Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In order to collect employees’ personal data in Mexico, consent is generally required, with a few exceptions (Federal Law on the Protection of Personal Data Held by Private Parties). Consent can be provided verbally, in writing or via any technology. With the exception of sensitive personal data and financial data (which require explicit consent), tacit consent is allowed under the law when the individual is provided with a privacy notice and has the option to opt out of the collection. Employers must also give individuals the option to opt out of consent at a later date via the privacy notice (note: the revocation would not be retroactive). Consent to collect personal information is not necessary when:
- otherwise required by law or regulation;
- the data is publicly accessible;
- the personal data has been deidentified;
- the collection is required to fulfill an obligation between the employee (or other individual) and the employer (e.g., when necessary to fulfill an employee contract); or,
- there is an emergency that could harm an individual or an individual’s assets.
The personal data that is collected must be limited to the purpose outlined in the privacy notice. If the data is being processed for a new purpose, the employer must obtain new consent from the employee.
When collecting sensitive personal data, express written consent must be obtained and the notice must specifically state that sensitive personal data is being handled. Sensitive personal data includes information that affects the most intimate sphere of the individual as well as personal information that could cause serious risk or discrimination if revealed. This includes personal information such as: race/ethnicity, health status, genetic information, religious/philosophical/moral beliefs, union affiliations, political opinion and sexual preference.
HR teams should provide individuals with a privacy notice prior to collecting personal information. Notices should include:
- the data controller’s identity and contact information;
- the information that will be collected;
- the purpose of the data collection, specifying which data is necessary for the relationship with the employer (or other data controller), and which data is not necessary;
- the options that the employee/applicant has to limit the use or disclosure of their personal information;
- how the employee can exercise the right to access, correct, request deletion, or express concerns with the data collection, including how the employee can revoke or limit consent when the processing is for purposes that are extraneous;
- whether data may be transferred to a third party, and express acceptance by the employee (or other data subject) for the transfer;
- information on the use of mechanisms in remote or local electronic, optical or other technological communications that allow personal data to be collected automatically and simultaneously while the employer makes contact with such mechanisms (i.e. cookies or web beacons) and how to disable these features;
- how the employer will communicate changes in the privacy notice; and,
- whether the data collection includes sensitive data (describing the sensitive personal data).
HR Best Practices: Limit the collection of employees’ personal data to information that is clearly outlined in employee privacy notices. When consent is used, ensure there is a way for employees to revoke their consent at a later date and that employees are notified of the revocation process.