The system uses indicators such as desktop keystrokes, video calls, and scheduled meetings to build an estimated weekly activity footprint. The bank describes the initiative as a wellbeing-measure designed to create transparency and encourage open conversations around overwork rather than to penalise staff. The bank maintains the tool will not be used for performance evaluation.

This pilot is part of a wider trend in the financial services sector, where more employers are adopting monitoring technologies often described as “bossware” to track workloads and address long standing concerns about excessive hours, burnout and the pressures associated with remote work. It has already introduced measures such as capping working hours and restricting weekend work in an effort to ease the industry’s culture of gruelling schedules. Even so, employee surveillance, even when framed as supportive, raises concerns about privacy, workplace trust and the risk of a “Big Brother” environment. Some critics remain sceptical, arguing that the initiative is likely to increase pressure on workers rather than alleviate it.

Data privacy and employee monitoring

In the event the same measures were rolled out by the bank in Hong Kong, whether it would be regarded as permissible would be considered in conjunction with the Personal Data (Privacy) Ordinance (“PDPO”). The PDPO does not prohibit workplace monitoring outright. However, any monitoring that involves collecting personal data must comply with the PDPO. Data Protection Principle 1 requires employers to ensure that (a) the personal data is only collected for a lawful purpose directly related to a function or activity of the data user; and (b) the collection of personal data is adequate but not excessive. Employers must also inform employees, on or before collecting their data, the purpose for which the data will be used. The Office of the Privacy Commissioner for Personal Data has recommended that employers undertake the "3As" assessment process, which refers to:

(a) Assessment, which involves assessing the risks and benefits of employee monitoring, having regard to the purposes that relate to the employer’s business functions or activities;

(b) Alternatives, which involves considering other options that may be equally cost-effective and practical, yet less privacy-intrusive; and

(c) Accountability, which involves implementing privacy-compliant data management practices for handling personal data obtained from employee monitoring.

When we examine the bank’s pilot programme through the lens of the Privacy Commissioner’s “3As” assessment process, it is evident that the monitoring raises several privacy concerns.

(a) Assessment: The pilot aims to identify overwork, but the monitoring may still capture personal activity on work devices (such as sending a personal email to a family member during their lunch break), which can feel intrusive. Even with assurances that the data will not be used for performance evaluation or enforcement purposes, there is a risk that managers may rely on it informally. This could undermine trust and cause unintended harm to employees.

(b) Alternatives: The bank's well-being goals could arguably be achieved through less intrusive means. This may include regular supervisor check-ins, where employees are given the opportunity to speak with their supervisors directly and voice out any concerns about their workload. This in turn would enhance communication and help build trust between the bank and the employee. Other alternatives include having a workload dashboard which sets out  work allocations for projects, deadlines, and staffing data and optional “digital wellbeing summaries” akin to screen-time tools on smartphones. If these options have not been properly considered, the bank may struggle to justify its monitoring approach.

(c) Accountability: Clear policies are needed to explain what data is collected, how it will be used, and who can access it. Data should be kept only for as long as needed and deleted once the wellbeing purpose is met. Access to monitoring data should be strictly limited to HR or senior management, and internal controls must prevent the data from being used for performance evaluation or anything other than the stated purpose. Regular reviews should ensure the tool remains necessary and proportionate.

Implications for employers considering employee monitoring

Employers introducing similar monitoring tools in Hong Kong would face significant compliance obligations under the PDPO. They would need to conduct privacy impact assessments, update internal policies, revise privacy notices and ensure any third party providers meet regulatory standards. Because these systems generate sensitive behavioural data, organisations must also implement strong security controls such as access restrictions, encryption and defined retention schedules. Any breach involving such detailed information could lead to serious legal and reputational consequences.

Beyond legal compliance, employers must consider the impact on workplace culture and employee trust. Even when framed as supportive, monitoring tools often create anxiety and can erode psychological safety, particularly in high pressure sectors. Experience in other financial institutions shows that such tracking has caused tension and concern among junior staff, who may fear indirect performance assessment or increased scrutiny. Monitoring can also unintentionally encourage presenteeism or activity performing behaviours rather than meaningful productivity. Without genuine changes to workload management and leadership practices, these tools risk worsening the very wellbeing issues they claim to address.

Conclusion

If a Hong Kong employer were to pilot monitoring technology, they would face significant PDPO compliance obligations, including transparency, proportionality and purpose-limitation requirements. The legal risks are substantial, but the cultural and trust related risks may be even greater. In Hong Kong, as elsewhere, employers seeking to improve wellbeing may achieve more through meaningful workload management, supportive leadership and cultural change than through algorithmic oversight.

If you require any assistance with employment or data privacy matters, please feel free to reach out to a member of our team.