GDPR – a refresh
As you may be aware, the General Data Protection Regulation (GDPR) came into force in the UK through the Data Protection Act 2018, on 25 May 2018. Around that time most businesses invested a large amount of time in reviewing their internal practices and creating various documents to ensure compliance. However, many will have done very little since and this creates a number of potential risks for businesses:
- New staff may have joined who are unaware of what GDPR is or what your policies say;
- The data being processed over 3 years ago may have changed;
- Policies and procedures may not reflect what happens in practice;
- Documents are likely to refer to “Europe” or “EEA” and this should be updated following Brexit.
From a practical perspective, we would recommend a regular review of policies and procedures as well as regular training for staff to ensure compliance.
As a refresher, we have set out below the key points from the legislation as well as some practical suggestions for action points.
Why is the Data Protection Act 2018 relevant to HR?
Staff data is likely to be the largest amount of data processed by an organisation. Organisations need to know a lot more about their staff than, for example, their customers.
Staff data is also more likely to include special category data, which is information relating to race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. For example, employers are likely to have information relating to health in the form of occupational health reports in order to make reasonable adjustments. Because this data is more sensitive, data protection legislation puts stricter provisions in place which employers need to comply with in order to process this information.
The Key Principles
The principles under the legislation require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
There are six lawful bases for processing data:
- consent
- necessary for the performance of a contract to which the data subject is a party
- compliance with a legal obligation
- legitimate interests
- performance of a public task
- to protect vital interests of the individual
When relying on consent as the lawful basis, it is worth considering that consent under GDPR has a number of requirements:
- It must be freely given, specific, informed and unambiguous
- It cannot be inferred from silence, a pre-ticked box or inactivity
- if processing has multiple purposes, data subjects should give consent to each
- there should be a right to withdraw consent at any time
- it is for businesses to prove that consent was obtained
If your lawful basis is legitimate interests, you will need to carry out a balancing exercise to ensure that your business interests for processing the data do not outweigh the potential negative impact on the individual.
Data subjects: key rights
Under the legislation, individual data subjects have a number of different rights in relation to their data, namely:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling
The main right exercised by individuals tends to be the right of access. A subject access request must be responded to within one month of the request and an individual is entitled, subject to a few specific exemptions, to all of their data. Requests can be extremely time-consuming so it is important to ensure all staff are aware of how to recognise one and that they are actioned promptly.
If a breach is likely to impact on the rights and freedoms of the data subject, a report must be made to the ICO within 72 hours. Where the breach is likely to result in a high risk to the individual, you must also report the breach to the data subject.
All breaches should be recorded internally and should include a record of what was decided in relation to reporting obligations and what steps are being taken to remedy the breach and prevent further breaches.
In 2018, the UK was still part of Europe and therefore any transfers of data within Europe were fine. Transfers outside of Europe had to meet additional security requirements such as using specific clauses in contracts or checking the European Commission had deemed a particular country safe. Privacy policies are likely to have referred to data leaving the EEA and the security in place for this.
Following Brexit, the UK is effectively a third country and transfers to and from Europe need to meet security requirements. Policy wording will need to be updated to refer to the UK rather than EEA.
Penalties and Risks
There are a number of potential actions the ICO can take if an organisation is found to be in breach of the legislation. The level of a potential fine is significant with less serious breaches attracting a fine of up to the higher of £8.7 million or 2% of total worldwide annual turnover and more serious breaches being capped at the higher of £17.5 million or 4% of total worldwide annual turnover.
Fines are however only one potential penalty and so far do seem to only be issued for large organisations committing significant breaches. Other more common action would include a requirement to provide the ICO with additional information or to comply with an order. Warnings are also given.
Businesses should already have policies and procedures in place but these should be kept under regular review to ensure that they are up to date, legally compliant and that they reflect what happens in practice.
The key steps to follow now are:
Audit your data and your existing policies and procedures
It is essential to audit your data collection and processing activities and update them if required. Existing policies and procedures should also be reviewed to ensure they are accurate and reflect what happens in practice. Any gaps in policies should also be reviewed.
We would expect you to have the following key documents in place:
- A breach reporting policy
- Retention policy
- Data protection policy setting out obligations for staff
- Subject access policy
- Data processing agreements with all third party processors
- Data Sharing agreements with any third parties with whom you share personal data
Review and update your data map
A data map is a record of the data you process and will detail things like:
- the lawful basis for the processing;
- the retention period;
- who has access;
- the security measures;
- where the data is sent; and
- whether it leaves the UK.
