Tag Archive: data privacy

Data Protection Bill: impact on employee data

On 14 September the UK Government published the draft Data Protection Bill, to replace the Data Protection Act 1998 (DPA) and supplement the forthcoming General Data Protection Regulation (GDPR) in certain key areas.

Our earlier blog entry provided an overview of the Bill. In this article we highlight the specific impact of the Bill on how employers process workforce data.

Extra safeguards for special categories of data

Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and data concerning health or a person’s sex life or sexual orientation.

The GDPR imposes strict controls on processing special categories of data. However, one of the limited grounds under the GDPR on which this data can be processed is where it is necessary for purposes authorised by Member State law “in the field of employment and social security and social protection law”.

The Bill sets out the basis on which special category data may be lawfully processed in the context of UK employment law. The derogation is narrow in scope and only covers processing necessary for compliance with legal obligations, such as administering statutory sick pay (SSP), avoiding unfair dismissal or discrimination, or complying with health and safety laws. Further, under the Bill, the ability to rely on the derogation is subject to the controller complying with additional conditions and safeguards. In particular, employers will have to put in place an appropriate policy document which:

  • Explains the employer’s procedures for securing compliance with the core data protection principles in the handling of the relevant special category data; and
  • Explains the employer’s policies as regards the retention and erasure of the special category data, giving an indication of how long such personal data is likely to be retained.

In addition, the controller must review and update the policy document from time to time, retain it, and make it available to the ICO (the UK data protection regulator) on demand. These are substantial new procedural requirements which employers will not currently have in place when handling this data, and they will need careful governance to manage.

The employer will also need to keep a more detailed record of the processing of special categories of data, supplementing the GDPR’s general new requirement to maintain a record of processing activities covering HR data.

All employers will process special categories of data, particularly health data, as a normal part of the employment relationship. As well as ensuring that they are only processing this data for lawful purposes, employers will have to decide how best to build these added requirements into their general GDPR compliance arrangements and existing HR policies in the relevant areas (such as recruitment and absence management). To achieve compliance in practice, employers will need to train staff on the procedures for dealing with such data in accordance with the safeguards, in particular ensuring appropriate deletion or destruction.

Information relating to criminal convictions and offences

The GDPR contains a general prohibition on processing personal data relating to criminal convictions and offences, including allegations of an offence. This has caused real alarm amongst UK employers, who need to process such information within the employment relationship at times (in some disciplinary and grievance matters, for example) and who currently carry out criminal record checks routinely on recruitment.

Fortunately for UK businesses, the Bill enables processing during the course of employment where necessary, for example, for employment law compliance. The Bill also makes it clear that employers will be able to continue to carry out criminal records checks where employees are subject to the enhanced DBS regime (ie for roles working with children and vulnerable adults). It is also likely to assist criminal record checks where necessary for regulatory compliance. The same safeguards as for special category data must be applied.

However, the full range of circumstances in which criminal record checks could be carried out on recruitment remains unclear. On the basis of the current Bill, employers would still not be able to carry out blanket criminal records screening pre-employment for all sectors and roles, as is common for many UK employers today. More clarity in this area would be welcome as the Bill progresses; in the meantime, employers who currently carry out checks should take specific advice about whether these are likely to be permitted going forward under the Bill in their particular circumstances.

Next steps

It should be noted that the Bill has yet to be debated in Parliament and may be subject to change before it receives Royal Assent. The Bill will go to the House of Lords committee stage on 20 October 2017.

The additional obligations which the Bill will place on employers in respect of workforce data make it critical that the HR team is an integral part of an organisation’s preparation for the GDPR.

Suggested tasks to take now:

  • Identify special categories of data processed throughout the employment lifecycle from recruitment to termination and beyond;
  • Understand the legal basis for processing and identify what will need to change to comply with the new regime;
  • Prepare to update and implement appropriate policies and changes to HR practices and procedures to manage these obligations; and
  • Prepare to train staff on their obligations under the new regime.

For more information on data privacy visit DLA Piper’s Privacy Matters blog.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/data-protection-bill-impact-on-employee-data/

Draft Data Protection Bill published

Yesterday the Government published the draft Data Protection Bill, which will replace the Data Protection Act 1998, supplement the General Data Protection Regulation in certain areas and provide more detail on how the GDPR will be enforced in the UK. DLA Piper’s Privacy team has published a blog post on their Privacy Matters blog which explains the key provisions of the Bill.

The Bill will have a significant impact on how employers deal with HR data. We will be publishing a further alert on these aspects of the Bill early next week.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/draft-data-protection-bill-published/

Monitoring employees: Guidance on privacy in the workplace

The recent decision of the European Court of Human Rights in Barbulescu v Romania (see our Be Aware blog post of 7 September) has placed the spotlight once more on the extent to which employers are permitted to monitor their employees’ communications and activities.

The adoption of new information technologies in the workplace allows for systematic and potentially invasive monitoring, enabling employers to track employees not just in the workplace but potentially in their homes through many different devices, including smartphones, tablets and wearables. The boundaries between work and home have become more blurred as more employees work remotely using their employer’s equipment, or bring their own devices to work. Monitoring of individuals at work can increasingly shade into monitoring in a private context. A further risk comes from the over-collection of data such as WiFi location data; analysis of metadata may allow for invasive and detailed monitoring of an individual’s life and behaviour. Such new technologies create significant privacy challenges. Whilst data privacy and human rights legislation do not prevent employers from monitoring workers, employers should remember that workers are entitled to some privacy at work.

