Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In Vietnam, obtaining the consent of a data subject (such as an employee whose personal data is being processed) is generally required when collecting, storing or using personal data. Vietnamese law is silent on whether consent must be explicit and/or in writing. As a best practice, employers may wish to obtain explicit written consent prior to collecting, storing or using an employee’s (or job applicant’s) personal data.
Note that while employers are permitted to collect certain personal employee data under the Labour Code, the Code is silent on whether the personal data can be disclosed to a third party (such as a third-party service provider) or whether third-parties can directly collect personal information on behalf of the employer, without the employee’s consent.
The Law on Network Information Security (17.1(a)), also requires that entities which collect and/or process personal information in a network environment inform and obtain the data subject’s advanced consent for both the purpose of the collection and the use of personal information.
Under the Law on Information Technology (No. 67/2006/QH11) (as amended) (IT Law, Art. 21) entities can only collect, process and/or use personal data in a network environment with the prior consent of the individual, for purposes approved by that individual. The individual must be notified of the form, scope, location and purpose of the collection/process/use of their personal data.
Consent is not required when the personal data is:
- collected to fulfill obligations provided by other laws (e.g. as requested by competent state authority);
- used to sign, perform or modify a contract relating to the use of information, products or services in the networked environment; or,
- used to calculate charges for use of information, products or services in a networked environment.
HR Best Practices: When HR-related personal data is collected and/or processed in a network environment, employees should be informed of the form, scope, location and purpose and consent should be obtained, when appropriate.
In the future, there may more detailed requirements regarding consent for personal data collection in Vietnam. The Vietnamese Government is drafting a decree on personal data protection (the Draft PDP Decree). In the Draft PDP Decree, there are informed, express and written consent requirements when collecting personal data.