The General Data Protection Regulation (GDPR) is a European legislation affecting all organisations that hold personal data on living individuals. It aims to ensure that organisations using and processing personal data do so fairly and lawfully and gives a number of rights to individuals in terms of how they can access their data and influence its use.
British businesses can't count on Brexit to let them off the hook. The introduction of the UK GDPR via the Data Protection Act 2018 has largely meant that the provisions of the GDPR still apply to the UK with potential fines of £17.5 million or 4% of annual global turnover still being applicable to organisations in the UK.
The legislation is very much relevant for employers – all of whom will process data on their staff. Data protection compliance is necessarily becoming a high priority for many organisations as there is a potential for significant fines and reputational damage where organisations fail to comply.
This Inbrief looks at some of the key issues within Data Protection and Employment.
The "Data controller" is the person who has control of the purposes and ways in which personal data are processed. Employers will be data controllers in respect of the data they process about their staff.
"Personal data" is data relating to an identifiable natural person (the "Data subject"). A person will be identifiable if they can be identified by reference to their name but also other things such as ID numbers, location data or online identifiers, as well as information relating to their physical, physiological, genetic, mental, economic, cultural or social identity.
Personal data can be information processed on a computer (including e-mails and documents) as well as information held within structured paper filing systems, such as a set of employee files organised by name.
The old law made it clear that the definition included expressions of opinion about a data subject and, whilst the GDPR and UK GDPR do not state this explicitly, the UK data regulator (the Information Commissioner's Office, or 'ICO') has published guidance making clear that expressions of opinion will still be caught.
"Processing" personal data includes obtaining, holding, and using data, as well as changing and deleting it; essentially everything an organisation might do to data.
"Special personal data" is a category of data to which more stringent conditions apply. This includes data revealing ethnic origin, religious or philosophical beliefs, trade union membership and political opinions, genetic and biometric data, and data concerning health, sex life, and sexuality.
Data Protection Principles
All data controllers must comply with the data protection principles. In summary, data must be:
- Processed fairly and lawfully and in a transparent manner;
- Obtained only for specified, explicit and legitimate purposes and must not be processed in any manner incompatible with those purposes;
- Adequate, relevant and limited to what is necessary for said purposes;
- Kept in a form which permits identification of data subjects for no longer than is necessary for said purposes;
- Accurate and kept up to date, with every reasonable step taken to rectify inaccurate data without delay; and
- Processed in a manner that ensures appropriate security.
Ensuring you have a legal basis for processing
Data controllers must ensure that they have a valid legal basis for processing data. This means that at least one of several statutory conditions must be satisfied. These conditions include:
- The processing is necessary for the performance of a contract to which the data subject is party (for example, processing an employee's bank account details for the purposes of paying them);
- The processing is necessary to comply with a legal obligation to which the controller is subject (for example, processing an employee's NI number for tax purposes);
- The processing is necessary for the purposes of 'legitimate interests' pursued by the controller or by a third party (for example, processing information about an employee's performance); and
- Where the data subject has given consent.
As a general rule, where legitimate interests are relied upon, employers need to record how they balance the conflicting interests and rights of data subjects against the business's rights or those of other data subjects. Legitimate interest assessments which record how you arrive at a particular decision are recommended.
Where special personal data is processed there are additional conditions which must also be satisfied. These include:
- Where the data subject has given explicit consent (note that it will generally not be appropriate to rely on this in an employer/employee relationship; see below);
- Where the processing is necessary for the purpose of rights or obligations conferred by law on an employer or employee in relation to employment (this could include the employer processing sick notes for statutory sick pay purposes); and
- Where the processing is necessary for the establishment, exercise or defence of legal claims.
Historically, employers have often relied on consent to process employee data, typically in the form of very general consent wording in the employment contract.
Under the GDPR and UK GDPR, consent must be actively and freely given to be valid. Where consent is given in a written declaration that also deals with other matters, the request for consent must be clearly distinguishable from the other matters. It must be as easy to withdraw consent as it is to give it, and if there is a clear imbalance between the parties, such as in an employment relationship, consent is presumed not to be freely given at all. It is clear from all these factors that signing an employment contract with a general consent clause is not going to be effective.
Even where a valid consent can be shown, subjects have the right to withdraw this at any time. Employers are therefore advised to move away from consent and focus on other legal bases.