The General Data Protection Regulation (GDPR), which comes into force in May 2018, will significantly raise the stakes for employers to ensure that their monitoring systems stay on the right side of the privacy line. With this in mind, on 8 June 2017 the EU Article 29 Working Party on data protection adopted a new Opinion on data processing at work. Whilst primarily concerned with employers’ current obligations regarding monitoring, the Opinion looks forward to the additional obligations which will be placed on employers by the GDPR.

In order to process personal data in the employment context, the employer must have a legal basis for doing so. Processing of special categories of data (usually referred to as sensitive personal data) is prohibited unless an exception applies; even where such an exception applies, the employer must still have a legal basis for processing the data. The Opinion emphasises that for the majority of processing at work, including monitoring, the legal basis cannot and should not be consent. Consent is generally not valid in the employment context because it cannot be freely given, owing to the real or potential prejudice which will usually arise from the employee not consenting.

Employers will more commonly seek to rely on the processing being necessary for a legitimate interest as the legal basis. Where the employer relies on legitimate interest, the processing must also be proportionate and should be carried out in the least intrusive manner possible. Specific mitigating measures should also be put in place to ensure a proper balance between the legitimate interest of the employer and the rights of employees; such measures might include monitoring only in certain areas, avoiding monitoring of sensitive areas such as changing rooms, avoiding monitoring of personal communications, and undertaking spot checks rather than continuous monitoring.

Employees must be informed of the existence of any monitoring, the purposes for which personal data are processed and any other information necessary to ensure fair processing. The information requirements under the GDPR will be more detailed and specific.

In order to comply with GDPR, employers as data controllers are required to implement data protection by design and default. An example of the impact which this has on workforce data is that where an employer issues devices to employees, the most privacy-friendly solutions should be selected if tracking technologies are involved.

The Opinion addresses a number of data processing at work scenarios in which new technologies have the potential to result in high risk to the privacy of employees:

  • Processing during recruitment

Employers should not routinely  inspect the social media profiles of prospective candidates during recruitment processes. Such information should only be reviewed if it is necessary for the job, for example in order to be able to assess specific risks regarding candidates for a specific function. Candidates must be informed if social media information will be reviewed during recruitment.

Data collected during the recruitment process should generally be deleted as soon as it is clear that an offer of employment will not be made or not be accepted.

  • Processing during in-employment screening

Similarly, in-employment screening of employees’ social media profiles should not take place on a generalised basis. Employees also should not be required to use a social media profile provided by their employer; the option of a ‘non-work’ profile must be available.

  • Monitoring ICT usage in the workplace

Technological developments have enabled newer, potentially more intrusive and pervasive ways of monitoring employees’ ICT usage. The Opinion suggests that, as good practice, employers should offer alternative unmonitored access to communication technologies so that employees can exercise their legitimate right to use work facilities for some private usage. Employers may be tempted to implement an “all-in-one” monitoring solution for all ICT usage in the workplace, for example an appliance which decrypts and inspects secure traffic to detect anything malicious but which, as a side effect, also records an employee’s entire online activity on the network. The employer can rely on legitimate interests to protect the network; however, monitoring every online activity of employees is an interference with the right to secrecy of communications. In practice the security purpose is served by retaining security-relevant events rather than a full browsing history, and by excluding personal communications from inspection. A policy should be developed and made easily accessible which sets out the purposes for which, when and by whom suspicious log data can be accessed, and which guides employees about acceptable and unacceptable use. If it is possible to block websites rather than continuously monitoring communications, blocking should be chosen. Prevention should be given more weight than detection: it is in the employer’s interest to prevent internet misuse rather than to detect it.

  • Monitoring ICT usage outside the workplace

ICT usage outside the workplace has become more common with the growth of home and remote working and ‘bring your own device’ (BYOD) policies. These technologies can pose a risk to employees’ private lives as workplace monitoring extends into the domestic sphere.

In respect of remote and home working, the use of, for example, software which logs keystrokes and mouse movements or captures screenshots, logging of applications used and remotely enabling webcams will be disproportionate.

In respect of BYOD policies, appropriate measures must be in place to distinguish between private and business use to prevent monitoring of private information.

Where employees are provided with wearable devices which track health information, processing of the data by the employer is prohibited as it falls within a special category of data. The health data should only be accessible by the employee.

  • Time and attendance data

Systems that allow employers to control who can enter their premises or restricted areas can also allow the tracking of employees’ activities. New technologies may also process biometric data. Employees must be informed about any such processing and continuous monitoring of entrance and exit times cannot be justified for purposes such as performance evaluation.

  • Vehicle tracking

Any employer using vehicle telematics will collect data about the employee using the vehicle. Employers may be legally obliged to install some tracking (eg for driver hours records) and may have a legitimate interest in knowing where company vehicles are. However, use of such data should be proportionate. If private use of a vehicle is permitted, employees should have the opportunity to turn off location tracking where appropriate. The employer must also clearly inform employees that company vehicles are fitted with trackers.

