Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates (the data subjects). Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
China’s Cybersecurity Law requires that network operators obtain consent from data subjects in order to collect and use their personal information. The term “network operators” applies primarily to organizations that collect information from website users. That said, no guidance or regulation currently defines whether “network operators” includes employers who are processing their employees’ personal information.
Some employers follow the Personal Information Security Specification (个人信息安全规范, GB/T 35273-2020) when collecting employee data. The Specification includes suggested best practices for personal data controllers (businesses and individuals who process personal data), such as:
- obtaining the employee’s consent to the collection/use/disclosure of their personal data;
- providing employees with a notification that includes the purposes, means, scope and rules for the collection and use of personal information.
The Specification includes additional restrictions when processing sensitive personal information (e.g. bank account numbers, personal health information, biometric data, personal identification numbers, network identification information, personal phone numbers, marriage history, religious beliefs, sexual orientation, undisclosed criminal records, geographical location, internet browsing history, etc.). According to the 2020 Specification, HR data may be considered sensitive personal information because it often contains personal identification information and some health information. When processing sensitive personal information and personal biometric information, employers should obtain express consent from employees and job applicants. Express consent should be specific, clear, unambiguous and voluntarily given.
Under the Specification, businesses do not have to obtain consent in certain cases, such as when the processing is:
- directly related to fulfilling the legal obligations of the data controller (such as the employer);
- directly related to national security;
- related to a trial, criminal investigation, prosecution or execution of judgments;
- protecting life, property, or material legal rights of individuals; or
- directly related to public safety, public health or public interests.