However, whilst employers may begin to move away from having a general, all-encompassing "data protection" clause in the employment contract, there are some data protection related contractual clauses that they should retain – in particular, ensuring that employees are aware of their own responsibility to process personal data properly and the consequences of failing to do so.
Other policies (such as "bring your own device" and data security policies), training rules and disciplinary procedures should also be double-checked to ensure that they address the issue of employee accountability.
Data must be limited to what is necessary in relation to the purposes for which they are processed.
Employers must ensure that they do not process more data than they need to – for example by collecting too much extraneous information during recruitment or background checks.
Employers should have a policy which sets out the maximum periods for which different categories of data should be stored and should ensure this is followed.
In the employment sphere it will often be necessary to retain data for the purpose of defending against legal claims and many retention periods can be based on the limitation periods for said claims – for example this could mean keeping employee contracts for six years after the employment relationship ends.
Data subjects are entitled to receive significant information about their data and how it is handled. This "fair processing information" includes information about what data is processed, why, the legal basis for the processing, who has access to the data and how long it will be held for.
Controllers will also have to spell out the rights of the data subject – such as the right to withdraw consent to the data processing and to lodge a complaint with the ICO.
To meet transparency requirements, the notice should go into sufficient detail for each category of data. For example, an employer may need to inform employees that their bank details will be processed for the purposes of paying them and that the legal basis for this is that it is necessary for the performance of the employment contract.
Meeting the accountability principle
The accountability principle requires a data controller to be able to demonstrate compliance with the relevant legislation (be it GDPR or UK GDPR), usually by means of appropriate policies and practices. This should involve:
- Undertaking internal audits of what data they process, assessing risks, implementing clear policies and procedures, ensuring these are kept under review, and training staff;
- Keeping a record of processing activities carried out. This is explicitly required for employers who employ over 250 people, or who process special data (in practice this will essentially include all employers);
- Appointing a Data Protection Officer ('DPO') where required, namely where a controller's core activities require systematic monitoring or the processing of sensitive data on a large scale. Even if a DPO is not required, controllers should ensure there is clear responsibility for data protection compliance within the organisation, although the title of "DPO" should be avoided save where a DPO is required; and
- Carrying out privacy impact assessments ('PIAs') where processing is likely to result in a high risk to individuals (see below).
Under the GDPR and UK GDPR, data controllers have a responsibility to ensure the security of the personal data they hold.
A range of measures will be appropriate, ranging from physical security measures (locks, access controls etc.) to sophisticated technological solutions. Ensuring that the workforce receives targeted training and guidance about their responsibilities when handling personal data is a prerequisite.
Third party processors also need to be vetted and certain contractual obligations imposed on them. This should begin with identifying the data processors, such as payroll providers, and reviewing the contractual terms.
The audit should review what due diligence there is in place to vet third-party processors prior to appointment and check that the written agreements that are in place with them meet compliance requirements. Where they do not, terms will need to be established which include the requirements set out in the checklist.
Compliance checklist for an agreement with third party processors
Under the GDPR, the agreement must:
- Set out the subject-matter, duration, nature and purpose of the processing, type of data, categories of subjects, and obligations and rights of the controller.
- Stipulate that the processor must:
  - Process the personal data only on documented instructions from the controller;
  - Ensure that persons authorised to process the personal data have committed themselves to confidentiality;
  - Comply with data security obligations;
  - Not engage another processor without consent (and ensure any sub-processor commits to the same contractual obligations);
  - Assist in fulfilling data subject rights requests through appropriate technical and organisational measures;
  - Assist the controller with certain obligations, including data security and the obligation to undertake impact assessments;
  - Delete or return all the personal data to the controller after the end of the provision of services; and
  - Make available to the controller all information necessary to demonstrate compliance and allow audits by the controller.
Where a data breach occurs, a data controller must document the facts relating to the breach, its effects and the remedial action taken.
Where the breach is likely to lead to a risk to the rights and freedoms of individuals (this could include theft or fraud, reputational damage, loss of confidentiality or other disadvantages), the controller must notify the ICO within 72 hours. Because of the tight timeframe, controllers should have a taskforce trained and ready to respond to a breach, and a clear and well-publicised policy informing staff of what to do.
