The processing of any personal data may impose obligations toward the individuals the data relates to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and prompted court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In Japan, the Amended Act on the Protection of Personal Information (2016) regulates the processing of personal data. Under Article 2.1 of the Act, “personal information” is defined as any information which relates to a living individual and:
When companies handle or acquire personal information, the purpose must be restricted to a specific utilization. That purpose must be clearly disclosed to the individuals whose data is being collected or to the public (whichever is appropriate) unless it has been previously announced. Individuals can be informed through a privacy policy, a notice on the company’s website or another method. When personal information will be used for a new purpose, employers should obtain consent before using the data for that purpose.
According to the Act, companies must obtain explicit consent when collecting “special care-required personal information” (i.e., sensitive personal data). This includes data on an individual’s:
Consent for special care-required personal information is exempted in certain circumstances such as when the data is required based on other laws and regulations. Companies must also obtain consent prior to transferring personal data to a third party inside or outside Japan (with few exceptions). The exceptions most relevant to employers include:
When transferring data to or from a third party, businesses generally have additional recordkeeping obligations relating to the data transfer (including retaining the name/appellation of the recipients of the data, the date of transmission, etc.). These records must be kept for a time prescribed by the PIPC, generally three years.
HR Best Practices: When collecting personal information in the context of HR, commit to properly informing employees, documenting legal rationales for data collection and making corrections/deletions when requested. Obtain informed consent prior to processing special care-required personal information. If you have a new use for previously collected HR data, request consent before processing the information in a new way.