Processing Employee Data under GDPR?
This month’s article sets out a checklist of points for you to consider to ensure compliance with the General Data Protection Regulation (GDPR) when processing personal data. As you know, the GDPR comes into force on 25th May 2018. All businesses processing employee personal data must ensure that they can demonstrate that they have complied with the regulation.
The GDPR defines personal data as “any information in relation to a data subject”. A data subject is the identified or identifiable natural person to whom the personal data relates. This means that in relation to this article the data subject is the employee.
When considering what personal data you may hold, you should also be considering where you hold such data: is it on a server, hard drive, desktop, laptop, online, or in a good old fashioned (albeit secure) filing cabinet?
Personal data – what is it?
Typically, employers will hold personal data such as the employee’s personal contact details (name, title, address(es), telephone number(s) and personal email address(es)); date of birth; gender; marital status and dependants; next of kin and emergency contact information; government identification numbers such as National Insurance Number, driving licence number or other identification card; bank account details and payroll information; salary history; appraisals; any disciplinary or grievance information; pension and insurance enrolment information (such as death in service); start date and job title; place of work; any education and training (including that obtained prior to their employment with you); and full employment records (including professional memberships, references, work history and proof of their right to work). Some organisations also hold photographs of their employees.
Applying the Data Protection principles
The GDPR sets out the principles which data controllers and processors must comply with when processing personal data. As a quick reminder, data must be processed lawfully, fairly and in a transparent manner. The personal data must be collected only for a specified, explicit and legitimate purpose. You must not use the data in any manner which is incompatible with the purpose for which you obtained it. You should only hold personal data that is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. The personal data must be accurate and kept up to date. For any inaccurate data, every reasonable step must be taken to ensure that any rectification or erasure is carried out without delay. Personal data must not be kept in a form which permits identification of employees for any longer than is necessary. Any data processing must be carried out in a manner that ensures appropriate security. And finally, the data controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
Processing personal data
When processing personal data for employees, you should be considering what you do with the personal data once you receive it: where is it stored and who has access to it? You should also be giving consideration to how you collect the data: is it in person, by email, by telephone or by some other means? Is there any record of where and how the data is recorded (including telephone voice recordings)? Where is the data stored and how do you retrieve it if it is required for whatever reason? For what purpose are you processing any of the data, and do you need to disclose some or all of the data to third parties (for example your payroll provider)? What processes do you have in place to erase or delete any data you no longer require? In all of these cases, you must have provided your employees with a fair processing notice clearly setting out what will happen to the personal data.
Justification for processing personal data
Under the GDPR, you will need to demonstrate that there is a justifiable reason for you to be processing personal data. As a starting point, you will need to demonstrate that the employee has given valid consent to the processing of their data for one or more specific purposes (see below for more information on consent). For this you will need to ensure that you have provided your employees with a privacy notice to this effect.
The most obvious justification for processing personal data is for the obligations that come with the performance of the employment relationship.
Even though you may have the justification for processing personal data, you must still apply the GDPR principles. Whilst you may feel that there is justification for processing the employee’s data, the employee may not see it the same way and for this reason, at all times, you must assess whether on balance the interests or fundamental rights and freedoms of the employee override the employer’s legitimate interest.
Changes to purpose
On occasions, you may have obtained the personal data for one purpose but that purpose may have changed from when the employee’s data was originally collected. In these circumstances, you will need to consider whether further processing of the personal data is compatible with the original purpose of use. You should take into account whether there is a link between the purpose for which the original data was processed and the purpose of the intended further processing. You should be considering the context in which you collected the personal data – for example recruitment to employment. Processing personal data for the purposes of recruitment will be different to the processing of personal data when the candidate becomes an employee – this will be a change of purpose. You should further consider the nature of the personal data you are processing, in particular whether any special categories of personal data are being processed (for example criminal convictions; offences and medical records) (see below for more information on special categories of personal data).
In circumstances where you find that the new processing of personal data is incompatible with the original purpose, you must obtain the appropriate valid consent for further processing. In certain circumstances, you may even need to reassess your justification for processing the personal data: if there isn’t a legal basis for processing the data, you shouldn’t be processing it!
Special categories of personal data – what is this?
