Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations towards the individuals the data relates to, the data subjects. Some jurisdictions only recognize the processing of personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal basis for processing the data and may not require consent. The processing of HR personal data has given rise to questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In Malaysia, employee and applicant personal data can only be processed if the processing meets one of the following requirements:
- the employee has consented to the processing of their personal information (excluding sensitive personal data);
- the data is being processed in order to either perform a contract to which the employee is a party (e.g. an employment contract) or enter into a contract with the data subject (such as for recruitment purposes);
- the data is being processed to comply with a legal obligation to which the employer is subject, other than contractual obligations;
- the data is being processed for the vital interests of the employee;
- the data is being processed for the administration of justice; or,
- the data is being processed for the exercise of functions conferred on an employer by law.
In addition, employee data should only be processed if:
- the purpose for processing is directly related to an activity of the employer;
- the processing is necessary for, or directly related to, that lawful purpose; and,
- the data that’s collected is appropriate and not excessive, given the reason for the collection.
Employees should be informed via written notice before the data is collected. The employee must also be notified before personal data is used for a new purpose, and before the data is disclosed to a third party. Notice to employees and the methods to provide consent should be provided in both the national (Bahasa Melayu) and English languages. The Personal Data Protection Act 2010 does not define or otherwise specify the elements of valid consent. Employees may withdraw their consent in writing at any time. The notice should include:
- a description of the personal data that’s being collected and processed;
- the purpose(s) of processing;
- the source of the data;
- the employees’ right to request access to and correction of their personal information, along with the point of contact to submit requests;
- the class of third parties to whom the employer may disclose the data;
- the employees’ choices and means to limit the processing of their personal data, including personal information relating to others who may be identified as a result of the collection;
- whether the employee is required to provide the data; and,
- when the personal data is required, a notification of the consequences of failing to supply the personal information.
Employers (and other data users) are not required to notify employees of the personal data collection when the information is being processed for: the assessment/collection of taxes, duties or other similar impositions; the prevention/detection of a crime; or, the apprehension/prosecution of offenders.
Processing sensitive personal data is subject to additional restrictions. Sensitive personal data includes information relating to physical/mental health or condition, political opinions, religious/other beliefs and alleged/committed criminal offences. This data can only be collected if the employee has given their explicit consent, or, as relevant to the processing of HR data for employment-related purposes:
- if necessary for exercising or performing a legal right or obligation of the employer in connection with employment;
- to protect the vital interests of the employee or another person (in specific cases);
- if processed for medical purposes and is undertaken by either a healthcare professional or an individual who owes a duty of confidentiality similar to a healthcare professional;
- for the purpose of a legal proceeding, obtaining legal advice, establishing/defending/exercising legal rights, the administration of justice, or for exercising functions conferred on a person by/under written law; or,
- if the information contained in the personal data has been made public as a result of steps deliberately taken by the employee.
HR Best Practices: Commit to properly notifying employees, and requesting consent where appropriate, in advance of collecting their personal information. Ensure employees are also notified prior to using the data for a new purpose and prior to transferring to a third party. When sensitive personal information is required for employment-related purposes, obtain the employee’s explicit consent before processing their data.