Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals the data relates to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
Under the Nigeria Data Protection Regulation (The Regulation, 2019, 2.2), processing an individual’s personal data is only permitted if one of the following conditions is met:
- the employee (or other data subject) has given their consent for the specific purpose(s) of the personal data collection after being informed of the specific reason the data is being collected;
- when necessary for the performance of a contract to which the employee (or other data subject) is a party, or in order to take steps at the request of the employee prior to entering a contract;
- when necessary to comply with a legal obligation to which the employer (or other Data Controller) is subject;
- when necessary to protect the vital interests of the employee or another natural person; or,
- when necessary to perform a task in the public interest or to exercise an official public mandate to which the employer (or other Data Controller) is subject.
- what constitutes the employee’s consent (e.g., checking a box);
- a description of the personal employee information that’s being collected and the purpose(s) for the collection;
- technical method(s) (e.g., cookies) used to collect and store personal information;
- any third parties who have access to personal data and the reason for their access;
- a summary of the principles of processing under the Regulation; and,
When consent is used as the permitted reason to collect personal data, employers (and other Data Controllers) must be able to ensure that consent is obtained freely (without fraud, coercion or undue influence) (The Regulation, 2019, 2.3). If personal data is being transferred to a third party, it should be clear that the employee freely consented to the transfer. When requesting an employee’s consent, the employee should be informed of:
- the name of the employer (or other Data Controller) and any third parties that will be involved in processing/handling the data;
- why the personal data is being requested;
- what will be done with the personal data; and,
- their right to withdraw consent at any time.
HR Best Practices: To show that employees have freely given their consent to the personal data processing, employers should consider:
- the ability to demonstrate that the employee gave consent to have personal data processed and has the legal capacity to give consent (i.e., pre-checked boxes should not be used);
- if consent is requested in writing and the declaration includes other items, the consent request should be prominent and separate from other terms and conditions. Written documents should be provided to employees in an intelligible and accessible format, using clear and plain language;
- whether the performance of a contract (including the provision of a service) is based on the employee’s consent (i.e., consent shouldn’t be required to fulfill a contract or a portion of a contract). The personal data that’s collected should be necessary, and not excessive;
- giving multiple ways to consent when possible (i.e., the employee should be able to consent separately to different purposes and types of data processing);
- maintaining detailed records of consent (including who consented, how they consented, and what they were told);
- making it easy for employees to withdraw consent at any time; and,
- regularly reviewing consent processes and assessing whether a refresh is needed.