The General Data Protection Regulation (GDPR) came into force throughout the EU on 25 May 2018. The aim of the GDPR is to have a common set of rules on data protection applicable across the EU. It is also intended to put data privacy higher up the agenda for businesses and to establish much tougher penalties for data breaches.
The applicability of the GDPR will not initially be affected by Brexit. The Data Protection Act 2018 has now repealed and replaced the Data Protection Act 1998 and covers some derogations from GDPR. In the longer term, as part of the Brexit process, the UK government will seek to put in place alternative arrangements (such as a unilateral ‘Privacy Shield’ agreement with the EU) that will allow the UK to share data with EU Member States post-Brexit.
This fact sheet provides an overview of how the GDPR (which we use as a coverall term to cover GDPR and the Data Protection Act 2018) may be relevant to employment matters. It is not intended to be a comprehensive guide to an organisation’s obligations under the GDPR and you should seek specialist legal advice on this from a data protection lawyer.
Data protection in the UK before May 2018 was governed by the Data Protection Act 1998 (DPA). The DPA contained eight basic principles:
The GDPR is based on similar concepts to those found in the DPA such as “personal data”, “data subject”, “data processor”, but there will be significantly greater importance placed on the legal basis for processing data and the rights of data subjects.
Under the GDPR, personal data must be (we have added the emphasis below):
Under the GDPR, businesses must establish a lawful basis to process personal data and document this. Lawful bases include:
There are separate lawful bases for the processing of special category data and criminal offence data, which include explicit consent from the data subject and processing which is necessary for carrying out obligations under employment.
Under the GDPR and Data Protection Act 2018, there are three distinct types of data:
Personal data is any information relating to an identified or identifiable natural person. This covers individual pieces of data (such as a name), or combinations of data (such as an email address together with a name), that enable a specific person to be identified from that data.
Special category personal data is any personal data that deals with a person’s:
Criminal offence data is any personal data that relates to a person’s criminal history, including any arrest history, past convictions and any sentences and punishments that may have been imposed upon a person resulting from criminal behaviour.
Consent under the GDPR must be freely given, specific, informed and unambiguous. There must be a positive opt-in by the subject and consent cannot be implied from silence. Consent must also be separate from other terms and conditions and subjects must be given the ability to withdraw consent easily. Subjects will generally have more rights under the GDPR where you rely on consent to process their data.
Whilst employers are not required by the GDPR to automatically seek fresh consent for processing data about employees, employers should consider whether, if they are relying on consent as a lawful basis for processing, any consents obtained in the past are valid under the GDPR. In particular, employers must be absolutely confident that the consent given was given freely and on a fully informed basis. Given that many employers include a clause in contracts of employment stating that employees consent to the processing of their data, such consents are unlikely to be legally compliant under the GDPR, as it is difficult to state legitimately that the consent given was free.
Consent under the GDPR is likely to be far harder to establish as a lawful basis for processing than under the DPA, because of the requirement for consent to be “freely given”. Employers would therefore be wise to consider other grounds for processing, such as the performance of contractual obligations (i.e. the employment contract), compliance with legal obligations and/or legitimate interests.
The position regarding special category and criminal offence data is more complex. For advice on how to handle criminal record data, please see Criminal Records below and FS9.09 Criminal Records and Employment.
With regard to the processing of special category personal data, not only must the controller have a lawful basis for the processing (see above), but it must also separately demonstrate one of 10 conditions for processing the special category data. These are:
For employers, it is likely that only 1, 2 and 6 above will ever be used to justify the processing of an employee’s special category personal data. Given the nature of special category personal data it is best practice to limit the amount that is collected to only that which is needed (for example, if an employee has a disability and information relating to the disability needs to be recorded to assess reasonable adjustments that have been made for that employee) and to seek consent to its collection and storage. Whilst there is an allowance for an employer to process special category personal data in accordance with 2 above, it is incumbent on the employer to be able to demonstrate that the collection and processing of this data was absolutely necessary and not merely beneficial.
Under the GDPR, data subjects have the right to:
Employers must give applicants and employees information about:
This information must be given to the data subject at the time the data is obtained in a clear, concise format. See GDPR – Data Protection Policy [P32.01] for further information.
