Data protection is relevant to HR records and the handling of personal data at all stages of the employment lifecycle (as well as in relation to job applicants, former staff members, volunteers and consultants).
The Applied GDPR and the obligations and responsibilities it places on data controllers – including employers – require you to “think privacy first”. Effective records management and ensuring compliance with data protection legislation means being proactive about auditing HR data, having appropriate systems, controls and policies in place concerning its use, and ensuring individuals have clear information about how their information is used, with whom it may be shared, and how long it is to be kept.
Examples of when GDPR is engaged at work include the following situations:

| Stage of the employment lifecycle | Examples of personal data processing and data protection issues |
|---|---|
| Recruitment/engagement | Pre-employment data collection, employee document checks and vetting, and the possible need to make reasonable adjustments at interview |
| Induction and training | Further employee data capture; additionally, GDPR compliance training should form part of onboarding (with later refresher/update training) |
| Day-to-day employee management | Staff administration and general record keeping (likely to include handling special category personal data[1]), employee monitoring, performance assessment, and information arising from, or used within, disciplinary and grievance processes |
| "Strategic" events (e.g. mergers and acquisitions, outsourcing and redundancies) | Requires consideration of the legal bases for disclosing/sharing employee personal data, and the possible application of the management forecasting and other relevant exemptions |
| Termination | References, leaver processing, record retention, negotiations and settlements, and potentially litigation (NB legal advice and/or litigation privilege, plus the use of DSARs as early disclosure tools) |
Key employer GDPR obligations under the Applied GDPR
- Employers, like all data controllers, must comply with the data protection principles under Article 5 of the Applied GDPR (see text box) – these are general rules for the handling of personal data.
- It is also necessary to have – and be able to identify – a lawful basis for processing (Article 6 for “regular” personal data and, additionally, Article 9 if “special category” personal data are involved – see further below).
- Employers must provide required transparency or “fair processing” information to enable individuals to understand the scope and nature of processing and how it may affect them, usually via a privacy notice.
- Where required, employers will need to give effect to individual rights such as correction of incomplete or inaccurate personal data and the right of subject access.
- At all stages of the employment relationship, it will be necessary to store personal data with appropriate safeguards, implement document retention policies and ensure that the eventual destruction of records is carried out securely.
Article 5 Data Protection Principles – i.e. "personal data" must be:
- a) processed lawfully, fairly and in a transparent manner
- b) processed only for specified, explicit and legitimate purposes
- c) adequate, relevant and limited to what is necessary for the processing purposes
- d) accurate and, where necessary, kept up to date (NB rectification and erasure)
- e) not kept for longer than is necessary for the purposes for which it is processed
- f) processed in a manner that ensures appropriate security for the data
Employee health information
Whilst not the only type of special category personal data, health information is routinely provided to, and handled by, employers. Such information is potentially relevant to absence management and to health and safety risk assessments, and medical reasons can also be a causal factor (or a claimed factor) in underperformance issues. The following tips may be useful to employers in handling employee health information.
- Employers should not set out to process health or medical information about employees that they do not need and/or cannot justify collecting. If a job has a requirement that is specific to the role, e.g. the employee needs to work at heights or have eyesight of a particular standard, they can ask the individual. However, employers should avoid comprehensive medical questionnaires when onboarding an employee as the data collected will likely extend beyond what is reasonable to establish whether a job applicant can perform the role.
- In terms of identifying an Article 9 processing ground, the employer may be able to rely on the ground that processing is necessary for carrying out obligations or exercising rights (of the controller or the data subject) in the field of employment, that the information has "manifestly" been made public by the individual, or that processing is necessary for the establishment, exercise or defence of legal claims.
- In situations where employee health data may be relevant or needed in order to provide a benefit, employers may consider putting employees in touch with the benefit provider or using a “self-serve” system to minimise processing that they, directly, need to carry out.
- Organisations should have systems and processes that control who has access to employees’ health information and ensure that such access is limited to what is strictly necessary. It will usually be appropriate to separate absence data (which line managers will need to know for resource planning) and the reasons for absence (which HR may need to be aware of in order to assess eligibility for benefits, determine return to work strategy and make reasonable adjustments in HR processes, where needed).
Employee monitoring at work
Another area employers need to be aware of relating to GDPR and its impact in the workplace concerns the monitoring and surveillance of staff. This can take different forms, e.g. recording arrival and departure times via key fobs or tokens, the use of CCTV on the employer’s premises, checking logs of websites visited during internet browsing sessions and performance monitoring via keystrokes. Clearly, this can be intrusive and will amount to processing of personal data to the extent it provides information about individuals who can be identified from the data collected.
Enabling individuals to understand what data is being collected, and being clear about the purposes of processing, are important in achieving compliance with the employer's obligations under the Applied GDPR. The following points should additionally be borne in mind:
- The monitoring or surveillance must be necessary and proportionate to be lawful (consider if there is a less intrusive way of achieving the same purpose or addressing the same concern);
- A data protection impact assessment (DPIA) may be advisable or required, depending on whether the processing is likely to result in high risk to individuals. A DPIA will definitely be required if the processing involves, for example, use of special category personal data on a large scale or profiling/automated decision making with significant impacts on individuals. It is almost always advisable to carry out a DPIA where a major project is proposed involving the use of personal data whether it has “special” risk factors or not.
- Employees should be informed about the use of monitoring and surveillance techniques unless – exceptionally – covert monitoring is justified. Employers should check IT and communications policies as staff have a reasonable expectation of privacy in the workplace even when using company equipment (any interference with that right should usually be made clear).
Balancing individual rights and business purposes when processing personal data
The UK ICO published an Employment Practices Code which sets out guidance and best practice recommendations and aims to balance employees’ legitimate expectations about handling of their information and employers’ legitimate interests in deciding how best, within the law, to run their own businesses. It is not Isle of Man guidance but may be of assistance to employers in the Island given the principles and requirements under the respective data protection laws are similar. (NB The guidance is not updated for GDPR but still has relevance nevertheless – readers are advised to bear this in mind.) There is no direct Isle of Man equivalent to the guidance at this time.
The Employment Practices Code has sections on recruitment and selection, employment records, monitoring at work and information about workers’ health.
https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf
Did you know: Cains’ lawyers can help draft and review privacy notices, advise on the content of relevant policies and on procedural steps involving data handling, help employers respond to subject access requests (DSARs) and advise on records management practices plus deal with more contentious data-related issues such as formal challenges and complaints by individuals.
Reference:
[1] Information which, by its nature, is more sensitive or could cause greater harm if used inappropriately or in an unauthorised way – see Article 9 of the Applied GDPR. It includes information revealing racial or ethnic origin, about membership of a trade union, relating to the physical or mental health of an individual or concerning a person’s sex life or sexual orientation.