Designed to be of interest to small and medium sized companies, Jon Curtis analyses some of the issues that the General Data Protection Regulation (GDPR) brings for employers, HR Software companies and HR software users.
The GDPR have real teeth in the case of serious breach. Failure to comply may result in fines of up to EUR20 million or 4% of the organisation’s turnover (whoever is the higher) so it's worth taking seriously!
This report should be no substitute for legal advice – its purpose is to assist with your training and to highlight some of the key issues. With legislation as complex and meaty as the GDPR it is important to get specific legal advice on any questions you might have.
Before getting into the meat of the new Regulation, let is just remined ourselves of some the key terms – which actually have not changed very much under GDPR.
Adequate, relevant and limited to what is necessary;
Accurate and where necessary kept up to date, errors corrected quickly;
Kept for no longer than is necessary;
Processed with adequate security.
For employers, this is probably the most important concept to grasp.
Under the DPA, employers (and many HR software companies) relied on consent to process employees’ data. It was an easy way to lawfully process data and was normally managed using a “catch all” data protection clause in the contract of employment.
The ICO has made clear for some time that they have felt that the catch-all basis for consent was not suitable for employers in any event because of the disparity in power between the employee and the employer.
Under the GDPR, the situation has now been clarified. Consent will rarely be a suitable lawful basis for processing. Some key related points:
This does not mean you will never use consent as a basis, you probably will, but for a specific purpose and not in a “catch-all” manner.
The GDPR (very similar to the DPA before it) Article 6 gives 6 lawful bases for processing data; and consent is only one possible option (again, the list is very paraphrased):
As can be seen from the above, there is lots of scope for processing employee data without consent. The key bases for private employers and HR companies will be numbers 2, 3 and 6.
You will note that the word “necessary” features quite highly in this list. The ICO’s Guide to the GDPR (link here) explains that saying the processing is “necessary” does not mean to say that it is “essential”. The ICO explains:
The guidance also makes clear that a party should not expect to use just one basis to cover all data points – so, for HR software providers and users it is important that data is broken down into categories and the relevant basis considered.
Consent should still be sought where it is appropriate and easy. However, an employer should be careful to explain which data is kept, and how it is processed. Clearly it is also important to make sure that the data collected is actually needed.
Check out this short paragraph found at page 12 of the ICO guidance:
However, be warned; the category you choose does have implications. As the ICO guidance points out:
As can be seen from above, “legal obligation” will likely become a favourite basis for employers as none of these rights apply. Employers clearly have legal obligations in respect of their employees which will cover much employee / employer data. For example: pay, holiday and working time, health and safety, and rules relating to discrimination to name but a few.
It is probably worth saying a few extra words about the “legitimate interests” basis as this is one of the more flexible bases. Firstly, there is a three-part test:
The “legitimate interests” referred to can be yours, the employee’s or even a third party, as long as you pass the three-part test. They can even be trivial interests, but these would be more easily overridden by part three of the test.
You should not seek to rely on the legitimate interests basis if there is another reasonable way to achieve the same result.
The key element concerns “reasonable expectations”. Arguably, an employee will expect an employer to process information about performance (for example, appraisals) and there is clearly an interest in doing so. Finally, it is doubtful that the individual’s interests override the legitimate interest unless the appraisal is particularly intrusive.
If you rely on this basis, you must have some written evidence to prove you have properly considered the employees’ interests. The ICO guidance refers to this as a “legitimate interests assessment” which should be undertaken prior to the processing begins. The ICO guidance sets out a number of detailed factors to look at.
Note that the employee has the right to object to processing on the basis of legitimate interests (see below).
This used to be called “sensitive personal data.” The GDPR set outs special rules about data concerning:
Religious and philosophical beliefs.
Such processing is only allowed where:
Whilst we await the detail of the UK rules on this, it seems clear that the intention is that there is a carve-out intended to allow employers to process even sensitive personal data without needing express consent on each occasion.
Note that the processing of special category data is only lawful if you have both a lawful basis for processing and one of the special exemptions apply. So, for example, the process information concerning the dates of sickness absence the lawful basis might be “Lawful Obligation” (to process and pay SSP) and clearly such processing is necessary for the purpose of carrying out the obligations … of the controller … in the field of employment and social security law.
Criminal offence data is not special category data as set out above (however it was treated as sensitive personal data under the DPA, so that has changed). It has its own rules although it is dealt with in a similar way to the other special category data.
These rights apply to data controllers, not data processors, but data processors will have a required contractual obligation to assist where necessary.
|Data field||Detail of data stored||Reasons for processing||Lawful basis for processing|
|Holiday information||Entitlement, dates, historical records, related payments, reasons for refusal, related correspondence.||To comply with the Working Time Regs requirement to give paid holidays, and to fairly manage holidays, to keep reasonable historical records||Legal obligation|
The right of access is broadly similar to the Subject Access Request under the DPA, with some small changes:
Individuals can have their data rectified if it is incomplete or inaccurate by request and such requests should be dealt with within one month.
Also known as the right to be forgotten, the Regulation set out various circumstances which the right applies – for example when the individual withdraws consent.
The GDPR also sets out the circumstances in which a request for erasure does not need to be complied with, for example: to comply with a legal obligation or the exercise or defence of legal claims.
Under certain circumstances an employer or HR software company is required to restrict the processing of personal data, for example:
The right to data portability only applies:
Data must be provided in a commonly used format, for example CSV and it must be provided free of charge. There is no necessity to provide systems that are compatible with other organisations.
Individuals have the right to object to processing based on legitimate interests (and other grounds too, beyond the scope of this paper).
In such circumstances, the processing must cease unless the employer can demonstrate compelling legitimate grounds for the processing which overrides the interests of the individual or, the processing is for the establishment, exercise or defence of legal claims.
Individuals must be informed of their right to object in writing, and this will normally take place in the privacy statement.
Automated decision making is where a decision is made solely using automated means without any human involvement. For example, if a pay calculation is made using a coded script of some kind, this is an automated decision-making process.
Profiling is where personal data is automatically processed to evaluate certain things about an individual. For example, a program may use demographic data, appraisal scores and salary information to identify high or low achievers.
You can only carry out automated decision making and profiling where the decision is:
The accountability principle at article 5(2) of GDPR means that you must demonstrate that you comply with the principles and states explicitly that this is your responsibility.
The ICO guidance sets out a list of actions which would evidence compliance including:
This is an area where the GDPR will have a big impact on software providers.
Under the GDPR, as with the DPA, employers will normally be “data controllers” and normally, HR software providers will “just” be data processors.
However, the rules concerning data processors are enhanced as are the consequences for breaches. As a data processor, the GDPR requires specific record keeping, certain contractual terms between you and your client, and there are also significantly increased fines for data breaches, as well as a requirement to “self-report” under certain circumstances.
Note also that the GDPR applies even if your HR software provider is situated outside the EU.
If you use a third party HR software application you need to ensure that you have in place contractual terms and conditions which comply with the GPDR – your provider should sort that, and if they do not, you need to be very wary. The HR software company should also have a GDPR compliant data protection policy, and some sort of data protection lead or ideally a Data Protection Officer.
You should also be asking which sub-processors your provider works with and ensure that you agree with those choices.
Your provider should also commit to assisting you with any of the individual employee rights – for example the right to access and for rectification described above (although often these will be in your own hands).
You will want to ensure that all of your data is properly deleted once your contract with the HR software company is concluded.
Finally, of course, you will want to ensure that the HR software company has given a commitment to ensuring that the data they hold on your behalf is held securely.
233 Edmund Road
If you are interested in HR software, please take a look at www.myhrtoolkit.com