See GDPR – Subject Access Request Form [TP32.01].
Under the GDPR, subjects will have the right to obtain access to their data and other information about how their data is being processed and by whom. This is similar to the current rights of data subject access under the DPA; however, there are some significant differences.
Employers will no longer be able to charge a £10 fee for processing data subject access requests (although they can charge a reasonable fee based on the administrative cost of providing the information if a request is manifestly unfounded or excessive), and they must respond without undue delay and within one month, rather than the current 40 days. It is possible to extend this by a further two months if a request is complex or numerous. Employers may also refuse to respond to a request where it is considered to be manifestly unfounded or excessive, and in particular where it is repetitive, but the employer must explain why the request has been refused and that the subject has a right to complain to the supervisory authority. See GDPR – Holding Respondent to a data subject access request [SL32.02], GDPR – Detailed response to a data subject access request [SL32.03] and GDPR – Guidance note for employees dealing with a DSAR [TP32.03].
The GDPR does not give a right to refuse to answer requests that relate to large amounts of data, but employers can consider whether there are grounds to say that the request is manifestly unfounded or excessive.
If a request is made electronically, the employer should provide the information in an electronic format. The GDPR also suggests that businesses should consider providing remote access to a secure self-service system where subjects can directly view their data. It is not clear to what extent this is expected but, given the GDPR’s risk- and resource-based approach to regulation, it is likely to be applicable to very few organisations in the near future.
Employees can object to the processing of their data based on legitimate interests on grounds relating to their “particular situation”. If an employee objects, you must cease processing the data immediately unless you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims. The most likely reasons for an objection would be where an employee has provided their employer with details relating to their significant other, as an emergency contact, and is no longer with that person, or, where information relating to a medical condition has been provided and the employee determines that the employer no longer requires that information.
Applicants and employees have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or similarly significant effect on the individual. If such a process applies, subjects must be able to obtain human intervention, express their point of view and challenge the decision. The right does not apply if the decision is necessary for entering into or performing a contract, is authorised by law, or is based on explicit consent.
Automated decision-making may apply in the employment context in recruitment procedures, or in the application of triggers for performance or absence management, for example. However, most employers will routinely still subject such processes to human oversight and/or offer an opportunity for employees to comment on the matter before a final decision is made. Employers would be wise to consider whether they need to introduce any further safeguards or consents (particularly in recruitment, where first stage “sifts” might occur) in order to comply with the GDPR.
Public authorities and employers whose core activities include monitoring or large-scale processing of special category personal data must have a Data Protection Officer. This means that most businesses in the financial services, insurance or other regulated industries will need to make such an appointment. Simply processing special category data about your employees does not necessarily mean that a business must have a Data Protection Officer.
A data protection impact assessment (DPIA) can help businesses to identify the most effective way to comply with the obligations of the GDPR. Businesses are required under the GDPR to undertake a DPIA where processing is taking place that is likely to result in a high risk to the rights and freedoms of individuals.
The ICO has recently published detailed guidance on DPIAs. More information can be found at:
Personal data can only be transferred outside of the EU where the recipient country has adequate safeguards in place. This may be determined by the European Commission, or where the individual organisation has provided adequate safeguards, such as binding corporate rules, standard data protection clauses in the form adopted by the Commission, etc. If you utilise outsourced payroll providers, for example, you must ensure they handle the personal data you provide to them in a GDPR-compliant manner. With limited exceptions, the employer, as the data controller, will be liable to the data subject and the ICO for the actions of its processors if something goes wrong or a breach occurs.
Under the GDPR, data controllers are required to demonstrate compliance with the data protection principles and therefore employers are advised to ensure that they have a comprehensive set of policies governing data protection within the organisation. See GDPR – Data Protection Policy [P32.01] and GDPR – Data Retention Policy [P32.02]. Employers will also be expected, where possible, to have systems in place to manage data within the purposes for which it is obtained and retained.
Employers often use third parties to process data relating to employees on their behalf, such as payroll providers. Under the GDPR, processors may only process data on behalf of a controller if they have documented instructions. There will be an obligation on the provider to demonstrate compliance with the GDPR and to allow the controller to inspect and audit the processor’s systems. This could make contractual negotiations with third-party providers more complex and expensive.
