Employers collect and process large amounts of personal information about their employees. This data ranges from the contact details in a CV and motivation letter to health and social insurance information, training documents and performance evaluations. To help employers meet the legal requirements, the ICO has published guidance on how to process employee data in the workplace. We have summarised the main points for you to follow.
The special nature of an employee’s personal data
Special categories of data, such as information about race or ethnic origin, biometric data, or data concerning health, are subject to a higher level of protection. In an employment relationship, you are likely to process such sensitive data, for example health data when an employee is off sick.
As an employer, you have access to much of your employee’s personal information. Therefore, the HR department in particular must carefully observe data protection rules while processing this data.
GDPR legal basis for processing personal data in employment relations
If employers wish to process an employee’s personal data, they need to demonstrate a legal justification. Art. 6 GDPR (General Data Protection Regulation) provides several possible grounds for lawful processing. Employers need at least one of these legal grounds to process employees’ personal data; the most relevant are as follows:
- Consent: If the data subject has given consent to the processing of his/her data for a specific purpose.
- Performance of a contract: If the processing is necessary for the performance of, or prior to entering, a contract to which the data subject is a party.
- Legal obligation: If the processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interest: If the processing is necessary for the legitimate interest pursued by the controller.
In an employment relationship, you are likely to process your employee’s information on the legal basis that it is necessary for the performance of a contract, namely the employment contract. For instance, you are allowed to process bank details in order to pay your employee’s salary because it is your contractual obligation to do so. Compliance with a legal obligation to which the employer is subject will often serve as the legal basis as well, for example keeping certain information for tax purposes as required by national legislation.
Note that Art. 88 GDPR, which refers to the processing of data in the context of employment, provides an opening clause. That means that individual EU member states may provide more specific rules on data protection in the employment context in their countries. You can see an overview of different national provisions by choosing ‘Data protection for employees’ in our comparison tool for the GDPR and national data protection laws.
Employment Practices Code in the United Kingdom
The UK supervisory authority (ICO) published the so-called Employment Practices Code, which contains the ICO’s recommendations on how employers can meet the legal requirements of the UK Data Protection Act 2018 (DPA 2018), the act that updated UK data protection law in the context of the GDPR.
The DPA lays down the rules for employers to follow in processing employees’ data. Please see the following practical considerations:
Understanding the DPA 2018
The DPA 2018 applies to information about identifiable people, including job applicants and employees, and regulates the way their data can be collected, handled and used. Furthermore, the DPA grants individuals rights, including the right to access information held about them and the right to compensation in case of data misuse. Lastly, the DPA 2018 applies to computerised information and to well-structured manual records, such as files about job applicants.
The DPA 2018 generally applies to information that employers keep on file about their employees. The DPA 2018 does not prohibit the processing of personal data held during employment. While you will not need your employees’ consent for keeping employment records, data subjects must be able to exercise their rights, including the right to obtain information that these records hold about them.
Furthermore, you should limit the number of people that have access to these records, and inform those who do have access about the obligation to keep data secure.
Based on the principle of data minimisation and purpose limitation, the DPA 2018 says that you should only keep data that is relevant and delete data for which you have no genuine business need or legal duty to preserve.
Once you no longer have a business need or legal requirement to keep an employee’s record, make sure you securely dispose of or erase that information.
Monitoring at work
The DPA 2018 applies when employers monitor employees by collecting or using information about them, such as checking telephone logs to detect excessive private use or monitoring e-mail or internet use. The DPA 2018 does not prohibit these activities, but you must be able to justify the monitoring.
Monitoring is only justified if there is no less intrusive method of achieving the purpose in question. Furthermore, you must inform employees about the company’s monitoring activities.
If you monitor e-mails of employees in their absence, you must inform them, and you may not open e-mails that are obviously private or personal. You should check the addressee or subject line of the e-mail to make sure it is business-related.
Employees have a legal right to access information held about them. If an employee objects to your holding or using information about them because it causes harm, you should delete the data in question unless you have a compelling reason to continue.
Employees can claim compensation if they suffer as a result of a breach of the DPA. Therefore, you should ensure that you treat employees’ data correctly, securely and responsibly.
Recommendations for UK employers
Companies process large amounts of employee personal data. In most cases, the processing will be necessary for the employment relationship, either to carry out a contract or to comply with legal obligations to which the employer is subject. As the ICO laid down in its Employment Practices Code, if the processing is relevant in the employment context, in most cases you will not need to obtain the employee’s specific consent.
However, you should make sure that you inform employees about your company’s processing activities and that they can effectively exercise their rights under the data protection regulations.
Make data protection your competitive advantage. Our UK data protection support will help you!