In the second of the Furley Page Employment Team’s GDPR blogs, we look at the implications of the new right to be informed for the employment lifecycle.
As highlighted in our previous blog, employers have historically relied on consent clauses in employment contracts to inform employees of the kinds of situations in which their personal data will be used and processed. Many employers also have a data protection policy which provides further details of employee data processing. Under the new GDPR, is this well-established practice enough?
The right to be informed
The new article 13 stipulates that the employee must be informed of 9 things. These include:
- the identity of the employer;
- the purpose and legal basis for processing;
- the recipient of the personal data;
- whether the provision of the personal data is a statutory or contractual requirement;
- whether the employee is obliged to provide the data or not and the consequences of failure to provide such data; and
- whether the personal data will be subject to any automatic processing and if so, the logic involved and the envisaged consequences of such processing.
In addition, all the above must be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language...” - simple…right? So how can this be put into practice with employee data?
The new obligations pose an obvious change in the information that must be provided even before an employee is offered a job or starts their employment. Personal data at this stage of a process will usually include an individual’s name, address, contact details and qualifications, work experience and skills. This data is required in order to be able to contact a job applicant and to assess their suitability for a role.
Employers should already be exercising good practice and not asking at this early stage for personal data, such as sex, race, disability and criminal convictions, which is not required for assessing the best candidate for the role. Given that justification for that data is required at the outset, employers are now being forced to adopt a proactive approach and to consider what information is really required from applicants at this early stage in the employment relationship. This can be done on an application form or via an accompanying data protection notice on a job advert.
After the offer of employment
As the information stipulated in article 13 should be provided to an individual before processing takes place, it will no longer be sufficient to provide these details in a data protection policy that the employee only reads after starting their employment.
We are not suggesting that a data protection policy in a handbook is no longer appropriate, but thought should be given as to whether it will now be more appropriate to provide a copy at the same time as an employment contract when a job offer is made. The policy can be read, signed and returned when accepting the role. By obtaining a signature that the policy has been read, you have proof that you have complied with the article 13 right to be informed.
Although all uses of employee data should be thought of from the outset and included in the policy, it is feasible that further uses for personal data may arise throughout an individual’s appointment, or that the usage of such data may go beyond that originally envisaged.
Thought should be given to the most appropriate way to inform employees of this – for some employers who have a workforce which does not have ready access to the intranet, this may even be by using a communal notice board. It may also become good practice in certain situations, such as redundancy consultation, to provide further notification as to what personal data will be processed and used in that process and why. An example of this would be the justification for the redundancy matrix and its weighting.
After employment ends
Although your data protection policy should contain information about how long the employee data is retained and for what purpose, unless it is read regularly throughout the employment relationship, employees will not be aware of the information that will be retained after they leave your organisation.
It is therefore a good idea to inform the employee separately at this stage as to what information will be retained, why and for how long. This will need to be balanced with the individual’s right to be forgotten, and so usually only information which is absolutely required should be retained and you will need to be able to justify why it is required. In reality, this will be very little.
What should you do?
Most of the information you are required to provide to individuals will already be within your knowledge – the difference is that it now needs to be proactively provided, rather than used as justification once a complaint has been received.
During your data mapping exercise, we recommend including when and how the employee will be informed of the processing. This will make it much simpler to ensure you are providing your employees with the correct notifications at the appropriate times during the employment relationship and that nothing slips through the net.
Adopting this proactive approach to your employees’ personal data will ensure that both you and your workforce are confident in your compliance with the GDPR. In turn this is likely to lead to fewer complaints and data subject access requests. The parameters of these requests and how they are affected by the GDPR will be examined in our third blog.