  • Disclosure of employee data to third parties

It has become increasingly common for companies to transmit employees’ data to customers for the purpose of ensuring reliable service provision. However, such data should only be provided if it is proportionate. For example, in the case of a delivery driver, the company might have a legitimate interest in transmitting information regarding the driver’s location to a customer, but not their name or a photograph.

Employers need to re-examine their employee monitoring systems and policies as part of their preparation for being GDPR-compliant.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/monitoring-employees-guidance-on-privacy-in-the-workplace/

Government publishes Statement of Intent on proposals for new data protection laws

On 7 August 2017, the Government published its Statement of Intent (SoI) on ‘A new Data Protection Bill: Our planned reforms’. The SoI states that implementation of the GDPR and repeal of the Data Protection Act (DPA) will be done in a way that, so far as possible, preserves the concepts of the DPA, to ensure that the transition is as smooth as possible for everyone while complying with the GDPR in full.

The Government has 3 main objectives in its approach to data protection law as we prepare to leave the European Union – (1) Maintaining trust; (2) Future trade; and (3) Security.

DLA Piper’s Data Privacy team has published a blog on the SoI here. The key aspects from an employment perspective are as follows:

Rights of individuals

The Bill aims to better protect UK citizens through a combination of new and strengthened existing rights:

  • Privacy – rules around consent are being strengthened and subject to additional conditions such as being unambiguous and easy to withdraw;
  • Improved data access – it will be easier for individuals to require an organisation to disclose the personal data it holds about them, at no charge;
  • Right to be forgotten – individuals will be able to ask for their personal data to be erased; and
  • Profiling – individuals will have greater say in decisions that are made about them based on automated processing.


Requirements for organisations

Requirements will be strengthened or amended to reflect the changing nature and scope of the digital economy. The aim is to build accountability but with less bureaucracy – administrative and financial burdens will be alleviated but there will be increased requirements for data breach notification. The Bill will help to reduce business exposure to risk of data protection breaches and associated fines and reputational damage and will provide a clearer regime for data processing.

Regulator’s powers

The Information Commissioner will retain existing powers and gain additional authority to impose greater sanctions in the event of data breach.

Exceptions and derogations

The Government conducted a ‘Call for views’ on the GDPR derogations which closed on 10 May 2017. The Bill will exercise the available derogations in the GDPR. The most notable are:

  • Giving consent to process data and protecting children online – children aged 13 or older will be able to consent to their personal data being processed;
  • Processing criminal conviction and offence data – the Government will legislate to extend the right to process personal data on criminal convictions and offences so as to enable organisations other than those vested with official authority to process such data. It will take a similar approach to that taken for the processing of sensitive categories of data;
  • Automated decision making – the Government will legislate to implement the exemption where suitable measures are put in place to safeguard an individual’s rights, freedoms and legitimate interests, eg a bank checking creditworthiness before agreeing to provide a loan; and
  • Research – research organisations will not have to respond to subject access requests (SARs) when this would seriously impair or prevent them from fulfilling their purposes; they will not have to comply with an individual’s rights to rectify, restrict further processing or object to processing where this would seriously impede their ability to complete their work, provided that appropriate organisational safeguards are in place to keep the data secure.

Implications

The full detail of how the Government intends to implement the GDPR in the UK to ensure that data transfers to and from Europe post-Brexit are protected will not be clear until the text of the Bill is published. There are welcome indications that the Bill will deal with some aspects of the GDPR which could otherwise have been problematic for UK employers such as the prohibition on processing data about criminal records. It remains to be seen whether the Bill will deal with other problem areas such as the GDPR’s lack of exemptions to data subject access requests which could lead to employers being required to disclose privileged information. However, the SoI is helpful in further articulating the UK Government’s commitment to the adoption of the GDPR both pre- and post-Brexit.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/government-publishes-statement-of-intent-on-proposals-for-new-data-protection-laws/

How to prepare for GDPR: Implementing a compliance programme

In the latest in our series of briefings on preparing for GDPR, we focus on the steps necessary to implement a GDPR compliance programme. With only one year to go until GDPR comes into force on 25 May 2018, it is vital that organisations take action now to ensure that they are ready to comply with GDPR, in order to be in a position to meet regulatory standards, and minimise risk.

The aim is to be compliant by 25 May 2018 but this may be challenging so it is sensible to focus on the most important and risky areas first. The key features of the implementation of a compliance programme are to:

  • Assemble a project team;
  • Assess potential areas of exposure in your current working processes;
  • Develop a clear plan of action to be ready for 2018;
  • Implement changes needed in a logical / prioritised manner; and
  • Establish an effective information governance framework to manage risk.

Assembling the team

Implementation of a GDPR compliance programme requires a substantial investment of money, organisational resources and management time. It is vital to identify key stakeholders and ensure that the organisation has board or senior management buy-in to support the project.

Employers should first determine whether or not a data protection officer (DPO) must be appointed. Even if the organisation is not required to appoint a DPO, it should assign an individual responsibility for compliance with data protection legislation. The data protection lead will then need to bring together a team from within the organisation with the necessary skills and expertise. Legal, HR, IT and compliance teams will need to take an integrated approach. Technical and/or specialist support may be required to understand where the organisation currently holds personal data, and whether or not current systems are capable of operating within the parameters required to comply with the GDPR.

Once the team is in place, they will need to work with each business area to identify the specific privacy risks that the organisation is exposed to and how these can be mitigated or avoided.

