Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates (the data subjects). Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has prompted questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
Singapore’s Personal Data Protection Act (PDPA) is generally based on the premise that an individual must give consent before personal data is processed. That said, employers can collect/use/disclose personal data without an individual’s consent when: required under written laws; entering into an employment relationship or appointing the individual to an office; or collecting “reasonable” personal data for the purpose of managing or terminating employment relationships. Examples of purposes that could fall within managing/terminating an employment relationship include:
- paying employees by using an employee’s bank account details;
- monitoring how employees use the company computer network;
- using employee photographs for a staff directory;
- managing employee benefits (e.g., training and educational subsidies).
Employers must notify employees in advance of the purpose(s) of personal data collection/use/disclosure, regardless of whether consent is required. There is no required form of notification, but employers must provide the contact information of an individual who can answer questions about the collection/use/disclosure of personal information (PDPA, Sec. 20(5)(b)). Personal data protection policies, employment contracts, employee handbooks, or notices on the company intranet can meet the notification requirement. If the purpose changes, employees should be informed of the new reason for the personal data collection.
As a matter of good practice, employers should notify employees of the purpose for which the employer is collecting/using/disclosing an employee’s personal data in an Employee Handbook and obtain the employee’s written acknowledgement of the same.
Businesses can use and disclose an employee's personal data without consent and without notice when it’s necessary for evaluative purposes. For example, HR teams can obtain references for job applicants to determine whether that applicant is appropriate for a job opportunity. As another example, employers do not need to notify or obtain consent when collecting personal data when evaluating the employee for a promotion.
When Consent is Required
Employers must obtain consent when collecting personal data that is not related to the purpose of (1) entering into an employment relationship with the individual or appointing the individual to any office; or (2) managing or terminating an employment relationship (or another allowed exception). For example, employers would need to obtain consent when collecting/using/disclosing personal employee data for other business or client purposes.
Individuals must be notified of the purposes for which their personal information will be collected, used or disclosed prior to giving consent for those purposes. While written consent is encouraged, the PDPA does not require a specific form of consent. Written and recorded consent can provide additional protection for employers in the event that consent is questioned. If consent is obtained verbally, it’s a good practice to document the verbal consent in some way (with date and time).
There are instances where an individual is deemed to have consented, even if the individual has not given official consent for that purpose. The Act allows “deemed consent” when an individual voluntarily gives information to an organization for a specific purpose, or if it’s reasonable to consider that the individual would have voluntarily shared that data.
For example, job applicants who voluntarily share personal data in a job application may be considered to have given deemed consent to the employer for the purpose of assessing the job application. Employers are responsible for ensuring the employee or job applicant is made aware of the purposes for which personal data is being used/collected/disclosed. In cases where a job applicant is required to provide the employer with a third party’s personal data (e.g., next of kin), the job applicant should represent that consent was obtained from the third party for the specified purpose.
There are two new exceptions to obtaining consent: legitimate interests (such as for an investigation) and business improvement. When considering the legitimate interest exception, employers would need to assess the potential adverse effect on individuals and ensure the employer’s legitimate interests outweigh any adverse effect. When considering the business improvement exception, employers would need to ensure that the purpose cannot reasonably be achieved without using the personal data in an individually identifiable form, and that the purpose would be considered appropriate in the circumstances by a reasonable person (Advisory Guidelines on Key Concepts in the PDPA, Revised 1 October 2021).
Employees (and other data subjects) have the right to withdraw consent, with reasonable notice. In the event that an employee withdraws consent, the employer should inform the employee of the potential consequences of the withdrawal (as a general practice, this notice should be provided within 10 days of receiving the request).
HR Best Practices: Notify employees of the reasons for collecting, using and disclosing personal data in advance of obtaining consent or processing employee information (except when processing employee/applicant data for evaluative purposes).
The PDPC has posted sample consent clauses for employees and applicants on its Resources page.