As mentioned in our previous GDPR update, the fourth update in this series will deal with employee consent in the employment relationship post 25 May next.
Under the GDPR, consent remains a legitimate processing ground for processing of both sensitive and non-sensitive data. However, the GDPR, unlike existing rules, sets out clearly defined requirements around consent, and mandates that consent may only be obtained for one or more specific purposes, with multiple consents required where the employer intends using data for multiple purposes.
For consent to be valid, the GDPR requires an employer to demonstrate amongst other things that consent is:
- freely given;
- specific and informed (clear language);
- unambiguous indication of wishes by statement or other clear affirmative action;
- cannot be a detriment;
- cannot be bundled;
- cannot be a condition of a contract where not necessary to the contract; and
- as easy to withdraw as it was to give.
Consent will only meet the “freely given” criterion where an employee has genuine or free choice and the ability to refuse or withdraw consent without detriment. As things currently stand, most employees would not feel that they can freely refuse or withdraw their consent. This is due to the perceived imbalance of power that exists in the employer-employee relationship. For employers wishing to rely on ‘consent’ as the legal basis for processing employee personal data, European guidance has flagged this approach as “problematic”. In fact, the guidance states that employees can only give free consent in exceptional circumstances, when it will have no adverse consequences at all whether or not the employees give consent. Indeed, the European guidance notes that for the majority of data processing at work, the lawful basis “cannot and should not be the consent of employees”. Furthermore, the GDPR makes clear that it is not permissible to rely on consent if a contract is made conditional on the consent, notwithstanding that the consent is not strictly necessary for the performance of the contract.
For these reasons, we would recommend that consent is not relied on by an employer as a basis for processing employee personal data. Trying to rely on consent against these clear restrictions, will only therefore cause greater difficulties for employers in practice. For example, it will give an employee strong grounds to delay or even prevent an investigation, grievance or disciplinary process if based on monitoring which the employee had invalidly consented to.
Instead employers should identify in advance another legal basis for processing employees’ personal data. Examples of other legal bases would include where the processing is necessary for the performance of a contract between an employer and employee. This would cover use of bank account details to pay salary. Alternatively, the basis could be where the processing is necessary for the purposes of the legitimate interests pursued by the employer (except where such interests are overridden by the fundamental rights and freedoms of the employee). In practice, this could permit monitoring of an employee’s email or internet usage at work, as the employer has a legitimate interest in ensuring it is not being used to bully or harass fellow employees. This should avoid employers operating in breach of the GDPR or being prevented from taking what may seem to be otherwise necessary steps in running the organisation. Where employers do wish to rely on consent, such as for the purpose of obtaining an occupational health report, employers should obtain separate consents outside of the contract of employment to deal with the processing of such data.
The key takeaway from this update is that employers should only rely on employee consent when processing personal data where it is absolutely necessary and such cases should be the exception rather than the norm. All employees should instead always have a legitimate processing ground as its “Plan B”.
But how do employers deal with employees’ sensitive personal data?This raises the question of ‘Special Category’ data under the GDPR which is broadly similar to the concept of sensitive personal data under the existing rules. Our next update will examine the conditions that employers must comply with when processing such ‘Special Category’ data which includes for example information relating to an employee’s race, ethnic origin etc.
If you are interested in further detail on the HR aspects of the GDPR, you can access a panel discussion on this from the Matheson Employment Law Podcast series.