Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
As a general principle in India, entities are required to obtain consent before collecting Sensitive Personal Information (SPI) under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. SPI includes personal data that contains information relating to financials, passwords, health (physical, physiological and mental), sexual orientation, medical history/records and biometrics.
Corporate entities must ensure that any sensitive personal information is collected for a lawful reason and that the collection of the data is necessary for that purpose. In addition, the company would need to:
- give the information provider (i.e. the data subject) an option to opt out of providing their SPI;
- inform the data subject, while collecting SPI, that (a) their SPI is being collected, (b) the reason it is being collected, (c) the intended data recipients, and (d) the names and addresses of the agencies which would collect and retain SPI; and,
- obtain written consent to collect the SPI (or consent through fax, electronic communication or email).
HR Best Practices: In the context of HR, consent would only apply to employment-related data that is defined as SPI under the Data Protection Rules. Prior to collecting any sensitive information, inform employees of the reason you are collecting SPI, the intended recipients of the SPI, and the names and addresses of the agencies that will be collecting and retaining the SPI.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.