Conducting an initial risk assessment

The first step is to undertake an assessment of current practice – how the business collects, uses and shares personal data and how you regulate all this effectively within the business (ie proper record keeping, training, guidance, audit processes).

The next step is to identify and prioritise the gaps between where the organisation is now and where it wants to be by reviewing existing data practices against GDPR requirements. This exercise should be used to assess the level of privacy risk that the organisation is exposed to, based on:

  • The amount and type of data processed (eg if it is sensitive personal data);
  • The reason for processing;
  • Who it is shared with (eg if it is transferred to processors or other parties); and
  • Locations in which processing occurs (eg if it is transferred outside the EEA).

Establishing a GDPR compliance action plan

Once the organisation has conducted an initial audit and risk assessment, the next step is to create an action plan and timeline for developing and implementing a GDPR compliance programme. This should include the following steps:

  • Prioritise compliance activity and remedial measures based on areas with the highest risk;
  • Create a data register to meet GDPR recordkeeping requirements;
  • Review systems and processes. Can the organisation’s IT systems and processes cope technically with the expanded individual rights?
  • Create and/or review privacy policies and procedures with clear and practical guidance on GDPR compliance;
  • Review and update current privacy notices;
  • Integrate privacy by design and default. Collect the minimum amount of information and consider privacy from the outset of each project involving personal data;
  • Prepare for data breach notifications. Develop a data breach response programme for prompt notification and investigation;
  • Provide training on data protection policies and procedures, and specific training for individuals who process data;
  • Implement regular audits against defined metrics (eg number of privacy complaints, completion of training, data breaches suffered) to assess the ongoing success of the compliance programme; and
  • Review staffing requirements for ongoing data protection compliance.

How we can help

DLA Piper’s employment team have a wide range of experience in the field of employer data privacy, and are actively involved in assisting clients to prepare for GDPR. We can help you to:

  • Identify existing data systems and the personal data processed throughout the employment lifecycle from recruitment to termination and beyond;
  • Understand the legal basis for processing and identify what will need to change to comply with the new regime;
  • Identify particular risk areas where use of data could be exploited to delay or disrupt business critical decisions; and
  • Develop and implement policies or changes to HR practices and procedures to manage potential GDPR issues and support compliance.


Permanent link to this article: http://www.dlapiperbeaware.co.uk/how-to-prepare-for-gdpr-implementing-a-compliance-programme/

Preparing for the GDPR: New employee data subject rights could disrupt core HR procedures

The General Data Protection Regulation (GDPR), due to come into force throughout the EU including the UK on 25 May 2018, will force through a culture change in terms of attitudes to data privacy, according to the Information Commissioner Elizabeth Denham. Speaking at the Data Protection Practitioners’ Conference 2017, Denham warned that organisations risk damaging their brands and their business if they are seen to be cavalier with personal data: “If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.”

It is important to recognise that it is also a key HR issue. Data protection will become one of the major issues, and potentially a source of disputes, in the employment context in the next few years. Employers will need to adopt a whole new culture in relation to the processing of HR data in light of more restrictions on processing, new and strengthened rights for employees and much more stringent penalties.

Far from being a stand-alone issue or tick-box exercise requiring nothing more than updated data protection policies, data protection will impact the heart of the employment relationship and the operation of core HR projects and procedures.

The GDPR will make it difficult, if not impossible, to rely on consent for processing in the employment context, due to new and more restrictive conditions for consent and the ability to withdraw consent at any time.

The most commonly used legal basis for processing HR data (beyond processing required by law) is therefore likely to be legitimate interest. Employers will be able to show a legitimate interest in processing ordinary HR personal data for routine HR processes. However, employees have the right to object to their data being processed, or to ask for it to be deleted, where processing is based on legitimate interests. If this happens, employers must stop the processing unless and until they have demonstrated to the employee compelling legitimate grounds for the processing which override the objection.

Similarly, if employees challenge the accuracy of HR personal data processed by the employer, they can require cessation of processing or deletion of the data unless accuracy is verified.

Although in many cases the employer may be able to show an overriding need to process the data and that it is sufficiently accurate, the employer will be unable to process the data whilst this is established. These rights could be used by employees individually or collectively to disrupt and delay HR processes such as appraisals, capability procedures, disciplinary and grievance proceedings, restructures and redundancy exercises and TUPE transfers. Alternatively, they may rely on unlawful processing to challenge management decisions in subsequent employment tribunal proceedings, as well as making complaints to the Information Commissioner’s Office.

The risk for employers can be mitigated by ensuring that privacy considerations are embedded in each HR process and project, both in their design and in how they are operated. To minimise the risk of the disruption specifically highlighted above, businesses should take the following steps as part of the wider review preparing for GDPR before it comes into force:

Legitimate Interest Objections

  • Understand where legitimate interest is the correct legal basis for HR data processing, the likelihood of objections, and whether there is likely to be an overriding compelling ground to continue processing in the event of an objection;
  • Establish a process for dealing with objections promptly and efficiently, being clear who has authority to make the judgment.

Accuracy Challenges

  • Consider how accuracy of data relied on by the business is ensured in each HR process and improve processes where necessary;
  • Build in opportunities to review accuracy or raise queries where appropriate; and
  • Establish an efficient process for dealing with accuracy challenges under GDPR including any verification required, authority for sign-off and responding to the employee.

