies from an insurance company in Hong Kong. Does it have to apply to the Personal Data Protection Bureau for approval?
- Is it an infringement on staff's privacy if a government agency displays on its premises a list of seniority of its staff?
- The in-service certificate issued by an agency to a public servant bears the data subject's ID document number and job title details. Is this practice subject to the Personal Data Protection Act? If so, is anything about the practice against the Act?
- When collecting copies of IDs and other documents such as certificates from employees, the employer demands that the originals be produced at the same time. Is it appropriate?
- Can we print a member's ID numbers on a membership card? Does the PDPB have any guidelines on how many digits of a set of ID numbers may appear on a membership card?
- Is it appropriate for a bank to collect, for security reasons, personal data of the workers from the providing services to company servicing the bank?
- Article 11(5) of the Personal Data Protection Act provides that the doctor designated by the patient concerned can exercise the right of access to the patient’s healthcare data. When a patient seeks for healthcare service, there would be practical difficulties if a doctor has to be authorized by the patient before the access to his healthcare records. Will there be any other solutions to such situation?
- Is it legal for healthcare institutions to send their patient record documents via the Internet?
- Can doctors disclose their patients' personal data to others?
- The law requires to undertake personal data "combination" with authorization. What is data combination? If existing personal data are already in combination, does it constitute a breach of law?
- Must public departments have authorization to share personal data between them by combination of the data in their possession?
- If, when collecting personal data, we inform the staff concerned that their data will be transferred or combined, and we have obtained their consent, are we still required to notify or seek authorization from the PDPB in order to protect personal data?
- The Land, Public Works and Transport Bureau provides to other public departments, private association or organizations the registered data of the construction professionals, construction companies and their registration list (which include their name/company name, contact address, contact numbers, registration numbers, etc.). Would such provision of information violate Law No. 8/2005 (Personal Data Protection Act)? Does processing as such rely on the data subjects’ consent? Is it necessary to notify the Personal Data Protection Bureau?
- Are Driver Licenses regarded as personal data of identifiable persons? Can a government agency refer a person’s penalty data to another agency by way of data combination? Does such reference require the authorization of the PDPB?
- Does it constitute personal data transfer or combination if such data is transferred between different departments of the same public authority, e.g., between Department A and B of the Municipal Affairs Bureau?
- A magazine publisher often runs surveys and product promotions by making phone calls to citizens' mobile phones. Is it an intrusion on citizens' privacy and hence a violation of the Personal Data Protection Act?
- Which government agency oversees an institution's practice of personal data processing? Which entity is responsible for prosecuting those institutions that do not abide by the law?
- Does the Personal Data Protection Act trace back to any offence in the past? Will legal actions be taken against mishandling of personal data before the Act took effect?
- If an institution's computer system is infiltrated with the result of data leaks, will the institution be held responsible?
- Does the Personal Data Protection Bureau have any guideline on the extent to which institutions should have their computer systems protected?
- Network service providers offer salary management software to customers. What responsibilities do they have in respect of personal data protection?
- If a company contracts a service project to its Shanghai branch, is it related to the data processing practice in conformity with the Personal Data Protection Act? Must it notify the PDPB or apply for any approval?
- What penalties are there for employers who abuse employees' personal data?
- Has the PDPB issued any guidelines regarding fees to be charged for personal data access?
- Do we have to log every step of data processing, such as the time of collection, updating and by whom?
- Civil servants' ID numbers are used in various ways for recognition by different public departments. Should it be standardised?
- Article 3 of the Personal Data Protection Act provides that the applicable scope of the Act covers the wholly or partially automatic personal data processing, and the non-automatic handling of personal data stored or to be stored in manual file systems. But what is a file system? Does this Act apply to the processing of any individual file?
- A company plans to disclose the name list of its shareholders on its website. Is such a move subject to the Personal Data Protection Act?
- In order to claim back money owed, can one upload the copy of the debtor's ID card onto the Internet (with one of the characters of the cardholder's name concealed, and the eyes on the photo blurred and other personal data deleted)?
- The enquirer has made secret audio recordings of her husband talking with a third party, and wonders if she has breached the Personal Data Protection Act.
- If one installs a surveillance system (in the sitting room only) in his home to monitor how his household helper takes care of the kids, is such a conduct subject to the provisions of the Personal Data Protection Act?
- Is handling company account data subject to the provisions of the Personal Data Protection Act?
- When applying for a job, the enquirer sent his CV by mistake to a wrong email inbox. The CV contains his phone number, ID document number and other data. What can the enquirer do about it?
- Are public departments as public legal persons which subject to the provisions of the Personal Data Protection Act?
- Someone used his credit card to pay for the cigarettes he bought in a shop in Hong Kong, but he was asked to produce his Hong Kong Resident ID card. The shop keepers explained that the ID check was a measure to prevent fraudulent credit cards. This person wondered if the shop could ask for his ID or not?
- Is it proper to install a CCTV system at the door of one's flat to monitor the corridor that is also the neighbours?
- How should a person retrieve his or her personal data and belongings which have been under seizure?
- With the consent of the data subjects, Land, Public Works and Transport Bureau intends to publish on its website, for public access, the information of the registered construction professionals, architectural companies and other companies? Is this mandatory to specify to them that their information and personal data will be processed for the said purpose? If these personal data are processed for such purpose, is it obliged to notify to the Personal Data Protection Bureau?
- If a bank was required by a foreign law-enforcing agency to provide its customers' personal data, should it oblige?
- Can a bank collect a customer's data that are disclosed in a court announcement that is published in newspapers?
- Is it legal for a bank to supply a remitter's personal data to the bank of the remittance receiver, at the request of the receiving bank?
- Which are the authorized public authorities in Macao that may review a bank's customer database?
- The Macau Institute of Financial Services, affiliated with the Monetary Authority of Macau, requires the applicants of its courses to provide their ID copies. Is it appropriate? The Institute stated that the data will be mainly used for issuing course certificates.
- Can employer institutions use fingerprint attendance system to log staff's working time?
- If a frontline staff come to someone’s home in order to locate him, but this person was out of reach. If the staff obtained this person’s contact from his neighbor, is it a violation of laws?
- If an institution's computer system is infiltrated with the result of data leaks, will the institution be held responsible?
- In order to claim back money owed, can one upload the copy of the debtor’s ID card onto the Internet (with one of the characters of the cardholder’s name erased, and the eyes on the photo blurred and other personal data deleted)?
- Are data controllers required to submit the documents, related to their self-constituted Personal Data Policy and Personal Data Collection Statement given to the data subjects and the involved individuals, to the PDPB?