You are likely to have completed some kind of data map in 2018 but if not, one should definitely be completed now. If you do already have one, it should be reviewed to ensure it remains accurate. Many organisations made changes to their internal processes in 2018 to ensure GDPR compliance (for example adjusted how data is stored or shared internally and who has access). It is important to check that such changes are working and that what is recorded as happening actually reflects reality.
Check your processors
Check whether any of the third party providers you rely on are situated outside the UK. If they are, you will need to check that there is an adequacy decision in place for that country or you will need to look at other security measures before transferring any data.
You should also check that the providers are GDPR compliant so that the data you send them is secure and lawfully processed.
Focus on data protection by design
Make data protection inherent in everything that you design, be it a process, a product or a website. That way, no further data protection measures should be required. Don't assume that offloading your data to a third party is a way around this requirement; it is your responsibility to make sure they are compliant.
That means putting in place appropriate technical and organisational measures so that data protection is intrinsic to the actual design of products and services, and so that safeguarding people's data is one of the core functions of anything your organisation does, internally or externally.
Inform and train staff
Your employees are the people who will be processing the data your organisation holds. It is therefore important that they understand what GDPR means in practice to your organisation and what rules you have implemented.
Case Law Update
Bryan v Landmarc Support Services Ltd
Facts: Early in the pandemic, the Respondent’s operations were confirmed as "essential services" and its employees were deemed "key workers". The Claimant was the only Project Management Co-ordinator at one of the Respondent’s sites and the Respondent considered her presence on site to be crucial. Although a key worker, the Claimant was unable to send her child to school, initially due to her personal vulnerability as an asthmatic and later because the school was at capacity. The Claimant requested to work from home, but this was rejected and she was disciplined for refusing to attend the workplace.
The Claimant resigned and claimed indirect sex discrimination as the Respondent required staff to work on site during the pandemic, which placed women at a particular disadvantage compared with men because women have greater childcare responsibilities.
Decision: The tribunal upheld the claim. The tribunal accepted that the Claimant suffered a specific disadvantage given that women have greater childcare responsibilities than men. The tribunal did not accept the Respondent’s argument of a proportionate means of achieving a legitimate aim – keeping the company running efficiently and in compliance with its obligations was undoubtedly a legitimate aim and, in normal circumstances, it would have been proportionate to require those with childcare demands to make suitable arrangements. However, taking account of the Claimant’s personal circumstances, including that she could not send her child to school, the Respondent could have allowed the Claimant some time off or worked out a longer term solution.
Takeaways: This case is likely to be one of many relating to the impact of childcare during the pandemic, and the knock on effect to work – in this instance in relation to the requirement to attend the workplace rather than work from home. Employers must adapt to the changing circumstances, and sticking resolutely with what was proportionate and reasonable before the pandemic may no longer be sufficient.
Kubilius v Kent Foods Ltd
Facts: The Claimant was employed as a delivery driver by the Respondent. The Respondent's employee handbook required courteous treatment of clients and that employees take all reasonable steps to safeguard their own health and safety and that of others as a result of their actions at work. The driver's handbook required customer instruction regarding PPE to be followed. The majority of the Claimant’s work involved travel to and from one particular client – Tate.
Due to the pandemic, Tate required face masks to be worn at their site and all visitors were issued with a face mask on arrival. On 21 May 2020, despite being asked by two Tate employees, the Claimant refused to wear a face mask while he was in the cab of his vehicle, arguing that his vehicle was his own area and that wearing a face mask was not a legal requirement. Tate reported the incident to the Respondent and banned the Claimant from its site. Following an investigation, the Claimant was invited to a disciplinary hearing into the allegation that, by refusing to comply with Tate's instruction regarding PPE, he had breached the requirements to maintain good relationships with clients and to cooperate to ensure a safe working environment. The Claimant was summarily dismissed.
Decision: The tribunal held that the Claimant was fairly dismissed. The Respondent had a genuine belief that he had been guilty of misconduct and had carried out a reasonable investigation into facts (which were not in significant dispute). While another employer might have chosen to issue a warning, dismissal fell within the range of reasonable responses. The Respondent had been entitled to take account of the importance of maintaining good relationships with its clients, the continued insistence by the Claimant that he had done nothing wrong (which caused concern as to his future conduct), and the practical difficulties arising from him being banned from Tate's site.
