GDPR and special category data: tips for employers
When the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, it will mark a significant change in data protection obligations for employers in the UK, affecting, for example, how they handle sensitive information about employees’ physical or mental health, such as in the context of managing sickness absence.
The Information Commissioner’s Office (ICO) will be able to impose substantial fines of up to €20m, or 4 per cent of annual worldwide turnover, for the most serious breaches of the GDPR – meaning compliance is of high importance. To process your employees’ personal data, you must comply with the six ‘data protection principles’. Personal data must be:
- processed lawfully, fairly and in a transparent manner;
- collected only for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary for the purpose for which it is collected;
- accurate and kept up to date;
- kept for no longer than is necessary; and
- kept securely.
There is a further overarching ‘accountability principle’ that requires you to demonstrate your compliance with the six data protection principles.
For personal data to be processed lawfully, you must establish at least one lawful basis for the processing. Those that are relevant in an employment context include:
- Consent: the employee has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for you to comply with your contractual obligations to the employee.
- Legal obligation: the processing is necessary for you to comply with your legal obligations.
- Legitimate interest: the processing is necessary for the legitimate interests of you or a third party and is balanced against any impact on the employee’s interests.
Special category data
Information about an employee’s health will be ‘special category data’. This is personal data that the GDPR says is more sensitive, and so needs additional protection. As well as the above lawful bases for processing, special category data can only be processed where at least one further condition for processing special category data is fulfilled.
One condition potentially relevant when handling information about an employee’s health in the course of managing sickness absence is that the employee has given explicit consent. However, a problem for employers in relying on consent as a lawful basis for processing personal data under the GDPR is that consent must be ‘freely given’ and as easy for the data subject to withdraw as it is to give. The ICO has stated that it will be difficult for employers to rely upon consent given the imbalance in the relationship between employer and employee. Businesses are therefore advised to avoid relying on consent where possible and to look for another legitimate basis for processing.
Alternative conditions under which special category data can be processed include where the processing is necessary for:
- the purposes of performing or exercising obligations or rights of the employer or employee under employment law, such as not to discriminate against an employee or dismiss them unfairly;
- establishing, exercising or defending legal claims; or
- the assessment of an employee’s working capacity, subject to confidentiality safeguards.
You must inform your employees of the nature of any processing you carry out – including the lawful bases you are relying upon for any processing – in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This should be done by way of a privacy notice available to all employees.
Where you intend to rely on the ‘necessary for employment obligations or rights’ or ‘assessment of an employee’s working capacity’ conditions for processing special category data, you must have an appropriate policy document in place explaining your procedures for complying with the data protection principles, and your policies for retention and erasure of the special category data. You must also maintain a record of your processing activities. You may be required to make these documents available to the ICO upon request.
Chris Weaver is an associate at Payne Hicks Beach