個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0074/2012/IP

Title: Six casinos have jointly established an “employee blacklist” to share the employee data

Reason: Complaint

Brief:

    Resident X heard that six casinos in Macao have jointly established an “employment blacklist” to share the employee data.  He also pointed out that quite a number of casinos refused to hire him after receiving his application, and he was told by one casino that since as he once worked for Casino A, for this reason he did not pass the background check.
  X was of the view that Casino A and other casinos have jointly established the said blacklist, and suspected that this violated the PDPA, thus requested the GPDP to follow up.

Analysis:

    The data processing in this case, according to Articles 4(1)(1) and Article 3(1) of the Personal Data Protection Act  (PDPA, or Law 8/2005), is governed by the same Law.
  Based on the six casinos’ replies, they all denied that they have established such a blacklist.
  Bureau B pointed out that the six casinos did not jointly establish the blacklist, most casinos have each built up their own human resources management systems and databases to store the data of the current employees, ex-employees and all applicants.
  The GPDP was of the view that, in the process of recruitment, casinos, while conducting background checks, shall comply with Law 8/96/M and Law 16/2001.  Information for checking includes whether the person to be employed has been listed amongst those who have been prohibited to enter any casino by judicial decision or administrative decision, his integrity, in addition that the purpose of the checking should be legal and necessary for its legitimate interests.
  During the recruitment process, each casino could collect the applicants’ data through the following methods:
  1. Collecting the data from the applicant, for instance, from the applicant’s personal resume, ex-employer’s written certificate, etc., which are the data provided voluntarily by the applicant and has the legitimacy as stipulated by Article 6 of the PDPA with regard the “data subject’s consent”.
  2. Collecting the data from a third party who possessed the applicant’s data.  Provided the applicant given his consent, a casino might learn from the applicant’s previous employer about his previous position, conduct record, and other data; this would also achieve the legitimacy as mentioned.  By comparing the applicant’s data  with the data provided by Bureau B, in order to ascertain whether the applicant is prohibited to enter into the casino area by judicial decision or administrative decision, this would also achieve the legitimacy pursuant to Article 6(2) of the PDPA which aims to govern the legitimacy emerged from statutory duties.
  3. Collecting the applicant’s data in the public domain.  Some casinos searched through the local media for the concerned data for the purpose of internal selection, its employment methods and aims.  This is lawful and complies with Article 6(5) of the PDPA.
  In the recruitment process, in order to assess one’s conduct, casinos would collect the applicant’s certificate of non-criminal record, which is also legitimate and is voluntarily provided by the applicant himself.  As such, if it complies with data protection and data security, this conforms to Article 8(2) of the PDPA.  With regard to the possibility of processing sensitive data (e.g. health checks data), if the applicant has voluntarily provided such data, it would comply with Article 7(2)(3) of the PDPA.
  Regarding the ex-employees’ data stored by the casinos, since the PDPA did not provide a specific time limit, it depends on the data processing purposes of the organization.  After the labour relations end, the employer could still process the ex-employees’ personal data within a certain period, for example, for assuming the obligations from the labour relations or for the ex-employee to be employed again.  As to the latter, the casinos could refer to his employment data to ensure that the employee is honest, decent in conduct and qualified.  Hence, it did not violate Article 5 of the PDPA, which governs the data processing principle.
  To sum up, no evidence showed that what X reported was true, and based on the present data, the background check against the applicants conducted by each casino, or the data provided by the ex-employee with his consent to the organization which he applies for, did not violate the PDPA.  Since X was unwilling to allow the GPDP to follow up with his specific case, the current case is closed.

Result:

    The GPDP has sent a reply to X regarding the above mentioned analysis and decision.  The case has been closed.

Reference:
Please refer to "Personal Data Protection Act", articles 3, 4, 5, 6, 7 and 8.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116