GDPR for employers
We are sure this is not the first blog article you have read about the GDPR and the threat of its €20,000,000 fine. One of the areas that is very often overlooked is data protection in the employment context. With the GDPR coming into force on 25th May 2018, it is a good time to be considering what you need to do to ensure that you are GDPR compliant in respect of the information you process about your employees.
Below we outline the principal impact of the GDPR on the way in which you engage with your employees. We will try to present this as clearly as possible to spare you from a nasty case of information overload!
Why is this important? Every employer processes their employees’ personal data. This term covers everything from managing pay, to dealing with sickness absence, to disciplinary issues and grievances. Every time you create a record including any personal data, you are processing it. Consequently, you will be expected to comply with the terms of the GDPR.
With the GDPR’s deadline fast approaching, now is the time to take action.
Data protection principles
The GDPR sets out a number of principles with which any data controller must comply when processing personal data (Article 5). In the employment context, that means you, as an employer, must comply with the principles when processing your employees’ personal data. We have replaced the term data controller with employer and data subject with employee so that it is specific to the employment context.
The data protection principles are, in summary:
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation. Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy. Personal data must be accurate and, where necessary, kept up to date.
- Storage limitation. Personal data which is kept in a form which permits identification must be kept for no longer than is necessary for the purposes for which the data is processed.
- Integrity and confidentiality. Personal data must be processed in a manner that, through use of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Responsible for compliance. The employer is responsible for, and must be able to demonstrate, compliance with the other data protection principles.
Conditions for lawful processing
Processing data about employees will be lawful only if, and to the extent that, at least one of the conditions in Article 6 of the GDPR is met. Those conditions are that:
- The employee has given consent to the processing of their personal data for one or more specific purposes; or
- The processing is necessary for the performance of a contract to which the employee is party or in order to take steps at the request of the employee prior to entering into a contract; or
- The processing is necessary to comply with a legal obligation; or
- The processing is necessary to protect the vital interests of the employee or another person; or
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
- The processing is necessary for the purposes of the legitimate interests pursued by the employer or by a third party, except where such interests are overridden by the interests and fundamental rights and freedoms of the employee which require protection of personal data.
The first condition above is consent, which is what we all generally rely on at the moment. For many years we have included a clause in employment contracts requiring employees to give the employer general consent to process personal data and sensitive personal data. If you look in your precedent contract, you are likely to find something along the lines of ‘you consent to the processing of personal data including sensitive personal data of which you are the subject’. This kind of wide-ranging general consent was very common and is no longer going to be sufficient to lawfully process your employees’ data, for the reasons explained below.
The GDPR doesn’t define consent, but the Directive underpinning it states that consent must be unambiguous, specific and informed. The Information Commissioner’s Office in the UK has stated that the extent to which consent can be relied on in the context of employment is limited. This is because any general consent in the employment contract is assumed to be unlikely to be freely given, as the bargaining power between you as an employer and your employees is not equal.
Instead, you will need to rely on one of the other conditions listed above. For most day-to-day processing, for example payroll, absences or disciplinary or grievance matters, the conditions relating to the performance of a contract and compliance with a legal obligation should be sufficient.
Consent for sensitive personal data
If you do seek consent for processing certain information, the request for consent must be specific and informed. Employees should be permitted to withdraw their consent without penalty, and the consent must be freely given with an unambiguous and affirmative choice for the employee (no pre-selected yes box). If the data is sensitive, the explanation of the reason for the processing must also be explicit. The request for consent should set out:
- The type of data collected
- The right to withdraw consent
- Whether the data will be processed automatically
- Whether there is a risk of data transfer to other countries
- The reasons for the processing
Consent won’t be freely given if:
- There is no real free choice, or the employee can’t refuse or withdraw
- There is a clear imbalance of power between the parties
- There is no separate consent for different processing operations, or the reasons for processing are not linked
- A job offer, bonus or other benefit is conditional on the consent
You should also not:
- Bundle consent with other documents such as the contract of employment
- Threaten disciplinary action for refusing to sign
- Rely on consent when you already have another valid justification for the processing
Employers will be expected to provide all employees or job applicants with a notice of data processing (called a privacy notice) when data is first collected. Typically, this should be done at a very early stage in the recruitment process and not just given to the newly employed. The notice should be concise, transparent, in plain language and accessible. It should include the conditions discussed above that you rely on to justify the data processing and should also include the following:
- identity and contact details of the employer
- the category of recipients of the data
- whether the employer intends to transfer the data to another country and if so, for what purpose
- the period the data will be stored and why
- how employees can exercise the rights of access, correction, erasure and objection
- how to raise a complaint
- whether the employee is obliged to provide the information by statute, contract or otherwise and the consequences of failing to do so
- whether the personal information will be subject to automated processing.
It will be important to keep the privacy notice under review to ensure that it grows with the business, reflects your day-to-day practice and complies with ICO guidance as and when it is issued.
Other rights for employees
As data subjects, all employees will have the right to ask for rectification, deletion or restriction of the data processed in respect of them. Until these rights come into force, it is difficult to say how much use employees will make of them, but it is expected that employees will use these rights to challenge information gathered about them in relation to a grievance or disciplinary hearing.
Subject access requests
Currently, employees can make subject access requests (SARs). Typically, this will happen during the course of an employee or ex-employee making a claim to the employment tribunals or threatening to do so. We can confirm that these seem very fashionable in the employment law field, as they represent a cheap way to increase the burden of administrative work to be carried out by employers. Cases attempting to limit the right of disgruntled employees to use SARs in bad faith have failed.
The GDPR makes some changes to the way SARs work, for example, the GDPR removes the £10 fee that can be charged by an employer to comply with an SAR. However, where a request is manifestly unfounded or excessive, employers will be able to charge a reasonable fee to comply with the request.
The time limits for compliance are also changing from 40 days to ‘without undue delay’, and in any event no later than one month from the request. Where the SAR is complex or there are numerous requests, the time limit can be extended by up to a further two months.
All employers should consider the terms of their:
- staff handbook
- privacy notices
You will almost certainly have to look at your lawful basis for processing data. This has to be declared under the GDPR, and it has to be declared right at the outset: it can be difficult to change later, so it is important to be clear and to get it right.
Your contracts and staff handbook may need to be revisited. You may need to perform a company-wide data audit so that you are clear about what data you hold, how you use it, how you protect it, who has access to it and how long you should keep it.
You will need to review the terms of a privacy notice that can be provided to all your employees and through your recruitment process.
The GDPR applies to all the data a company holds or processes and we cannot advise you on the broader issues of the GDPR, but we can assist you where it relates to your employment practices.
If you have any questions relating to how the GDPR will affect you, please do not hesitate to contact us.
With over 20 years of experience advising Small and Medium Businesses from our offices in London and Scotland, you can confidentially speak to one of our specialist employment lawyers at any time. Call us on 0333 939 8741, or email us at firstname.lastname@example.org.
We hope you find this update useful. This blog does not constitute legal advice on any particular situation you may have.
© Employease: The Employment Practice Ltd 2017
Company registered in England Reg No: 2931940
Registered Office: 40 Woodford Avenue, Gants Hill, Essex IG2 6XQ