Subject to any big Brexit changes in the near future, the UK GDPR and Data Protection Act 2018 (DPA) together set out the obligations that UK companies / employers have when holding and using employee personal data.
Data protection and the GDPR in the workplace are a key area for employers, and it is important to be aware of your obligations under the GDPR and to take steps to ensure that you are compliant. This will not only help to protect the personal data of your employees but will also help to avoid the costly fines and other penalties that can result from non-compliance.
Most of the time, an employer will be deemed to be a data ‘controller’, processing the ‘personal data’ of the employee, who will be the data ‘subject’ under the DPA.
- A data controller is a person who specifically controls the way personal data is processed.
- Processing means an ‘operation performed on personal data’, such as collecting, recording, organising, storing, adapting, transmitting or even destroying the personal data.
- Personal data is ‘any information relating to an identified or identifiable living individual’, such as a name, location data, identification number or an online identifier (e.g. IP address).
- A data subject is simply the individual the personal data identifies.
What GDPR obligations do employers have and how can they stick to them?
Data controllers / employers are responsible for, and must be able to demonstrate, compliance with the Article 5 data protection principles (https://www.legislation.gov.uk/eur/2016/679/article/5). These state that employers must:
- Process personal data in a fair, lawful and transparent manner – being transparent about how you collect, use and share the personal data of your employees; providing them with easy-to-understand information about their rights under the GDPR; and responding to requests from your employees to access, rectify or erase their personal data in a timely and effective manner;
- Collect personal data only for specified, explicit and legitimate purposes (explained below);
- Make sure that personal data is adequate, relevant and limited to only the data which is necessary to the purposes for which it is processed;
- Ensure personal data is accurate and kept up to date;
- Keep personal data in a form which enables the relevant data subject to be identified for no longer than is necessary for the purpose for which it is being processed. There may be exceptions to this ‘as long as necessary’ timeframe, but these are rarely valid; and
- Maintain integrity and confidentiality of the personal data by making sure there are appropriate security measures. Making sure that there are processes in place to detect, report, and investigate any potential breaches of personal data, and to notify the relevant authorities if necessary.
In order for employers to comply with their requirement to process personal data in a ‘fair, lawful and transparent’ manner (the first principle above), an employer must satisfy one of the grounds set out in Article 6(1) of the UK GDPR, which are:
- The data subject has given their consent for the employer to process their personal data for one or more specific purposes;
- Processing the data is necessary either for the employer’s performance of a contract to which the employee is party, or in order for the employer to take steps at the request of the employee before entering into a contract (however, if the employer could practically do what they want by processing less data, or using their data in a less intrusive way, this basis will not apply);
- Processing the data is necessary for the employer to comply with its legal obligation (e.g. disclosing employee salary details to HMRC);
- Processing the data is necessary to protect the vital interests of the data subject or another person (matters of life and death);
- Processing the data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority entrusted in the employer (mostly relevant to public authorities); and
- The employer can claim that it has a legitimate interest in processing the data (e.g. employee monitoring for safety), except where the interests are overridden by the interests and fundamental rights and freedoms of the employee.
Finally, when employers are processing ‘special categories’ of employee personal data, the default position is that this is prohibited unless an Article 9(2) exception applies. Special category data could include data relating to racial or ethnic origin, political opinions or religious or philosophical beliefs. Some pertinent examples of Article 9(2) exceptions are:
- Where the data subject has given explicit consent (explained further below);
- Where it is necessary for carrying out rights and obligations under employment law (explained further below);
- Where it relates to personal data which has been made deliberately public by the data subject;
- Where the processing is necessary for the establishment, exercise or defence of legal claims; and
- Where processing is necessary for the assessment of the working capacity of the employee.
Explicit consent. Employers used to rely heavily on consent in order to process employee data, by simply adding wording to their employment contracts. The UK GDPR changed this by saying – where consent is given in a written declaration which also deals with other matters, the request for consent must be clearly distinguished from the other matters. Also, it must be as easy for the employee to withdraw consent as it is to give it, and if there is a clear imbalance between the parties, such as in an employment relationship, consent is very likely to be presumed as not freely given. Due to all of this ambiguity and changeability, employment contracts do not tend to contain consent clauses anymore and choose to opt for other special category exceptions.
