GDPR: Employers could be at risk from new employee data issues
Since March 2020, coronavirus has been the focus for most organisations who have taken the view that regulatory issues such as data protection must take a back seat. It is important to recognise that the law on data protection has not been relaxed. Legal and other enforcement action remains a real risk. A fundamental aspect of the General Data Protection Regulation (GDPR) is the accountability principle which not only requires data controllers to comply with the law but also to demonstrate that they have done so. Malcolm Gregory, an employment law partner at Oxford and London-based law firm Royds Withy King, discusses the GDPR two years on and warns that new data issues, such as health testing employees and managing data when home working, may put many employers at risk.
There was a wave of activity in the lead up to GDPR becoming law in the UK on 25 May 2018. Employers were frantically data mapping, reviewing their policies and preparing privacy notices. This was followed by a significant increase in data subject access requests from employees who became very aware of their data rights and began using them.
Over the last 12 months we have seen a gradual reduction in data protection compliance activity to an almost imperceptible background noise - in particular over the last six months where most things have been overshadowed by issues flowing from the pandemic.
In a recent poll of SMEs, the majority of organisations had not reviewed their data protection policies and procedures in the last 12 months. Worryingly, there was evidence of some organisations not having finished what they started over two years ago.
The Information Commissioner’s Office has issued a statement on its website regarding the approach it is taking during the pandemic. It says: “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you from doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.” It goes on to say that the ICO understands resources are limited and may be diverted away from the usual compliance work and the ICO “won’t penalise organisations that [they] know need to prioritise other areas or adapt their usual approach during this extraordinary period.” Good news and a helpful approach from the ICO.
Organisations have been getting used to dealing with the “new normal” since lockdown was announced on 23 March 2020. Plans have been put in place and we are seeing a drive from the Government to get back to working normally as soon as possible. This means that the ICO will also be expecting organisations to return to normal in terms of data compliance and we expect them to quickly become less tolerant of breaches being blamed on the pandemic.
New data issues have arisen recently such as health testing of employees and how data is managed with homeworking. The speed with which this happened has left many organisations wondering what they have to do to comply with GDPR.
Helpfully, the ICO has published guides on the most common issues. For example, its top ten tips on home working include using only technology approved by the employer, considering confidentiality when using video calls, locking away personal data and not mixing the organisation’s data with the employee’s own. There are also helpful checklists for employers to aid compliance.
As part of an employer’s risk assessment, many are considering whether to implement COVID-19 health screening. It’s important to recognise that an employee’s health data is sensitive and needs to be protected more carefully than other kinds of data. It is worth carrying out a data protection impact assessment which will guide the data controller in deciding whether testing is really necessary and proportionate, what data risks exist and how those risks will be mitigated.
If testing is proportionate and there is no less intrusive way of protecting the health and safety of staff and others, then an employer could rely on legitimate interests as a lawful reason to process the data together with the employment condition in the regulations (Article 9(2)(b) and Schedule 1 condition 1 of the Data Protection Act 2018). Employers should update privacy notices to cover this and ensure that they collect only the data actually needed, keep it securely and retain it no longer than is necessary. It isn’t possible to force an employee to undergo a health check but there could be disciplinary consequences if the refusal is unreasonable. Specific legal advice on this issue is key.
When the Brexit transition period ends on 31 December 2020, GDPR principles will not disappear. EU GDPR will be replaced by UK GDPR and the Data Protection Act 2018 will remain. We suggest you put a plan in place to bring data compliance back into focus. This could include:
- Reviewing your existing policies
- Checking and updating your data map particularly looking for new data sources which you are processing
- Checking that the lawful bases for processing data are still valid
- Reviewing whether data retention periods are being complied with
- Updating privacy notices and publishing them
- Reminding and retraining your employees about the data protection principles
As we move towards the end of the Coronavirus Job Retention Scheme we are likely to see an increase in claims from employees who feel they have been treated unlawfully. This will likely spark an increase in ancillary issues such as data subject access requests. Time limits for complying with data breach reporting (72 hours) and DSARs (30 days) have not been relaxed and so employers should ensure they are ready to respond.
For advice on this or any other employment law issue, please contact Malcolm Gregory at Royds Withy King on 01865 792300 or email firstname.lastname@example.org
Malcolm is a regular contributor to the Zoom HR Hubs run by Allen Associates in conjunction with Royds Withy King. To find out more about future HR Hubs, please contact Kate Allen at email@example.com