Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has given rise to questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In Australia, you do not have to obtain consent from employees in advance of collecting personal data if the information falls within the ‘employee records exemption’ in the Privacy Act and the information only pertains to the employment relationship. Specifically, employee records (including terms and conditions of employment, training, disciplining and resignation, personal and emergency contact details, performance and conduct, taxation, banking and superannuation affairs, remuneration, leave, or trade union membership) are exempt if the data is managed by the employer. That said, due to the limited exemptions and the limited scope of the exemption, employee consent is obtained by many employers as a best practice.
For example, if information is disclosed to and collected by a third party (such as a parent corporation or HRIS), the exemption does not apply to the processing of the information by the third party. Therefore, employee consent is needed to transfer employee data outside Australia to third parties. In addition, job applicant data is not included in the exemption.
Processing of non-exempt employee data may happen outside the employer’s control. For example, if an employee uses a business email address to send personal emails, this data would not be covered by the exemption. As a best practice, Australian employers create company policies that clearly explain that business email and internet systems will be monitored, that employees should have no expectation of privacy in the employer’s systems and that employee consent is implied through usage. If an employee may use a VPN or personal device to access company systems, they should be informed that the same rules apply.
Consent may be express or implied, but according to the non-binding APP Guidelines issued by the Office of the Australian Information Commissioner, to be lawful:
- individuals must be adequately informed;
- consent must be given voluntarily;
- consent must be current and specific; and
- individuals must have the capacity to understand and communicate their consent.
Consent is not required in certain specific circumstances where collection is required or authorized by law.
For example, employers do not need consent to collect employee tax file numbers (TFNs) as long as they are collected to comply with taxation, personal assistance or superannuation law. This includes third-party 'approved recipients' who are engaged by an employer to provide services where it is reasonably necessary to have access to TFN information (e.g., payroll providers or administrators who manage the employer's incentive plans).
There is no employee records exemption in relation to health information. Employee health information should be handled in accordance with legal requirements outlined in each state Act and can only be disclosed to employees on a need-to-know basis. Company policies relating to health information should outline:
- how this information will be handled;
- how employees can review their information;
- how employees can request amendments to their health information; and
- how to make complaints relating to the employer’s handling of any health information.
HR Best Practices: When determining whether consent should be used when collecting employees’ personal data, employers should consider whether the personal data that’s being collected falls within the ‘employee records exemption’ in the Privacy Act and whether the information only pertains to the employment relationship. Consent may be necessary in many cases, including when collecting job applicant data and when the data may be transferred to third parties. When consent is necessary, explicit consent is considered a best practice in case the validity of an individual’s consent is questioned.