Lao Peoples’ Democratic Republic (Lao PDR) introduced the E-Data Protection Law (№ 25/NA) to protect the electronic data of individuals from improper disclosure or use.
The E-Data Protection Law classifies electronic personal data into two broad categories:
- General data (referring to the data of individuals, legal entities, or organizations that is able to be accessed, used, and disseminated without consent provided that the source of the data is stated, such as name, position, address, telephone number, or email address)
- Specific data (referring to data, including official and personal data, of individuals, legal entities and organizations that is restricted from access, use, or dissemination without authorization of the relevant data owner, such as customer data, financial data, personal history, health records, race, religion, project data, budget data, or official secrets)
A key distinction between specific data and general data is that collection, use, or dissemination of specific data is expressly subject to the authorization of the individual concerned. By contrast, general data may be collected, used, or disseminated without any authorization, provided the source of the general data is stated.
In the context of employment relationships, the information that an employee may have to provide to the employer at the recruitment stage and during employment will be of a personal nature and as such classified as specific data. The employer will therefore be prohibited from disclosing it to any person or entity (including an affiliate or other group company) without the authorization of the data owner (i.e., the employee) or if it is otherwise required by law.
The collection, use, and disclosure of personal information without the authorization of the owner is considered an offense under Lao PDR’s penal code (№ 62/NA, May 17, 2017). An employer disclosing another person’s confidential information which has come to its knowledge during the performance of his or her profession or duties, and such disclosure causes damage to the other person, may also be criminally liable and subject to a fine or imprisonment.
To mitigate risk, employers may want to ensure that they include a clause in employment contracts where employees consent to the collection, use, and disclosure by the employer of their personal information for any legitimate purpose. Without such a consent clause, employers are legally restricted from collecting, using, and disclosing an employee’s personal information to third parties (including the employer’s affiliates or group companies) and would have to seek separate written consent from the employee, which depending on the relationship at the time, may not be forthcoming.
Written by Standre Bezuidenhout and Bounyasith Daopasith of DFDL and Roger James of Ogletree Deakins
© 2020 DFDL and Ogletree, Deakins, Nash, Smoak and Stewart, P.C.