Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In Japan, the Amended Act on the Protection of Personal Information (2016) regulates the processing of personal data. Under Article 2.1 of the Act, “personal information” is defined as any information which relates to a living individual and:
- can identify the individual from that information or,
- can identify the individual from that information with easy reference to other information (such as public records).
According to the Act, companies must obtain explicit consent when collecting “special care-required personal information” (i.e., sensitive personal data). This includes data on an individual’s:
- social status;
- medical history (which includes employee medical records and files);
- criminal record;
- fact of having suffered damage by a crime;
- other information (as prescribed by cabinet order) where processing requires special care so as not to cause unfair discrimination, prejudice or other disadvantages (including mental/physical disorders, health examination results, and criminal procedures).
Consent for special care-required personal information is exempted in certain circumstances such as when the data is required based on other laws and regulations. Companies must also obtain consent prior to transferring personal data to a third party inside or outside Japan (with few exceptions). The exceptions most relevant to employers include:
- when the employer is using a third-party vendor strictly for HR purposes and the third-party relationship has already been communicated to the employee;
- change of company ownership such as mergers and acquisitions;
- when the employer has set-up an opt-out process for its employees. In this case, the employer must comply with the following requirements: (1) registering the opt-out process with the Japanese Data Protection Agency (Personal Information Protection Commission or PIPC), (2) informing the employees in advance of the process including how to opt-out, (3) ensuring that such process does not apply to any sensitive personal data; or
- when there is a specific legal exception.
When transferring data to or from a third party, businesses generally have additional recordkeeping obligations relating to the data transfer (including retaining the name/appellation of the recipients of the data, the date of transmission, etc.). These records must be kept for a time prescribed by the PIPC, generally three years.
HR Best Practices: When collecting personal information in the context of HR, commit to properly informing employees, documenting legal rationales for data collection and making corrections/deletions when requested. Obtain informed consent prior to processing special care-required personal information. If you have a new use for previously collected HR data, request consent before processing the information in a new way.