Workplace Investigations

The Employment Ordinance (EO), which is the primary legislation governing employment relationships in Hong Kong, does not provide for a statutory workplace investigation procedure.

The Labour Department of Hong Kong has, however, published a Guide to Good People Management Practices[1] which recommends that employers lay down rules of conduct, grievance and disciplinary procedures. Such rules should be simple and clear, logical and fair, and in line with the provisions in the EO.

As part of risk management and internal controls, Hong Kong-listed companies are expected by The Stock Exchange of Hong Kong Limited (SEHK) to establish whistleblowing policies and systems for employees to raise concerns about possible improprieties with independent board members. Listed companies are also expected to establish policies for the promotion and support of anti-corruption laws and regulations. Such policies and systems may include workplace investigation procedures.[2] If a listed company chooses to not establish such policies and systems, it is required to explain how it could achieve appropriate and effective risk management and internal controls.

While there are no specific laws that regulate a workplace investigation, there are several laws that companies should consider when conducting a workplace investigation concerning alleged employee misconduct.

One key example is the Whistleblower Protection Act (WPA). The WPA provides legal protection to a whistleblower if their allegations are raised in good faith and are in the public interest as specified under the WPA. If the WPA applies, certain obligations apply to the company, including but not limited to the following:

• the obligation to protect the confidentiality of the whistleblower’s identity;
• protecting the whistleblower if the whistleblower suffers or is likely to suffer serious harm to life or health as a result of whistleblowing and the whistleblower requests protection; and
• refraining from taking retaliatory action on the whistleblower.

Therefore, if an employee raises allegations of another employee’s misconduct, the company should review whether the allegations fall under the WPA.

There are also special laws that impose obligations on the company if there are certain types of allegations (eg, sexual harassment, workplace harassment).

In addition, when collecting and reviewing employees’ electronic data, such as emails or files stored in work laptops or company servers, which may contain personal information, the company should comply with data privacy laws discussed in more detail in questions 7 and 8.

Companies may also have internal policies (eg, whistleblower protection policies, Code of Conduct) that may apply to workplace investigations, aside from the requirements under Korean law.

There is no specific legal regulation for internal investigations in Switzerland. The legal framework is derived from general rules such as the employer's duty of care, the employee's duty of loyalty and the employee's data protection rights. Depending on the context of the investigation, additional legal provisions may apply; for instance, additional provisions of the Swiss Federal Act on Data Protection or the Swiss Criminal Code.

If physical evidence contains data relating to an individual, from which the identity of the individual can be ascertained,[1] the data would constitute personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO sets out several data protection principles that the employer must comply with while processing personal data, including:[2]

• personal data must be collected for a lawful purpose related to a function or activity of the employer and should not be excessive for this purpose. An internal investigation would be regarded as a lawful purpose;
• personal data must be accurate and not kept longer than is necessary;
• personal data must not be used for a purpose other than the internal investigation (or other purposes for which the data was collected) unless the employee consents to a new use or the new use falls within one of the exceptions provided in the PDPO;
• personal data must be safeguarded against unauthorised or accidental access, processing or loss; and
• the employee whose personal data has been collected has the right to request access to and correction of his or her personal data retained by the employer.

If an employer wants to gather evidence through employee monitoring, it should ensure that the act of monitoring complies with the data protection principles of the PDPO if the monitoring activity would amount to the collection of personal data. The Privacy Commissioner for Personal Data has issued guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their businesses.[3] As a general rule, employee monitoring should be conducted overtly. Further, those who may be affected should be notified in advance of the purposes the monitoring is intended to serve, the circumstances in which the system will be activated, what personal data (if any) will be collected and how the personal data will be used.

Covert surveillance of employees should not be adopted unless it is justified by relevant special circumstances. Employers should consider whether there is reason to believe that there is an unlawful activity taking place and the use of overt monitoring would likely prejudice the detection or collection of evidence.[4] Even if covert monitoring is justified, it should target only those areas in which an unlawful activity is likely to take place and be implemented for a limited duration of time.

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.