The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In Malaysia, employee and applicant personal data can only be processed if the processing meets one of the following requirements:
In addition, employee data should only be processed if:
Privacy Notices
Employees should be informed via written notice before the data is collected. The employee must also be notified before personal data is used for a new purpose, and before the data is disclosed to a third party. Notice to employees and the methods to provide consent should be provided in both the national (Bahasa Melayu) and English languages. The Personal Data Protection Act 2010 does not define or otherwise specify the elements of valid consent. Employees may withdraw their consent in writing at any time. The notice should include:
Employers (and other data users) are not required to notify employees of the personal data collection when the information is being processed for: the assessment/collection of taxes, duties or other similar impositions; the prevention/detection of a crime; or the apprehension/prosecution of offenders.
Processing sensitive personal data has additional restrictions. Sensitive personal data includes information relating to physical/mental health or condition, political opinions, religious/other beliefs and alleged/committed criminal offences. This data can only be collected if the employee has given their explicit consent, or, as relevant to the processing of HR data for employment-related purposes:
HR Best Practices: Commit to properly notifying employees, and requesting consent where appropriate, in advance of collecting their personal information. Ensure employees are also notified prior to using the data for a new purpose and prior to transferring to a third party. When sensitive personal information is required for employment-related purposes, obtain the employee’s explicit consent before processing their data.