With apologies for the interruption to this series, here are two further reader questions on the GDPR as it will apply to employers in the UK.
I have heard that my corporate email address is my personal data. Does that mean that a DSAR sent to my employer should bring me copies of everything in its systems sent to or from that address?
This depends on the details of your request. Your corporate email address is indeed personal data but what you get back in response to a DSAR will depend as before on the scope of your request and whether the message containing your email address also contains any other personal data about you. Your employer may ask you to narrow your request by specifying the information or processing activities to which your request relates if it is too broad. The GDPR Recitals indicate that the purpose of the DSAR is for the data subject to be made aware of, and verify, the lawfulness of the processing activities that are the focus of the request.
In addition, you are entitled to know the purposes for which your employer holds personal data about you containing your email address (i.e. emails), the precautions taken to avoid these emails being hacked or disclosed to the wrong people, for how long the emails will be stored and which categories of recipients have access to the emails.
Equally, however, you are and will remain entitled (subject to all the current exceptions) to see personal data about you in emails on your employer’s system even if they are neither sent nor received via your own email address.
If the information you request contains personal data about other people or trade secrets or intellectual property belonging to the employer, such information may be excluded from what you will receive.
My employees sign a standard form of employment contract when they join under which they consent to my processing their personal data as necessary for the operation and maintenance of the employment relationship. Can I continue to rely on this?
In the most practical of practical terms, little risk arises under the GDPR until someone complains. If your employees are comfortable with your existing use of their personal data, then it might be said that you needn’t fix something which isn’t broken. The temptation will therefore be to let matters ride. However, that would be a very brave stance on anything but a short-term interim basis while appropriate GDPR-related revisions are being made to your employee privacy documentation. There are a number of reasons for this:
First, the fact that no-one has complained thus far doesn’t mean that they can’t or won’t in future. Silence to date may be no more than a recognition that current data protection law in the UK would not provide any material remedy even if the validity of that consent were questionable.
Second, even if a complaint about invalid consent remains financially a bit pointless for the employee, it will almost certainly count as a protected disclosure giving him/her the instant protection of whistleblower status.
Third, and most important, from May next year there will no longer be any doubt about whether that contractual consent is valid – it just won’t be. The argument runs like this – the consent required for the processing of personal data must be freely given. “Freely” means without duress (not in the legal sense of gun-to-head, but just where you would rather not but feel that you have no choice). Although reluctance and a sense of being between a rock and a hard place have never been allowed to invalidate consent in any other aspect of English contract law, the view taken for data protection purposes is that if I will miss out on a job if I don’t consent to the recruiter or my new employer using my personal data, that consent is not necessarily freely given. As a result, consent is generally invalid in the employment context under the GDPR due to the perceived imbalance in the relationship between the employer and the employee. From the employer’s standpoint, the fact that consent is not valid unless it can be withdrawn as easily as it is given (i.e. without meaningful downside) means that consent is an unsuitable basis for most of its employee-related processing activities.
Therefore the GDPR-compliant employer will need a different rationale for its holding and processing employee personal data. In most cases, the processing will be necessary for the performance of an employment contract, e.g. using the bank account details of the employee to pay his salary. Also, the processing may be necessary to comply with a statutory or judicial requirement, for example, for example disclosures to the HMRC or under Court orders. Employers may also rely on the processing being necessary for the purposes of their “legitimate interests”, for example, the need to use security to protect safety and property. The “legitimate interests” test requires the employer to apply a balancing test to evaluate any negative impact on individual employee rights before relying on this legal basis. If legitimate interests are used as the basis, the employee has the right to object and if that happens, the burden will be on the employer to show that it nonetheless has a compelling interest in processing the personal data at issue.
In line with the GDPR principles of data minimisation, security and storage limitation (deletion), therefore, employers need to take a cold hard look at what they need, and who needs to see it, and for how long. The retention of mere “nice-to-haves” on your employee files may consequently be an infringement of the GDPR even if the employee has signed that contract with you.
In relation to the holding of special categories of data (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs), consent – even explicit consent – will not likely be valid unless there is a real option on the part of the employee to say no or withdraw consent. The GDPR contains a new provision that authorises the processing of these types of data in order for employers to carry out legal obligations or to exercise specific rights accorded to them by EU or UK employment, social security or social protection laws.
More Practical Guidance on GDPR available Part 2, Part 3, Part 4, Part 5 and Part 7.