These and other new and expanded rights under GDPR hugely increase the potential for data protection to be used as a weapon in the context of employment disputes and prospective areas of conflict. In future briefings we will focus on different practical impacts of GDPR on the employment relationship and what business can do to manage these and prepare for implementation by May 2018.

On a more general basis, the HR team needs to be an integral part of an organisation’s preparation for the GDPR. We can help you to:

  • Identify existing data systems and the personal data processed throughout the employment lifecycle from recruitment to termination and beyond;
  • Understand the legal basis for processing and identify what will need to change to comply with the new regime;
  • Identify particular risk areas where use of data could be exploited to delay or disrupt business critical decisions; and
  • Develop and implement policies or changes to HR practices and procedures to manage potential GDPR issues and support compliance.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/preparing-for-the-gdpr-new-employee-data-subject-rights-could-disrupt-core-hr-procedures/

Privacy Shield adopted by European Commission and US Department of Commerce

Earlier this month, the European Commission (EC) voted to adopt the final version of the new EU/US data protection scheme, the Privacy Shield, which provides a mechanism for the valid transfer of personal data from the EU to the US. The scheme was approved simultaneously by the US Department of Commerce (DoC). The Privacy Shield is a replacement for the previous EU/US data transfer scheme, the Safe Harbour Agreement, which was declared invalid by the European Court of Justice in October 2015. Click here and here for previous Be Aware posts on Safe Harbour and here for our GENIE post on the impact on employee data.

New improved scheme?

The purpose of the Privacy Shield scheme is to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. The EC considers that the Privacy Shield arrangements satisfy the requirements identified by the ECJ when it declared the Safe Harbour scheme invalid. The DoC believes that it “provides a set of robust and enforceable protections for the personal data of EU individuals”. The scheme is intended to give EU individuals more transparency about transfers of their personal data to the US; stronger protection of their personal data; and easier and cheaper options for making a complaint, which can be made directly or with the assistance of their local Data Protection Authority.

Businesses in both the EU and US will have to understand the details of the new scheme; US corporations will have to take steps to comply, while businesses in the UK and elsewhere across the EU transferring data to the US will need to verify that the recipient in the US is compliant.   To join the Privacy Shield framework,  US corporations must –

  • Self-certify annually to the DoC that they meet the requirements of the scheme and agree to adhere to the Privacy Shield Principles which cover notice, choice, access, accountability for onward transfer, security, data integrity and purpose limitation, recourse/enforcement and liability.
  • Publicly commit to comply with the framework’s requirements. This commitment will be enforceable under US law.
  • Publish a Privacy Shield Privacy Policy on their website.
  • Reply promptly to any complaints and provide an independent recourse mechanism.   Further redress will also be available through data protection authorities (DPAs) and the Privacy Shield Panel.
  • Ensure accountability for data transferred to third parties.

Specific rules for HR data

For companies that transfer or receive human resources data for the purposes of employment relationships, there are certain specific Privacy Shield rules which apply. In particular:

  • Where an EU employee complains about a breach of data protection rights, their ultimate recourse will lie with the national DPA in the jurisdiction in which they work. This is because primary responsibility for their data remains with the EU employer organisation. As such, the framework makes clear that US organisations using EU human resources data must commit to cooperate and comply with requirements of the competent EU authority.
  • Organisations that are required to utilise EU DPAs in this way must pay an annual fee to cover the operating cost of the EU DPA panel. The fee is not to exceed USD 500.
  • Where an organisation’s self-certification relates to human resources data, the privacy policy covering that data must be made available to the organisation’s employees whose data will be transferred to the US, but need not be made publicly available.

Action points

The US DoC has indicated that it will begin accepting self-certifications to the Privacy Shield on 1 August 2016.   Steps that organisations will need to take prior to self-certification include –

  1. Checking eligibility to participate in the Privacy Shield – organisations that are subject to the jurisdiction of the US Federal Trade Commission or the Department of Transportation may participate.
  2. Identifying and putting in place an independent recourse mechanism.
  3. Developing a Privacy Shield compliant privacy policy which must –
    • Conform to Privacy Shield Principles.
    • Specifically refer to Privacy Shield compliance.
    • Identify the organisation’s independent recourse mechanism.
    • Be made publicly available.
  4. Ensuring that the organisation has procedures in place to verify compliance with the Privacy Shield. This can be either an internal self-assessment procedure or an external assessment program.
  5. Designating a Privacy Shield contact within the organisation who will be responsible for handling questions, complaints, access requests and other issues arising under the Privacy Shield.

Sign up or wait and see?

The Privacy Shield framework has been a long time in the making but, now it is finalised, perhaps the biggest question for companies is whether or not to use it as a means of protecting their EU/US data transfers.   Despite the strongly expressed views of both the EC and the DoC that the framework satisfies EU requirements, there is nonetheless some doubt about its long term validity. Certain EU DPAs are believed to be critical of the scheme; it is not clear that its terms are sufficient to satisfy the more stringent requirements of the EU General Data Protection Regulation which will come into force in 2018; and given the continued mass surveillance by the US Government, litigation challenging the new scheme is fully expected.   In view of this uncertainty, rather than immediately signing up to the Privacy Shield, some organisations may choose to adopt a wait and see approach, preferring, for example, to execute or continue to use other mechanisms available for international data transfers such as standard contractual clauses or binding corporate rules.  All organisations are recommended, however, to use the implementation of the Privacy Shield as the impetus for reviewing their data protection and international transfer arrangements and verifying that they are using the method best suited to their organisation.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/privacy-shield-adopted-by-european-commission-and-us-department-of-commerce/

Despite Brexit, businesses need to start preparing for the General Data Protection Regulation

The Information Commissioner’s Office (ICO) has published an Overview of the European General Data Protection Regulation (GDPR) for organisations. The changes anticipated by GDPR are wide-ranging and require a cross-organisational compliance framework that will take time to assess and implement effectively. Organisations which process data within the UK should start their planning now if they have not already done so.

