Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals the data relates to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
Singapore’s Personal Data Protection Act (PDPA) is largely based on the premise that an individual must give consent before personal data is processed. Employers can collect/use/disclose personal data without an individual’s consent when required under other written laws or when employers are collecting “reasonable” personal data for the purpose of managing or terminating employment relationships.
Examples of “reasonable” purposes include:
- paying employees by using an employee’s bank account details;
- monitoring company computer network use;
- using employee photographs on a staff directory;
- managing employee benefits (e.g., training and educational subsidies).
Employers must notify employees of the reasons for the data collection/use/disclosure prior to requesting consent, and when it is related to managing/terminating an employment relationship. There is no required form of notification. Employment contracts, employee handbooks, or notices on the company intranet can meet the notification requirement. If the purpose changes, employees should be informed of the new reason for the personal data collection.
As a matter of good practice, employers should notify employees of the purpose for which the employer is collecting/using/disclosing an employee’s personal data in an Employee Handbook and obtain the employee’s written acknowledgement of the same.
Businesses can use and disclose personal data without consent and without notice when it’s necessary for evaluative purposes. For example, HR teams can obtain references for job applicants to determine whether that applicant is appropriate for a job opportunity. As another example, employers do not need to notify or obtain consent when collecting personal data to evaluate the employee for a promotion.
When Consent is Required
Employers must obtain consent when collecting personal data that is not related to the purpose of managing or terminating an employment relationship (or another allowed exception). For example, employers would need to obtain consent when collecting/using/disclosing personal employee data for other business or client purposes.
Individuals must be notified of the purposes for which their personal information will be collected, used or disclosed prior to giving consent for those purposes. While written consent is encouraged, the PDPA does not require a specific form of consent. Written and recorded consent can provide additional protection for employers in the event that consent is questioned. If consent is obtained verbally, it’s a good practice to document the verbal consent in some way (with date and time). Employees and other data subjects can generally withdraw consent, with reasonable notice.
The Act allows “deemed consent” when an individual voluntarily gives information to an organization for a specific purpose, or if it’s reasonable to consider that the individual would have voluntarily shared that data. For example, job applicants who voluntarily share personal data may be considered to have given deemed consent to the employer for the purposes of processing their job application.
HR Best Practices: Notify employees of the reasons for collecting, using and disclosing personal data in advance of obtaining consent or processing employee information (except when processing employee/applicant data for evaluative purposes). As a best practice, provide notifications and request consent in writing.
The PDPC has posted sample consent clauses for employees and applicants on their Resources page:
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.