As mentioned in our previous GDPR update, the fifth update in this series will deal with how an employer processes sensitive personal data which are now known as ‘special categories’ of personal data under the GDPR.
For the purposes of the GDPR, sensitive personal data include information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a person, and data concerning health, sex life or sexual orientation. Of particular interest to employers, the definition of sensitive personal data therefore covers personal data relating to an employee’s membership of a trade union.
It is important to note that the processing of all personal data (regardless of whether it is sensitive personal data or not) requires a legal basis for processing. There are six legal bases set out in the GDPR. Examples of these legal bases include having the consent of the data subject or where the processing is necessary for the performance of a contract. At least one legal basis is required when processing any kind of personal data.
When it comes to processing sensitive personal data however, an employer will need to satisfy at least one additional condition in order to process the data. There are ten of these additional conditions from which to choose. If an employer cannot meet any one of the ten additional conditions, they will be legally prohibited from processing the sensitive personal data.
The ten additional conditions for processing sensitive personal data include where:
- the employee has given explicit consent to the processing;
- the processing is necessary in connection with rights and obligations under employment, social security and social protection law;
- the data are manifestly made public by the employee;
- the processing is necessary for the establishment, exercise or defence of legal claims; or
- the processing is necessary for reasons of substantial public interest, and the employer provides suitable measures to safeguard the employee’s rights.
The term ‘explicit’ consent above refers to the way consent is expressed by an employee. It means that the employee must give an express statement of consent. An obvious way to make sure consent is explicit would be to have the employee expressly confirm consent in a written statement. European guidance also suggests ‘two-stage verification’ as a way to make sure explicit consent is valid, e.g. a verification link must be clicked to clearly signify consent. Keep in mind, however, as discussed in our previous GDPR update, that it is difficult for employers to rely on the consent of employees to process their personal data generally.
In light of the GDPR, it is important for employers to examine the basis upon which sensitive personal data are processed. Employers should ask themselves if the processing:
- satisfies one of the six legal bases for processing personal data, and
- meets at least one of the ten additional conditions required for sensitive personal data.
This might be a good time for employers to examine all the sensitive personal data relating to employees that they process. Employers should examine the purpose for which the sensitive personal data are obtained and, importantly, be able to demonstrate that all the requirements of the GDPR for processing sensitive personal data are met. Given the tight restrictions, it is inevitable that over time employers will simply hold less and less sensitive data.
Having considered the requirements for sensitive personal data under the GDPR, our next update will examine privacy considerations in the workplace and how far an employer can go to protect their workplace.
If you are interested in further detail on the HR aspects of the GDPR, you can access a panel discussion on this from the Matheson Employment Law Podcast series.