The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In South Africa, personal information can only be processed when (Protection of Personal Information Act, 2013, Sec. 11)(POPIA):
Where consent is used, it must be voluntary, specific and an informed expression of will. Consent may be withdrawn at any time.
Processing special personal information includes additional restrictions, and generally requires the consent of the employee or an approved reason such as the establishment/exercise/defense of a legal right or obligation. Sensitive personal information includes information concerning religious/philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, and/or criminal behavior. Employee consent is not required to process special personal information relating to:
Employers must take reasonable steps to notify employees when collecting their personal information (POPIA, Sec. 18, 1). Employees should be informed in advance of:
HR Best Practices: Before processing personal employee information, assess whether there is a legal, contractual or legitimate interest that would justify the processing. Consent may be necessary in certain cases.
When an employee or job applicant’s consent is questioned, the burden of proof will remain with the employer.