The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
In New Zealand, express consent is typically required for job candidates. For current employees, implied ongoing consent may be sufficient if the employee has signed a data privacy consent which provides the employer with the ongoing right to collect any personal information, but only to the extent that the collection is related directly to the employment relationship and only where it is collected and used for reasonable purposes related to that person’s employment. In addition, employers (and other agencies) can only collect personal information by:
In terms of job reference, criminal, credit and medical records, employers should be aware that:
Under the use limitation principle, personal data that has been collected can only be disclosed, made available or used for the purpose the data was originally collected, unless the employee’s (or other individual’s) consent is obtained or the data collection is allowed under the authority of law (The Privacy Act 2020, Schedule 8). In addition, note that consent is required for any overseas transfer of information.
Prior to collecting personal information from an employee or job applicant, employers should take reasonable steps (based on the circumstances) to ensure that the individual is aware (the Privacy Act 2020, Information privacy principle 3):
Employees are generally provided with a written notice advising them of the items above and which seeks the employee’s (or candidate’s) consent. This notice should be provided prior to the information being collected by the employer.
HR Best Practices: Ensure appropriate consent is obtained when collecting personal information from employees. When collecting information from job applicants, obtain express, specific consent. Commit to properly informing employees and offering access and correction where possible.