The result of the 23 June 2016 referendum on membership of the EU means that the Government will ultimately need to consider the effect on the GDPR. However, Brexit should have little, if any, impact on GDPR compliance planning. The GDPR will come into force in the UK without the need for implementing legislation in May 2018, at which time it seems likely that the UK will still be a member of the EU (as exit negotiations are likely to take at least 2 years and have not yet been triggered).

Following the UK’s eventual exit, if the terms of the UK’s withdrawal from the EU result in the UK remaining in the EEA, it is likely that the UK would be required to comply with the GDPR. Even if the UK is outside the EEA, the practical reality is likely to be that substantial compliance with GDPR principles will be required in any event. In order for data to continue to be transferred from other EU countries to the UK, the UK will have to be able to demonstrate that it provides adequate protection for the rights of employees whose personal data is transferred. Demonstrating such adequate protection would be likely to require the implementation of much of the GDPR in national law.

The ICO has also expressed the view that UK data protection legislation requires reform in any event, and it seems likely that they would press for UK law to conform to a large extent with the GDPR.

Key actions which organisations should put in place now include:

  • Put in place effective governance – Organisations should have a strong governance function in place, capable of impacting on and involving all parts of the organisation.  Cross department teams will be needed to ensure effective compliance with the GDPR including HR, IT, Legal and Data Protection or other compliance specialists. Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR; they need to appreciate the impact this is likely to have including on employee data. The degree of change over the next couple of years is such that effective governance is going to be critical to implementing the changes effectively and in good time.  There will need to be ongoing governance in place regarding data flows, privacy notices and documenting privacy impact assessments in a way that hasn’t been seen before.
  • Audit data flows to be clear about the purposes and legal basis for processing – Increasing awareness of the rights of data subjects and the changes to the legal bases for processing are two very good reasons to do this. The GDPR will have a significant impact on how, and how much, employee data can be processed. Use of data (including big data) will impact on all aspects of the employment relationship from recruitment, to compensation and benefits, mobility of your workforce and structural change and growth. HR involvement will be key to ensuring (i) that organisations can continue to process employee data for the purposes which are critical to both day to day management and the achievement of strategic objectives and (ii) that organisations are not exposed to the risks of the substantial sanctions which may be imposed for misuse of employee data under the GDPR.
  • Implement training within your organisation – Many data privacy breaches are caused by simple errors.  By having effective and memorable training processes in place an employee is more likely to think about their actions and hence a breach is avoided.  Effective training on good practice will be valuable whatever legislation is ultimately in place.

For a copy of the ICO Overview click here. The ICO has also published ‘Preparing for the GDPR: 12 steps to take now’ which provides practical guidance.


Permanent link to this article: http://www.dlapiperbeaware.co.uk/despite-brexit-businesses-need-to-start-preparing-for-the-general-data-protection-regulation/

New European data protection rules will have significant impact on employers

Today’s adoption of the new EU General Data Protection Regulation (GDPR) heralds a new dawn in data protection, with far-reaching consequences for employers. For many, there will need to be a wholesale change in culture with a brand new approach to processing personal employee data. It is likely that existing practices will fall far wide of the mark and will require substantial review before the GDPR takes effect in 2018.  The importance of this cannot be overstated due to the introduction of extremely onerous sanctions which will heavily penalise breaches of the GDPR.

Although the new regime is challenging, compliance is achievable provided suitable planning and preparation is undertaken, and the correct steps are taken at the right time – beginning with a thorough audit of existing practices for data processing. The UK’s Information Commissioner’s Office (ICO) has published useful guidance for employers on the “12 steps to take now”. In order to meet the new obligations, co-operation in, and understanding of, the issues across the business is critical and employers are therefore likely to need Legal, HR, IT and Compliance teams to take an integrated approach.

Red flags for employers

The most important issues for employers, potentially involving changes to existing practices and/or new and significant administrative burdens, will include:

