
HR Countdown to GDPR

16 May 2018

Steve Desmond, Business Advisory Director

HR Department Checklist

HR departments work with personal data constantly and are among the professionals who have needed to be fluent with the GDPR requirements very quickly. By the 25th May it is important for HR departments to have:

  • Audited the personal data held, both physical and electronic, against the 6 data protection principles
  • Considered the retention policy, removing non-compliant information
  • Considered on what lawful basis employee information is being retained (see below)
  • Developed a suite of GDPR ready policies and procedures including an Employee Data Protection Policy, Privacy Notice and Retention Policy
  • Developed a Subject Access Request (“SAR”) procedure and recommended a suite of response template letters
  • Circulated new privacy notices to employees (not forgetting potential employees)
  • Rolled out training on how to recognise and respond to SARs
  • Removed consent to process personal data from contracts of employment (consent must be freely given and be separate from other terms and conditions)
  • Validated the security of any third-party providers e.g. payroll systems
  • Consolidated the information that is held on file

For personal data to be processed, the legal basis for doing so should be reviewed. The most appropriate legal bases for employers include:

  • Consent by the employee
  • Processing being a required component for the performance of the employee contract
  • Complying with a legal obligation
  • Being part of the legitimate interests of the company

ICO guidance regarding employees is to avoid relying upon consent. This is because under GDPR consent must be freely given and be easily withdrawn. In an employment context, consent is something the employee effectively has to grant rather than something that they give freely. Given that consent is a popular legal basis for employee data processing, it is wise to review and re-categorise the legal basis upon which each piece of employee data is being held.

If it is likely that sensitive information (or Special Category Data) is being held, such as health, race, ethnicity, religious beliefs, criminal convictions etc., this requires an additional condition for processing, such as:

  • Explicit employee consent
  • Any need to carry out legal obligations such as using information relating to sickness absence to comply with employment law
  • Where it is needed in the public interest, such as for equal opportunities monitoring
  • Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards
  • Establishing, exercising or defending legal claims

Again, relying upon employee consent is unlikely to be sufficient. This will also impact your retention policy, as employee records may need to be held to avoid prejudicing any legal claims.

Data Subject Rights

An employee can request a copy of the personal data which the data controller holds about them by raising a SAR. In practice, such requests tend to be made during a claim or dispute, where the information is requested to assist with the proceedings.

What should you do?

  1. Clearly identify who is making the request, otherwise request further information. A Template Subject Access Request Form can be used to glean the correct information.
  2. Consider the scope of the request: is this clear and what information is being requested? Consider that the law provides an exemption for requests where parts are manifestly unfounded, frivolous, vexatious, unnecessarily repetitive or otherwise excessive, but you must try to meet the requirements in part. The £10 fee has been removed so businesses can charge a reasonable fee if the request is complex and/or multi-layered, and the time frame to provide it can be extended from one to three months.
  3. Promptly respond with an acknowledgement letter and ensure you document the entire process. Having a suite of template response letters is useful. If in any doubt, take legal advice (see McWilliams v Citibank where refusing subject access resulted in a successful unfair dismissal claim against the bank).

Remember, the data subject is only permitted to see personal data. This is complex given that in the event of a dispute there may be ongoing disciplinary proceedings that can involve other individuals in the organization whose rights must be protected. This obligation is similar to the existing legislation where requests must be proportionate and not unreasonable.

The GDPR presents a range of challenges and opportunities from an employment perspective, raising the compliance level for sensitive data for years to come.

This article was originally published in the Guernsey Press.