Many employers currently ask employees to consent to medical reports being obtained on their current medical condition in situations of frequent short-term sickness absence or long-term sickness absence. Such information will constitute special category data under the GDPR, but consent will no longer be an appropriate lawful ground for processing such data given the difficulties with consent in the employment relationship. Employers should instead consider the reasons for obtaining such a report and, assuming that the employer is seeking to perform rights and obligations in connection with employment, the employer should be able to rely on Article 9(2)(b) of GDPR as the lawful basis for processing, which provides that processing is “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject”.
Rights and obligations in connection with employment in the context of medical reports could include:
Employers will still need to inform employees of their rights under the Access to Medical Reports Act 1988 (see FS3-05 Medical Evidence and Access to Medical Reports).
Information about an employee’s criminal convictions is personal data and cannot be processed unless there is a lawful basis for doing so. Therefore, employers will need to ensure they comply with their obligations under data protection law in respect of their obligations as data controllers.
Under GDPR, employers can only process personal data relating to criminal convictions and offences if:
In all cases, the processing must be carried out by a legal authority or official authority. Employers appointing individuals to roles to which the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 and/or the Police Act 1997 apply can therefore continue to process such information obtained via a standard or enhanced disclosure.
In contrast, there is no legal obligation for any employer to request a basic disclosure (although many may think it prudent to do so). Under the GDPR and Data Protection Act 2018, there is therefore no permission to process basic disclosures. On this basis, a blanket policy requiring all employees to undertake basic disclosures is unlikely to be GDPR compliant and is also unlikely to be viewed favourably by the ICO.
An employer may be able to argue that a request for a basic disclosure is in pursuit of a legitimate interest, namely to protect its reputation and/or to gain the confidence of the public in the reliability of its staff, given the high degree of trust required for the role and/or the sector, however, this is untested in the courts. If an employer is looking at undertaking basic disclosures on this basis then a legitimate interest assessment must be completed to consider whether or not those legitimate interests are outweighed by the applicant’s right to privacy. In addition, consent will still be required from the data subject to undertake this processing. It is recommended that you take advice from your Legal Advisor before pursuing this approach.
Where checks are undertaken, the information obtained should only be retained for as long as is necessary for the purpose for which it was obtained. As an example, if an employer is relying on legitimate interests as a lawful basis for undertaking a check, once a decision is made regarding the prospective employment, i.e. whether or not to employ them, the information should be destroyed.
In addition to the above, the data controller must have in place a clear policy that details why information relating to criminal convictions and offences is collected and processed, together with how long it will be held. This policy must be reviewed and updated regularly. See GDPR – Data Protection Policy [P32.01] and GDPR – Data Retention Policy [P32.02] for wording that deals with this requirement.
A data protection breach means a breach of security resulting in the loss, alteration, destruction, disclosure of or access to personal data. There will be a duty on employers to report certain breaches to the ICO within 72 hours of the breach, and in some cases, to the data subject affected.
The notification provisions require businesses to notify the ICO of the facts of the breach, how many people are likely to have been affected, the likely consequences of the breach and the remedial steps that the company is taking to mitigate any damage.
Businesses are required to keep a record of all data breaches (whether or not notified to the ICO) and the action that was taken.
The maximum penalty for non-compliance with the GDPR is €20 million or 4% of an undertaking’s global turnover, whichever is higher.
Failure to notify a breach can result in a fine of up to €10 million or 2% of the company’s global turnover.
This document has been created by, or on behalf of ESP Ltd, as a general document and as a guide in relation to its subject matter and has not been bespoke drafted for you or the specific circumstances in which you are looking to use it. Prior to using this document and undertaking any HR process you must consult your organisation’s own policies and procedures to ensure that you do not do anything in conflict with your own policies and procedures. If in any doubt as to how to use this document or, if you require any legal advice, please feel free to contact ESP Ltd on 0333 006 2929 and our legal team will be more than happy to assist. ESP Ltd will not be liable in any way for any actions undertaken by you or your use of this document unless we have been consulted regarding your use of this document as legal advisor to your business or have bespoke drafted any documentation in response to a specific support request.