Employment law rights and obligations. Processing special category personal data is permitted where it is necessary in carrying out the rights or obligations conferred by domestic law on an employer or employee in connection with employment (for example an employer processing sick notes for statutory sick pay purposes).
General GDPR tips for employers
- There are some data protection related contractual clauses that employers should keep in their employee contracts, for example – ensuring employees are aware of their own responsibility to process personal data properly and the consequences of failing to do so;
- Ensuring that employees receive specific training and guidance about their responsibilities when handling personal data;
- Any employee data held by an employer should be strictly limited to what is necessary in relation to the purposes for which they are holding / processing it;
- Employers should have a policy which sets out the maximum storage periods for each different category of data;
- Keeping personal data well organised can be helpful, as employees are entitled to receive significant information from an employer about their data and how it is handled;
- Employers may also need to spell out the rights of the employee – such as the right to withdraw consent to the employer’s data processing and to lodge a complaint with the ICO;
- Try to keep a record of processing activities which have been carried out. This is currently a legal requirement for employers who employ over 250 people, or who process special category data (in practice this could effectively include all employers); and
- Consider carrying out privacy impact assessments where processing is likely to result in a high risk to individuals.
Has anything changed for employers in the last 2 years?
In July 2022 the UK government brought forward and began discussing the ‘Data Protection and Digital Information Bill’ in an attempt to simplify the inconvenience of data protection legislation for UK businesses, whilst also staying within the scope of the EU GDPR and retaining its adequacy status.
Key proposed changes for employers:
- Removal of data protection impact assessments (DPIAs) – employers would no longer need to conduct full DPIAs, but instead ‘assessments of high risk processing’. The aim is to reduce the administrative burden for companies; however, the details of the practical differences between these assessments have not yet been given.
- Data subject access request changes: changing the test for refusing and charging for access requests from “manifestly unfounded and excessive” to “vexatious and excessive”. This change should mean that employers will have more control over refusing subject access requests when it is clear that they are being misused. As any employer who has regularly dealt with subject access requests will know – they can be incredibly time consuming and therefore any increased control over refusing them will be welcome!
- Increase in maximum fines under The Privacy and Electronic Communications Regulations (PECR) – the fines are currently ‘up to £500,000’, but these will be brought in line with the UK GDPR, enabling the ICO to issue fines of up to £17.5 million or 4% of a business’s global turnover for specific significant breaches of PECR.
Following consultations last year, the ICO published draft guidance covering employer ‘monitoring (of employees) at work’ on 12 October 2022 (https://ico.org.uk/media/about-the-ico/consultations/4021868/draft-monitoring-at-work-20221011.pdf), which aims to protect employees ‘in a digital age’. A snapshot of the guidance:
- Monitoring at work is not prevented under data protection legislation, but there must be a balance between an employer’s commercial interests and a worker’s rights and freedoms;
- Employers must be able to identify the specific lawful basis being relied upon to monitor their workers. Owing to the nature of monitoring activities, it is likely that employers will collect ‘special category data’, which will require extra considerations / protections – as explained above in this article;
- If an employer is considering monitoring the emails and messages of an employee, it should complete a DPIA, as this poses a high risk to the worker’s data protection rights and freedoms and is likely to capture special category data; and
- If an employer is considering monitoring its workers remotely, keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. The risks of capturing family and private life information are higher, so employers should factor this risk into their planning.
More information on GDPR
Do check the old ICO guidance for companies – https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf. Whilst this has not been updated since the Data Protection Act 2018 came into force, the ICO ‘still consider the information useful’ as guidance for employers.
The ICO’s supplementary guidance to the ‘Employment Practices Code’ provides further information, examples and frequently asked questions supplementing the guidance above: https://ico.org.uk/media/for-organisations/documents/1066/employment_practice_code_supplementary_guidance.pdf
Other GDPR factors to consider
- Situations where an employer may be a data ‘processor’, rather than a data controller;
- Branches of the business outside the UK and transfers of employee personal data to them; and
- The broader employer risks when handling ‘special category data’.
This article reflects a narrow snapshot of the law at the date of publication and does not contain definitive legal advice, which should be sought as appropriate in relation to a particular matter.