Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In Colombia, employers must generally obtain the employee’s authorization prior to processing personal information. Consent must be prior, express and informed. The consent to process data can be provided in writing, verbally, or through “unequivocal conduct” by the employee which would reasonably lead to the conclusion that the authorization was granted. Note that an individual’s silence does not meet the requirements to process personal data (Decree 1377 of 2013). Employers should retain the proof of the employee’s authorization.
Authorization is not needed in certain cases. Exceptions which will most likely relate to employers include when:
- processing is required by an administrative/public entity to exercise legal functions or required by court order; or, when
- the data is of a public nature.
Employees have the right to revoke consent at any time by submitting a request to the employer. The revocation does not apply in cases where the processing is required by law or by contract.
Under Law 1581 of 2012, explicit consent must be obtained prior to processing sensitive personal data, unless the processing is required by law or necessary for the establishment/execution/defense of a right in a legal proceeding. Sensitive personal data is considered to be data which affects the privacy of the individual or which could result in discrimination if improperly used. Sensitive personal data includes information that reveals: race/ethnicity, political orientation, religious/philosophical beliefs, membership in a trade union/social/political/human rights organization, and health/sexual/biometric information. Employees must be informed that they are not required to authorize the processing of their sensitive personal data.
When requesting consent to process personal data, employees must be clearly and expressly informed:
- of the purpose(s) of the data collection and how the personal information will be processed;
- that providing the answer to questions related to sensitive data is optional (child and adolescent employees are also required to be informed that providing their information is optional);
- when sensitive personal data is being processed, which data is considered “sensitive” and the purpose(s) for processing that data;
- of the employer’s data processing policy;
- of their rights relating to their personal data; and,
- of the contact information for the “Treatment Manager” (i.e. the manager in charge of the data).
Employers are required to maintain an information processing policy that’s accessible to employees in paper or electronic form. The policy must include:
- the employer’s contact information;
- the purpose(s) for processing the personal data if not disclosed in a data processing notice;
- the employees’ rights relating to their personal data;
- the contact information for the individual or department responsible for responding to requests/questions/complaints about the data processing;
- procedures for responding to employees’ requests to exercise their rights;
- an effective date.
All material changes to the policy should be promptly communicated to employees.
HR Best Practices: Before collecting personal data, ensure employees are properly informed of the data collection, and are given access to the company’s processing policy. Except in cases where consent is not required, obtain the consent of the employee prior to processing personal data and retain a copy of the authorization.