HOW IT AFFECTS PROCESSING OF PERSONAL DATA IN THE EMPLOYMENT CONTEXT
This blog will explain obligations that GDPR imposes on employers towards their employees plus the effects of GDPR on the processing of employees’ personal data.
Employers would be wise to ensure they are processing employee data in accordance with GDPR. Under this new regulation, due to be implemented on 25 May 2018, all employers are data controllers and employees are their data subjects. Because the GDPR confers new and expanded rights to all data subjects, there could be potential for data protection to be used as a weapon by a discontented employee or ex-employee in the context of employment disputes. Below you will find information on how to achieve GDPR compliance and keep your staff happy at the same time. Browse through the links below to find what you need.
WHO ARE ‘YOUR EMPLOYEES’
The most obvious ones are the standard full-time employees. Then, depending on what information the company collects, your ‘employees’ under GDPR can also include casual workers, flexi staff, agency workers as well as potentially consultants and other independent contractors. Even if you collect very little personal data on these categories of data subjects, they are entitled to the same rights as any other data subject under GDPR.
Training needs to be provided for all your employees on the relevant aspects of the GDPR plus company policies on privacy and data protection. If their role with you involves processing data for another data controller they must commit themselves to confidentiality as per Article 28 .3 (b) GDPR.
Most firms collect and process personal data relating to their employees to protect and run their business and this is subject to the GDPR. Examples include: salary details for administering payroll, health data where workplace exposure to toxins is a concern, monitoring of email and internet use, trade union membership, sick certs, personal photos collected by CCTV etc.
FAIR AND TRANSPARENT RECRUITMENT AND HIRING
GDPR mandates that certain information must be supplied to data subjects before their personal data is collected and processed. This gives job-candidates a sense of the culture within the company and a sense of control over decision making regarding their personal data.
Employers can meet the obligation to be transparent by providing clear, concise, understandable and accessible information. The means of providing the information is not specified in the text of the GDPR, so for example, it may be in the form of privacy notice on the website plus a letter to the candidate followed by training on the employee data protection policy once on the candidate is on the payroll.
USING CONSENT AS THE LAWFUL BASIS FOR PROCESSING EMPLOYEE DATA
As per GDPR Article 6, processing personal data is only lawful if certain conditions apply. Consent is the basis most employers currently rely on as it is usually part of the employment contract. However, under GDPR, for consent to be valid, it must among other things be “freely given”. However, an employee is rarely able to give free consent, so another one of the other lawful basis should be chosen where possible. For example, the lawful basis for handling payroll data could be based upon the legal basis of performance of a contract with the employee.
Note, that an employee’s health / medical information merits higher protection and should not be processed at all, except where necessary to achieve health-related purposes for the benefit of the employee.
PURPOSE LIMITATION
The purpose limitation principle places an obligation on the data controller (employer) to state the purpose for collecting each item of personal data. To comply with GDPR the data cannot be used for any purpose that is not compatible with the previously stated purpose.
DATA MINIMISATION
The data minimisation principle of GDPR means the range of employee data which can be
collected is confined to only that which is necessary to achieve the stated purpose.
INFORMATION THAT MUST BE PROVIDED TO EMPLOYEES
The language used to convey the following must be clear and straightforward:
1. The identity of the data controller(s) and a contact name for data protection issues
2. List of the personal details that will be collected by the company
3. The purpose(s) and the legal bases for collecting this personal data
4. The company’s legitimate interests if legitimate interests are the legal basis
5. The recipients or categories of recipients of personal data
6. Information on transfers of data outside the EU and the legal basis for the transfer
7. The retention period for personal data
8. Information on the privacy and data protection rights of employees /candidates
9. How employees (or job candidates) can withdraw their consent to processing
10. The contact details and name of the person responsible for data protection issues
11. The right to submit a complaint to the relevant Data Protection Authorities
12. The existence of automated decision-making, including profiling.
A decision must also be made as to how to meet transparency obligations to other data subjects whose data you process, for example job applicants who are not successful or employees’ next of kin.
EMPLOYEE RIGHT TO KNOW WHAT DATA AN EMPLOYER HAS ON FILE
Because employees are data subjects and the employer is a data controller, employees have the right to receive a copy of the personal data which the employer holds about them. An employee has the right to submit a subject access request (SAR) as per Article 15 GDPR. Each employer must have a process tested and approved to ensure the company can comply with its obligations to meet employee SARs.
TRAINING EMPLOYEES
Training needs to be provided for all employees on the aspects of the GDPR relevant to their role. Additionally, employees need to be trained on company policies on privacy and data protection. HR teams who handle personal and sensitive personal data in relation to staff daily, require HR-specific GDPR training, which should include guidelines on how to receive and respond to subject access requests made by employees and past employees.
