LRD guides and handbook May 2019

Law at Work 2019 - the trade union guide to employment law

Chapter 15

The General Data Protection Regulation (GDPR)


[ch 15: pages 492-497]

Under the GDPR, an employer can be a data controller or a data processor. The individual is described as a data subject. The GDPR applies to personal data. This is defined slightly more widely than under the old law, as any information relating to an “identified or identifiable living individual”. It includes, for example, an online identifier, such as an IP address. All employment data that was covered by the old law will be captured by its replacement.



Common examples of personal data held by an employer include:

• information on a job application form;

• your answers in an online recruitment psychometric test;

• notes about you at a recruitment assessment centre;

• salary and bank account details and other payroll information, such as date of birth, National Insurance number, address and so on;

• payroll deduction information such as DOCAS (deduction of contributions at source) details;

• an email about an incident involving you;

• your disciplinary record;

• your staff appraisal;

• your redundancy selection scores;

• your image on a CCTV recording;

• a sound recording of you speaking; and

• your employer’s opinion of your performance in a work reference.




The GDPR applies both to automated personal data and to a manual filing system where personal data can be accessed using specific criteria, such as chronologically.



The GDPR regime is built around a set of data protection principles. Specifically, it requires all personal data to be:

• processed lawfully, fairly and transparently;

• collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with those purposes;

• adequate, relevant and limited to what is needed to achieve those purposes;

• accurate and up to date (every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay);

• kept in a form that allows for identification of data subjects for no longer than necessary, considering the purposes for which data is processed; and

• processed securely, with protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.



Personal data can only be transferred outside the EU to third countries or international organisations if the European Commission considers that the new destination provides adequate protection.



Under the GDPR, any processing of personal data must be preceded by a clear notice to the data subject (in a work setting, this means the job applicant or worker) when their data is first collected, clearly explaining the basis for processing. If consent is relied on to collect the data (see below), the notice must explain the data subject’s right to withdraw that consent. The employer must also provide extra information, including the data controller’s identity and contact details, and information about new or strengthened rights available under the GDPR, including the right to complain to the ICO. 



Under the GDPR, personal data can only be processed if the employer has a lawful basis, namely:

• consent of the data subject (the rules on what amounts to consent are much stricter than under the old law — see below);

• compliance with a legal obligation such as the employment contract, or a statutory obligation such as tax or National Insurance;

• to protect the vital (health) interests of a data subject or another person;

• to perform a task in the public interest or to exercise official authority vested in the data controller, for example, a public body; or

• where necessary in the legitimate interests of the data controller or a third party, unless those interests are overridden by the interests, rights or freedoms of the data subject.



The GDPR provides stronger protection for “special categories of data” (these used to be called “sensitive personal data”). This data can only be processed under limited conditions. In the workplace, the most relevant conditions are:

• consent (see below);

• to comply with employment, tax or social security laws; or

• to protect someone’s vital (health) interests if they cannot give consent, or if processing is necessary for medical purposes and is carried out by a health professional or someone else under a duty of confidentiality.



“Special categories of data” include information about racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, physical or mental health, sex life or sexual orientation. 



Information about criminal (or alleged criminal) activities, proceedings, convictions and cautions, although not classified as “special categories of data”, is subject to similar restrictions.



Under the GDPR, consent, where relied upon, must be freely given, specific and informed, and must provide a clear indication of the person’s wishes. In other words, there must be a positive “opt-in”. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must be kept separate from other terms and conditions. It cannot, for example, be a term of the employment contract. Consent will be invalid if there is “a clear imbalance between the data subject and the data controller”. There must be simple ways to withdraw consent.



