Data protection law is changing from 25 May 2018, when the new General Data Protection Regulation (GDPR) comes into force. Oversight of implementation of, and compliance with, the GDPR will lie with the Information Commissioner’s Office (ICO).
Penalties for breaching the GDPR are potentially onerous – up to 20 million Euros or 4% of the company’s total annual worldwide turnover in the preceding financial year, whichever is higher.
What will be changing from an employment perspective?
Lawful bases for processing personal data – relying on consent
At present, most employers rely on consent given by employees, often in employment contracts, to collect and process personal data concerning their employees. From 25 May 2018, it will be much harder to rely on consent, and where an employer does choose to do so, the consent must be “freely given, specific, informed and unambiguous.” In other words, you will no longer be able to rely on a blanket consent given at the start of employment.
From 25 May 2018, we recommend that employers first consider whether they can rely on one of the other lawful bases for processing data as set out below, and only rely on express consent from employees as a last resort. Our view is that most of the circumstances in which you legitimately collect data for the purposes of the employment will fall within these reasons:
Contract: the processing is necessary for the employment contract you have with the individual, or because they have asked you to take specific steps before entering into the contract.
Legal obligation: the processing is necessary for you to comply with the law.
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest (e.g. equal opportunities monitoring) or for your official functions.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless the individual’s data rights override those legitimate interests.
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Special Categories of Personal Data
Stricter rules apply to the collection and processing of special categories of personal data, which were previously known as “sensitive personal data”. These included racial or ethnic origin, religious or similar beliefs, sexual life, political opinions, trade union membership, physical or mental health or condition, and details relating to criminal offences. The list has been expanded to include genetic data, philosophical beliefs, biometric data, sex life and sexual orientation. Details around criminal offences have been removed from this list and are dealt with separately in the legislation.
We recommend that employers consider carefully whether they need to collect or process this data. If you do, can it be anonymised? There may be circumstances where employers need to collect this data (for example in the case of sickness absence or a disability), but you may need to adapt your policies and practices to give particular protection to special categories of personal data.
Notifying employees of data held and processed by an employer
Employers already have to inform individuals when they are collecting and processing their personal data, and this notification is usually given in a privacy notice. This will also apply to job applicants, not just successful candidates. The GDPR takes this further, and extends the detail that an employer is required to provide, including the purposes for processing the personal data, the retention periods for that personal data, and with whom the data will be shared. The GDPR requires that employers provide privacy information to individuals at the time employers collect the personal data, and, if you obtain the personal data from other sources (for example an employment agency), you must provide the information within one month.
It is a new requirement under the GDPR that employers demonstrate that they comply with the GDPR. We recommend that employers update their existing data protection policies or draft new policies to ensure compliance. Other ways that employers might demonstrate compliance are through regular audits, data impact assessments and training for staff.
Appointing a Data Protection Officer/Data Protection Manager
Employers will need to appoint a data protection officer (DPO) if any of the following circumstances apply:
- The employer is a public authority (except for courts acting in their judicial capacity).
- The employer’s core activities consist of processing operations which, given their nature, scope and purpose, require regular and systematic monitoring of data subjects on a large scale.
- The employer’s core activities consist of large-scale processing of special categories of personal data.
If these circumstances do not apply, an employer can still choose to appoint a DPO. Once appointed, the DPO will be subject to certain responsibilities and standards: for example, the DPO must be an expert in data protection, must report to the highest level of the employer, and must be impartial, with no potential conflicts of interest. The DPO’s details must be published and reported to the ICO.
If an employer is not required to appoint a DPO, we recommend employers consider appointing a data protection manager. This is not a role that is set out in the legislation, but is a way of ensuring that there is one point of contact for data protection queries and for overseeing data protection issues such as policies, training, audits, risk assessments and reporting breaches.
An employer may have to notify the individual(s) affected and the ICO in the event of a personal data breach, depending on the risk to the rights and freedoms of individuals.
Right to be forgotten
Individuals have the right to erasure, and this may mean that employers will have to delete some or all personal data held and processed about them, particularly after termination of employment. Employers have a month to respond, and exceptions to this right do apply, so we recommend you take legal advice promptly if you do receive such a request.
Subject Access Requests
Subject access requests (SARs) are changing. The £10 fee is being abolished, although where a SAR is “manifestly unfounded or excessive, in particular because of its repetitive character,” an employer may be able to charge a “reasonable fee”, bearing in mind administrative costs.
The deadline for responding to a SAR is being reduced from 40 days: employers must now comply without “undue delay” and within a month at the longest, although in particularly complex cases this may be extended by up to a further two months.
There is also a provision for employers to be able to require individuals to specify the information that the request relates to.
Should Shared Parental Leave Pay be enhanced in line with enhanced Maternity Pay?
Many of our clients pay enhanced maternity pay to women taking maternity leave. Following the introduction of Shared Parental Leave (SPL) for babies born on or after 5 April 2015, we have been asked whether employers should consider paying enhanced pay to those parents taking SPL. If not, does that amount to sex discrimination on the ground that male parents taking SPL are not receiving enhanced pay, compared to female parents taking maternity leave?
The government guidance has always been that maternity leave and SPL are two different types of leave and therefore it is acceptable to pay employees taking such leave on a different basis.
However, it has always been possible that a challenge may be made on the basis of sex discrimination, and this happened in the recent case of Capita v Ali. Helpfully, the EAT in this case has confirmed that not paying enhanced SPL pay in line with enhanced maternity pay is not direct sex discrimination.
The EAT concluded that the purpose of maternity leave and pay is to protect the health and wellbeing of a woman during pregnancy and following childbirth. The level of maternity pay is linked to the purpose of the leave.
The purpose of Shared Parental Leave is different from that of maternity leave/pay, and so a father taking SPL is not in a comparable position to a woman taking maternity leave. The EAT also noted that SPL is given on the same terms for both men and women. There is therefore no direct discrimination when a higher level of maternity pay is given than would be given to either sex on SPL.
The EAT also held that payment of maternity pay at a higher rate falls under s13(6)(b) of the Equality Act 2010 as special treatment afforded to a woman in connection with pregnancy or childbirth, and it is therefore permissible to treat men and women differently on this basis.
Scully Twiss GDPR Recommendations
- Review and update or replace your data protection policy
- Carry out a data impact assessment to consider what data you process, how, and why, and what changes you need to make to your current practices
- Update your privacy notices
- Update your employment contracts to remove provisions relating to blanket consent
- Provide sufficient training for all your staff on the implications of GDPR for your business
- Prepare an action plan in the event of a data breach
- Ensure staff can withdraw their consent simply, where appropriate
- Update your policies/practices on dealing with subject access requests
- Consider whether you need to appoint a DPO, or if not, whether you wish to appoint a data protection manager