Understanding Your Data Protection Obligations – An Employer's Guide
Date: 12th September 2018 | Categories: GDPR, Health and Safety
Under the new data protection laws, you need to justify your ability to process (including just storing) every bit of personal data in your organisation. In this article, we look specifically at the types of employee personal data that are processed by organisations and what your data protection obligations are.
What is a Lawful Basis?
Processing of employee data means using their data in some way, including just retaining it. For every type of personal data you process, you must be able to rely on a Lawful Basis before doing so. This includes when you are sharing the data with third parties such as external payroll bureaus, HMRC, pension providers and health benefit providers.
There are 6 Lawful Bases to rely on; you are only entitled to process the data if you can rely on one of these:
1. Consent
2. Performance of a contract
3. Compliance with a legal obligation
4. Protect the vital interests of the data subject or other person
5. Public interest
6. Legitimate interests
Therefore you need to map out your HR data and decide which Lawful Basis you will rely on for each type of data you hold and for sharing it with any third parties.
The Lawful Basis "Consent" is likely to be invalid where there is an "imbalance of power between parties". It is therefore thought that consent will be invalid for most processing of employee data, so you should pick another basis where possible. Don't start issuing generic forms asking employees to agree or consent to you processing their data; it's likely to be invalid, and they're entitled to withdraw consent at any time anyway, which could leave you in a bit of a dilemma! The only things you're likely to use consent for are truly optional matters such as having employee photos on your website or the company social media page.
Here are a few examples and the Lawful Basis we'd recommend relying on (remember, it's a new piece of legislation, so test cases and examples are yet to be seen):
1. Processing payroll data – Basis 2: performance of a contract (you have to process their details for payment in order to fulfil the employment contract).
2. Sharing employee data with a pension provider or HMRC – Basis 3: legal obligation (you're legally required to share some information with HMRC and legally required to enrol eligible employees into a pension scheme).
3. Processing of health data – Basis 6: legitimate interests (depending on the circumstances, but in a lot of scenarios this would be your lawful basis).
4. Processing copies of their passports – Basis 3: legal obligation (for right to work checks).
Special Category Personal Data
Under GDPR, some personal data is regarded as "special category personal data" and is subject to higher safeguards. This means that not only do you have to have a Lawful Basis for processing it, but you also need to rely on an additional "condition" to be able to process it.
What is regarded as special category data?
- Ethnic origin
- Political opinions
- Philosophical belief
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Data concerning a natural person's sex life
- Sexual orientation
So, in an employment context, this would include things such as:
- Health data you obtain from a medical report, through return to work interviews, on health questionnaires etc.
- Data collected on equal opportunity forms (unless this can be successfully anonymised).
- Data collected through the use of fingerprint scanning or other biometric log-in systems.
Processing an Employee's Personal Data
You would first need to rely on a "lawful basis" and then an additional "condition". There are 10 conditions to choose from, and they are written in quite complex legal jargon, so we have tackled an example of a common query which all employers will need to document:
Q. How can you justify the processing of employee health data after obtaining a medical report from an employee's GP following a period of long-term sickness?
A. You'd likely rely on "legitimate interests" as your Lawful Basis. The additional condition to rely on, since this is special category data, is likely to be "necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law".
We've recently updated all of our forms relating to the collection of medical data, so if you're a Wirehouse client, make sure you're downloading the correct ones from the system or asking us for the latest version. If you are not currently a Wirehouse client, contact us for more information about our GDPR and other HR services. You need to detail all of your data processing in your privacy notice, and any processing of special category data must also be detailed in your policy on processing special category personal data. These are documents you'd need to source from a data protection point of view.
GDPR and associated data protection legislation fall outside the remit of Employment Law and HR, even though they relate to your employees, because any claims made would fall under data protection law. If you're still unsure about GDPR and what your company needs to do in relation to all the personal data it holds, including employees, customers, suppliers, CCTV recordings, online identifiers and biometric data, we would recommend our GDPR Report Service to give you an idea of how to move towards compliance. If you want the added security of being able to seek advice from a GDPR Practitioner with access to a full range of GDPR template documentation, we would recommend our GDPR Advice Line Service.
For further details about GDPR Services from Wirehouse, contact us today.