UK GDPR provisions apply to any entity involved in processing personal data. Given the nature and amount of data that employers collect about employees, employers must put appropriate safeguards in place to ensure that they do not fall foul of the regulations.
Employers must be transparent about how they use and safeguard employees’ personal data and are accountable for their data processing activities. Employers may be required to demonstrate how they have complied with the data protection principles. Personal data must be:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept in a form which permits identification of data subjects for no longer than is necessary
- processed securely, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
What obligations does an Employer have under UK GDPR?
Employers must identify a lawful basis for processing an employee’s personal data before the processing starts. The lawful basis may be:
- The employee has given consent to the processing;
- Processing is necessary for the performance of the employment contract;
- Processing is necessary to comply with a legal obligation (for example a statutory requirement to keep records of employees);
- Processing is necessary to protect the employee’s vital interests (for example where there is a medical emergency and a disclosure to a hospital is required);
- Processing is necessary for the legitimate interests of the employer, provided those interests are not overridden by the employee’s own rights and interests.
One significant aspect of the UK GDPR is its concept of “consent.” The regulations require a “clear affirmative action” before anyone’s personal data can be processed on the basis of consent. Before the employee gives consent, the employer must be able to show that the employee has been told why their personal data is being collected and how it will be used and handled. In practice, consent is rarely the right basis in an employment relationship, because the imbalance of power between employer and employee makes it difficult to show that consent was freely given; employers should generally rely on one of the other lawful bases and reserve consent for genuinely optional processing. Additionally, the employer, as the controller, has to state the lawful basis on which it is using the data. For an employer, the most straightforward way to achieve both of these aims is to provide a Privacy Notice to a prospective employee. This should set out the company’s policy and its obligations under the UK GDPR.
What does a Privacy Notice require?
A Privacy Notice can be provided alongside a contract of employment in order to give sufficient detail about what information may be processed and for what purpose. When providing prospective employees with a Privacy Notice, the information to include is:
- The identity and contact details of the employer;
- A description of the personal data that is collected;
- The purposes for processing the data;
- The legal basis on which the processing will take place;
- Who the personal data is shared with;
- Whether personal data is transferred outside of the UK and, if so, details of the safeguards that are in place to protect the security of the data;
- How long the personal data will be kept for; and
- The rights that employees have in relation to that personal data, for example the right to request that the employer rectify any incorrect information.
Employers must explain the lawful grounds for processing in a way that an employee can easily understand. A privacy notice should not use jargon or corporate speak, and it should be reasonably clear and succinct.
What rights do employees have?
Employees have the right to information about the collection and processing of their personal data, including how it will be collected and for what purpose. In addition, employees also have the right to access the personal data and information held about them by the employer.
Where processing relies on consent, employees should be aware that their consent can be withdrawn at any time, and this should be made clear in the privacy notice. If consent is withdrawn then the employer must stop the processing that depended on it. Employees also have a right to object to processing carried out on the basis of the employer’s legitimate interests, and an absolute right to object to their personal data being processed for the purposes of direct marketing; they may also object to processing for scientific or historical research purposes on grounds relating to their particular situation.
Under the “right to erasure”, an employer may be obliged to delete the personal data records if requested. An employee may also require the employer to restrict processing of their data if the processing is considered to be unlawful or the data held is not accurate. Where data held is not accurate, the employee may also request that the data be rectified.
Employees have the right to data portability and may request that the employer transfer their data (in a structured, commonly used and machine-readable format, e.g. a CSV file) to another organisation. This right only applies to data that the employee has provided to the employer, where the processing is carried out by automated means and is based on consent or on the employment contract. This allows the employee to pass the necessary data over to a new employer. However, the employer is only obliged to transmit the data directly to the other organisation where it is technically feasible. The Information Commissioner’s Office (ICO) provides a template letter on its website showing how an employee can make this request to an employer.
How can employers ensure they are compliant with UK GDPR?
An employer can ensure compliance by creating and maintaining an inventory of the personal data held about employees and asking themselves:
- Why is the data being held?
- How was it obtained?
- What was the reason it was initially collected?
- How long will it be held?
- Is the information secure?
- Is the information shared, or will it be shared with third parties?
By asking these questions, the employer ensures they have covered all their bases and can make changes where there may be gaps in complying with the UK GDPR.
Employers should also have a data protection policy in place and train employees on the importance of UK GDPR.
Where employees request information through a Data Subject Access Request, employers must respond within one month. This period may be extended by up to a further two months where requests are complex or numerous, but the employer must tell the employee about the extension, and the reasons for it, within the first month.
Given the confidential nature of the information, employers must protect data with appropriate technical and organisational measures to ensure it is secure. Measures such as pseudonymisation, encryption, access controls and anti-virus protection may be implemented (note that data which has been truly anonymised is no longer personal data, whereas pseudonymised data still is). Where security measures have been implemented, they must be regularly tested to ensure they remain adequate and sufficient for their purpose, and the employer must be able to show that it has complied with its UK GDPR security obligations.
It is imperative that data is only kept for as long as it serves the purpose it was collected for, or as required by law. A retention policy is useful in order to justify why data was retained. Where data is retained, employees have the right to know what data the employer has and to correct this data where there are any errors or omissions.
Employers often use third parties, such as a recruitment agency or an HR company that manages payroll, to process employee data. Employers remain responsible for ensuring these third parties are UK GDPR compliant and that a written contract containing the terms required by the UK GDPR (Article 28) is in place to safeguard the data. Where the third party decides for itself how and why the data is used, it may be a controller in its own right rather than the employer’s processor, which changes the agreement that is needed.
It is important you comply with the legislation and ensure you have adequate policies and procedures in place to manage the collection, retention and erasure of employee data. Where you fail to comply with UK GDPR you could face significant penalties: for the most serious infringements the ICO can impose fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Legislate keeps up to speed with all developments ahead of these legal changes so you don’t have to. Our suite of lawyer-approved contracts put the confidence back into contracting. You can view our contracts here. To start Legislating today, book a demo with a member of our team or sign up!
The opinions on this page are for general information purposes only and do not constitute legal advice on which you should rely.