The GDPR creates new rights for individuals and strengthens existing rights. Rights relevant to the employment relationship include:

• the right to be informed about your personal data that is processed or held;

• the right to access your personal data;

• the right for mistakes to be corrected within one month, or two months if the request is complex;

• the right to erasure (the so-called “right to be forgotten”). This is not an absolute right. Instead, it strengthens the existing duty on employers to retain identifiable data for no longer than reasonably necessary;

• the right to data portability, in other words, to receive your data in a structured, commonly used and machine-readable form and to be able to transmit it to another data controller without hindrance. This might be relevant in the future when changing job;

• the right to restrict processing in some circumstances, for example, if the employer no longer needs data but you need it retained to pursue a legal claim;

• new safeguards to protect people from the risk of harmful decisions taken on an automated basis (that is, without human intervention); and

• new safeguards where an organisation uses automated processing to “profile” personal characteristics, such as psychometric testing, to analyse or predict factors such as likely work performance or health.



The GDPR also imposes new record keeping duties on the employer. 



The GDPR introduces new mandatory duties on organisations to report certain types of data breach to the ICO and to the affected individual. A “breach” is more than a simple loss of personal data. The duty to report (which must be done without delay and, if feasible, within 72 hours of finding out about the breach) is only triggered if a breach places anyone affected at risk. The GDPR also includes new powers for mandatory data protection audits of businesses by the ICO.



Penalties for organisations that breach the GDPR are significantly higher than under the old law — up to 20 million Euros or 4% of annual worldwide turnover, whichever is greater. However, the ICO has said that it will not be changing its main operating methods, namely through guidance and advice rather than fines. 


Employers can be vicariously liable to workers for losses caused by breaches of data protection law, even where the employer itself is not at fault.



Employers also owe important common law duties in contract and negligence law to keep workers’ personal data secure (see Chapter 3). These include a duty to respect workers’ privacy and to take reasonable steps to protect their data from risks such as identity theft or hacking, as the next case demonstrates:


A senior internal auditor at Morrisons Supermarket, Andrew Skelton, was upset at being given a formal warning for using his employer’s post room to send eBay parcels, so in an act of revenge, he published the store’s payroll data online on an open access forum, including the personal data of about 100,000 employees. Skelton had been given the payroll data for a legitimate reason, which was to pass to the accountants for the annual audit. He went to jail for eight years.


In a group action by 5,518 Morrisons’ staff for breaches of data protection law, misuse of private information and breach of confidence, the Court of Appeal (CA) upheld a ruling that although the supermarket was not at fault, it was vicariously liable for losses caused by Skelton. Since he was given the personal data by Morrisons in the course of his employment, this created a sufficiently “close connection” with his role to make the supermarket liable. The CA rejected an argument that Skelton was no longer “on the job” because he uploaded the data at home on his personal computer on a Sunday, several weeks after secretly downloading the information from work onto a personal memory stick. 


Morrisons is to appeal to the Supreme Court.


WM Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2339


www.bailii.org/ew/cases/EWHC/QB/2018/1123.html

All employers must have proper data security policies and should regularly risk assess their systems, as well as the security standards of third parties such as payroll providers entrusted with workers’ personal data. Employers should also have proper plans to respond quickly to any theft or leak of staff data, to minimise its impact.



Employers should also take steps to raise internal awareness among staff of the importance of data security. This might include simple measures such as reminder stickers, notices and posters and regular training on data security, including, for example, how to spot bogus emails and viruses. 





The GDPR imposes a new legal accountability obligation on employers to demonstrate compliance with minimum standards of data protection, including as regards employment records. Sensible compliance measures include:

• having a data protection policy, publishing it to staff and keeping it under review;

• where appropriate, appointing a data protection officer;

• implementing other measures proportionate to the employer’s size and activities, including staff training, internal audits and periodic reviews of HR activities;

• maintaining a proper record of any processing activities;

• applying data protection and data security “by design and default” principles such as pseudonymisation and data minimisation, in other words, building data protection into the design of all policies and processes, for example, when ordering new potentially intrusive equipment like CCTV systems; and

• using data protection (privacy) impact assessments, and following relevant codes of conduct.


Unions and/or individual union reps have a potential role in workplaces with a recognised union, to help ensure that accountability standards are maintained and to help raise awareness of the need to take care of personal data at work.