EMPLOYEE SURVEILLANCE AND USE OF CCTV IN THE WORKPLACE
Employers are entitled to monitor employee activity, but they need a lawful basis to do it and they need to communicate the monitoring to employees. The most appropriate legal basis for the processing will probably be legitimate business interests or legal obligations.
Images from CCTV cameras, used to monitor for safety and security reasons, and employee surveillance monitoring, such as monitoring of internet access, fall into the personal data category under GDPR and because collecting and handling this information poses high-risks to the rights and freedoms of natural persons, GDPR Article 35 mandates that a data protection impact assessment (DPIA) is required.
Also, under GDPR, employees are considered vulnerable data subjects with respect to the employer because of the increased power imbalance between the data subjects and the data controller (meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights). Therefore, if you are considering using a new CCTV or employee surveillance system, a data protection impact assessment should be performed to see if the processing is appropriate, necessary and proportionate.
The DPIA will then help to reduce the level of privacy intrusion to a minimum through the principle of privacy by design (Article 25 GDPR). It forces employers to ask a range of questions such as does the surveillance need to be continuous or could it be set to activate only at certain times.
Where the monitoring / surveillance system is already in use prior to GDPR implementation date, the Article 29 Data Protection Working Party, which acts as an independent Europe an advisory body on data protection and privacy states, “The requirement to carry out a DPIA applies to existing processing operations likely to result in a high risk to the rights and freedoms of natural persons”.
Carrying out the DPIA will allow considerations to be made as to whether a less privacy intrusive method could be used to address the reason for collecting personal data. For example, would better flooring, lighting etc. improve the safety record in a warehouse, thus lessening the need for CCTV monitoring.
In terms of access rights, individuals have the right to request a copy of any CCTV footage in which they are in focus and / or clearly identifiable. If the request is valid and permissible, the organisation must supply the individual with that footage within 30 days of the validation. The same is true of other kinds of data relating to employee monitoring.
PENALTIES OF NON-COMPLIANCE
The GDPR arms data protection authorities with powers to tackle non-compliance through fines and prohibition. GDPR also makes it considerably easier for candidates, employees and former-employees to bring private claims against employers, and receive compensation, when their data privacy has been infringed.
BREACHES
Employers should put in place clear policies and well-practiced procedures to ensure that they can react quickly and lawfully to any breach of employee personal data. HR data, financial information, CCTV and audio recordings and other logs must be stored securely and encrypted wherever possible. As per Article 33 GDPR the controller shall document any personal data breach, comprising the facts of the breach, its effects and remedial action.
TERMINATION OF EMPLOYMENT
What happens to employee data when a contract for employment is terminated should be documented in the set of HR policies. If employee personal data is to be retained, then the lawful basis for doing so must be stated and the designated safeguards described. If data retention dates are set, the policy should state what they are and have procedures in place to ensure they are adhered to.
TASKLIST TO ENSURE PROCESSING OF EMPLOYEE DATA IS IN LINE WITH GDPR
• Audit employee files and document what items of personal data are collected, how it is obtained and stored, who accesses it, who it is shared with and how long it is retained
• Document the legal justifications / basis on which you hold data
• Confirm you are only collecting the minimum employee personal data needed
• Consider and document how long you need to keep personal data for
• Identify where it is transferred to and from, including outside the EU
• Review policies, staff handbooks and contracts of employment for compliance
• Update policies to reflect the new subject access request requirement
• Ensure that the policy on breaches / suspected breaches addresses employee data
• Train HR managers and relevant staff on GDPR awareness and compliance
• Implement GDPR training for all employees prior to May 25th
EXTRA BENEFITS OF PROCESSING EMPLOYEE DATA IN LINE WITH GDPR
Apart from the fact that processing employee data in line with GDPR requirements protects the company from litigation and fines, taking care of employee data will help improve employee loyalty and employee happiness, which is directly linked to productivity.
How can GDPR make the employees happier you might ask?
In his study of 24,000 working professionals on job satisfaction, across eight countries, Robert Half, in “The Secrets of the Happiest Companies and Employees” 2017, found that the top three biggest drivers of employee satisfaction and happiness were:
1. Feeling appreciated
2. Pride in their organisation
3. Being treated with fairness and respect
When you comply with GDPR you can demonstrate that your company cares about employee personal data. Being GDPR compliant enables staff to have pride in their organisation as it can act as a quality mark and literally lightens the load (retention, disposal?) Finally, fairness and transparency are the hallmarks of the GDPR.