AI in the workplace: Employment law risks from using AI
12Sep2024The use of Artificial Intelligence (“AI”) can provide benefit to all sectors of the economy. This requires AI to be deployed in workplaces. Employers and HR teams must be mindful of ethical and privacy risks that arise from the use of AI in recruitment and employment processes and management. Mark Chiu, Consultant in our Employment practice, explains more.
General Legal Requirements
The Personal Data (Privacy) Ordinance (the “PDPO”) applies in respect of the protection of personal data in the employment context. This applies throughout the personal data life cycle, including collection, processing, transfer, retention, use and destruction of personal data. Typical classes of personal data in the employment context include recruitment data, personnel records, performance records, activity records and sensitive records.
The Office of the Privacy Commissioner of Personal Data (the “PCPD”) issued the Code of Practice on Human Resource Management in April 2016. If an employer breaches this Code of Practice, this gives rise to a rebuttable presumption in any legal proceedings that the employer has breached the PDPO.
The key Data Protection Principles (enshrined in the PDPO) as they apply to an employer are to:
- only collect personal data for a lawful purpose within necessary limits that are related to a function or activity of the employees;
- take practicable steps to ensure the employees’ personal data are accurate and up-to-date, and retained no longer than necessary;
- only utilise the employees’ personal data for the purposes obtained or obtain express voluntary consent for any new purpose;
- ensure that measures are in place to protect the employees’ personal data against unauthorised access, processing or erasure;
- be open and transparent to employees in respect of the types of data the employer holds and the personal data policies of the employer; and
- inform employees of their right to request access to their personal data, and to correct them.
Approach to AI in Hong Kong
The PCPD has been the primary regulator exploring and addressing regulatory issues arising from AI. This is understandable as there is an overlap of issues between governance of personal data and governance of AI. Nonetheless, this does reflect a degree of regulatory courage, as the issues involved in governance of AI are broader and more complex than simply personal data protection.
The PCPD had published two key papers on AI governance. Its first publication in August 2021 introduced an explanation of governing ethical principles for AI Development and use, and provided practical guidance on systems and processes an organisation could adopt. It included a practical self-help checklist for organisations to self-assessment. More recently in June 2024, the PCPD deepened its prior published guidance by publishing a model framework for personal data protection in the context of AI development and use.
Key features employers should take note of from the 2021 guidance and 2024 model framework above include that companies should:
- set up, communicate and follow policies on how to use AI ethically;
- conduct risk and impact assessments before deploying and using AI, which should consider factors such as the sensitivity and volume of the data, and the potential harm from security leakages;
- provide employees training on their use of AI in the course of their work;
- adopt human oversight measures in respect of automated decisions conducted by AI; and
- test and monitor such AI systems for resilience, accuracy and security.
Employers need to ensure that they comply with the PDPO when deploying and using AI in respect of employment matters. They should also be aware of the personal data risks with the use of AI and automated decision making. These include over-collection and over-retention of data, use of personal data for unauthorised purposes, and data privacy and security. For instance, risks may arise when employee personal data collected from recruitment or performance reviews are used as AI training data sets for future selection exercises.
The PCPD conducted compliance checks on 28 local organisations from August 2023 to February 2024 on their collection, use and processing of personal data using AI, and their AI governance structure. The PCPD will continue to monitor the personal data privacy and protection risks arising from the development, deployment and use of AI.
Other Jurisdictions
The Artificial Intelligence Act in the EU came into force in August 2024. Generally, it follows a risk-based approach in classifying AI systems on levels of risk and establishing certain requirements based on that risk. The EU classified activities regarding selection, promotion, recruitment and termination as high risk.
The UK government opted for a “pro-innovation approach” to regulating AI. The UK government presently does not intend to introduce an all-encompassing statute to regulate AI, and will instead customise existing regulations to address risks. The intention is to maintain flexibility of commercial operations. However, the new UK government has not ruled out the possibility of legislating on the development of AI systems in the future.
Conclusion
AI may bring possible benefits and efficiencies to employers. These include:
- deriving insights for talent acquisition;
- evaluating performance and employee experience; and
- improving workforce planning and training.
The PDPO, being a principle-based and technology-neutral legislation, allows a relatively flexible regulatory regime in the use of AI that balances the needs of the relevant stakeholders and the legal requirements on personal data appropriate to the local circumstances.
Employers should familiarise themselves with the current requirements under the PDPO and be aware of any changes as to these rules. They should formulate and introduce policies for AI and conduct impact assessments before using AI tools and technology. This is a rapidly changing area. New requirements will likely arise at a quick pace. Insofar as AI is concerned, the future is no longer coming; the future is here.
Russell Bennett and Mark Chiu
If you want to know more about the content of this article, please contact:
Russell Bennett
Partner | Email
Consultant | Email
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 12 September 2024