The General Data Protection Regulations (GDPR) will come into force on 25 May 2018.
The GDPR will substantially change the law relating to the holding and processing of personal data. So what do you need to do to be ready for the forthcoming changes?
Initial data audit
A good starting point is to identify all of the personal data that you hold in the organisation. Create a spreadsheet of all of the personal data, including names and addresses, sickness records, next of kin details, details of dependents for health benefits, payroll information, training records, CVs etc.
Consider other information that you might hold elsewhere in the organisation, including contact details of suppliers and customers.
When you have identified the data that you hold, consider whether it is accurate and up to date, whether you have permission to hold it, where it came from and what you will do with it.
Do you have the right to hold the data?
Most of the processing carried out by organisations about their employees will be for usual HR, administrative and management purposes.
In those cases, you should rely on a ground other than consent to process the data, such as legitimate interests, fulfilment of a contract, compliance with a legal obligation (for example, obtaining right to work documentation) or, in the case of special categories of data, processing in the field of employment. From an organisation’s perspective, it is preferable to rely on a ground other than consent because consent cannot be withdrawn. In addition, in some circumstances, the rights of data subjects are more limited when relying on the ground of legitimate interests.
In any event, it is unlikely that obtaining consent in an employment contract would comply with GDPR. Consent under GDPR must be freely given. Seeking consent in an employment contract is unlikely to constitute freely given consent, because the contract has to be signed in order for the individual to start their employment.
However, if you intend to process employee personal data for a reason other than usual HR, administrative or management purposes, you should seek consent from the employee to do so. This type of specific consent will need to be given in a separate document that sits outside of the employment contract. Examples of processing that may require specific consent include the collection of racial or ethnic origin information on a non-anonymous basis and carrying out occupational health assessments.
GDPR in recruitment
You will also need to review the consent that you have from other individuals, including applicants. If an individual applies for a specific job, you cannot forward that application to another part of the organisation, even if you think they would be more suited there, without the applicant’s permission. Similarly, if the applicant is unsuccessful, but you want to keep their details on file for future vacancies, you will need their express permission. You should also have a process in place for destroying applications when you have kept them for the agreed period of time.
If you place an advertisement without using your company name, or you use a recruitment agency to place an advertisement for you, the applicant must be made aware of your identity before you proceed with any processing of their application.
Another area to note is that of automatic decision-making. If you use any automatic processes, for example in your shortlisting, you must tell the applicant what process you are using. The applicant then has the right to ask for ‘human intervention’ in the process.
It is likely that you need to review your recruitment procedures to incorporate these requirements and ensure you are GDPR compliant.
Do you have personnel files brimming with information relating to employees that left your organisation years ago? You should only keep data for as long as is necessary, and you should have an employee’s permission to retain their HR file after they have left. You do need to keep payroll files for 3 years to comply with HMRC requirements, but a lot of general HR information does not need to be kept for this long.
We recommend that you add a stage to your leavers’ process, seeking the leavers’ permission for you to retain the information about them that you want to keep. You do not want to destroy everything immediately and then find the employee brings a claim against the organisation which you cannot defend because you have no documentation. Create a new data retention permission form which you can work through with the leaver in your exit interviews.
Subject access requests
Employees have had the right to access the data you hold about them for some time. Currently you can charge them a nominal sum for this, and you have to respond to any request within 40 days. The GDPR changes this.
Once GDPR comes into force, you will not be able to charge an employee anything, and will have to respond within 1 month (unless the request is particularly arduous).
GDPR does allow for a request to be refused if it is particularly difficult or time consuming for you to comply with, but always check with us first before you make the refusal.
Absence and health data
Remember that absence and health data are two different things, and therefore they need to be treated differently. Absence data simply records the days of absence, and is not sensitive data. However, health data (which could include medical reports) is sensitive data and therefore specific permission is required to hold and process this data.
Make sure that you have your files arranged such that a line manager could check absence data without having access to sensitive health data. An employee should be made aware who can access their health data, and should give their permission for this access to take place.
Design data protection into your processes
In the future, as you develop any new HR processes, think about the likely impact on personal data that you hold about individuals. Design data protection into the processes - think about consent or legitimate interests and how long you will need to retain the data.
If you have any questions please get in touch with the employment team.
Our GDPR specialist
If you have any questions about data protection, or need any help with revising your processes, please get in touch with Matthew Hattersley on 0113 336 3351 or via email at firstname.lastname@example.org
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.