Data protection update
Since the EU General Data Protection Regulation (GDPR) came into force in May 2018, the Information Commissioner’s Office (ICO) has been working steadily to educate and inform data controllers about its requirements. Below, we take a look at some of the ICO’s most recent guidance and its implications for employers, as well as the impact of Brexit.
Data protection post-Brexit
The UK is scheduled to leave the EU on 31 January 2020, under a withdrawal agreement negotiated between the UK Government and its EU counterparts. Understandably, businesses are concerned about what Brexit means for their data protection compliance requirements, particularly in relation to international transfers of personal data between the UK and other countries both in and outside the EU.
In the short term, at least, there is no need to worry, as the negotiated withdrawal agreement provides for the UK to enter a transition period until 31 December 2020, during which the UK remains subject to EU laws, including the GDPR. Organisations may choose to make minor tweaks to some of their data protection documentation (e.g. privacy notices) at this stage, to reflect the fact that the UK will technically no longer be an EU member state after 31 January. However, besides this, we understand from our contacts at the ICO that nothing will change from a data protection perspective during the transition period, save that the ICO will not be able to participate fully in meetings of the European Data Protection Board (the EU-level group comprised of representatives from the data protection authorities of all EU member states, which is responsible for issuing guidance on the GDPR and acts as an overarching supervisory authority).
That said, we do not yet know what, if any agreement will be reached with the EU on the nature of its future relationship with the UK and whether any such agreement will include provisions on data protection. We anticipate that some changes will ultimately be required to UK organisations’ arrangements for transferring personal data overseas, as well as to the process for reporting cross-border personal data breaches, and – in some circumstances – UK companies who do not have a presence in the EEA may end up having to appoint a representative in the EEA.
Subject Access Requests (SARs)
In the meantime, the ICO is continuing to expand upon its GDPR guidance. In December 2019, it published a draft version of new detailed guidance on SARs, which is open for consultation until 12 February 2020. The draft guidance explains the rights that individuals have to access their personal data and the obligations on controllers when responding to a SAR. This includes suggestions for how organisations should ensure they are prepared to handle SARs promptly and properly, as well as guidance on the extent of the searches an organisation may be required to carry out to locate the requested data. The guidance also addresses how to deal with requests involving third parties’ personal data and the exemptions that are most likely to apply in practice when handling a request.
Make UK will be responding to the consultation on behalf of manufacturing employers, both to affirm where the draft guidance is particularly helpful and to highlight areas which would benefit from further explanation and/or additional examples. If you have any comments on the draft guidance that you would like us to reflect in our response, please email Sara Meyer, Principal Legal Adviser.
Criminal records data
On 20 January 2020, the ICO launched an online survey to find out if gaps exist in controllers’ awareness and understanding of the data protection requirements for processing criminal records data, an area it recognises as particularly complex.
The rules on processing criminal records data do not, on their face, allow employers to conduct criminal records checks on job applicants or existing employees in most cases. Employers whose recruitment practices have historically included such checks have previously relied on the consent of the job applicant or employee but, strictly speaking, that is no longer permissible under the GDPR and DPA 2018. In addition, guidance produced by the ICO in conjunction with Unlock (a charity involved in the rehabilitation of ex-offenders) on criminal record checks in recruitment emphasises that employers should only conduct such checks where this is genuinely necessary. Accordingly, employers that have previously obtained criminal records data for all job applicants may need to consider scaling back and only doing so in respect of applicants for certain positions, such as those involving significant financial responsibility or handling large customer payments, in order to reduce their data protection compliance risk.
Although it does not say so expressly, we presume that the ICO will use the results of its survey to inform its future work and may produce further detailed guidance in this area if there is sufficient need. We therefore encourage employers to respond to the survey in order to make the ICO aware of any difficulties they have experienced with regard to the processing of criminal records data under the GDPR and DPA 2018. If you wish to respond to the survey, you can access it here.
Special category data
Another topic on which the ICO has recently published detailed guidance is special category data (i.e. personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sex life or sexual orientation, biometric data that is used to identify an individual, or genetic data).
The new guidance aims to assist organisations by providing more in-depth information on the additional conditions that must be satisfied in order to process special category data lawfully, including the documentation requirements and the parameters of the applicable legal bases for processing. For example, when discussing the legal bases for processing special category personal data that refer to the processing being ‘necessary’ for a particular purpose, the guidance emphasises the importance of being able to demonstrate such necessity. This does not mean that the processing has to be absolutely essential, but it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving your purpose and, if you can reasonably achieve your purpose by less intrusive means – in particular if you can do so without using special category data – then the requirements of the special category legal bases that are based on necessity will not be met.
The guidance gives the example of a coach company that wants to undertake random drug and alcohol testing of its drivers. As an employer, the company has a health and safety obligation to ensure that its drivers are not under the influence of drugs or alcohol while working. The coach company can therefore rely on the 'legal obligations in relation to employment' legal basis to process the drivers’ special category data produced by such testing. However, if the company were to widen the testing to include staff who don’t have a safety-critical role, such as its administrative or HR staff, it would not be able to justify the processing of those employees’ special category data as ‘necessary’ to comply with a legal obligation in relation to employment.
Employers will need to be mindful of this ‘necessity’ requirement when processing employees’ special category data.
How we can help
Make UK members can access guidance on the GDPR, including on the requirements for processing special category and criminal records data, and responding to SARs, in the resources section of our website. In addition, our national team of specialist lawyers and HR advisers can provide template documentation and tailored advice to support you in remaining compliant with data protection law in relation to your employee data. For more information, contact us on 0808 168 5874 or [email protected].
For further updates on data protection, Brexit and other key legal developments for employers, come to one of our free Employment Law Updates (sessions running at various locations on multiple dates in March). For more information and to book your place, click here.