Takeaways: With more staff returning to the workplace, the issue of health and safety should be high on every employer’s agenda. With legal restrictions having eased some months ago but many still feeling cautious about the continuing circulation of coronavirus, there are undoubtedly more conflicts regarding PPE/mask wearing yet to come. This case indicates that employers may be able to take a tough stance on failure to follow PPE requests, regardless of the legal restrictions in place at the time. Where employers have staff attending the premises of clients or other third parties, it is worth being clear that they will be expected to comply with the Covid rules of those third parties.
Little Piece of Paradise Ltd v HMRC
Facts: A sports presenter provided services to Sky through a PSC, and the contract between the PSC and Sky included a statement at clause 2.3 that “The Company agrees that there exists no employment agreement or relationship between the Personnel and Sky or any Associated Company.”
Furthermore, clause 9.1 stated “the parties declare that, during the continuance of the Agreement, the Personnel shall be an employee or sub-contractor of the Company”, and that the Company “shall be solely responsible for all matters relating to the Personnel’s employment/engagement.”
Decision: The FTT looked beyond the paperwork to a hypothetical contract based on the actual conduct of the parties, and concluded that the individual would have been an employee of Sky. The reasons given by the FTT included:
- sufficient mutuality of obligation, by way of Sky having “first call” on the individual’s time and the inclusion of a termination clause in the contract (if there was no mutuality of obligation, then arguably the termination clause would not have been necessary)
- the same monthly fee had been paid throughout, rather than in reference to days/hours worked
- sufficient degree of control in that Sky decided which events to cover and therefore dictated where and when the individual worked
- the contractual ability to substitute was not an unfettered right, as it was only allowed with Sky's consent and Sky would then pay any approved substitute directly. When looking at the relationship between Sky and the individual directly and applying the hypothetical contract, it was found that there was in reality no right to substitution.
Takeaways: This is a reminder of the importance of properly assessing IR35 status, and that the conduct of the parties is the true test of status rather than the contractual documentation.
Stott v Ralli Ltd
Facts: The Claimant was employed by the Respondent between 9 October 2017 and 8 January 2018, whereupon the Claimant was dismissed at a meeting for poor performance with immediate effect and was paid in lieu of notice. Following the meeting, the Claimant sent an email to the HR manager headed "grievance procedure" which complained of discrimination and stated that the Respondent had been informed of her mental health issues in several communications.
At the grievance meeting, the Claimant stated that her disabilities were mental health issues, anxiety, depression and a heart condition – she claimed that these affected her performance and that she had "sort of mentioned her disability" at interview. She also claimed that she had told a colleague for whom she was working that she was not sleeping well and not feeling herself, and that this amounted to a disclosure of her depression. The Respondent rejected the grievance on the basis that the Claimant had never disclosed her disabilities; the Claimant appealed unsuccessfully.
The Claimant brought a claim in the employment tribunal for discrimination arising from disability (a mental health impairment) in relation to her dismissal. Before the trial, the Respondent conceded that the Claimant had a mental impairment amounting to a disability at the time of the dismissal.
The tribunal dismissed the claim. In relation to the question of whether the Respondent knew or could reasonably have been expected to know that the Claimant had a disability, the tribunal held that the Claimant had not disclosed her impairment to the Respondent at any time prior to her dismissal. It was noted that the Respondent had asked the Claimant about the reasons for her performance in the meeting on 8 January 2018.
The tribunal also held that the Respondent had a legitimate aim of maintaining high standards and accurate written communications – the supervision of the Claimant, the efforts to correct her work, and ultimately her dismissal, were a proportionate means of achieving that aim. The Claimant appealed.
Decision: The EAT dismissed the appeal. Although the tribunal had failed to reach a conclusion about whether the Claimant’s poor performance was something arising from the disability of anxiety and depression, the tribunal had been correct in their assessment of the proportionate means of achieving a legitimate aim. The EAT also held that the claim had been brought solely in relation to the dismissal and therefore knowledge or constructive knowledge acquired after the dismissal on 8 January 2018 was not relevant.
Takeaways: In this case, the employer was found not to have knowledge of the disability. It is worth remembering, however, that tribunals can conclude an employer has constructive knowledge, so even if they hadn’t specifically been informed of a disability, other information relating to an individual’s health may be enough to say the employer has constructive knowledge.
Gray v University of Portsmouth
Facts: The Claimant is autistic and also suffers from stress. The Respondent followed their 4-stage absence management process and made accommodations for the Claimant, but ultimately the Claimant was dismissed following a long period of sickness absence. His appeal was rejected.
The Claimant brought a claim for discrimination arising from disability. The tribunal accepted the Respondent’s evidence that there were several potential explanations as to why the Claimant’s dismissal was a proportionate means of achieving a legitimate aim – the legitimate aim being the efficient running of the department. The Claimant appealed.
