The General Data Protection Regulation (GDPR) will be implemented by May 2018 and will have a significant impact on how businesses manage the personal data of their employees. We have assessed a number of the implications for our clients from an employment law perspective and have made some recommendations below.
Processing employee data
GDPR, like the current data protection legislation, permits employers to collect and use data relating to individual employees only if there is a lawful basis for doing so.
Processing personal data in order to perform obligations under the employment contract, or for the purpose of other legitimate interests, or in order to comply with a legal duty imposed on the employer in connection with employment law are all permitted in principle. The processing of personal data with the consent of affected individuals is also permitted by the current Data Protection Act and by the GDPR.
To address the need for a lawful basis of processing, it is very common for UK employers to include a data protection clause in employment contracts whereby the employee is required to consent to the employer's use of their personal data. However, while there is doubt over the extent to which consent can be relied on in the employment context under current data protection rules, GDPR contains more detailed and strict consent provisions which employers should be aware of. In particular:
- GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Bundled consent, or consent wording that is too general to enable individuals to know what is planned, is not sufficient to allow organisations to rely on consent in order to process personal data.
- Consent can only be relied on to legitimise data handling where affected individuals have a genuine free choice and are able to refuse or withdraw consent without detriment; this is often not the case in the employment context.
- Consent should not be relied on where there is a 'clear imbalance' between the data subject and the data controller, as there usually is between employee and employer.
- Consent cannot be relied on for GDPR purposes where the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract; requiring employees to consent contractually to the processing of their data for purposes that is not necessary so that the employer can perform the contract is therefore not permitted (while consent is not required in any event in order to process employee data for the purposes of performing the employment contract).
- Employers should take account of these restrictions when considering whether to rely on consent in order to process employee data and should avoid including general data protection consent wording in employment contracts. Employers that are tempted to seek general consent from employees on a 'cover-all' basis even though other 'conditions of processing' apply, should note that draft guidance on consent published by the Information Commissioner's Office (ICO) in March 2017 indicates that seeking consent where this is not required under GDPR should be avoided (because it will be misleading for affected individuals and therefore unfair).
Subject Access Requests (SARs)
In many ways the GDPR enhances employee rights to access personal data held by their employers; GDPR entitles them to more detailed information regarding the way in which their data are processed, reduces the time limits for the employers response, abolishes the current £10 fee for responding to a SAR and requires employers to give reasons for any refusal to comply. Employers may, however, take some comfort from the fact that, where requests are particularly complex, time for compliance may be extended for up to 3 months. If requests are manifestly unfounded or excessive, employers are entitled to charge a reasonable fee (taking into account the administrative costs of providing the information) or to refuse to act on the request altogether. It is likely that the ICO will publish guidance in due course to give an indication of what sorts of requests could be viewed as 'complex', 'manifestly unfounded' or 'excessive'. Where an employer intends to delay the response or refuses to respond to a request, the employer must write promptly to the individual within the month explaining this and informing requesters of rights to complain to the ICO or to seek a remedy in the courts.
An additional consideration for employers is that GDPR confers a new right of 'data portability' which applies to data supplied by an individual and then processed, either with a view to entering into a contract with him or her or in order to comply with a contractual duty owed to him or her. This right of data portability is likely to apply not only to personal data supplied directly by employees (e.g. during recruitment or on-boarding) but also to 'observed data' i.e. data collected by the employer as a direct result of its observation of employee activity (e.g. time and attendance data). Where the right applies, employees are entitled on request to receive their data in a structured commonly used and machine-readable format (i.e. a data format that can be automatically read and processed by a computer, for example CSV, JSON and XML data formats but excluding PDF documents and scanned images) and to have the data transferred to other organisations.
In order to prepare for compliance with the GDPR, employers should take steps now to:
- update policies, procedures, privacy notices and consent mechanisms;
- plan how to handle SARs and provide any additional information within the new timescales;
- ensure that employees are trained to recognise and respond quickly and appropriately to SARs;
- develop template response letters;
- assess the organisation's ability to isolate data relating to a specific individual quickly and to provide data in compliance with the GDPR's format obligations;
- consider putting a 'data subject access portal' in place allowing an individual to access their information easily online; and
- ensure that data covered by the portability right can be supplied in the required format.