Processing employee data under the GDPR

The new EU Data Protection Regulation (GDPR) will take effect in the UK from 25 May. Key changes include a wider definition of personal data, a “right to be forgotten” in some circumstances, tighter rules on the issue of consent and significant fines of 4% of worldwide turnover, or 20 million Euros (whichever is the greater). With potential penalties at such a high level this is not something that any organisation can afford to ignore.

In a series of Insights we will look at some of the key areas for HR, focusing here on the legal basis that employers can seek to rely on when processing employee data, and the difficulties that may arise.

The legal basis for processing

One of the principles underpinning the GDPR is that personal data must be “processed lawfully, fairly and in a transparent manner in relation to individuals”.  To meet this, it is essential that organisations consider why they are processing the data and what lawful basis they can rely on.  In the employment context, the potential bases are likely to be:

• that the data subject has given consent
• processing is necessary for the performance of the employment contract
• processing is necessary for compliance with a legal obligation to which the controller is subject
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Of these options, consent may appear the obvious choice for employers, but there are some difficulties with this in the employment context, which we look at below.

Consent – the problems and the pitfalls

Historically, many organisations have relied on general consent clauses contained in employment contracts as the basis for processing employee data. The Information Commissioners Office (ICO) have always thought this to be problematic as an employee entering into an employment contract is rarely on an equal footing with the employer, and so has no real choice, meaning the consent is not freely given.

Under the GDPR things get even trickier. There is a new, tighter, definition of consent, which is: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. There is also a requirement that it must be as easy to withdraw the consent as it was to give it and that employees be notified of this right, meaning that any existing consents are unlikely to meet these requirements.

The ICO has indicated in draft guidance that freely given consent in the employment context will be difficult to establish as an employer is in a position of power. The guidance states that where there is an imbalance of power, there is a lack of real choice for the employee and as such “it follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing”.

Some organisations may think that the answer is to get consent, but then rely on another basis if the “consent” is successfully challenged, but the ICO have made clear they intend to discourage this type of behaviour. The draft guidance states that if you would still process the data on a different basis even if consent were refused, or withdrawn then seeking consent in the first place is “misleading and inherently unfair” as it presents the individual with a false choice and only the “illusion” of control and may lead to an employer being sanctioned. You need to identify the most appropriate lawful basis from the start.

So, what will be the most appropriate lawful basis?

In the case of ordinary personal data, it seems likely that an employer will be able to rely on the processing being necessary for the performance of the employment contract. This would enable processing of data for day to day activities such as payroll, benefits and certain disciplinary issues.  For processing outside of the everyday, specific consent will be required, and this can be withdrawn at any time.

There are additional hurdles in relation to “special categories of personal data” which is a similar, but slightly broader, version of what is currently known as “sensitive personal data”. This will cover information relating to employees’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information and data relating to sex life and sexual orientation.

Some of this can be processed on the basis that it is necessary for carrying out obligations in the employment field, so would cover, for example, processing health information to comply with disability discrimination obligations and to administer sickness benefits. For other things, specific consent will be needed on a one off basis. The consent needs to be in a separate document, clear as to what processing is taking place and must also include information about withdrawing consent at any time. Consent will need to be obtained on each occasion processing takes place.

What should employers do?

Employers should be reviewing their current policies in relation to processing. For those employers relying on general consents contained in the employment contract to process ordinary personal data, a new approach will be needed. One of the other lawful bases should be relied on – most commonly this is likely to be that the processing is necessary for the performance of the contract.

Where consent is required, ensure that this is contained in a separate, clear document and that the right to withdraw that consent is clear.