Decision: The EAT upheld the appeal – the tribunal had not clearly set out any evaluation of the explanations provided, which explanation it accepted, or any findings regarding the level of disruption that may have been caused by keeping the Claimant’s job open.
Takeaways: When dealing with decisions which may be indirectly discriminatory or link back to a disability, it is important for employers to consider their justification argument and be clear about the reason for a decision (i.e. their legitimate aim) as well as ensuring that they have balanced this aim against the negative impact on the individual (proportionality).
Emuemukoro v Croma Vigilant (Scotland) Ltd
Facts: On the first day of the hearing, the tribunal struck out the Respondent’s response as they had not complied with tribunal orders which resulted in it not being possible to hold a fair trial within the allocated trial window. The Respondent’s non-compliance included not having prepared witness statements and missing out many of the relevant documents from the bundle. The Respondent appealed, on the basis that a strike out should be reserved for circumstances where a fair trial would never be possible.
Decision: The EAT dismissed the appeal – the tribunal was entitled to strike out rather than adjourn the hearing if a fair trial could not take place within the trial window, even if it could take place at a later date.
Takeaways: While the case here saw serious breaches of the tribunal orders, this is a clear warning for all parties to comply with tribunal orders or risk jeopardising their case entirely with strike out.
Secure Care UK Limited v Mr R Mott
Facts: The Claimant made nine alleged protected disclosures to the Respondent, relating to issues such as inadequate staffing. The day after the ninth disclosure, the Claimant was informed he was at risk of redundancy. He was dismissed several weeks later.
The tribunal held that the Claimant was unfairly dismissed. The tribunal accepted that three of the disclosures qualified as protected disclosures. It found that there was a genuine redundancy situation but that the Claimant’s concerns/disclosures had had a material impact on his selection.
Decision: The EAT disagreed. The tribunal had applied the wrong test – it had used the ‘materially influences’ test (which applies to claims for whistleblowing detriments), rather than the sole or principal reason test required for claims relating to protected disclosures.
The EAT also found that the tribunal had failed to distinguish the impact of the three protected disclosures from the impact of all nine disclosures when assessing the reason for the dismissal.
Takeaways: Where an employee is dismissed, having made protected disclosures, the dismissal is not always automatically unfair. The proper test, namely whether the protected disclosures were the sole or principal reason for dismissal, must be applied and properly assessed by the tribunal. This is some comfort for employers, but emphasises the need for employers to be able to properly evidence the reason for a decision.
Sullivan v Bury Street Capital Ltd
Facts: An employee suffered two episodes of paranoid delusions which had a substantial adverse effect on his ability to carry out normal day-to-day activities. The first episode occurred in 2013 following the breakdown of a personal relationship, but the Claimant appeared able to partake in important business meetings abroad by the end of 2013 which indicated his condition had improved.
The second episode occurred in April 2017 when the Claimant’s condition worsened during discussions relating to his pay. On 7 September 2017, the Claimant was signed off work by his GP. On 8 September 2017, the Respondent terminated his employment on the basis of his capability. The Claimant brought claims for unfair dismissal, discrimination arising from disability, indirect disability discrimination, failure to make reasonable adjustments and unlawful deduction of wages. A jointly-instructed consultant psychiatrist considered that the Claimant was suffering from a delusional disorder.
Decision: The tribunal upheld the claim for unfair dismissal but rejected the other claims.
The tribunal accepted that the Claimant’s delusional beliefs persisted throughout the material period from 2013 to 2017, but the evidence did not show that a substantial adverse effect on his ability to carry out normal day-to-day activities likewise persisted. The tribunal found that there had been a substantial adverse effect from May to September 2013 and from April to July 2017. However, in neither case was it likely that the substantial adverse effect would continue for at least 12 months or recur, and therefore the Claimant was not disabled for the purposes of the EqA 2010.
The Claimant appealed, but the EAT dismissed the appeal. The Claimant appealed to the Court of Appeal, but the Court of Appeal also dismissed the appeal on the basis that the tribunal had set out its reasons adequately.
Takeaways: This case is a reminder of the test for disability and in particular the long term element of the definition. In this case the Tribunal concluded that later substantial adverse effects were not likely to recur given that the event triggering it was itself unlikely to continue. However, in many circumstances, episodic recurrence may strongly suggest that a further episode is something that "could well happen" and this may mean that an employee meets the definition of disability.
