Under the GDPR, which applies from 25 May 2018, consent must be freely given, specific, informed and unambiguous. That means individuals must have a genuine and free choice as to whether or not to consent to the processing, and must be able to refuse or withdraw consent without suffering any detriment.
Current draft guidance from the Information Commissioner’s Office (ICO) indicates that employers are unlikely to be able to rely on consent as the lawful basis for processing most employee personal data: because of the imbalance of power in the employer-employee relationship, an employee’s consent will rarely be regarded as freely given.
Most employer processing activities will instead rest on one of the other lawful bases but, in accordance with the new accountability principle, an employer needs to be clear from the outset which lawful basis it is relying on for each processing activity, and to record that decision. Apart from consent, the GDPR lawful bases for ordinary (non-special-category) personal data are that the processing is:
- necessary for the legitimate interests of the data controller or a third party, provided those interests are not overridden by the interests or fundamental rights of the data subject;
- necessary for the performance of a contract with the data subject, or to take steps at the data subject’s request before entering into a contract;
- necessary for compliance with a legal obligation to which the controller is subject;
- necessary to protect the vital interests of the data subject or of another natural person; or
- necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
If an employer will still be relying on consent for any aspect of employee data processing then, in accordance with the guidance as currently drafted, it needs to ensure that:
- consent is a positive ‘opt in’, kept separate from the other terms and conditions of employment, and is not bundled into the employment contract; it must not be vague, and the draft guidance recommends that it be refreshed every two years;
- consent is specific to the data in question and to the purpose for which the employer is using it;
- if the employer is sharing the data, each third-party recipient is named and specific consent is sought for that sharing;
- the employer tells the employee that consent may be withdrawn at any time, and explains how to do so, and withdrawing it is as easy as giving it; and
- the employer keeps specific records of who consented, when, how and to what, so that it can demonstrate compliance.
Subject access requests
Subject access requests (SARs) are often used as leverage in employment disputes. The GDPR will enhance employees’ rights to access the personal data their employers hold about them, will entitle them to more detailed information about how their data is processed (including the purposes, the recipients, the retention period and the source of the data), will shorten the time limit for the employer’s response and will abolish the current £10 fee for responding to a SAR.
Employers are currently obliged to comply with a SAR within 40 days of the request. The GDPR will shorten this period, obliging employers to comply without undue delay and at the latest within one month, although this can be extended by up to two further months where requests are particularly complex or numerous. If the employer intends to rely on an extension, it must tell the employee within the initial month and explain why the extension is needed.
It is possible to charge a reasonable fee, based on administrative costs, where a SAR is ‘manifestly unfounded or excessive’ (for example because it is repetitive), or to refuse to act on it altogether; in either case the burden of showing that the request is manifestly unfounded or excessive lies with the employer. Detailed guidance from the ICO on the types of request that could be viewed as ‘manifestly unfounded or excessive’ is currently awaited.
Employers should consider putting in place specific SAR protocols, including template letters, and should assess the organisation’s ability to locate and isolate the data relating to a specific individual quickly across its systems, including email and line managers’ records. As a minimum, appropriate training and guidance should be in place so that staff can recognise a SAR (which need not be labelled as such or addressed to any particular person) and respond to it quickly and efficiently, and so that, if they are considering refusing a request, they are aware of the legal basis on which they may do so.
Sybille Steiner is an employment partner at Irwin Mitchell