Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
Consent is one of the core rights of data subjects under Korea’s Personal Information Protection Act (PIPA), and individuals have the right to choose whether to consent and elect the scope of the consent relating to the processing of their personal information. Employers are allowed to collect personal information without consent in the following cases:
- where allowed by law or where it’s inevitable in order to observe legal obligations (such as tax obligations);
- where it’s inevitable so public institutions can perform their official duties;
- where it’s necessary in order to fulfill a contractual obligation (such as an employee contract);
- where it’s necessary for the justifiable and reasonable interests of the employer (or other personal information controller) and those interests are explicitly superior to the needs of the employee (the data subject); and,
- when it’s necessary to protect from impending danger, life, body or economic profits and the data subject is not available.
In principle, employers are not allowed to process sensitive information, including: ideology, beliefs, admission to/withdrawal from trade/political parties, political beliefs, health, sexual life or, other personal information that is likely to threaten the privacy of the employee. However, sensitive information may be processed in cases where:
- data subjects give express informed consent (separate from the consent above) to the processing of sensitive information; or
- the processing of sensitive information is specifically permitted by a law or regulation.
When obtaining consent or modifying the purpose of collecting data, employers should inform employees of the:
- purpose of the collection and use of the data;
- details of the personal information that will be collected;
- the period of retention and use;
- the fact that they are entitled to deny consent and, in addition, inform employees of any disadvantage that may stem from the denial of consent.
Consent can be obtained via writing (electronic, fax or paper), telephone, email, the internet or similar manner. Where consent is used, each item that would require consent should be separated so that an individual is able to choose which items to consent to. The mere act of informing individuals of the personal data collection will not suffice. The individuals must be advised of the items above and must provide their explicit consent to the collection of personal information.
HR Best Practices: Even if consent is not required, make sure to properly inform employees and applicants prior to data collection. Although consent in writing is not required, as a best practice obtain employee consent in writing in case it is ever questioned in court.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.