The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and brought with it considerable changes to the law on the processing, collection and use of personal data.
Whilst many organisations have published Privacy Standards and Data Protection Policies to ensure compliance regarding clients and third parties on use of personal data, they often overlook implementing or updating similar policies covering employees or workers.
An organisation is likely to use, transfer, process and disclose personal data about its staff regularly through the contract of employment, payroll, disclosures to HMRC, recording of holiday and sickness absence, payment of benefits, and in many other areas.
Furthermore, personal information is broadly defined under the GDPR. The Information Commissioner’s Office considers it to be “information that relates to an identified or identifiable individual” and it could be as simple as “a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors”.
An employer is also more likely to use special categories of data (race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation) in relation to staff, than it is when dealing with customers. For example, information about health is likely to be processed when managing a sickness absence.
Compliance with GDPR must be evidenced in all instances of data processing. Such data processing is likely to last for the entire duration of the employment relationship and even after termination.
We take a look at what we have learnt since GDPR was introduced in 2018.
What have we learnt?
Be transparent
It is a key principle of GDPR that employers must be transparent with staff about their processing activities. If employer’s policies and documentation do not give examples of the type of personal data or special categories of personal data that employers hold, they are unlikely to be compliant with the transparency principle.
It has become apparent that common areas where employees may not understand how, why and how long their personal data is being processed by the employer organisation (and third parties) include:
- through a recruitment process;
- management of pension scheme of other external benefits;
- premises access logs;
- DBS checks;
- social media posts, usage and content;
- biometric and location data through use of company devices;
- premises or vehicle CCTV and location data;
- after employment ends, for example giving references or making statutory disclosures to the Job Centre.
Organisations can evidence transparency by recording and publicising their justifications about why they need to gather, use or disclose particular personal data. If you cannot find a justification for processing the personal data, then you are unlikely to need it and continued retention and use of that personal data is likely to be unlawful.
Justifications should be reviewed regularly, to ensure that they still apply and to record any changes of purpose.
Update your polices and employment contract
Many employers still do not have an appropriate data protection policy or privacy notice in place, and of those that do have policies in place, many are outdated. A policy compliant with the old legislation (Data Protection Act 1998), but not with the Data Protection Act 2018 and GDPR may lead to liability for the employer and complaints to the Information Commissioner.
Organisations are obliged to inform staff of all of their rights in relation to their personal data, and how to exercise those rights. Old policies may not cover the extended rights that individual data subjects are awarded under GDPR.
Employers are legally required to notify data subject about how it processes their personal data under a privacy notice. However, a standard template is unlikely to be sufficient as a privacy notice should be tailored specifically to the organisation. It is therefore recommended that employers conduct a detailed data protection audit before creating a privacy notice in order to establish what personal data is used, whose data it is, how it is used and why. This would include determining the types of personal data is holds, any third parties to whom this data is transferred, and how it is stored and collected.
Furthermore, contractual clauses giving blanket consent to process personal data are not compliant with the GDPR regime, which requires consent to be explicit and freely given, not hidden away in lengthy contractual terms.
If your documents do not contain all the relevant prescribed information, your organisation is vulnerable to enforcement action from the Information Commissioner and potential fines.
Conduct Data Protection Impact Assessments
Employers should ensure they are carrying out a Data Protection Impact Assessment where the processing of data is likely to result in a high risk to the rights and freedoms of data subjects. This can include introduction of new processing (such as introducing CCTV cameras), a change to existing data processing (e.g. the introduction of new HR software), or where special category data is being processed (such as data relating to an individual’s health).
A Data Protection Impact Assessment is a similar concept to a health and safety risk assessment. The organisation is required to weigh up the rights of their staff to privacy, against their own reasons and justifications for particular data processing activities.
Failure to document consideration of data subject rights will cause difficulties in the event the employer needs to evidence compliance to the Information Commissioner.
Be wary of data subject access requests (DSARs) as a litigation tool
As a result of the publicity around data protection and GDPR, we have seen a rise in individuals utilising DSARs. These are where an individual asks an organisation for a copy of all of personal data which the organisation holds about them.
These are popular as a negotiation tool when trying to reach settlement, but also used in the search for documents to help their case, in the hope that they will find key documents in support of their claim.
Employers must comply with the request without undue delay and within one month of receiving the request. Unfortunately, employers cannot ignore such a request, as this could give rise to a civil claim under GDPR or a complaint to the ICO. In fact, in March 2022, the ICO issued the Ministry of Justice with an enforcement notice as a result of failing to respond to DSARs without undue delay. This was on the basis that some DSARs had received no response, and some had received only a partial response.
We recommend that employers have a clear process in place for handling DSARs in order to assist with complying with the request in one month. If the request is extremely broad or onerous, employers may be able to discuss narrowing down the request with the individual to certain key words or criteria.
Employers should remember that the individual is only entitled to receive their own personal data. This means that they do not have to receive every document that refers to them in their entirety. For instance, if the document includes information about the business and how it operates, this can be redacted. Likewise, individuals are only entitled to their own personal data, not that of others.
Employers should also consider if there are any exemptions which might apply and assist in limiting the scope of a request. For example, emails with a legal adviser would not be disclosable as they are legally privileged. A list of further exemptions can be found on the ICO website.