GDPR: Processing personal data in the workplace

Oliver Willis, Partner
With just under four months until the General Data Protection Regulation comes into effect, now is the time for employers to review their use of employee personal data.
Consent in the workplace
In order to lawfully process employees’ personal data, employers have to show that they have a lawful basis for the processing. A lot of employers have historically relied upon employee consent, but the GDPR’s stringent approach to obtaining consent means that relying solely on employees’ consent is risky at best and in many cases simply will not provide a lawful basis for processing.
Relying on consent from employees is problematic for two reasons:
- firstly, the GDPR states that consent is not freely given where there is a clear imbalance of power between the data subject and the data controller. This is likely to be the case in an employment situation, and the ICO’s draft guidance on consent emphasises this point; and
- secondly, consent can be withdrawn at any time.
1 Pre-employment checks
Employers frequently carry out background checks on candidates as part of their recruitment process. Carrying out these checks will almost certainly involve processing candidates’ personal data and special category data. In order to ensure that consent is validly obtained, candidates’ explicit consent to all checks should be obtained from the outset. While it may be possible to carry out some checks on the basis that the employer has a legitimate interest in doing so, the intrusiveness of the checks can mean that the employer’s legitimate interest is outweighed by the candidate’s privacy interest. In any case, the legitimate interests condition does not apply to processing special category personal data, which is often revealed by these kinds of checks. For instance, searching a candidate’s social media profile may well reveal information about his or her sexual orientation, ethnicity, or political or religious beliefs.
2 CCTV and Video Recording
Video recording in the workplace now extends far beyond CCTV, with dashcams and other data recorders being commonly used. Many employers have assumed that employees have consented to being monitored, either expressly or implicitly. Since employees rarely have any genuine choice about this monitoring, consent is not an appropriate basis for this processing. Employers will therefore need to consider whether an alternative basis is available. The use of video recording devices can sometimes be justified as a legitimate interest of the business, for security purposes or to capture transport data. Employers relying on the legitimate interests condition must ensure that the monitoring is proportionate to the aim and only carried out where there is no less invasive method available.
3 Use of biometrics
Technology allowing users to be identified based on physical, physiological or behavioural characteristics (so-called biometric data) is increasingly being used by employers, for example, the use of fingerprint scanners in security systems. However, under the GDPR, biometric data is special category data and is therefore subject to strict limits on its use. Processing biometric data is permitted where the data subject consents, but as explained above, it can be particularly difficult to show that valid consent is obtained in an employment context and, even where it is given, consent can be withdrawn at any time.
The practical effect of this is that employers will only be able to process biometric data in extremely limited circumstances once the GDPR is implemented. Where employers already use biometric data, they should consider whether they should instead implement alternative measures.
4 IT monitoring
The increase in remote working and a desire to prevent data leaks and cyber-attacks has resulted in organisations using increasingly sophisticated techniques for monitoring employees’ use of IT systems.
However, while many employers would claim that they have a legitimate interest in processing personal data in these circumstances (instead of relying on consent), it is important to ensure that any measures taken are proportionate and no more intrusive than necessary. Constant monitoring, the scanning of employees’ devices where an employer operates a ‘bring your own device’ policy, or the use of software which logs keystrokes and mouse movements will not necessarily be proportionate to the legitimate interest. Employers must also keep in mind that legitimate interest does not provide a basis for processing special category data.
Employers should consider methods of avoiding accessing or processing employees’ private information while at work, such as using a virtual private network, offering free Wi-Fi or standalone devices which aren’t monitored.
For certainty, the Information Commissioner’s Office (ICO) recommends that organisations routinely carry out a privacy impact assessment to assess whether the workplace processes and systems in place are lawful and proportionate to the purposes behind the processing of any personal data.
Informing employees
Whether they rely on consent or the legitimate interests condition, employers are under a duty to provide employees with information about how their personal data is used. There are a few exceptions to this duty, but they will rarely apply in an employment context.
The GDPR explains what information must be provided, and when it must be provided. The GDPR is more prescriptive than the current legislation, so existing privacy notices should be reviewed to make sure they include all of the required details.
Conclusion
Now is the time to assess the procedures that your organisation has in place for processing employee data, and for keeping employees informed about how their data is used.