Processing employee data under the GDPR
The new EU Data Protection Regulation (GDPR) will take effect in the UK from 25 May. Key changes include a wider definition of personal data, a “right to be forgotten” in some circumstances, tighter rules on the issue of consent and significant fines of 4% of worldwide turnover, or 20 million Euros (whichever is the greater). With potential penalties at such a high level this is not something that any organisation can afford to ignore.
In a series of Insights we will look at some of the key areas for HR, focusing here on the legal basis that employers can seek to rely on when processing employee data, and the difficulties that may arise.
The legal basis for processing
One of the principles underpinning the GDPR is that personal data must be “processed lawfully, fairly and in a transparent manner in relation to individuals”. To meet this, it is essential that organisations consider why they are processing the data and what lawful basis they can rely on. In the employment context, the potential bases are likely to be:
- that the data subject has given consent
- processing is necessary for the performance of the employment contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Of these options, consent may appear the obvious choice for employers, but there are some difficulties with this in the employment context, which we look at below.
Consent – the problems and the pitfalls
Historically, many organisations have relied on general consent clauses contained in employment contracts as the basis for processing employee data. The Information Commissioner’s Office (ICO) has always thought this to be problematic, as an employee entering into an employment contract is rarely on an equal footing with the employer and so has no real choice, meaning the consent is not freely given.
Under the GDPR things get even trickier. There is a new, tighter, definition of consent, which is: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. There is also a requirement that it must be as easy to withdraw the consent as it was to give it and that employees be notified of this right, meaning that any existing consents are unlikely to meet these requirements.
The ICO has indicated in draft guidance that freely given consent in the employment context will be difficult to establish as an employer is in a position of power. The guidance states that where there is an imbalance of power, there is a lack of real choice for the employee and as such “it follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing”.
Some organisations may think that the answer is to get consent and then rely on another basis if the “consent” is successfully challenged, but the ICO has made clear that it intends to discourage this type of behaviour. The draft guidance states that if you would still process the data on a different basis even if consent were refused or withdrawn, then seeking consent in the first place is “misleading and inherently unfair”, as it presents the individual with a false choice and only the “illusion” of control, and may lead to an employer being sanctioned. You need to identify the most appropriate lawful basis from the start.
So, what will be the most appropriate lawful basis?
In the case of ordinary personal data, it seems likely that an employer will be able to rely on the processing being necessary for the performance of the employment contract. This would enable processing of data for day-to-day activities such as payroll, benefits and certain disciplinary issues. For processing outside of the everyday, specific consent will be required, and this can be withdrawn at any time.
There are additional hurdles in relation to “special categories of personal data” which is a similar, but slightly broader, version of what is currently known as “sensitive personal data”. This will cover information relating to employees’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information and data relating to sex life and sexual orientation.
Some of this can be processed on the basis that it is necessary for carrying out obligations in the employment field, so would cover, for example, processing health information to comply with disability discrimination obligations and to administer sickness benefits. For other things, specific consent will be needed on a one-off basis. The consent needs to be in a separate document, clear as to what processing is taking place, and must also include information about withdrawing consent at any time. Consent will need to be obtained on each occasion processing takes place.
What should employers do?
Employers should be reviewing their current policies in relation to processing. For those employers relying on general consents contained in the employment contract to process ordinary personal data, a new approach will be needed. One of the other lawful bases should be relied on – most commonly this is likely to be that the processing is necessary for the performance of the contract.
Where consent is required, ensure that this is contained in a separate, clear document and that the right to withdraw that consent is clear.
This article was written by David Green. For more information please contact David on +44 (0)20 7203 5066 or via firstname.lastname@example.org