As part of GDPR compliance, data subjects need to have a very clear explanation of how their information is processed, in the form of a Data Privacy Notice (DPN) (sometimes known as a fair processing notice). HR teams will naturally be in the front line to produce these for those working in the business. In our experience only a minority of employers currently issue DPNs in anything more than very brief terms, so in most cases this is likely to involve a new document and approach rather than an updated one.
What has changed?
The GDPR requires more detailed information to be included in DPNs. Many employers have simply dealt with this issue until now through simple clauses in contracts which have set out quite generic information, and normally been combined with an attempt to document consent. Now, as a result of:
- the right to be informed of processing, and the requirement to be transparent and provide accessible information;
- a new accountability requirement where employers have to be able to demonstrate compliance;
- a move away from consent (see our last GDPR Bitesize); and
- enhanced data subject rights;
a compliant DPN for the processing of employee personal data is essential.
Who should receive a DPN?
All those whose data is processed! In the context of HR teams the most obvious groups will be both job applicants and employees/workers, who should be issued with a DPN at the point the employer collects the personal data. So, for example, recruitment processes will need to be adapted to issue applicants with a DPN. Further DPNs may be needed when there is new or amended processing not dealt with under the original.
What information should be included in a DPN?
The DPN must be concise, understandable and accessible. Information to be provided includes:
- The legal basis for processing;
- How long the personal data will be kept;
- If the personal data will be transferred overseas; and
- The data subject’s rights.
DPNs must also explain whether data has been obtained from a third-party source, for example external medical information or pre-employment checks.
What should employers do now?
- Identify which groups you will need DPNs for and how/when you will deal with this
- Update template DPNs or draft new ones
- Train HR staff on the need to understand the legal basis for processing and to ensure that there is fair processing in line with the DPN.
The ICO explains that providing a privacy notice does not by itself mean that the employer’s processing is fair. Employers also need to consider the effect of their processing. HR teams should remember to review the legal basis of processing at the start of different projects where they are processing new categories of data or processing existing data for a new purpose, particularly special category (sensitive) personal data (e.g. criminal records, medical information, information about sexual orientation), in order to ensure that the DPN covers this processing.