Special categories of personal data include racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic/biometric data (e.g. fingerprints, blood type); health/mental health data; and sexual orientation. You may hold some or all of these special categories of personal data in an employment relationship.
The big question you should be asking yourself if you are processing any special category of personal data is: is the processing necessary?
In all cases of processing any special category of personal data, you must ensure you have valid explicit consent from the employee (see consent below), ensure that there is a legitimate justification for you to process the special category of personal data, and comply at all times with the GDPR core principles.
Consent
It may come as a surprise that data processing based on employee consent is unlikely to be valid under GDPR. The simple reason for this is because the employee is unlikely to have a meaningful choice in giving their consent due to the imbalance of power between employer and employee. Where there is an imbalance of power, consent will not be freely given. It will be extremely difficult for an employer to rely on employee consent alone. This means that you should consider relying on alternative justifications for processing employee personal data, except in a one-off context such as the consent to an employer sending health information to a specialist.
If you are going to be relying on consent to process employee personal data, you must ensure that the consent is specific and informed; in other words, the employee has been given information about their right to withdraw their consent at any stage. You must ensure that the consent has been freely given, is unambiguous and takes the form of an affirmative action (or statement).
If there is no other lawful basis for processing the personal data, you must ensure that the employee has given explicit consent to enable you to process special categories of personal data, to transfer data cross-border, or in circumstances where decisions are made by automated processing of personal data.
In circumstances where consent has been given in a document, for example the employment contract, which also concerns other matters, you must ensure that the request for consent was presented in a manner that is clearly distinguishable from the other matters in an intelligible and easily accessible format and, importantly, in clear and plain language.
At all times, when relying on consent for processing personal data, you must be able to demonstrate and provide evidence that you obtained valid consent from the employee.
Explicit consent has not been specifically defined in the GDPR, but the Information Commissioner’s Office guidance indicates that it must be confirmed in writing.
Automated data processing
Employees have the right not to be subjected to decisions based on automated data processing if the decisions produce legal effects or may significantly otherwise affect the employee.
You will need to consider whether you are going to subject an employee to decisions based on automated data processing. If so, you will need to consider whether it is necessary for the performance of the employment contract and also whether you have obtained explicit employee consent. Suitable measures must be implemented to safeguard the employee’s rights, freedoms and legitimate interests, including the right to obtain human intervention, the right to express the employee’s point of view and the right to appeal any automated decision. If an employee is subjected to automated data processing, the employee must be notified (in writing) of the decision based on automated processing and allowed to request reconsideration of that decision within 21 days.
Sharing personal data with third parties
In many organisations the employee’s personal data may be shared with third parties, for example, a payroll provider and HMRC. Whenever an employee’s personal data is shared with a third party, you as the employer must have an audit trail documenting exactly what personal data is being shared with any third party and who the third parties are in relation to each category of data.
In situations where employers have entered into a contract or other legally binding act with a third party (such as your payroll provider or HMRC), it is your duty to ensure that they follow the mandatory obligations of a processor when processing the data. To this end, the personal data should only be processed in the manner specifically instructed by you (in writing or by documented process or procedure). This means that third party processors cannot use cloud computing technology without your approval.
Any third party processor must comply with the same security obligations as those imposed on you as an employer and if there is any breach of the personal data, they must notify you in relation to the breach.
You should only use staff and any other persons who have committed themselves to confidentiality, or are under a statutory obligation of confidentiality, to process personal data.
Third party processors should ensure that they can assist you in carrying out your obligations with regards to requests by employees to exercise their rights (including the right to transparency and information; data subject access rights; the right to rectification, erasure, restriction of processing and the right to data portability).
At your request, the third party processors must have the ability to delete or return all personal data at the end of the service provision.
You must ensure that you have systems and processes in place to communicate any rectification, erasure or restriction of processing requests from employees to any third party processor whose services you engage to process personal data.
Cross-border data transfers
If your business has offices or entities in other jurisdictions, or is part of a group which includes entities in other jurisdictions, you will need to consider whether personal data will be transferred across international borders (internally and/or externally). Different jurisdictions have different requirements as far as data protection is concerned, and you will need to assess whether there are sufficient safeguards in place, essentially equivalent to those ensured within the Union, to protect the transfer of personal data.
