GDPR & Employment - Advice for Employers

Since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force, many employers have updated their external, client-facing data protection policies and privacy notices. When speaking to clients we often find, however, that they have not updated their internal, employee-facing policies and procedures, and very often do not have an employee privacy notice in place at all. This overview is intended to give a basic understanding of employers’ obligations under the GDPR and the Data Protection Act 2018.

Data protection principles

Any employer will be a ‘data controller’, because it determines the purposes for which, and the means by which, its employees’ personal data is processed. This means that employers are subject to the requirements of the GDPR and the Data Protection Act 2018 to comply with the following data protection principles when processing personal data:

1. Lawfulness, fairness and transparency

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

2. Purpose limitation

Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

4. Accuracy

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

5. Storage limitation

Personal data which is kept in a form which permits identification of data subjects must be kept for no longer than is necessary for the purposes for which the data is processed (subject to certain limited exceptions).

6. Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security, using appropriate technical or organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

7. Accountability

The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

In the context of these principles:

  • Personal data is any information relating to an identified or identifiable living individual.
  • Processing means any operation performed on personal data, whether or not by automated means, such as collection, recording, storage, use, disclosure, erasure or destruction.

Employer documentation

Employers should set out their data protection policies in the following suite of documents:

Data Protection Policy

Employers should ensure that they have an up-to-date Data Protection Policy, setting out the rules staff must follow when processing personal data. It should also set out what processes are in place to prevent a data breach and what steps must be taken if one occurs. Under the GDPR a personal data breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of the employer becoming aware of it, so the policy should make clear who within the business must be told, and how quickly, when a breach is suspected. It is sensible to include details of the rights which employees have in relation to the processing of their own personal data, and their obligations when processing other people’s personal data.

Special category data and criminal records information

As all employers will, from time to time, be processing special categories of data (previously known as ‘sensitive personal data’), such as health information, the Data Protection Policy should also set out the particular conditions which will apply and the measures that will be taken by the company when processing such data, in line with the requirements of the Data Protection Act 2018. Special category data needs both a lawful basis for processing and a separate condition for processing special category data. Where the employer relies on the employment condition in Schedule 1 of the Data Protection Act 2018, it must also have an ‘appropriate policy document’ in place explaining how it complies with the data protection principles and its retention and erasure policies for that data.

If employers are also processing criminal records information, they will require a criminal records information policy, setting out when and how such information will be processed.

Privacy notice

The first data protection principle requires that data is processed transparently - that is, it must be clear what data is processed, how it is used, and why. In order to comply with this principle, employers should have a privacy notice applicable to employees which sets out: what personal data they hold; how they collect it; how they use it and why; the lawful basis on which they rely for that processing; who the data is shared with; how long it is kept; and the rights employees have in relation to it. In respect of special categories of data, it should also set out the condition upon which the employer relies for those processing activities.

Many employers - either in their privacy notices if they have them, or in their contracts of employment - say that they are relying on their employees’ consent in order to carry out their processing activities. Whilst employees may apparently ‘consent’ to that processing, the problems with relying on consent as the basis for processing are that:

  1. It must be freely given. In an employment context that is rarely the case, because the employer is in a much stronger position than the employee and could, if the employee does not consent, withhold certain benefits - such as sick pay, for example; and
  2. Consent can be withdrawn at any time. If an employer is relying on consent and that consent is withdrawn, the processing that depended on it must stop (processing carried out before the withdrawal remains lawful), which could cause significant issues for employers in trying to manage the workforce.

It is therefore sensible to rely on another basis for processing employee data, such as performance of the employment contract, compliance with a legal obligation, or the employer’s legitimate interests.

This can be a complex area of law and we recommend taking advice if you are at all unsure.

Subject access requests

All employers will, from time to time, receive subject access requests requiring the personal data they hold on an individual to be disclosed. Under the GDPR and the Data Protection Act 2018, any such request must be responded to without undue delay and in any case within one month. The time limit starts to run on the date on which the request is received - i.e. a request received on 1 January must be responded to no later than 1 February. It is possible to extend this period by a further two months where necessary, taking into account the complexity and number of requests. In that case, the individual making the request must be notified of the extension and the reasons for it within the original one-month deadline.

It is no longer possible to charge for responding to a request unless the request is manifestly unfounded or excessive, in which case an employer may either charge a reasonable fee for the information or refuse to comply with the request. However, it is important to take advice before refusing a request or insisting on a charge, to ensure that the request really does fall within this very limited exception; the burden of demonstrating that it does lies with the employer.

Employers should always be careful when disclosing any information which might identify another individual. Generally speaking, such information should not be disclosed unless that individual consents or it is reasonable in all the circumstances to disclose it without their consent. Although there are some exceptions to this, we would always recommend taking advice in any given case.

How can we help?

James Sarjantson has dealt with data protection matters on behalf of clients for many years and is able to provide practical and commercial solutions to issues raised by the General Data Protection Regulation (GDPR), and to advise on the steps that businesses can take themselves to move towards compliance.