  • Grounds for processing employee data need to be audited: Employers will need to carefully consider the basis on which they process employee data. Employee consent to processing will almost certainly be invalid in the employment context, and, in any event, can be withdrawn at any time. Grounds which have been historically relied on, such as the employer having a legitimate interest in the data processing, will be subject to challenge due to a new right for employees to object to processing on this ground which cannot be overridden unless the employer has compelling legitimate grounds for the processing.
  • Data subject access requests will be easier for employees:  Employees will be able to make data subject access requests without restriction and without payment of a fee, unless the requests are manifestly unfounded or excessive. Employers must respond without ‘undue delay’ and no later than 1 month (subject to a 2 month extension for complex/multiple requests). At present, there are no exemptions (even on the grounds of legal privilege) which an employer can rely on to avoid provision of the employee’s personal data.
  • Extensive information will have to be given to employees when obtaining personal data: An administratively onerous net is cast over employers with the requirement to provide an extensive list of information to employees at the point when employers obtain their personal data.
  • Routine criminal records checks may not be allowed: Employers may have to review any policy of routinely conducting standard (ie not enhanced) criminal records checks. Under the new regime this appears to be unlawful on the basis that there is no requirement under UK law to carry out these checks.
  • Employees have new rights to erasure and rectification of their personal data: Employers must promptly erase an employee’s data if one of a number of grounds applies, including that the data is no longer necessary for the purpose for which it was collected. Where data is alleged to be inaccurate, employers will also have onerous responsibilities to check and rectify the data and will be restricted as to how it is used in the interim.
  • Employees have the right not to be subjected to automated decision making: Unless it is necessary for entering into, or performance of, a contract between the employer and employee, is authorised by EU or UK law or is based on the employee’s explicit consent, employees have the right not to be subject to automated decision making, including profiling if it impacts on them legally or significantly. This is likely to apply to matters such as automated shortlisting; performance management triggers for sickness absence; attendance bonuses; holiday or shift rostering. Employers will therefore need alternative mechanisms for decision making if challenged.
  • Employers must notify any data protection breaches within 72 hours: Employers will have to notify the relevant national data protection authority (in the UK, the ICO) within 72 hours of becoming aware of a data protection breach resulting in unauthorised loss, amendment or disclosure of data, unless the breach is unlikely to result in a risk to the rights of the employees. If there is a high risk to employee rights employers will also have to promptly communicate the breach to the employees individually.
  • Employers must be audit ready at all times: Employers are expected to set up systems in a way which ensures compliance by design and default – restricting the data, use and access. The onus is on employers to prove compliance and they must keep records and have policies in place to demonstrate that.
  • Data protection standards may be ‘ramped up’: The long awaited harmonisation arrangements mean national supervisory authorities will be required to co-operate, assist each other in performing their tasks, provide mutual assistance and to actively take steps to achieve consistent application throughout the European Union. On the basis that it is unlikely that member states with stringent laws on data processing will want to compromise their protection, this may lead to a ‘ramping up’ of data protection across Europe to the highest denominator. The concept of lead supervisory authorities for cross-border processing is also being introduced which may be administratively beneficial for multi-national organisations; however, as the national supervisory authority will remain competent in a number of circumstances, it will remain to be seen how effective having a lead authority is in practice.
  • Transfers of data to third countries may be easier: Under the new regime, personal data may be transferred to a third country or an international organisation where there is a Commission finding of adequacy, if appropriate safeguards are in place eg binding corporate rules or standard contractual clauses adopted by the Commission or the ICO, or if one of a number of prescribed derogations is met. The recent impact of the Schrems case (which declared the Safe Harbour regime ineffective) will therefore potentially be resolved if the EU-US Privacy Shield is given a final finding of adequacy.
  • Sanctions are extremely onerous: Infringements relating to matters including the basic principles for processing (including conditions for consent) and the rights of data subjects will attract maximum penalties of €20,000,000 or 4% of total worldwide annual turnover, if higher.
  • Appointment of a DPO may be required: Employers must appoint a data protection officer (DPO) if they are a public authority, are required to do so by local law or have core activities which require regular and systematic monitoring of individuals on a large scale, or if they carry out large scale processing of sensitive data or criminal records. The DPO is expected to be an expert in data protection law and will have significant responsibilities in ensuring compliance with the GDPR.

With the regulation expected to enter into force in 2018 (and no need for national implementing legislation), employers would be wise to use this lead-in period to fully analyse their existing data processing habits, question what data collection and processing is truly necessary for the employment relationship and introduce new policies and procedures to manage the data processing cycle so that they can enter 2018 with their house in order, fully equipped to address the data processing challenges ahead.

There is no doubt that the arrival of the GDPR is timely, coming at a point when information and communication technologies now underpin all aspects of the employment relationship and when employee awareness of individual privacy rights is high. Employers who have previously taken a more pragmatic view of compliance for employee data, prioritising protection of consumer and customer data instead, can no longer afford to do so.

For general information on data protection issues, view DLA Piper’s GDPR website and Privacy Matters blog.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/new-european-data-protection-rules-will-have-significant-impact-on-employers/

Employers do not have green light to monitor employee emails, despite ECHR judgment

A recent case before the European Court of Human Rights has set the cat amongst the pigeons on the perennial hot topic of employees’ entitlement to privacy and data protection in the workplace.

Widespread media reports would lead employers to believe that unfettered monitoring of employee emails and internet use is now acceptable and that engaging in personal correspondence during working hours is legitimate grounds for dismissal. However, this is simply not the case, and employers must beware. An employer who engages in this type of monitoring, and imposes disciplinary sanctions as a consequence, can, in fact, expect to find themselves in hot water. Employers must, as a minimum, have comprehensive, and bespoke, internet policies in place, clearly setting out the rights and obligations of employees, how monitoring is conducted and how data is processed and used. The policies must also be effectively communicated to employees, accompanied by appropriate training and consistently enforced.

