Currently, many companies rely on their employees’ consent to process their personal data and short consents are often included in employment contracts for that purpose. The benefits of this approach are obvious: rather than having to determine which legal basis (from a number of potential legal bases for the processing of employee data) applies to each category of employees’ personal data, an employer can simply rely on an all-encompassing consent (see Practice note, Employer obligations under the Data Protection Act 1998: Schedule 2 conditions).
However, there have already been a number of challenges to such an approach. For example, as far back as 2001, the Article 29 Working Party, in its Opinion 8/2001 (on the processing of personal data in the employment context, WP48, 13 September 2001), indicated that consent would only be viable where employees have a genuine free choice and are subsequently able to withdraw their consent without detriment. Since then, some data protection authorities have rejected consent as a basis for the processing of employee personal data, and the Information Commissioner’s Office took a similarly strict approach in its consultation on its draft guidance on consent earlier this year, holding that the consent basis is very likely to be inappropriate in an employment context (see Legal update, ICO consults on GDPR consent guidance). Even where an employer is actually able to rely on consent, the fact that employees can withdraw their consent at any time means that employers will need to structure centralised HR processing practices to accommodate such withdrawals.
Under the General Data Protection Regulation (GDPR), the requirements for valid consent have been made much stricter. Consent must be freely given, specific, informed and revocable. The GDPR expressly states that, where there is an imbalance of power between the party giving consent and the party receiving it, consent will not be valid. In the employment context, it has long been acknowledged that there is such an imbalance between employer and employee. This means that it will be very difficult indeed for employers to rely on consent to process employees’ personal data under the GDPR.
So what should employers do instead of relying on employees’ consent to process their personal data? As noted above, consent is only one of a number of potential legal bases for processing employees’ personal data. Employers will therefore need to consider which alternative legal basis is appropriate for each category of employees’ personal data. For example, employers can rely on processing being necessary for the performance of the employment contract, to cover the processing of employees’ bank account data which they require to pay employees. To take another example: employers are required by law to process sickness absence data to facilitate the payment of statutory sick pay and there are other legal obligations on which employers can rely to legitimise some of their processing of employees’ personal data. Employers can also process personal data based on the vital interests of the employee.
However, in reality the legal basis to which most commercial employers are likely to turn is “legitimate interests”, that is, that their legitimate interests in processing employees’ personal data outweigh the general privacy rights of employees. This is potentially very wide in scope and will no doubt assume much greater prominence under the GDPR.
There are, however, limits on how far employers can legitimately extend their interests. Firstly, the legitimate interests basis does not apply to processing carried out by public sector authorities in the performance of their tasks (as an alternative, they might consider whether processing on the basis of carrying out a public function justifies the processing). For private sector employers, as well as being strictly necessary for a legitimate purpose, processing under this legal basis must comply with the principles of proportionality and subsidiarity. Employers will therefore need to conduct a proportionality test to consider whether all personal data collected are necessary, whether the processing outweighs the general privacy rights that employees have in the workplace and what measures must be taken to ensure that infringements on the right to private life and the right to secrecy of communications are limited to the minimum necessary.
Processing, therefore, must not only be legitimate, but must also be necessary, proportionate and implemented in the least intrusive manner possible.
The Article 29 Working Party’s recent Opinion 2/2017 (on data processing at work, WP249, 8 June 2017) provides some helpful examples of the likely limits of this legal basis. For example, if an employer deploys a data loss prevention tool to monitor employees’ outgoing emails automatically to prevent unauthorised transmission of proprietary data, in order to rely on legitimate interests it will need to ensure, amongst other things, that the rules that the system follows to characterise an email as a potential data breach are fully transparent to employees and that employees are warned in advance if the tool recognises an email that is to be sent as a possible data breach, so as to give the sender the option to cancel this transmission (see Legal update, Article 29 Working Party adopts opinion on employee monitoring).
Another example of the limits of legitimate interests is an employer maintaining a server room in which business-sensitive data, personal data relating to employees and personal data relating to customers are stored. The employer can rely on its legitimate interests in preventing unauthorised access, loss or theft of the data when installing an access control system that records employees’ entrance and exit details, assuming employees have been adequately informed about the processing. However, this continuous monitoring cannot be justified if these data are also used for other purposes, such as employee performance evaluation.
So what steps should employers take now to comply with the GDPR? First of all, companies need to review their template employee documentation such as employment contracts and any free-standing employee data processing consents.
For new hires, companies should replace the consent language in these documents with new language referencing one or more of the alternative legal bases referred to above. For existing employees, companies will need to roll out employee data processing notices which refer to these alternative legal bases.
Finally, employers should be aware that their choice of legal basis may also affect employees’ rights and their obligations to employees. Under the GDPR, employees’ rights regarding their personal data are expanded and strengthened; for example, there are new rights to data portability and to be forgotten (see Practice note, Data subject rights under the GDPR). However, the former right only applies to data processed by consent and the latter right only applies, amongst other things, when consent is withdrawn.
Accordingly, by relying on the “legitimate interests” legal basis, an employer can reduce its compliance obligations vis-à-vis its employees. Every cloud does in fact have a silver lining!
In summary, it is likely that employers will turn to “legitimate interests” to process employee data under the GDPR. To ensure that such processing is valid, employers will need to conduct proportionality tests to establish that: (i) all personal data collected are necessary; (ii) the processing outweighs the general privacy rights that employees have in the workplace; and (iii) measures have been taken to ensure that infringements of employees’ right to private life and secrecy of communications are limited to the minimum necessary.
For further information, see Practice notes, EU General Data Protection Regulation: implications for employers, and Employee consent under the GDPR.