Where businesses are established in more than one EU member state, they may need to consider whether to take steps to appoint a lead regulator if they have not done so already. The lead regulator is the supervisory authority in the country where the controller/processor has its main establishment.
Privacy impact assessments
The GDPR and UK GDPR impose an obligation on data controllers to carry out a privacy impact assessment (PIA) where a processing activity is 'high risk'.
An activity will always be considered high risk in the case of large-scale monitoring of a publicly accessible area, large scale processing of sensitive data, and some types of automated decision making.
However, guidance suggests that other factors will also point to activities being high risk; this is where the processing includes:
- Evaluation or scoring (this would include evaluation of an employee's performance at work);
- Systematic monitoring (which could include routinely monitoring employees' emails or computer use); or
- Processing special categories of data (such as sickness records) or the data of vulnerable subjects (which, notably, includes employees).
The guidance indicates that where two or more factors are present, a PIA will be necessary. As such it is likely that employers will need to carry out a number of PIAs in respect of the processing activities they undertake.
A PIA should describe the processing activity, its purpose, and consider why it is necessary. It should then consider the risks posed in respect of affected data subjects and (i) any existing measures to address these and (ii) whether any further measures could be implemented to reduce the risks.
Transfers of data outside the EEA
Data must not be transferred outside the EEA unless there is adequate protection in the receiving state. Transferring for this purpose includes the hosting of data on servers outside the EEA. Because very few countries outside the EEA are recognised as having adequate protection (not even the USA), the legislation provides certain exceptions that permit transfers.
The organisation's approach to, and reliance on, these exceptions should be given careful thought and it is again important not to overly rely on consent in this context.
The transfer of data outside of the EEA can also be legitimised by implementing particular legal safeguards, such as putting in place EU-approved contracts between the person sending the data and the person receiving it, in the form of the EU's Standard Contractual Clauses (SCCs) or the UK's International Data Transfer Agreement (IDTA).
There are additional grounds for transfers such as through Binding Corporate Rules (BCRs) (although these are less common). Alternatively, consider whether transfers are justified by one of the 'ad hoc' grounds for transfer permitted by the GDPR and UK GDPR. These requirements will need to be met even intra-group for transfers to affiliates overseas.
Responding to a DSAR and what information to provide
An individual is entitled to be given a copy of information constituting personal data, of which they are the subject, within one month of making a data subject access request ("DSAR").
If the DSAR is complex or there are a number of requests from the same source, this limit can be extended by a further two months. In that case the controller would need to write within the first month explaining that they intend to take advantage of the extension, and the basis for doing so.
Although it is normally easiest to supply a copy of the documents, it is permissible to create new documents setting out all the information constituting personal data. Where the data subjects make the request by electronic means such as email, the data should be provided in electronic form unless otherwise agreed. The data subject must also be given specific information about the source of the data, how long it will be kept for, who it might be disclosed to, etc.
Our advice is that data controllers should explain to the data subject, in appropriate situations, the complex nature of the request and the consequences which flow from that. In many cases data controllers will be able to limit the scope in order to make the response reasonable and proportionate.
Third party information
There are complex rules about a subject access request which might result in disclosure of information relating to another individual (a "third party"). If the third party does not consent, or if it is impracticable or inappropriate to seek consent in the first place, the controller should disclose the information if it is reasonable to do so in all the circumstances.
There are certain circumstances where it would be reasonable to disclose data without consent – for example, where the third party is the data subject's line manager, and the data consists of comments made about the subject in a work context.
Controllers should always be careful when dealing with third party information as getting this wrong can have serious consequences. If the data controller decides it must withhold the third-party information, it should still supply as much of the subject's data as it can, redacting where necessary.
Good places to start
Helpful information can be found at www.ico.gov.uk. In addition, you should:
- Audit the data you process and determine what you do with it, who has access to it, how secure it is, how long you keep it and why, who it is shared with and why, and so on;
- Provide privacy notices to employees as above;
- Audit IT usage policies, BYOD and social media policies, to check sufficient information is given;
- Audit employment contracts to ensure that a generic consent is no longer relied on;
- Put in place training for employees;
- Consider how to log, track and comply with subject access requests;
- Ensure data is kept securely and put in place a data breach protocol;
- Consider which of your processing activities may be 'high risk' and carry out PIAs where necessary; and
- Audit your contracts with third party providers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.