Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In South Africa, personal information can only be processed when (Protection of Personal Information Act, 2013, Sec. 11)(POPIA):
- the employee (or other data subject) consents to the processing;
- necessary to conclude a contract to which the employee is a party;
- necessary to comply with an obligation imposed by law;
- processing protects the legitimate interest of the employee;
- necessary for the performance of a public law duty by a public body; or,
- necessary for the legitimate interests of the employer or a third party to whom the information is provided.
Where consent is used, it must be voluntary, specific and an informed expression of will. Consent may be withdrawn at any time.
Processing special personal information includes additional restrictions, and generally requires the consent of the employee or an approved reason such as the establishment/exercise/defense of a legal right or obligation. Sensitive personal information includes information concerning religious/philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, and/or criminal behavior. Employee consent is not required to process special personal information relating to:
- race or ethnic origin to comply with laws and other measures designed to protect/advance persons, or categories of persons disadvantaged by unfair discrimination; and,
- health/sex life when necessary to implement legal provisions, pension regulations or collective agreements which create rights dependent on the health/sex life of the data subject; or, reintegration/support for employees entitled to benefit in connection with sickness or work incapacity.
Employers must take reasonable steps to notify employees when collecting their personal information (POPIA, Sec. 18, 1). Employees should be informed in advance of:
- the information that will be collected about them and the source of the data, if it’s not provided directly by the individual;
- the name and address of the employer (i.e. the party responsible for the data collection);
- the reason the data is being collected;
- whether the data collection is voluntary or mandatory;
- the consequences of not providing the requested information;
- any law that requires or authorizes the data collection;
- the transfer of data to other countries or international organizations, and the level of protection the data will receive by the other country or international organization (if applicable);
- the recipient(s), or the categories of recipients, and the nature/category of the data;
- rights relating to their personal data including the right to: access personal data that has been collected, correct inaccuracies, object to processing, and lodge complaints with the Information Regulator.
HR Best Practices: Before processing personal employee information, assess whether there is a legal, contractual or legitimate interest that would justify the processing. Consent may be necessary in certain cases.
When an employee or job applicant’s consent is questioned, the burden of proof will remain with the employer.