Data security
Data security is likely to be one of the biggest challenges employers will face in ensuring that personal data is protected, and all businesses will need to consider what technical and organisational measures they will need to have in place to ensure the security of the personal data they hold.
Commonly used measures to ensure data security include pseudonymisation and encryption of personal data, but you should also consider your ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing services. One of the key considerations to be had is the ability to restore and have access to personal data in a timely manner in the event of a technical or physical incident.
Employers should have a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the data processing.
Employers will need to consider what risks they may be exposed to by holding personal data. These risks include accidental or unlawful destruction of data; loss; alteration; unauthorised disclosure or unauthorised access.
Do bear in mind that different categories of personal data expose employers to different risks, and you should implement appropriate technical and organisational measures to ensure the level of security is appropriate to the risks for each category of personal data, taking into account the amount, nature and sensitivity of the employee personal data you maintain, and the amount of harm that may result from unauthorised or unlawful access to, or disclosure of, the personal data.
It is essential that you have a data breach response plan in place that is compliant with the GDPR, as data breaches are to be reported to the ICO within 72 hours of the breach if the breach is likely to result in a risk to the rights of employees. There must not be any delay in reporting any such breach.
Data retention
Employers should be considering what personal data they are going to retain, and for how long, in relation to their existing employees, particularly in relation to personal data that becomes out of date or obsolete. Employers should also be considering how long they should be keeping personal data for past employees and unsuccessful job applicants. Different personal data will have different retention requirements, some of which are governed by law (or otherwise).
Consideration should be given, in practical terms, to what processes and procedures you have in place to ensure that you comply with any retention policy that you may have.
Data Protection Officer
It is only necessary to appoint a Data Protection Officer where the processing of data is carried out by a public authority or body, except for courts acting in their judicial capacity; where the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and their purpose, require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or processor consist of processing special categories of personal data, or personal data relating to criminal convictions and offences, on a large scale.
Many processors, including outsourced service providers, payroll agents and providers of cloud services, will be operating in a market that includes public authorities and bodies so will need to appoint a Data Protection Officer.
You will need to consider whether there is a requirement for you to appoint a Data Protection Officer for your business.
Provision of information
All information provided to employees about their personal data must be concise, transparent, easily accessible and given in plain language.
The information to be provided to employees about their personal data at the time the data is collected includes the company’s identity and the contact details of your representatives (usually the person responsible for HR); details of the Data Protection Officer (if one has been appointed); the intended purpose of, and the legal basis for, the processing; and any recipients or categories of recipients of their personal data. If you are going to be transferring their personal data to a third party processor, you must notify your employees of this intention.
You must also provide your employees with information to ensure fair and transparent processing, for example the period for which the data will be held, or the criteria used to determine the period of retention. Employees must be advised of their rights and given information about those rights.
Right to withdraw consent
In circumstances where an employee has given their consent, the employee has the right to withdraw that consent to process their personal data at any time. However, if there is a legal ground for processing their data, for example their pay, you will still have a legal obligation to continue processing their personal data, but it comes back to ensuring compliance with the core GDPR principles.
Documentation requirements for the employer
There are slightly different documentation requirements dependent upon the number of employees you employ. If you employ 250 or more persons, then there are certain documentation requirements for you to adhere to.
For those employers employing fewer than 250 employees, you should have an appropriate policy document in place including at least information about the relevant conditions for processing the personal data; how the processing of the personal data satisfies the requirement of lawful processing; and whether personal data is retained and erased in accordance with your own retention and erasure policies.
It is strongly recommended that all your policy documentation is reviewed to ensure compliance with the GDPR core principles.
All staff who handle employee personal data across the organisation will require training, including how to respond in the case of a data breach.
All areas touched on above should be documented, and you ought to have robust policies and procedures in place.
The GDPR principles are the core obligations of everything you do with personal data and are at the heart of every aspect of processing personal data.
Next month’s article will focus on the employee’s rights under GDPR.
This article is intended as a guide and for general information only and is not a substitute for taking specific advice relating to your situation. For specific advice regarding this or any other issue relating to employment law, speak to one of our advisors by calling 01455 444222 or click here and complete our online enquiry form and an advisor will contact you shortly.