With the General Data Protection Regulation (GDPR) coming into effect in May 2018, most organisations in the charity and social business sector and beyond will be thinking about how they collect, use and retain people’s personal information.
For charities, understandably, much of the focus has been on the way fundraising and marketing data are processed. In other sectors, more focus has been given to data sharing arrangements and international transfers of people’s personal information. Ironically, one area that has received less attention is one that will affect almost all organisations, regardless of their size or sector: employee data.
What kind of employee data are we talking about?
In the normal course of employment, an organisation is likely to collect a significant amount of personal data from employees – everything from name and address details to information that the GDPR refers to as ‘special categories’ of data (including information about race or ethnic origin, health, or religious beliefs).
For many years, it has been common practice to have a ‘catch-all’ data protection clause in contracts of employment which says that the employee consents to the organisation using their personal data for administrative, personnel and management purposes, as required.
The GDPR says that consent must be a “freely given, specific, informed” and “unambiguous” indication of an individual’s wishes. This definition has sparked countless discussions and debates as it will require many organisations to provide more detailed information about how they use the personal information at the outset and it will oblige them to update terms of consent if they later decide to use the same data for another reason.
In the employment context, the key problem with the GDPR definition of consent is that consent will rarely be “freely given” where there is such an imbalance in the relationship between the two parties. The Information Commissioner’s Office (ICO) picked up on this conundrum when it published its draft consent guidance earlier this year – it concluded that the imbalance “will make consent particularly difficult for...employers, who should look for an alternative lawful basis”.
What other options are there?
Consent is just one of several legal bases which an organisation can rely upon to lawfully process personal data and ‘special categories’ of personal data.
The alternative bases that are most likely to apply when processing personal data during an employment relationship will be:
- necessary for the performance of the employment contract (for example, monthly payroll)
- necessary for compliance with a legal obligation (for example, deduction of income tax via PAYE or compliance with employer pensions auto-enrolment obligations)
- necessary for the purposes of legitimate interests pursued by the employer (as long as those interests do not override the interests, rights or freedoms of the employee)
Where ‘special categories’ of personal data are concerned, there is a different set of conditions for lawful processing, including where it is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.
There may still be limited circumstances where consent will be a valid ground for processing employee data; however, employers will need to think carefully before they decide to rely on consent.
What should employers do now?
One of the key themes running through the GDPR is the need for organisations to be transparent about why they collect personal information and how it is used.
This will be a good opportunity for employers to review and update their data protection policies to ensure they provide clear information to employees about how the organisation is using their personal information (for example, monitoring employees’ use of the organisation’s IT systems or monitoring sickness absence).
With the above in mind, data protection clauses in contracts of employment are also likely to be in need of change in order to reflect the ICO’s recommendations, rather than relying on an unspecific blanket consent.
Where an employer decides that it will rely on consent, the GDPR says that it must be kept separate from other terms and conditions, meaning it can no longer be included as one clause among many in the body of an employment contract. Employees must also be told how they can withdraw their consent and employers must make it easy for them to do so.
Organisations will need to set aside some time to review their employee data ahead of May 2018 and to think about whether they need to make changes.
View our charity and social business and employment law pages for more information on data protection issues, including employee data. Contact our specialist teams if you would like to talk about data protection within your organisation.