Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The Philippine Data Privacy Act of 2012 (Sec. 12) outlines when processing personal employee information is allowed, such as when at least one of the following conditions exists:
- the employee provides consent;
- it’s related to fulfilling a contractual or legal obligation with the employee;
- it’s required for the legitimate interests of the employer or by a third party to whom the personal information will be shared, unless the interests are overridden by fundamental rights and freedoms of the employee;
- the processing is necessary for compliance with a legal obligation to which the employer (personal information controller) is subject; or,
- the processing is necessary to protect vitally important interests of the employee, e.g. his life or health.
When collecting and processing sensitive and privileged information for employees, you must obtain consent, with a few exceptions. Sensitive personal information includes data relating to:
- an employee or applicant’s race, ethnicity, marital status, age, color, religious/philosophical/political affiliations;
- health, education, genetic/sexual life, court sentences/proceedings/dismissals (alleged or committed);
- government issued data specific to individuals such as social security numbers, current health records, licenses (including denial/suspension/revocation of licenses), tax returns; and,
- records that have been classified by Congress or an executive order.
Employers do not need to obtain employee consent for sensitive personal information in certain circumstances, including when:
- the sensitive data processing is allowed under existing laws and regulations (and consent is not otherwise required for that data);
- the information is necessary for court proceedings, legal claims, or when information must be provided to the government/legal authority;
- the processing is necessary to protect the life and health of the data subject.
Employers must obtain consent when transferring personal information internationally. This is required even if the data is staying within the company. For example, employers must request consent when transferring employee payroll data from the local HR team to the main office, located outside the Philippines. Some companies, in obtaining the consent of the employee at the start of employment, already indicate the other specific purpose/s which may arise thereafter.
Consent should be collected from employees using written, electronic or other recorded means. When consent is needed, it must be time-bound based on the specific reason for the data being collected.
Regardless of whether consent is required, employees must be informed in advance (or, at the next reasonable opportunity) when personal data is collected. There is no specific form in which the notification must be given to employees. The Implementing Rules and Regulations of the Data Privacy Act of 2012 outline the information that must be included in the notification:
- the content of the personal data that will be collected;
- the reasons the data is being processed;
- the allowable basis of processing (if not based on consent);
- how the data will be processed (scope and method);
- the possible data recipients (or classes of recipients);
- details and potential significance of any automated processing decisions (for example, using a system to automatically weed-out candidates based on their level of education);
- the contact information of the Personal Information Controller (i.e. the employer) or representatives;
- how long the data will be stored; and,
- their rights as data subjects (rights to access, correction, objection and right to lodge a complaint to the National Privacy Commission).
HR Best Practices: In cases where you are collecting sensitive personal information, request consent in advance and keep a record of the employee’s consent. Commit to properly informing employees, documenting legal rationales for data collection and offering consent/correction/deletion where possible.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.