Global privacy laws for employee personal data

Overview

Data privacy issues have an impact on HR activities throughout the entire employment cycle. The pre-employment issues for HR to consider can include the use of automated systems used in order to short-list or screen applicants. For current employees, the use of monitoring and testing during employment requires data privacy considerations. In addition, after employment ends, firms still have data privacy considerations, for example, through the giving of references.

Every employer needs to understand its responsibilities under data privacy law. With multiple rulebooks around the world and the increasing pace of regulatory change, how can employers manage the personal data of their employees in a compliant and responsible way?

This article outlines some of the differing data privacy rules, and outcomes, that HR professionals need to be aware of in three common employee personal data scenarios. The Employment FAQs in Rulefinder Data Privacy (our online legal information service for data privacy) highlights many more. Rulefinder covers additional topics such as handling candidate requests to access interview notes, checking candidates’ social media activity, and requesting details of employees’ Covid-19 vaccination status.

Scenario One: Pre-employment - background checks

Most jurisdictions don’t have legislation which specifically regulates background checks. Instead, local data privacy laws typically govern the processing of employee’s personal data during pre-employment screening.

What is permitted in terms of background checks varies considerably across jurisdictions and regions.  For example:

• In Europe, the general position under GDPR is that background checks should only be conducted where there are particular and significant risks in relation to the job advertised and where a less intrusive and reasonably practicable alternative is not available.  However, it is more varied as to whether background checks can extend to requesting and collecting criminal offence data, with jurisdictions such as Belgium, Italy and Norway permitting collection only when authorised by law. Others such as the Czech Republic and Denmark permit collection in circumstances broadly amounting to the employer having a legitimate interest justification due to the nature of the specific role.
• In the US, the situation is markedly different, with employers routinely carrying out background checks throughout candidate screening and employment. 
• In APAC there is a mixed picture.  For example, Singapore permits employers to carry out background checks without consent if it is reasonable and relevant to assessing suitability for the advertised role, while South Korea requires the consent of the candidate before carrying out background checks.

Scenario Two: During employment – drug and alcohol testing

• In Europe, generally employers may only carry out drug and alcohol testing where it is justified on health and safety grounds relating to the role the employee performs e.g. the safe operation of machinery.
• In the US, federal law does not restrict drug and alcohol testing in the private sector and testing is often carried out in practice, and in some cases mandated in sectors such as transportation on the grounds of health and safety.
• In APAC, there is a mixed picture, with many jurisdictions limiting testing to circumstances where explicit employee consent has been obtained. However, the Philippines adopts a different approach, permitting all employers to carry out testing, and mandating those who employ 10 or more employees to implement drug abuse prevention programs which include random drug testing.

Scenario Three: Post- employment – providing references

The general picture for post-employment references is somewhat more consistent globally. with employers who do provide a reference generally owing the subject of the reference a duty to take reasonable care in ensuring the information provided is true, accurate and fair.  It is important to avoid making any comments in the reference that could amount to discrimination. For example, comments on the individual’s performance, attendance or sickness absence could carry a risk that such comments may give rise to disability discrimination.

There are some local variations to watch out for, for example:

• In the US, where employers should ensure that references do not include any employee sensitive personal information, and
• In Europe, where in most cases unless explicit consent from the individual has been obtained, there is no legal basis for the processing of personal information in the course of providing a reference.  Technically this may well mean that the employee has to consent not just to the principle of an ex-employer providing a reference but also to its wording. However, in practice it would be very hard for an employee to make any sort of complaint about the disclosure by an ex-employer of information which is factually beyond argument.

Therefore, in many jurisdictions the data privacy issues involved in providing references mean employers should consider limiting information provided to brief, factual references, avoid expressions of opinion and only provide references with the consent of the former employee.

This summary was published as part of aosphere's Rulefinder Data Privacy. Nothing in this summary is intended to provide legal or other professional advice: aosphere does not accept responsibility for loss which may arise from reliance on this summary.