[Viewpoint] The struggle over employee privacy

Foreigners who have spent considerable time here may be well acquainted with the saying “there are no secrets in Korea.” Indeed, in densely populated, socially (and digitally) integrated Korea, this expression contains more than a kernel of truth. Nevertheless, employees working in Korea do retain certain rights of privacy, even vis-a-vis their employers, and as such, the gathering, storing and transferring of personal information by employers is fraught with legal and practical complexities.

In today’s information age, prospective and current employers and employees must understand their rights and responsibilities in protecting personal data.

Historically, Korean privacy laws and regulations have varied widely among different industries, causing confusion among companies and foreign investors alike but the recently enacted Personal Information Protection Act was designed to align the principles of processing personal information in Korea with generally accepted international standards and to prevent the unauthorized disclosure of personal information.

But daunting challenges remain in the pursuit of a practical balance between promoting the free exchange of relevant information among current, prospective and future employers and protecting employees’ personal privacy.

For many multinational companies, candidate background checks are an essential and standard human resources practice, but privacy restrictions and defamation laws make such processes very difficult in Korea. In principle, obtaining information other than basic credit histories can be very difficult without the employee’s express consent and criminal background checks are essentially impossible for anyone other than a law enforcement official or public prosecutor to conduct. Even checking references provided voluntarily by a candidate - i.e., contacting a former employer or school administrator - to look into a candidate’s background prior to extending an offer of employment must be handled carefully.

Many former employers, fearing a defamation lawsuit for disclosing anything critical of the employee (even if true,) will refuse to disclose any material information concerning the employee’s performance or even the circumstances surrounding his or her departure and will respond to inquiries by prospective employers only by confirming the relevant dates of employment; they may also be required to notify the candidate himself of the inquiries they’ve received. These limitations, coupled with Korea’s very restrictive employment laws, often dissuade employers from offering candidates jobs.

Once the employee joins the organization, the process of gathering personal data in Korea becomes only slightly easier. PIPA requires the processor of personal information to disclose certain items to the owner of the personal information, such as the identity of any third parties to whom the personal information is to be provided, the purpose behind the use of the personal information, the specific items of personal information to be provided and the time period of retention and use by the third party.

Further, a separate notice and prior consent must be obtained when transferring personal information overseas. The personal information processor must establish and disclose a set of guidelines for processing the information and should appoint a personal information protection officer within the company. PIPA expressly prohibits the processing of sensitive information (such as an employee’s religious or political affiliations) in principle; such information would be subject to a separate consent process, and should be pursued only in the most exceptional of circumstances.

In order to fully comply with PIPA and other applicable privacy regulations while compiling and disseminating the information their business may require, employers are advised to seek consent from their employees in writing.

Well-crafted consent documents usually contain three sections: an explanation of the employer’s purpose for collecting and using an employee’s personal information, details regarding the type of personal information to be collected and a description of the period during which the data will be retained and how it is likely to be used.

A failure to secure valid and informed consent by an employee prior to transferring his or her personal data overseas may lead to civil lawsuits against the company and as such employers should afford the same care and sensitivity to data transfers to related entities as they do to transfers to third parties.

Employees would be wise to act responsibly in safeguarding their own personal data and should be mindful of the limits of their privacy, particularly at, or, within the workplace.

More and more current or prospective employers are conducting Internet searches or visiting social or business networking Web sites like Naver, LinkedIn and Facebook prior to extending offers of employment and employees should realize that the online persona they present will be evaluated carefully, as the line between what is public or private conduct becomes increasingly blurred.

While rights of privacy will never completely disappear, secrets are becoming increasingly difficult to keep in an open and fast-moving Korean society.

*The writer is a foreign legal consultant at Kim & Chang, Seoul.

By Patrick Monaghan