Personal data of employees is processed in the workplace in a number of different contexts, including, recruitment, performance of the employment contract, management and organisation of work, equality in the workplace, health and safety at work, protection of an employer’s or customer’s property, an employee’s enjoyment and exercise of their employment rights, and termination of the employment relationship.

For processing of personal data to be lawful under the General Data Protection Regulation (the GDPR), employers need to identify and document their lawful basis for the processing.

Employee consent

Consent is one lawful basis for processing. In certain workplaces, employers include a data protection clause as standard in contracts of employment. In other workplaces, the consent of employees who have no data protection clause in the employment contract is obtained by way of a separate data protection document.

However, the GDPR, which comes into effect on 25 May 2018, sets a high standard for employee consent to data processing at work. Consent is highly unlikely to be a legal basis for data processing at work unless employees can refuse to consent with no consequences connected to such refusal. This is because of the imbalance of power which can exist in the relationship between employer and employee.

Legitimate interest of employer

Employers have a legitimate interest to protect their business and this is a lawful basis for processing data at work. Data processing by an employer must be necessary to achieve a legitimate purpose but not infringe employees’ reasonable expectation of privacy. The data must be processed for specific and legitimate purposes that are proportionate and necessary.

The legitimate interest of employers includes complying with their statutory obligations under employment legislation. For example, an employer is obliged to keep records showing their compliance with the provisions of the National Minimum Wage Act 2000 and retain these records for a period of at least three years from the date of their making. One way of employers showing compliance with the provisions of the National Minimum Wage Act 2000 is to retain payslips for the specified period, showing employees were paid at least the national minimum wage.

What should employers do now?

Employers should avoid relying solely on a data protection clause in the employment contract or consent obtained by way of a separate data protection document, because the consent may be not be considered freely given. Employers should have a legitimate interest for data processing at work and not just seek to rely on employee consent.