Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals the data relates to, the data subjects. Some jurisdictions only recognize the processing of personal data as lawful if the data subject has provided express consent. Other jurisdictions instead require a legal obligation as the basis for processing the data, and may not require consent. The processing of HR personal data has prompted questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The Philippine Data Privacy Act of 2012 (Republic Act No. 10173, Sec. 12) outlines when processing employees' personal information is allowed, namely when at least one of the following conditions exists:
- the employee provides consent;
- it is necessary in order to fulfill a contractual or legal obligation with the employee, or in order to take steps at the request of the employee prior to entering into a contract;
- it is required for the legitimate interests of the employer or of a third party with whom the personal information will be shared, unless those interests are overridden by the fundamental rights and freedoms of the employee;
- the processing is necessary for compliance with a legal obligation to which the employer (personal information controller) is subject;
- the processing is necessary to protect vitally important interests of the employee, including life or health; or,
- when necessary to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which require the processing of personal data.
When collecting and processing sensitive and privileged information about employees, you must obtain consent, with a few exceptions. Sensitive personal information includes data relating to:
- an employee or applicant’s race, ethnicity, marital status, age, color, religious/ philosophical/political affiliations;
- health, education, genetic or sexual life, court sentences/proceedings/dismissals (alleged or committed);
- government-issued data specific to individuals, such as social security numbers, current health records, licenses (including the denial, suspension or revocation of licenses) and tax returns; and,
- records that have been classified by Congress or an executive order.
Employers do not need to obtain employee consent for sensitive personal information in certain circumstances. The circumstances most relevant for employers include when:
- the processing of the sensitive data is allowed under existing laws and regulations, and (a) the regulation or law guarantees the protection of the sensitive personal information and (b) consent is not otherwise required for that data;
- the information is necessary for court proceedings or legal claims, or must be provided to a government or legal authority;
- the processing is necessary to protect the life and health of the data subject and the individual cannot express consent in advance of the data being processed.
Employers must obtain consent when transferring personal information internationally. This is required even if the data is staying within the company. For example, employers must request consent when transferring employee payroll data from the local HR team to the main office, located outside the Philippines. Some companies, in obtaining the consent of the employee at the start of employment, already indicate the other specific purpose/s which may arise thereafter.
Consent should be collected from employees in written, electronic or other recorded form. When consent is needed, it must be time-bound, tied to the specific purpose for which the data is being collected. Consent can be withdrawn at a later date.
Regardless of whether consent is required, employees must be informed in advance (or at the next reasonable opportunity) when personal data is collected. There is no prescribed form for this notification. The Implementing Rules and Regulations of the Data Privacy Act of 2012 outline the information that must be included in the notification:
- a description of the personal data that's being collected;
- the purpose(s) for which the data is being processed;
- the allowable basis of processing (if not based on consent);
- how the data will be processed (scope and method);
- the possible data recipients (or classes of recipients);
- the methods used for automated access, whether such access is allowed by the employee, and the extent to which it is authorized, including (a) information about the logic involved in the processing, (b) the significance of the processing and (c) the potential consequences for the employee;
- the contact information of the Personal Information Controller (i.e. the employer) or representatives;
- how long the data will be stored; and,
- the employee's rights as a data subject (the rights to access, correction and objection, and the right to lodge a complaint with the National Privacy Commission).
Employees and other data subjects who have previously given consent to having their personal data processed by the employer can withdraw that consent at a later date. If there is a change to the processing of personal data, or an amendment to the information supplied to the employee about that processing, the employee should be notified of the change. If consent was the legal basis for processing the personal data, the individual should also be given the opportunity to withdraw it.
In the event that an employee (as the data subject) objects or withholds consent, the employer should no longer process the personal data unless:
- the data is required pursuant to a subpoena;
- the collection and processing are for obvious purposes (for example, when necessary or desirable in the context of the employer-employee relationship, or for the performance of a contract or service to which the employee is a party); or,
- the information is being collected and processed to meet a legal obligation.
HR Best Practices: In cases where you are collecting sensitive personal information, request consent in advance and keep a record of the employee's consent. Commit to properly informing employees, documenting the legal rationale for each data collection, and offering consent, correction and deletion options where possible.