Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In Hong Kong, the individual’s consent is not generally required in order to collect personal data. Employers are allowed to collect personal employee information when it’s done in a lawful and fair manner for a purpose that is directly related to a function or activity of the employer, on the condition that certain information about the collection has been disclosed to the employee. The information that’s collected must be reasonable, given that specific purpose (i.e. you shouldn’t collect excessive personal information).
Note that the collected personal data cannot be used for a new purpose without the voluntary and explicit consent of the individual. In addition, personal data should not be revealed to a third-party without the employee’s express, voluntary consent, unless it’s legally required (or unless the employer already informed the individual that the personal data may be disclosed to the third-party).
Before collecting personal employee or applicant data, employers must explicitly notify the individual through a Personal Information Collection Statement. This Statement should include:
- the purpose of the data collection;
- the classes of individuals to whom personal data may be transferred;
- whether the data collection is required or voluntary (unless it’s obvious from the circumstances);
- notification that individuals have the right to access and correct their personal information; and,
- the name or job title, and address of the individual to whom access/correction requests should be sent.
There is no required format for the Personal Information Collection Statement. It can be given in hard copy or electronically (ex., displaying the Statement on a webpage before the employee accesses an electronic form).
In the event that employment-related personal information was collected prior to December 20, 1996 and employees did not receive any notifications on the collection, the employer can continue to use the information for the implicit purpose for which it was collected.
HR Best Practices: Limit data processing to what is necessary to perform HR functions and to fulfill your contractual obligations with employees. Prior to collecting personal employee and applicant information, provide individuals with a Personal Information Collection Statement.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.