Data Protection and Employment law
Christopher Howells looks at the changes on the horizon in data protection law and considers how they will affect the workplace.
General Data Protection Regulation
For those of you who struggled to come to terms with the vagaries of the Data Protection Act 1998 there is good news: it will soon be defunct.
Alas, that is where the joy ends, since it will only be replaced by new legislation, the General Data Protection Regulation (which goes by the not-so-catchy acronym ‘GDPR’).
The GDPR was agreed by the EU member states back in 2016 and its provisions will take effect from 25 May 2018.
Since it is a Regulation (not a Directive) it will have direct effect in all Member States without the need for domestic legislation to be enacted.
GDPR in the workplace
Under the GDPR employees as data subjects will have the right to:
- Access the personal data held by their employer.
- Rectification of data that is inaccurate or incomplete.
- Be forgotten in certain circumstances.
- Block or suppress processing of personal data.
- Data portability, which allows employees to obtain and re-use their personal data for their own purposes across different services under certain circumstances.
It should be noted that tougher fines for non-compliance and breaches will apply under the GDPR.
The prudent employer will undoubtedly want to review contracts of employment and employee data protection policies to make sure they are GDPR compliant. That will include reviewing policies covering CCTV, social media and IT.
Beyond that, the GDPR places an increased emphasis on accountability in the use and handling of personal data. Satisfying this accountability requirement takes more than a paper exercise of reviewing documents: employees should be trained, should understand their rights and obligations, and compliance should be kept under review.
Data processing and consent
A lot of companies process personal data of employees on the basis of their consent.
The GDPR requires that consent be given unambiguously. This means the consent must be given freely, specifically and on an informed basis. For consent to be given freely, a refusal to give it should not be detrimental to the data subject. Free consent also means that it may be withdrawn at any time.
Further, when consent is given through a declaration that also deals with other matters, the consent to the processing of data has to be clearly distinguishable from those other matters to be valid.
Given the imbalance of power in the employment relationship, regulators have signalled that an employee's consent will rarely meet this standard. Where consent cannot be relied upon as a ground for processing employee data, employers will have to consider whether one of the other legal grounds can justify their actions. These include the following:
- Contractual necessity (e.g. for the processing of employee payment data).
- A legal obligation (e.g. for the processing of employee data in relation to social security).
- The legitimate interest of the employer (e.g. in the context of employee monitoring).
These grounds are all subject to restrictions and must be narrowly construed. Where an employer cannot rely on any of the grounds for processing data then it may have to stop or limit the range of data processed.
Automated decision making
Employees will have the right not to be subjected to a decision based solely on automated processing where that decision produces legal effects concerning them or similarly significantly affects them. Examples might include profiling for performance or promotion, or automated triggers for sickness absence procedures.
Data Subject Access Requests
Many employers (not least local authorities) will despair at the mere sight or sound of these words. The GDPR does nothing to alleviate the burden they face.
The right for individuals to receive copies of their personal data remains. However, there is now a need to respond within one month (down from 40 days) and a fee can no longer routinely be charged.
There is scope to extend the period for compliance by up to a further two months where requests are “complex or numerous”, and to refuse to respond where requests are “manifestly unfounded or excessive”. An employer may also charge “a reasonable fee” where a request is manifestly unfounded or excessive. There is no guidance on how these concepts are to be defined, but experience suggests that in most cases it is plain when you are dealing with a complex, excessive or unfounded request for information.
Data Protection Officer
A Data Protection Officer must be appointed if (i) processing is carried out by a public authority; (ii) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or (iii) the core activities consist of processing on a large scale of special categories of data.
Data breach notification
Unless it can be shown that a personal data breach (essentially the accidental or unlawful loss, destruction, alteration or disclosure of, or unauthorised access to, personal data) is unlikely to result in a risk to individuals, the employer will have to report that breach to the ICO within 72 hours of becoming aware of it. Where the breach is likely to present a high risk to particular individuals, they should be notified directly.
The DPA is (nearly) dead. Long live the GDPR!