The case

Barbulescu v Romania

The claimant, Mr Barbulescu, was an engineer in charge of sales who was employed from August 2004 – August 2007. In July 2007, Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account for the purpose of responding to clients’ enquiries. The employer gave notice to its employees at the beginning of July that internet use would be monitored (although this was disputed by Mr Barbulescu). In the period 5-13 July, the employer monitored Mr Barbulescu’s Yahoo communications. This identified that Mr Barbulescu had been using the internet for personal purposes, contrary to the company’s rules which prevented personal internet use. The rules stated, “It is strictly forbidden to disturb order and discipline within the company’s premises and especially…to use computers, photocopiers, telephones, telex and fax machines for personal purposes”.

Mr Barbulescu initially denied any personal use, but the employer’s findings were backed up by a transcript of his communications. Mr Barbulescu sought to argue that his employer had violated the Criminal Code and the Romanian Constitution by violating his correspondence and brought a claim in the Bucharest County Court. The court dismissed his claim, finding that the employer had complied with the relevant disciplinary proceedings and that Mr Barbulescu had been informed about the employer’s rules on personal internet use.  The court said that as Mr Barbulescu had denied using the internet for personal use, the employer had no option but to check the content of his Yahoo communications, and that monitoring employees’ use of company computers was within the broad scope of the employer’s right to check the manner in which professional tasks were being completed.

Mr Barbulescu appealed the court’s decision, claiming that emails are protected by Article 8 of the Convention relating to respect for private life and correspondence. The Court of Appeal dismissed Mr Barbulescu’s appeal, ruling that the employer’s conduct had been reasonable and that monitoring his communications was the only method of establishing the disciplinary breach.

Mr Barbulescu therefore took his case to the European Court of Human Rights (ECHR). The ECHR identified that, on the face of it, telephone calls from business premises are covered by the notions of ‘private life’ and ‘correspondence’ for the purposes of Article 8, and that emails, and information derived from monitoring employee usage, would be similarly protected. The ECHR also found that in the absence of notice about monitoring, employees would have a reasonable expectation as to privacy of their calls and emails.

The ECHR said that it therefore needed to examine whether a fair balance had been struck between Mr Barbulescu’s right to respect for his private life and correspondence, and his employer’s interests. It found that there had, and that therefore Mr Barbulescu’s claim should fail (although one judge dissented in strong terms).  It relied on the following findings:

  • Mr Barbulescu had been able to raise his arguments before the domestic courts and they had found that the employer had acted within its disciplinary powers;
  • The domestic courts had also found that Mr Barbulescu had used the company’s computer for personal use during working hours, and that there had therefore been a disciplinary breach of the employer’s rules;
  • The employer had only accessed Mr Barbulescu’s account on the basis that the information in question was assumed to relate to Mr Barbulescu’s professional activities; it had not accessed any other documents or data on Mr Barbulescu’s computer and its monitoring was therefore limited in scope and proportionate;
  • The domestic courts had not placed any weight on the contents of the Yahoo account; they had only considered activity on that account to the extent it proved the breach of company rules;
  • It was not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
  • Mr Barbulescu had failed to convincingly explain why he had used the Yahoo account for personal purposes.

Implications

On the face of it, this case does appear to give employers some confidence about their ability to monitor employee emails and internet use. The ECHR was willing to find that a blanket ban on personal internet use was sufficient in this case to weigh the employer’s interests evenly against the claimant’s right to private life and protection of correspondence. This was so, even though it was in dispute whether the employee had been properly notified that monitoring would take place.

However, employers must still exercise significant caution. The UK has a raft of legislation and guidance governing employee monitoring and data protection, and in many workplaces, the lines are unlikely to be as clearly drawn as in this case. Further, in many cases, a blanket ban on personal internet and email use may be impractical. As identified by the dissenting judge, some employers will allow employees to use the company’s internet and email/messaging systems for personal use; others will allow employees to use their own equipment for work-related matters, and some employers will permit both. The dissenting judge was at pains to make clear that an employer’s right to monitor an employee’s communications is not unrestricted or at its discretion. The key issues to consider are:

  • Employees have a reasonable expectation of privacy;
  • Expectations of privacy may, in certain circumstances, be displaced by a bespoke internet policy with specific rules on email, instant messaging, social networks, internet surfing etc and a comprehensive policy on employee monitoring. Automatic or continuous monitoring of internet use is unlikely to be permissible;
  • Employees must be aware of the employer’s policies, both in terms of the rules which apply during working hours, and outside working hours, and in terms of any restrictions on the use of company equipment. Employees should give their explicit consent to the policies;
  • The enforcement of an employer’s internet policies should be guided by the principles of necessity and proportionality. For example, before carrying out any monitoring, employers should consider whether the benefits of that measure outweigh the adverse impact on the employees’ right to privacy;
  • Sanctions for a breach of the employer’s internet rules should normally start with a verbal warning, before moving to a written warning, and ultimately dismissal. Relevant considerations for the appropriate sanction are likely to include whether damage has been caused to the employer and/or whether there has been a pattern of behaviour over a sustained period of time;
  • Any processing of personal data for the purposes of the employment relationship, including staff management, and termination of employment, must be regulated by contract or collective agreement in line with data protection laws and principles. Specific forms of data processing like internet and email use are likely to warrant detailed rules and procedures.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/employers-do-not-have-green-light-to-monitor-employees-emails-despite-echr-judgment/
