Felda Yeung, Partner at Gall Solicitors, shares the guidelines employers should take into consideration when implementing their sick leave policies and engaging with third parties.
Starting from 6 March 2023, all medical certificates (more commonly known as sick leave certificates or sick notes) issued by the Hospital Authority (HA) will carry a digital signature instead of a traditional handwritten signature and will be issued electronically.
With both digital certificates from the HA and paper certificates from private clinics and hospitals in use in Hong Kong, concerns may arise around the processing and storage of employees' medical records.
To delve deeper into this topic, HRO's Tracy Chan speaks to Felda Yeung, partner at Gall, to understand the guidelines employers should take into consideration, and comply with, when implementing their sick leave policies and engaging with third parties.
Q: What are the potential legal risks brought by the implementation of electronic medical/sick leave certificates? Which areas should employers pay extra attention to?
Currently, these e-sick leave certificates will only be issued by the HA and not by private clinics or doctors, so the risk of forgery or counterfeits is limited, as there will be a QR code authentication system. Employers should pay extra attention to familiarising themselves with the QR code system, which will allow the HR department to verify the authenticity of an e-sick note by scanning the QR code and inputting the employee's name and the sick leave date.
Additionally, as with any form of data, employers should also take steps to safeguard and protect the privacy, security, and confidentiality of their employees’ personal details. With digitalisation, employers should be more careful in storing and accessing these e-sick notes.
Q: In terms of electronic medical certificate storage, how can employers ensure all records are properly kept – how long should they be kept, are paper certificates still necessary, and how to ensure personal data privacy and security?
The HA encourages patients to opt for the e-sick leave certificate but for the time being, they will continue to print the e-sick leave certificate for patients.
There are no statutory requirements for the storage of electronic records specifically. Employers can elect to store the electronic version or the paper version, but the company policy will need to take into consideration that private clinics and hospitals will continue to issue paper certificates. If the company adopts a fully electronic record, then paper certificates may need to be scanned and saved onto the system.
Employers should continue to maintain clear and updated records for all their employees, noting the requirement under the Employment Ordinance (Cap. 57) (“EO”) for employers to keep a record of the sickness days of all their employees. This applies equally to the requirement to maintain a record of maternity leave taken and maternity leave pay paid.
If external cloud storage providers are used for data storage, additional care should be taken to ensure confidentiality and compliance with the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), as there can be security breaches.
Additionally, as a matter of good practice, employers should inform employees of the retention period of their health data. There is no statutory requirement relating to the retention of electronic health data but employers can follow the requirements provided by the EO for the retention of wage and employment records. Section 49A of the EO requires an employer to retain the wage and employment history of each employee covering the period of his employment during the preceding 12 months and for a period of 6 months after the employee ceases to be employed.
However, pursuant to section 4 of the Code of Practice on Human Resource Management published by the Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD") in April 2016 ("COP"), personal data of a former employee should not be retained for a period longer than seven years from the date the former employee ceases to be employed unless there is a subsisting reason or the former employee expressly consents to the data being retained for a longer period. Subsisting reasons are reasons that require the employer to retain the data, including but not limited to ongoing civil or criminal litigation.
There are currently no statutory requirements that employers must follow regarding the storage and system security of their employees' health data. However, the COP provides guidelines that employers can follow regarding the collection, sharing, use, and safekeeping of their employees' health data. These guidelines include, but are not limited to:
- Providing ongoing training to staff.
- Restricting access to, and processing of, personal data on a “need-to-know” and “need-to-use” basis.
- Carrying out random checks to ensure compliance with the procedures.
- Ensuring that there are sufficient security features adopted, including the use of account names and passwords; software encryption; dedicated terminals; an audit trail or installed warning feature that can detect unsuccessful attempts to access data; automatic log-off after a timed period of inactivity; and prohibiting unauthorised copies of employment-related personal data to be on distributed computers.
- If an employer engages a third party to perform any of its human resource management functions, it must adopt contractual or other means to ensure that the third party applies appropriate security protection to the employment-related data. For example, an agreement may be drawn up controlling how data are transmitted or processed and requiring the processing agency to take steps to ensure the integrity, prudence, and competence of its staff having access to the data.
- Collecting health data that is necessary for and directly related to the purposes of the data collection. Health data that is irrelevant or not necessary should not be collected. An employer may only need the minimum information about a sick leave application of an employee to verify or calculate the entitlement to sick leave, but not the treatment prescribed for the medical condition of the employee.
- If data needs to be disclosed to a third party, for example an insurer, an employer can remind the recipient to confine its use of data to only those purposes that are directly related to the purpose of the disclosure.
- Separating the personal data of former employees from that of existing employees to enhance security.
- In the event of a data leakage, the employer should notify the staff member concerned and the PCPD as soon as possible.
- Emails should be marked as “Confidential” or “Restricted” when sending documents containing personal data to staff members by email.
Q: With the convenience that comes with digital certificates and telehealth services, what should employers do to avoid the misuse of sick leave?
As discussed above, e-sick leave certificates issued by the HA will contain an encrypted QR code which enables employers to verify the authenticity. This unified system allows verification of the sick leave certificates to minimise misuse.
Additionally, employers can review their current sick leave policies to ensure there are clear guidelines for their employees to follow when requesting sick leave. Commonly adopted policies include requirements for a sick leave certificate if an employee wishes to take sick leave, and an option for the company to request a second medical opinion from a clinic or medical practitioner designated by the employer.
Q: Looking forward, what policy on sick leave, maternity leave and work injury compensation should employers put in place to align with the development of smart healthcare in Hong Kong?
In view of the developments in smart healthcare, employers should review their existing employment contracts and handbooks and revise their sick leave, maternity leave, and work injury policies as necessary.
With the introduction of e-sick leave certificates, employers may eliminate the need for original paper certificates and simply utilise the digital format as proof. Rather than waiting for the employee to return to work, employees can upload their electronic medical certificate on their company’s system or email the electronic medical certificate to the relevant staff member within a specified timeframe.
Additionally, if previous updates to the EO have not been reflected in the employment handbook, these can also be incorporated. For example, sick leave includes doctor's appointments and check-ups as an out-patient or in-patient at hospitals. For employees' medical examinations in relation to pregnancy or post-confinement medical treatment, employers should note that any absence will be counted as sick leave, provided that the employee has produced a medical certificate or certificate of attendance as support.
If an electronic notification and storage system is adopted, companies may also consider whether reminders for notification to insurers where relevant can be built into the system.