Do you have a consent clause in any of your policies or contracts?
If you are relying on the consent of your employees in order to collect and process their personal data, these provisions should be reviewed in light of the upcoming changes to data protection law in the EU.
By now you are aware that new EU data protection law, the GDPR, will come into effect on 25 May 2018, imposing new data protection obligations in Ireland and across the EU. Under current data protection rules, as data controllers, you may be relying on the consent of your employees in order to justify and legitimise the collection, retention and use of their personal data for a myriad of different purposes.
However, while consent remains a lawful basis for processing both ordinary personal data and special categories of personal data (the latter requiring explicit consent), the GDPR sets out clearly defined requirements around consent. Consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes, expressed by a clear affirmative action; a pre-ticked box, silence or inactivity will not suffice. Consent must also be obtained for specific purposes. Under the new regulation you will be required to seek separate, granular consents from your employees where the data collected could be used for a number of different purposes, and, as with the current rules, consent may be withdrawn by the employee at any time, with withdrawal being as easy as giving it. Of particular relevance in the employment context, the GDPR states that consent is presumed not to be freely given where there is a clear imbalance between the data subject and the controller, so employee consent will often be open to challenge.
However, the GDPR also provides for the processing of data on the ground of the legitimate interests of the employer. That interest must be weighed against the interests, fundamental rights and freedoms of the individual employee, and the processing must not disproportionately interfere with them; the outcome of that balancing exercise should be documented.
In order to navigate this more onerous burden surrounding consent, we advise that you review your contracts, policies and procedures now for any references to a consent-based system.
Two overarching principles of the GDPR are accountability and transparency. Employees should therefore be made aware of the types of personal data you process or hold, the purposes and legal basis for that processing, the period for which it will be retained, and that it will be stored securely and confidentially.
Any references to employee consent should be replaced or supplemented with provisions that notify employees of: the forms of data you may collect from them, including special categories of personal data such as medical certificates and reports; the various purposes for which that data may be used; and the legal basis on which each category of data is processed.