Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In New Zealand, express consent is typically required for job candidates. For current employees, implied ongoing consent may be sufficient if the employee has signed a data privacy consent which provides the employer with the ongoing right to collect any personal information, but only to the extent that the collection is related directly to the employment relationship and only where it is collected and used for reasonable purposes related to that person’s employment. In addition, employers (and other agencies) can only collect personal information by:
- lawful means; and,
- by a means that is fair and does not unreasonably intrude upon the personal affairs of the individual (the Privacy Act 2020, Information Privacy Principles 4).
In terms of job reference, criminal, credit and medical records, employers should be aware that:
- Employers may check a job candidate’s references with their consent. The job candidate is deemed to give consent when they provide a prior employer's name and contact details in a job application.
- Employers can check an employee's criminal records with the individual’s consent. However, in certain circumstances, employees do not have to declare criminal convictions. Under the Criminal Records (Clean Slate) Act 2004, if an individual satisfies relevant eligibility criteria, they will be deemed to have no criminal record for the purposes of any question asked about their criminal record.
- Employers can only access credit information about a prospective employee with the individual’s consent and for the purpose of a pre-employment check for a position involving significant financial risk (Credit Reporting Privacy Code 2004).
- Medical records can only be collected with the employee’s consent and only for purposes relating to employment (such as information relevant to a workplace injury and information relating to extended sick leave).
Under the use limitation principle, personal data that has been collected can only be disclosed, made available or used for the purpose the data was originally collected, unless the employee’s (or other individual’s) consent is obtained or the data collection is allowed under the authority of law (The Privacy Act 2020, Schedule 8). In addition, note that consent is required for any overseas transfer of information.
Prior to collecting personal information from an employee or job applicant, employers should take reasonable steps (based on the circumstances) to ensure that the individual is aware (the Privacy Act 2020, Information privacy principle 3):
- that personal information is being collected;
- of the purpose of the personal information collection;
- of who (individuals, roles or entities) may receive the information;
- of the name and address of those collecting and holding the information;
- of the specific law (if applicable) under which the collection is authorized/required and, whether providing the information is required;
- of any consequences if they don’t provide the information;
- that they have the right to access and correct their personal information; and,
- of where the information will be held, for what purposes and for how long. This includes an obligation to advise the employee or candidate if information will be transferred outside of New Zealand.
Employees are generally provided with a written notice advising them of the items above and which seeks the employee’s (or candidate’s) consent. This notice should be provided prior to the information being collected by the employer.
HR Best Practices: Ensure appropriate consent is obtained when collecting personal information from employees. When collecting information from job applicants, obtain express, specific consent. Commit to properly informing employees and offering access and correction where possible.