Change of basis for processing
[page 13]If the employer subsequently finds that it has not chosen an appropriate basis for processing data, they cannot simply switch and start processing under another lawful basis (Article 6 UK GDPR). However, if there is a genuine change in circumstances or a new and unanticipated purpose arises which means there is a good reason to review the lawful basis and make a change, they must inform the individual and document the change.
Unless the initial basis for processing was consent, an employer may still be able to continue with the processing if the new purpose is compatible with the old one. Establishing that it is compatible takes the following into account:
• any link between the purposes for which the personal data has been collected and the purposes of the intended further processing;
• the context in which the personal data was collected;
• the nature of the personal data;
• the possible consequences of the intended further processing for workers;
• what safeguards are in place (such as encryption or pseudonymisation).
The relationship between employer and worker is inherently unbalanced, which makes it likely that a change of purpose by the employer can be challenged on the basis that the “context” makes it unfair.
The ICO says that even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.