Top 10 HR Questions About GDPR | Processing Personal Data
Nearly four months after the legislation came into force, business owners and HR departments should be well underway with GDPR by now and should be making sure that they process their employees' personal data fairly and lawfully. While advising on HR and data protection we have seen the same queries about the processing of employee data come up repeatedly; this guide tackles the top 10 FAQs from HR professionals.
1. Do I need to send anything out to my employees about GDPR?
- No, not necessarily. We had the Data Protection Act 1998 and now we have GDPR and the Data Protection Act 2018, so this is not a completely new concept; the law has been updated rather than replaced. As long as you have audited how you process personal data and identified the changes you need to make, you do not have to announce those changes to your employees. You may have revamped your employment contracts and handbooks in light of the changes (if you are a documentation client of ours, we will have helped with the necessary amendments) and put an easily accessible employee privacy notice in place, but you do not have to send blanket information about GDPR as a whole to all staff. You may have identified that certain roles in the organisation need to be aware of particular GDPR rules (anyone who handles job applications, references or access requests, for example); what is needed will depend on which roles the changes affect.
2. An employee has asked to see or receive copies of personal data held on them; do I have to provide it?
- Typically, yes. This is known as a Data Subject Access Request (often shortened to a subject access request or DSAR). If you have a good reason for not providing some of the data (for example, because doing so would disclose personal data about someone else and infringe their privacy rights) you can consider withholding that part, but we strongly recommend seeking advice before you do, because in the majority of cases employees are entitled to copies of the information they have requested. If you are a Wirehouse GDPR client you can seek advice on our Advice Line; if you are not, you can enquire with the supervisory authority, the ICO. Note that the right extends to emails sent between colleagues, management and so on that contain the employee's name or otherwise identify them, so be mindful of what you say in internal communications. Since GDPR you can no longer charge £10 for providing the information, and you now have only one month to respond in most cases. One of the most important changes is that a verbal request counts as a subject access request: the one-month clock starts when the request is made, and the employee is not obliged to put it in writing. If you have genuine doubt about who is asking you can ask them to confirm their identity, but do so promptly rather than using it as a way to delay. Make sure that managers, and anyone else likely to receive a request, know this.
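As an added illustration (written for this page, not Wirehouse material, and no substitute for advice on a real request): once a request arrives, someone has to find the emails that refer to the employee and work out which of them also contain other people's personal data before anything is handed over. The Python script below does that over a constructed sample mailbox. The employee, the colleagues, the addresses and the staff number are all fictional, and the two identifier lists are assumed to be supplied by HR; a name search is only a starting point, since an email can be about someone without naming them, which is why anything mentioning a third party is flagged for human review rather than released automatically.

```python
"""Added example: finding email that mentions a data subject for a DSAR.

Illustration written for this page, not Wirehouse tooling. Assumes the
mailbox has already been exported as raw RFC 5322 messages and that HR
supplies the identifiers by which the employee may be referred to.
"""
import email
import re
from dataclasses import dataclass, field
from email import policy

# Constructed sample mailbox; people, addresses and the staff number are fictional.
SAMPLE_MAILBOX = [
    "From: line.manager@example.test\n"
    "To: hr@example.test\n"
    "Subject: Probation review - Jane Doe\n"
    "Message-ID: <msg-1@example.test>\n"
    "\n"
    "Jane Doe (staff no. EMP-0042) passed her probation. No concerns.\n",
    "From: hr@example.test\n"
    "To: payroll@example.test\n"
    "Subject: Starter forms\n"
    "Message-ID: <msg-2@example.test>\n"
    "\n"
    "Attached are the starter forms for John Smith, starting Monday.\n",
    "From: line.manager@example.test\n"
    "To: director@example.test\n"
    "Subject: Team issues\n"
    "Message-ID: <msg-3@example.test>\n"
    "\n"
    "jane.doe@example.test raised a grievance about John Smith's conduct.\n",
]

# Identifiers for the requester, as supplied by HR (assumed input).
REQUESTER_TERMS = ["Jane Doe", "jane.doe@example.test", "EMP-0042"]
# Other identifiable individuals whose data must be reviewed before disclosure.
THIRD_PARTY_TERMS = ["John Smith"]


@dataclass
class Hit:
    message_id: str
    subject: str
    matched: list = field(default_factory=list)        # requester identifiers found
    third_parties: list = field(default_factory=list)  # other people mentioned
    text: str = ""


def _pattern(term: str) -> re.Pattern:
    # Literal, case-insensitive, and not part of a longer token, so that
    # "EMP-0042" does not match "EMP-00421" and "jane.doe@..." stays intact.
    return re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)


def _message_text(raw: str) -> tuple:
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    subject = str(msg["Subject"] or "")
    return str(msg["Message-ID"] or ""), subject, subject + "\n" + body_text


def search_mailbox(raw_messages, requester_terms, third_party_terms):
    """Return a Hit for every message that refers to the requester."""
    hits = []
    for raw in raw_messages:
        message_id, subject, text = _message_text(raw)
        matched = [t for t in requester_terms if _pattern(t).search(text)]
        if not matched:
            continue
        others = [t for t in third_party_terms if _pattern(t).search(text)]
        hits.append(Hit(message_id, subject, matched, others, text))
    return hits


def redact(text, third_party_terms, placeholder="[third party redacted]"):
    """Mask other individuals' names so the copy can be disclosed."""
    for term in third_party_terms:
        text = _pattern(term).sub(placeholder, text)
    return text


def prepare_disclosure(raw_messages, requester_terms, third_party_terms):
    """Pair each hit with the text that could be released, flagging review."""
    bundle = []
    for hit in search_mailbox(raw_messages, requester_terms, third_party_terms):
        bundle.append({
            "message_id": hit.message_id,
            "needs_review": bool(hit.third_parties),  # a human checks these
            "text": redact(hit.text, hit.third_parties),
        })
    return bundle


if __name__ == "__main__":
    for item in prepare_disclosure(SAMPLE_MAILBOX, REQUESTER_TERMS, THIRD_PARTY_TERMS):
        flag = "REVIEW" if item["needs_review"] else "ok"
        print(f"{item['message_id']} [{flag}]\n{item['text']}")
```

Against the sample, the probation email matches on name and staff number with nobody else mentioned, the starter-forms email is not about the requester at all, and the grievance email matches on the address but also names a colleague, so it comes back redacted and flagged for review. On a real export you would run the same search over every mailbox and shared drive where the employee's data may sit, not just the HR inbox.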
3. What has changed in relation to references?
- Not much. You still provide and receive them in the same way. Make sure you have obtained consent from an applicant before requesting a reference; we would advise being clear about exactly who you will approach rather than relying on a free-for-all consent to contact whoever you like. Before providing a reference to another organisation you may also want to ask for evidence that they have obtained your ex-employee's (or current employee's) consent. The ICO has updated its guidance on providing a copy of a reference to an employee who requests it. If you are the organisation that wrote the reference, you do not have to provide a copy. If you are the organisation that received it, previously you would have had to provide it to the employee on request; the Data Protection Act 2018 now extends the exemption for confidential references to the recipient as well, so you do not have to disclose it. Because the reference is also personal data about the person who wrote it, you should not disclose it without their consent unless you can successfully anonymise it.
4. My employee (or ex-employee) has asked that I delete all personal data we hold on them. Do we have to do this?
- No, not if you can justify retaining it. The right to erasure is not absolute. If you have a reason to keep the data for a specified period (for example, records you are legally obliged to retain for tax purposes) you can refuse the request in respect of that data. In the majority of cases you will have a sound reason to keep at least some of an employee's personal data, but you should still delete what you no longer need, and when you refuse you must tell the employee why and that they can complain to the ICO.
5. Do we have to get employees' consent to process all the data we have on them?
- Generally, no. For most of the data you hold on your employees you will not be relying on consent, because the imbalance of power between employer and employee means consent is unlikely to be freely given and is therefore invalid in many circumstances. You would only use consent where the employee would suffer no detriment if they withdrew it, such as for optional employee benefits like a healthcare scheme. For the majority of day-to-day employee data processing you will rely on another lawful basis; consent is only one of the six. For example, you will retain much of their data under a legal obligation, and you will process other data in order to perform the employment contract. Do not fall into the trap of asking for "consent" in the contract in order to use their information. Remember that individuals can withdraw consent at any time, so if you would be in difficulty should an employee withdraw consent to the processing, you have chosen the wrong lawful basis and should choose one of the others.
6. How do I keep employee data secure?
- You will need to conduct a risk assessment of the personal data you hold (what it is, where it is kept, who can access it and how it moves between systems and third parties) and then, as an organisation, decide what level of risk you are willing to tolerate weighed against the cost and practicality of the available security measures. GDPR does not prescribe specific controls, but Article 32 names pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of your systems, the ability to restore data after an incident, and regular testing of the measures in place. Restricting access to HR records to the people who need them is the obvious starting point.
7. Can I have CCTV that captures my employees' images?
- You will need to conduct a data protection impact assessment (DPIA) to decide. Any claim for unlawful CCTV use would be brought under data protection law rather than HR or employment law. Broadly speaking, you need a good reason for CCTV recording (usually "legitimate interests"), and if you are going to do it, limit it to what is necessary. If employees are captured now and then because the system operates for security purposes and footage is only viewed in the event of an incident, this will usually be acceptable. If you are using CCTV to monitor staff you need very strong reasons, which you will have to justify in your DPIA and monitoring policy, and staff must be told that it is in operation and why (signage and your privacy notice). Limit what you capture to what is necessary for the purpose; for example, do not record audio if images are sufficient.
8. Can I share employee personal data with third parties?
- Yes, provided you have established a lawful basis for doing so and you are transparent about the sharing in the employee privacy notice. For example, you have a legal obligation to share certain information with HMRC, which is your lawful basis for sharing with them. Distinguish between recipients that decide for themselves what to do with the data (HMRC, a pension provider) and those that process it only on your instructions (an outsourced payroll bureau, a cloud HR system). The latter are "processors", and GDPR requires a written contract with them covering the matters listed in Article 28: acting only on your documented instructions, confidentiality, security, the use of sub-processors, assisting with data subject requests, deleting or returning the data at the end of the contract, and allowing audits. For other recipients you may also want to put something in your commercial agreements setting out your expectations of their GDPR compliance.
9. Does GDPR now mean we can’t send payslips out via email?
- Nothing in GDPR says this, but the legislation does require "appropriate technical and organisational measures" to secure the data, so it is up to each organisation to decide whether its process for issuing payslips is adequate and what level of risk it is willing to tolerate. Remember that a payslip reveals salary, tax and National Insurance details and is usually going to a personal mailbox you do not control. If you are going to password-protect the payslips, use a separate password for each employee, deliver it by a different channel from the email itself (a password sent in the same or a follow-up email protects nothing), have a secure process for resetting it when it is forgotten, keep the passwords safe, and change a password if you have any reason to think it has been shared or exposed. Some companies offer secure portals for issuing payslips, which remove the need to send the document by email at all and may give peace of mind.
10. Can I use biometric data? (e.g. fingerprint or eye recognition for clocking in)
- You would need to undertake a data protection impact assessment before deciding. Biometric data used to uniquely identify someone is "special category data" (previously known as sensitive personal data), so you need both a lawful basis and an additional condition from those set out in the legislation. Explicit consent is the condition most often cited, but as discussed in question 5 an employee's consent is hard to treat as freely given; if you rely on it you must offer a genuine alternative (such as a swipe card or PIN) to anyone who declines, with no detriment to them. Keep the biometric templates separate from other HR data, restrict who can access them, and delete them when the employee leaves.
Contact us today for information about our GDPR Legal Advisory Service, which extends to all personal data processed in your organisation, not just your employees' data. We can also offer a GDPR Compliance Report specific to your organisation, or an ongoing advice service with access to various template documents.