Employers' Obligations Under the PDPA
Employers have several obligations under the PDPA:
Consent, Notification, and Data Collection Requirements:
According to Section 19 of the PDPA, an employer shall not collect, use, or disclose personal data on employees unless the employee has given consent before or at the time of the collection, use, or disclosure.
Unless it is impossible by its nature, a request for consent must be made expressly in writing or by electronic means. According to Section 26 of the PDPA, an employer shall not collect the following sensitive personal data without the employee's explicit consent:
- Racial information,
- Ethnic origin,
- Political opinions,
- Cult, religious or philosophical beliefs,
- Sexual behavior,
- Criminal records,
- Health data, disability,
- Trade union information,
- Genetic data,
- Biometric data, or
- Any other data which may affect the employee in the same manner.
Exemptions
However, the PDPA provides a few exceptions to the consent and data collection requirements. Employers can process employees' personal data where there is a legitimate reason, such as a medical emergency, a workers' compensation claim, the public interest, the performance of contractual obligations, or the protection of employment.
At present, the PDPA does not define employment protection as an exception to the above requirements. Employers must notify employees before collecting their personal data, even where consent is not required. To stay compliant with the PDPA, employers should consider the following:
- Consent of employees should be explicit;
- Employees should be informed about the purpose of collection, processing, retention period, and/or disclosure;
- The collection of personal data should be limited to the extent of its purpose of use;
- Employees have the right to withdraw consent at any time;
- Employers need to inform employees of any consequences associated with the withdrawal of consent;
- Employees should be informed of their right of access and correction (including the contact information of the person who handles requests for access to the data on the employer's behalf).