Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The United States does not have an overarching consent requirement in order to process individual or employee personal data. Instead, employers follow consent or notice requirements based on the type of personal information that is being collected or processed.
Background Checks: In order to request background check reports on applicants or employees from consumer reporting agencies, companies must comply with the requirements of the Fair Credit Reporting Act (FCRA) and state laws. Before obtaining a background check report, an employer must obtain the employee or job applicant’s written authorization using a stand-alone form with a clear and conspicuous disclosure notifying the individual that the employer may use the report for decisions related to employment.
Biometric Data: In Illinois and Texas, employers must obtain consent prior to collecting biometric data on employees (such as hand/face geometry and fingerprinting).
Automated Text and Voice Messages: Under the Telephone Consumer Protection Act (TCPA), prior express consent is required before employers send informational text messages or voicemails using an automated telephone dialing system (ATDS). Employers who rely on automated text messages to communicate with employees about human resources matters must obtain “prior express consent.” Courts have generally held that an individual can provide prior express consent by sharing his or her mobile number with the sender of the automated texts.
Real-Time Monitoring: Real-time workplace monitoring may constitute an interception for purposes of federal and state wiretap laws, and thus require consent. Employers should obtain employee consent to real-time monitoring techniques (such as keystroke logging and electronic communication monitoring), and when legally required, obtain the consent of all parties to the communication. The level of consent that is necessary can vary based on the type of monitoring, but express consent is a best practice to help protect the employer in the event of a dispute.
Separate from consent, there are certain areas relating to employee data where privacy policies are either necessary or considered to be best practice. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that employers provide privacy notices to employees who participate in employer-sponsored benefit plans that include HIPAA-covered benefits.
Some states have additional requirements. For example, businesses located in New York must provide a notice of monitoring telephone calls, email or internet access or usage. California laws (the California Consumer Privacy Act and the California Privacy Rights and Enforcement Act) require giving consumers notice at the time of data collection, including a description of the categories of personal information to be collected and how the data will be used.
If sending automated voicemails or text message reminders to employees, make sure to obtain and track express consent along with any subsequent opt-outs.