Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The United States does not have an overarching consent requirement in order to process individual or employee personal data. Instead, employers follow consent or notice requirements based on the type of personal information that is being collected or processed.
Background Checks: Under the Fair Credit Reporting Act (FCRA) and a number of state laws, employers must provide a disclosure notice and receive express consent prior to conducting background checks.
Biometric Data: In Illinois and Texas, employers must obtain consent prior to collecting biometric data on employees (such as hand/face geometry and finger printing).
Automated Text and Voice Messages: Under the Telephone Consumer Protection Act (TCPA), prior express consent is required before employers send informational text messages or voicemails using an automated telephone dialing system (ATDS). If employers would like to engage in such communications with employees or job applicants, they should track consent and any subsequent opt-outs.
Separate from consent, there are certain areas relating to employee data where privacy policies are either necessary or considered to be best practice. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that employers provide privacy notices to employees who participate in employer-sponsored benefit plans that include HIPAA-covered benefits.
If sending automated voicemails or text message reminders to employees, make sure to obtain and track express consent along with any subsequent opt-outs.