The General Data Protection Regulation (GDPR)
[ch 15: pages 474-479]
Under the GDPR (as with the predecessor regime) the employer can be a “data controller” or a “data processor”. The individual is described as a “data subject”.
Like the DPA 98, the GDPR applies to “personal data”, although the definition is slightly wider. Under the GDPR, “personal data” is any information relating to an “identified or identifiable living individual” and includes, for example, an online identifier, such as an IP address. This change makes little practical difference to workplace data protection. All employment data covered by the DPA 98 will also be covered by the GDPR (and by the new Data Protection Bill, once in force).
Common examples of personal data held by an employer include:
• information on a job application form;
• salary and bank account details and other payroll information, such as dates of birth, National Insurance number, address and so on;
• payroll deduction information, such as DOCAS details;
• an email about an incident involving you;
• your disciplinary record;
• your staff appraisal;
• your redundancy selection scores;
• your image on a CCTV recording; and
• your employer’s opinion of your performance expressed in a reference.
The GDPR applies to automated personal data and to a manual filing system where personal data can be accessed using specific criteria, such as chronologically organised manual records.
Like the DPA 98, the GDPR regime is built around a set of data protection principles. Specifically, the GDPR requires all personal data to be:
• processed lawfully, fairly and transparently;
• collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with those purposes;
• adequate, relevant and limited to what is needed to achieve those purposes;
• accurate and kept up to date (every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay);
• kept in a form that allows for identification of data subjects for no longer than necessary, considering the purposes for which the data is processed; and
• processed securely, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
Personal data can only be transferred outside the EU to third countries or international organisations if the European Commission considers that the destination provides adequate protection.
Under the GDPR, any processing of personal data must be preceded by a clear notice to the data subject (in a work context, the job applicant or worker) when their data is first collected, clearly explaining the basis for processing. If consent is relied on to collect the data (see below), the notice must explain the right to withdraw that consent. The employer must also provide extra information, including the data controller’s identity and contact details, and information about new or strengthened rights available under the GDPR (see page 477), including the right to complain to the ICO.
Under the GDPR, personal data can only be processed if the employer has a lawful basis, namely:
• consent of the data subject (see below);
• compliance with a legal obligation such as the employment contract, or a statutory obligation such as tax or National Insurance;
• to protect the vital (health) interests of a data subject or another person;
• to perform a task in the public interest, or to exercise official authority vested in the data controller, for example a public body; or
• where necessary in the legitimate interests of the data controller or a third party, unless those interests are overridden by the interests, rights or freedoms of the data subject.
The GDPR provides extra protection for “special categories of data” (which the DPA 98 terms “sensitive data”). This data can only be processed under limited conditions. In the workplace, the most relevant conditions are:
• consent (see below);
• to comply with employment, tax or social security laws; or
• to protect someone’s vital (health) interests if they cannot give consent, or if processing is necessary for medical purposes and is carried out by a health professional or someone else who is under a duty of confidentiality.
“Special categories of data” include information about racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, physical or mental health, sex life or sexual orientation.
Criminal (or alleged criminal) activities, proceedings or convictions, although not classified as “special categories of data”, are subject to similar restrictions.
Under the GDPR, consent, where relied upon, must be freely given, specific and informed, and must provide a clear indication of the person’s wishes. In other words, there must be a positive “opt-in”. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be kept separate from other terms and conditions. It cannot, for example, be a term of the employment contract. Consent will be invalid if there is “a clear imbalance between the data subject and the data controller”. There must also be simple ways for someone to withdraw their consent.
The GDPR creates new rights for individuals, and strengthens existing rights. Rights relevant to the employment relationship include:
• the right to be informed about your personal data that is processed or held;
• the right to access your personal data;
• the right to have mistakes corrected within one month, or two months if the request is complex;
• the right to erasure (the so-called “right to be forgotten”) in some circumstances. This is not an absolute right but it strengthens the existing duty on employers to hold onto identifiable data for no longer than reasonably necessary;
• the right to data portability, in other words, to receive your data in a structured, commonly used and machine-readable form, and to be able to transmit it to another data controller without hindrance. This might be relevant when changing job;
• the right to restrict processing in some circumstances, for example, if the employer no longer needs data but you need it retained to pursue a legal claim;
• new safeguards to protect people from the risk of damaging decisions taken on an automated basis (that is, without human intervention); and
• new safeguards where an organisation engages in automated processing to “profile” personal characteristics, such as psychometric testing, to analyse or predict factors such as your likely work performance or health.
The GDPR also imposes new record keeping duties on the employer.
The GDPR introduces new mandatory duties on organisations to report certain types of data breach to the ICO and to the affected individual. However, a “breach” is more than a simple loss of personal data. The duty to report (which must be done without delay and, if feasible, within 72 hours of finding out about it) is only triggered if a breach places those affected at risk. The GDPR also includes new powers for mandatory data protection audits of businesses by the ICO.
Penalties for organisations that breach the GDPR are significantly higher than under the DPA 98 — up to 20 million Euros or 4% of annual worldwide turnover, whichever is greater. However, the ICO has indicated that the GDPR will not change its main methods of operating, namely through issuing guidance and advice on how to achieve compliance, rather than fines. In 2016-17, the ICO concluded 17,300 cases, but only 16 resulted in fines.
As well as statutory data protection obligations, the employer owes common law duties to keep workers' personal data secure (see Chapter 3). These include a duty to protect workers from risks such as identity theft or hacking. Employers will be vicariously liable for negligent data breaches, even if the person responsible was an ex-employee or a volunteer, or an external contractor such as a payroll company with inadequate internal data protection standards. For example:
A disgruntled internal IT auditor at supermarket Morrisons was instructed to send the payroll data of 100,000 employees to the external auditor. Instead, he copied and published it online. He was later convicted of criminal offences.
A total of 5,518 employees and former employees brought a group claim against Morrisons for data protection breaches, misuse of private information and breach of confidence. The court ruled that Morrisons was vicariously liable for all these offences. There was enough connection between the employee’s role and his wrongful conduct to fix Morrisons with responsibility, since Morrisons gave him access to the data. Applying broad principles of social justice, it was right, said the High Court, for the supermarket to be held responsible.
Various Claimants v Morrisons [2017] EWHC 3113
All employers must have proper data security policies in place and should regularly risk assess their systems, as well as the security standards of third parties such as payroll providers entrusted with their workers’ personal data. Employers should also have proper plans to respond quickly to any theft or leak of staff data, to minimise its impact.
Employers should also take steps to raise internal awareness among staff of the importance of data security. This might include simple measures such as reminder stickers, notices and posters and providing regular training on data security, including, for example, how to spot bogus emails and viruses.
The GDPR imposes a new legal accountability obligation on employers to demonstrate compliance with minimum standards of data protection, including as regards employment records. Sensible compliance measures include:
• having a data protection policy, publishing it to staff and keeping it under review;
• where appropriate, appointing a data protection officer;
• implementing other measures proportionate to the employer’s size and activities, including staff training, internal audits and periodic reviews of HR activities;
• maintaining a proper record of processing activities;
• applying “data protection by design and default” principles, such as pseudonymisation and data minimisation; in other words, building data protection into the design of all policies and processes, for example when ordering potentially intrusive new equipment such as CCTV systems; and
• using data protection (privacy) impact assessments, and following relevant codes of conduct.
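The list above names pseudonymisation and data minimisation as design-and-default measures. The following script is an added illustration of both applied to an HR payroll extract; it is not code from the original page or from any cited organisation. The record layout, field names and sample rows are constructed for the example, and the scenario (an extract prepared for an external recipient such as an auditor) is an assumption chosen to match the Morrisons facts discussed earlier.

```python
"""Pseudonymisation with data minimisation for an HR payroll extract.

Added example, not taken from the original page: it prepares a payroll
extract for an external recipient (for instance an auditor) so that the
copy which leaves the employer carries no direct identifiers. Field names
and the sample rows are constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample payroll rows; the people and values are fictitious.
PAYROLL_RECORDS = [
    {"employee_id": "E1001", "name": "A. Example", "ni_number": "QQ123456A",
     "date_of_birth": "1980-01-02", "bank_account": "12345678",
     "sort_code": "00-00-00", "department": "Bakery", "gross_pay": 2100.00,
     "union_deduction": 12.50},
    {"employee_id": "E1002", "name": "B. Example", "ni_number": "QQ654321B",
     "date_of_birth": "1975-06-30", "bank_account": "87654321",
     "sort_code": "00-00-00", "department": "Checkout", "gross_pay": 1850.00,
     "union_deduction": 0.0},
]

# Direct identifiers that stay with the controller (data minimisation).
DIRECT_IDENTIFIERS = ("employee_id", "name", "ni_number", "date_of_birth",
                      "bank_account", "sort_code")

# Fields the recipient needs for the stated purpose. A union deduction
# reveals trade union membership, a special category of data, so it is
# left out unless the purpose and a lawful condition cover it.
SHARED_FIELDS = ("department", "gross_pay")


def new_pseudonym_key() -> bytes:
    """Random 256-bit key; held by the controller, never sent with the extract."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, employee_id: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the employee id, first 16 hex chars.
    Without the key a recipient cannot recompute or reverse the token."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (extract, lookup). 'extract' is the minimised copy to share;
    'lookup' maps pseudonym -> employee_id and stays with the controller."""
    extract, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["employee_id"])
        row = {"pseudonym": token}
        row.update({field: rec[field] for field in SHARED_FIELDS})
        extract.append(row)
        lookup[token] = rec["employee_id"]
    return extract, lookup


def leaks_direct_identifier(extract) -> bool:
    """Pre-release check: True if any shared row still carries a direct identifier."""
    return any(field in row for row in extract for field in DIRECT_IDENTIFIERS)


def reidentify(lookup, token: str) -> Optional[str]:
    """Controller-side reversal using the retained lookup table."""
    return lookup.get(token)


if __name__ == "__main__":
    key = new_pseudonym_key()
    shared, mapping = pseudonymise(PAYROLL_RECORDS, key)
    assert not leaks_direct_identifier(shared)
    for row in shared:
        print(row)
```

The design point is separation: the shared extract contains only the fields the stated purpose needs, the HMAC key and the lookup table never leave the controller, and `leaks_direct_identifier` is the release-time check that a reviewer (or a union rep asked to look at the process) can point to as evidence that minimisation was actually applied.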
Unions and/or individual union reps have a potential role in workplaces where a union is recognised, to help ensure that accountability standards are maintained and to help raise awareness of the need to take care of personal data at work.