Posted by Malcolm Gregory, Partner
GDPR and employee data: two years on
There was a wave of activity in the lead up to GDPR becoming law in the UK on 25 May 2018. Employers were frantically data mapping, reviewing their policies and preparing privacy notices. This was followed by a significant increase in data subject access requests from employees who became very aware of their data rights and began using them.
Remember: the data protection law hasn’t been relaxed
Over the last 12 months we have seen a gradual reduction in data protection compliance activity to an almost imperceptible background noise – in particular over the last six months where most things have been overshadowed by issues flowing from the pandemic.
In a recent poll of SMEs, the majority of organisations had not reviewed their data protection policies and procedures in the last 12 months. Worryingly, there was evidence of some organisations not having finished what they started over two years ago.
Since March 2020, coronavirus has been the focus for most organisations who have taken the view that regulatory issues such as data protection must take a back seat. It is important to recognise that the law on data protection has not been relaxed. Legal and other enforcement action remains a real risk. A fundamental aspect of GDPR is the accountability principle which not only requires data controllers to comply with the law but also to demonstrate that they have done so.
The ICO’s approach
The Information Commissioner’s Office (ICO) has issued a statement on its website regarding the approach it is taking during the pandemic. It says,
“We know you might need to share information quickly or adapt the way you work. Data protection will not stop you from doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is”.
It goes on to say that the ICO understands that resources are limited and may be diverted away from the usual compliance work and the ICO “won’t penalise organisations that [they] know need to prioritise other areas or adapt their usual approach during this extraordinary period”. Good news and a helpful approach from the ICO.
Organisations have been getting used to dealing with the “new normal” since lockdown was announced on 23 March 2020. Plans have been put in place and we are seeing a drive from the Government to get back to working normally as soon as possible. This means that the ICO will also be expecting organisations to return to normal in terms of data compliance and we expect them to quickly become less tolerant of breaches being blamed on the pandemic.
New data issues have arisen recently such as health testing of employees and how data is managed with homeworking. The speed with which this happened has left many organisations wondering what they have to do to comply with GDPR.
Helpfully, the ICO has published guides on the most common issues. For example, its top ten tips on homeworking include only using technology approved by the employer, considering confidentiality when using video calls, locking away personal data and not mixing the organisation's data with that of the employee. There are also helpful checklists for employers to aid compliance.
Health screening data
As part of an employer’s risk assessment, many are considering whether to implement COVID-19 health screening. It’s important to recognise that an employee’s health data is sensitive and needs to be protected more carefully than other kinds of data. It is worth carrying out a data protection impact assessment which will guide the data controller in deciding whether testing is really necessary and proportionate, what data risks exist and how those risks will be mitigated.
If testing is proportionate and there is no less intrusive way of protecting the health and safety of staff and others, then an employer could rely on legitimate interests as a lawful reason to process the data, together with the employment condition in the regulations (Article 9(2)(b) and Schedule 1 condition 1 of the Data Protection Act 2018). Employers should update privacy notices to cover this and ensure they only collect data that is limited to what is actually needed, that it is kept securely and that it is not retained for any longer than is necessary. It isn't possible to force an employee to undergo a health check, but there could be disciplinary consequences if the refusal is unreasonable. Specific legal advice on this issue is key.
GDPR and Brexit
When the Brexit transition period ends on 31 December 2020, GDPR principles will not disappear. EU GDPR will be replaced by UK GDPR and the Data Protection Act 2018 will remain. We suggest you put a plan in place to bring data compliance back into focus. This could include:
- reviewing your existing policies
- checking and updating your data map particularly looking for new data sources which you are processing
- checking that the lawful bases for processing data are still valid
- reviewing whether data retention periods are being complied with
- updating privacy notices and publishing them
- reminding and retraining your employees about the data protection principles.
As we move towards the end of the Coronavirus Job Retention Scheme, we are likely to see an increase in claims from employees who feel they have been treated unlawfully. This will likely spark an increase in ancillary issues such as data subject access requests. Time limits for complying with data breach reporting (72 hours) and DSARs (30 days) have not been relaxed and so employers should ensure they are ready to respond.
If you want to speak to an expert about data protection in the workplace, please contact us.