- if consent is given (consent may however be withdrawn);
- if processing is necessary to carry out a contract to which the data subject is party;
- if the processing complies with an obligation imposed by law on the responsible party;
- if processing protects a legitimate interest of the data subject;
- if processing is necessary for the performance of a public duty by a public body; or
- in pursuit of the legitimate interest of the responsible party or of a third party to whom the information is supplied.
Most people think that consent is the easiest way to be able to lawfully process personal information, and in some instances it is indeed necessary. When you think about situations where people apply for enrolment, or for a job, it makes sense that they will have to voluntarily provide the necessary information in order for their application to be considered - as long as the information that is requested is 'adequate, relevant and not excessive' in relation to the purpose for which it is needed.
Consent must however be voluntary, specific and informed. In accordance with the "openness" condition and apart from a few exceptions, the Responsible Party is required to inform the data subject (generally at the time of collecting the information) of certain prescribed details as set out in s18 of POPIA:
- the information collected and the source of the information (if not from the data subject directly),
- the name and address of the responsible party,
- the purpose for which it is collected,
- whether the data subject is obliged to supply the information or if it is voluntary (e.g. if any law prescribes, authorises or requires the collection of the information),
- the consequences of failure to provide the information,
- where applicable, that the responsible party intends to transfer the information trans-border and the level of protection afforded by the recipient,
- any further information, such as the recipients of the information, its nature and category, and the right of the data subject to access and rectify the information collected, to object to the processing of the information, or to complain to the Regulator.
[Note that the s18 'privacy notice' does not only apply in situations where consent is required, but whenever personal information is collected.]
Consent is therefore a fragile ground for lawful processing:
(1) A blanket, general consent for the processing of personal information is not acceptable, due to the specificity requirement.
(2) It has to be truly 'free' and voluntary in order to be valid.
(3) Since it can be refused or withdrawn at any stage, the Responsible Party will be obliged to stop processing that information if this happens.
Turning to employment specifically and collecting the personal information of newly appointed or existing employees, the situation becomes particularly complicated.
- As regards the 'voluntary' part of the consent requirement, whilst we have not had any guidance from the Information Regulator in this regard as yet, under the GDPR there have been a number of cases where the courts have found that the ‘power imbalance’ at the stage of collection of personal information (such as when an employee commences work and the employer requires consent to process certain types of personal information) may mean that such consent is not truly voluntary and therefore invalid.
- As consent may be refused or withdrawn at any stage, a further question is what happens if an employee decides to do so in respect of necessary employment-related information. One might think that the employer could just get consent for everything “in case” and then, if the employee at some stage wishes to withdraw consent, a case could be made that there is another lawful ground to keep on processing the information. However, a recent case decided under the GDPR indicated that this would amount to processing of personal information under false pretences. Employees cannot be given the impression up front that they consent to the processing of the information and can withdraw the consent at any point, only to find out later that the lawful processing ground is in fact something else and that withdrawing consent makes no difference.
Therefore, most employee consents (assuming they are specific enough) might still be invalid as not being truly voluntary, even if given, if the EU guidelines are anything to go by. There are not really many types of personal information of employees that an employer justifiably needs, that will truly be voluntary and without consequences if not given, and for which the employee's consent could be asked (an example would be whether photos of the employee may be used on social media for marketing purposes).
It seems that most employment-related information typically required upon engagement and through the course of employment, will therefore have to be explicitly and transparently processed on one of the other lawful grounds – i.e. either required by law, or for the execution of the employment contract, or based on the legitimate interests of the employee / employer / relevant third party. This in turn means that employers will first have to classify all of their personal information (data flow mapping) and determine on which basis they are allowed to lawfully process it, before they are able to identify what information they may need the employee’s consent for – and then only ask consent for those aspects where it truly is optional and there are no consequences to the employee if the information is not provided.
This is another reason why the proper mapping of personal information in your business environment is such an important first step, as explained here. Once you know what information you process (in this case in HR) and why you need it, you will be able to determine which of the 6 lawful processing grounds apply to it. This will form the basis for going forward with your gap analysis and also for compiling your s18 'privacy notices' to employees and the other categories of data subjects you have a business relationship with.
This is a lot to take in and to process (pun intended!). But it would seem that this amount of detailed preparation will be required to meet challenges relating to the processing of employees' personal information and consent clauses.
© Judith Griessel