Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals the data relates to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
Under the Information Technology Rules, 2011 on Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (“Privacy Rules”), employers and other entities in India must meet certain requirements before collecting Sensitive Personal Data or Information (SPDI). The Privacy Rules require that companies:
- give the information provider (i.e. the data subject) an option to opt out of providing their SPDI;
- inform the data subject, while collecting SPDI, (a) that their SPDI is being collected, (b) of the reason it is being collected, (c) of the intended data recipients, and (d) of the names and addresses of agencies which would collect and retain SPDI; and
- obtain written consent to collect the SPDI (or consent through fax, electronic communication or email).
That said, note that if the parties agree on what constitutes reasonable security practices/procedures, the parties can agree to exclude the applicability of the Privacy Rules.