13. Who is liable for a contravention of the Ordinance in relation to employment-related personal data – the employer or the human resources manager?
This depends on the offence in question. Section 64 of the Ordinance specifies a number of offences, some of which may be committed by "persons" (i.e. organizations or individual persons). Under the Criminal Procedure Ordinance, where a statutory offence has been committed by a company which can be both a "person" or a "data user" under the Personal Data (Privacy) Ordinance, and it is proved that the offence was committed with the "consent or connivance" of a director or other officer concerned in the management of the company, that director or other officer is personally liable. Accordingly, both the employer and the human resources manager could be liable for a contravention of the Ordinance in relation to employment-related personal data.
In practice, where the human resources manager acts in accordance with the instructions of the employer, the efforts of the PCO in enforcing compliance would normally be directed at the employer. On the other hand, if the employer has taken all reasonable practical steps to ensure compliance with the Ordinance and the human resources manager has contravened the Ordinance by acting in a manner contrary to company policy and practice, enforcement action taken by the PCO may be directed at the human resources manager.