Earlier this month, H&M was fined an eye-watering 35 million euros by the Hamburg Data Protection Authority because it had seriously breached the privacy of its staff at a service centre in Nuremberg. This blog looks at the lessons UK employers can learn.
What information did H&M process about its staff?
According to reports, H&M conducted 'welcome back talks' with employees returning from sick leave or holiday. It then recorded their vacation 'experiences', symptoms of illness and diagnoses. In addition, its supervisors acquired a broad knowledge of their employees' private lives (including information about their families and religious beliefs) through personal and floor talks. This information was used to build a profile of each employee, which was then used in making employment decisions. Some of the information could be accessed by up to 50 managers throughout the company.
The Hamburg Data Protection Authority was unhappy with this because it considered the information collected to be excessive and intrusive, and therefore in breach of the GDPR, which requires that you collect only the personal data that is necessary to meet your legitimate requirements.
H&M has apologised and has agreed to pay staff "considerable compensation".
Does this decision mean that UK employers can't process health or other personal information in respect of their staff?
No, but UK employers must comply with the GDPR and the Data Protection Act 2018 and process data lawfully, fairly and transparently. You will need one or more of the six legal bases available for processing each 'type' of information. The most relevant in an employment context are complying with a contractual term (such as deciding how much to pay the employee), being subject to a legal obligation (such as complying with SSP or family-related leave rights) or having a legitimate interest in processing their data. You can't usually rely on consent because of the disparity of power between you and your staff.
Information about someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic and biometric data, is special category data, and you have to comply with additional safeguards when processing it.
There are six key steps the ICO will expect you to follow:
- Make sure your collection and use of personal data is lawful i.e. you have a legal basis to do what you are doing
- Be clear, open and honest with staff about how their data is used and don’t start using their personal data for additional purposes without ensuring this is legal
- Only collect and use what information is necessary – don’t collect personal data “just in case”
- Ensure the personal data you hold is accurate and kept up to date
- Keep people's information secure
- Don’t keep personal data for longer than is necessary – the days of keeping personal data indefinitely are long gone.
Provided you have a legal basis to use the personal data, can demonstrate that you have complied with these requirements, and have told your employees, in advance, why you are collecting data about them, what you are doing with it and how long you intend to keep it, you can continue to ask legitimate questions about their health and other private information and retain that information.
However, you must also make sure that only people who actually need the information can access it.
What level of fines could the ICO impose on UK companies for something similar?
The award against H&M needs to be put in context. Our data protection expert, Joanne Bone, says that Germany has a particularly rigorous approach to data protection and privacy, which stems from how information was used against its population during the Third Reich and the German Democratic Republic. Data breaches cause stronger reactions in Germany, and fines tend to be higher there than in other EU countries.
In the UK, the Information Commissioner can impose a maximum fine of 20 million euros, or 4% of annual global turnover if higher, against organisations that breach data protection laws. So far, the highest fines have been issued in relation to data breaches. That is not to say that the ICO won't fine for things like breaching obligations to employees but, on the basis that they consider themselves to be a "pragmatic and proportionate" regulator, we'd expect them to try to engage with the employer before issuing any fine.