The Budget 2021 – implications for employment law
Minimum wage and inflation
The Chancellor confirmed the increased national minimum wage (NMW) and national living wage (NLW) rates that will apply from April 2022 as below:
- NLW for those over 23: from £8.91 to £9.50.
- NMW for those aged 21 to 22: from £8.36 to £9.18.
- NMW for those aged 18 to 20: from £6.56 to £6.83.
- NMW for those aged under 18: from £4.62 to £4.81.
- Apprentice Rate: from £4.30 to £4.81.
- Accommodation offset rate: from £8.36 to £8.70.
This represents a 6.6% increase, which should comfortably (or hopefully) incorporate the expected rise in inflation, which is currently forecasted to reach 4% - the highest since the financial crash.
The budget speech included genuine signs of positivity: growth is up, with the economy expected to expand by 6% over the coming year, and unemployment is at 5.2% (in comparison with the 12% figure that was predicted at the height of the pandemic). The expected spike in redundancies that many predicted would accompany the end of the furlough scheme at the end of September has failed to materialise, and the economy is expected to return to pre-Covid levels by the end of 2021.
Sector specific support and relaxation of business rates
Financial spending commitments for life sciences and SMEs were declared, including reforms of the R&D tax reliefs and a cut to business rates for retail, hospitality, and leisure businesses. This is an attempt to support the sectors hit hardest by the impact of the pandemic and lockdowns. For the 2022-23 financial year, these businesses will be able to claim a 50% reduction up to a maximum of £110,000.
Covid and furlough?
Covid was largely mentioned in the past tense, with little indication about any ongoing measures. Furlough came to an end on 30 September 2021, and there has been no mention of reinstating this support scheme.
Of course, the Government’s Plan B is waiting in the wings. With face coverings recently being reintroduced in shops and on public transport, further restrictions relating to the workplace and working arrangements are certainly possible.
The temporary visas for HGV drivers were raised as the current headline solution to the tighter business immigration regulations in the post-Brexit era. The introduction of HGV temporary visas has resulted in speculation that further exemptions to the business immigration system may be brought in, particularly in sectors such as agriculture or care. These sectors currently struggle the most with the skilled worker visa route, as many cannot meet the minimum salary threshold – currently the absolute minimum annual salary is £20,480.
The new immigration system, along with all the caveats and adjustments made in response to the worker shortage, is perhaps not a surprise to most but may also not be in line with Brexit expectations. The (unrealistic) expectation may have been for one way freedom of movement from the UK to the EU, without reciprocity. The reality, however, is leaning towards the reverse – perhaps increasingly so if further exemptions, no matter how temporary, are introduced.
Potential Future changes
A current hot topic amongst employment lawyers and HR professionals, the menopause is being discussed at government level – at the second reading debate of the Menopause (Support and Services) Bill on 27 October 2021, the government set out the actions it is taking to support those experiencing the menopause in the workplace:
- The Under-Secretary of State for Work and Pensions will host a roundtable discussion with organisations to improve support for and understanding of the menopause. Recommendations were due to be made to Parliament in November 2021.
- The Women and Equalities Committee will shortly hold an inquiry on menopause and the workplace.
- A new menopause taskforce will be established to encourage a fast and coherent approach to improved support for those experiencing the menopause.
Several organisations including the Chartered Institute of Personnel and Development, the British Menopause Society and the Faculty of Occupational Medicine, have produced guidelines for employers in how to support their staff and ideas for best practice.
Fire and Rehire
Acas has recently published advice on their website, including a podcast, to help employers dealing with fire and rehire situations.
The Acas guidance sets out that fire and rehire is not to be undertaken lightly, as the process can seriously damage working relations between employers and employees or cause wider reputational damage. Acas clearly sets out a number of risks for employers, including loss of staff, increased levels of stress, or claims by employees for breach of contract, unfair dismissal or discrimination. Employers are encouraged to make every effort to reach an agreement with staff on any contract changes – where contract changes are unavoidable, a genuine and meaningful consultation with staff can help to prevent conflict.
Monitoring of employees
With many employers retaining at least some element of homeworking for their staff, the trade union Prospect is calling for stronger regulations as to employers’ use of technology to monitor their employees and for monitoring through webcams to be made illegal (except during calls and meetings).
Recent polls have found that 32% of employees working from home are being monitored by their employers, rising to 48% for younger employees aged 18 to 34. The poll also shows that the use of cameras to monitor homeworkers has risen from 5% in April 2021 to 13%.
This is undoubtedly an area which will see change over the coming months and years, as employers grapple with homeworking and technology on the one hand, and data protection and privacy of individuals on the other.