The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
Consent is one of the core rights of data subjects under South Korea’s Personal Information Protection Act (PIPA), and individuals have the right to choose whether to consent and elect the scope of the consent relating to the processing of their personal information. Employers are allowed to collect personal information without consent in the following cases:
In principle, employers are not allowed to process sensitive information, including: ideology, beliefs, admission to/withdrawal from trade/political parties, political beliefs, health, sexual life or, other personal information that is likely to threaten the privacy of the employee (or any other data subject). However, sensitive information may be processed in cases where:
Employee Health Information: Using employee health information for purposes other than maintaining employee health protection is generally prohibited. That said, in exceptional cases, when processing employee health information is essential, it may be allowed with the employee’s consent.
In cases where processing medical files is permitted in the context of HR, if a health exam is conducted to determine whether a job applicant can perform the necessary duties for a role, only the minimum amount of health information may be collected and consent must be obtained. In addition, the use of health information obtained through an employee health exam is allowed without separate consent when the exam is conducted in accordance with statutes maintaining employee health protection (Note that many employers still obtain consent).
Resident Registration Numbers: Processing resident registration numbers is also limited and can only be processed for certain purposes. In the context of HR, examples of permitted purposes include payment of wages and for year-end tax settlement (Act on the Collection, etc. of Premiums for Employment Insurance and Industrial Accident Compensation Insurance; National Pension Act; National Health Insurance Act to deal with industrial accident compensation insurance, health insurance, employment insurance and national pensions; and, the Income Tax Act).
When obtaining consent or modifying the purpose of collecting data, employers should inform employees of the (PIPA, Arts. 15(2) and 17(2)):
Consent can be obtained via writing (electronic, fax or paper), telephone, email, the internet or similar manner. Where consent is used, each item that would require consent should be separated so that an individual is able to choose which items to consent to. The mere act of informing individuals of the personal data collection will not suffice. The individuals must be advised of the items above and must provide their explicit consent to the collection of personal information. Under the PIPA, employers are not required to obtain the consent of employees when outsourcing the processing of personal information. When providing personal employee data to a third party, employees must be informed of:
Consent is not required if the processing of personal information is outsourced to a foreign entity, but employers must include information on the specific tasks to be outsourced and the name(s) of the outsourced processor(s) in their privacy policy, so that such information is readily available to employees. Employees must be notified when data is being transferred out of South Korea and/or when personal information is being collected from third parties.
HR Best Practices: Even if consent is not required, employees and job applicants should be informed prior to data collection. Although consent in writing is not required, as a best practice, obtain employee consent in writing in case it is ever questioned in court.