Data Protection Bill: impact on employee data

On 14 September the UK Government published the draft Data Protection Bill, to replace the Data Protection Act 1998 (DPA) and supplement the forthcoming General Data Protection Regulation (GDPR) in certain key areas.

Our earlier blog entry provided an overview of the Bill. In this article we highlight the specific impact of the Bill on how employers process workforce data.

Extra safeguards for special categories of data

Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and data concerning health or a person’s sex life or sexual orientation.

The GDPR imposes strict controls on processing special categories of data. However, one of the limited grounds under the GDPR on which this data can be processed is where it is necessary for purposes authorised by Member State law “in the field of employment and social security and social protection law”.

The Bill sets out the basis on which special category data may be lawfully processed in the context of UK employment law. The derogation is narrow in scope and only covers processing necessary for compliance with legal obligations, such as statutory sick pay (SSP), avoiding unfair dismissal or discrimination, or compliance with health and safety laws. Further, under the Bill, the ability to rely on the derogation is subject to the controller complying with additional conditions and safeguards. In particular, employers will have to put in place an appropriate policy document which:

  • Explains the employer’s procedures for securing compliance with the core data protection principles in the handling of the relevant special category data; and
  • Explains the employer’s policies as regards the retention and erasure of the special category data, giving an indication of how long such personal data is likely to be retained.

In addition, the controller must review and update the policy document from time to time, retain it, and make it available to the ICO (the UK data protection regulator) on demand. These are substantial new procedural requirements which employers will not currently have in place when handling this data, and they will need careful governance to manage.

The employer will also need to keep a more detailed record of its processing of special categories of data, supplementing the GDPR's general new requirement to maintain a record of processing activities (in effect, a single authoritative record of HR data processing).

All employers will process special categories of data, particularly health data, as a normal part of the employment relationship. As well as ensuring that they are only processing this data for lawful purposes, employers will have to decide how best to build these added requirements into their general GDPR compliance arrangements and existing HR policies in the relevant areas (such as recruitment and absence management). To achieve compliance in practice, employers will need to train staff on the procedures for dealing with such data in accordance with the safeguards, in particular ensuring appropriate deletion or destruction at the end of the retention period.

Information relating to criminal convictions and offences

The GDPR contains a general prohibition on processing personal data relating to criminal convictions and offences, including allegations of an offence, unless the processing is carried out under the control of official authority or authorised by Member State law. This has caused real alarm amongst UK employers, who at times need to process such information within the employment relationship (in some disciplinary and grievance matters, for example) and who currently carry out criminal record checks routinely on recruitment.

Fortunately for UK businesses, the Bill enables processing during the course of employment where necessary for employment law compliance, for example. The Bill also makes it clear that employers will be able to continue to carry out criminal record checks where employees are subject to the enhanced DBS regime (i.e. for roles working with children and vulnerable adults). It is also likely to assist criminal record checks where necessary for regulatory compliance. The same safeguards as for special category data (an appropriate policy document and detailed records of processing) must be applied.

However, the full range of circumstances in which criminal record checks may be carried out at recruitment remains unclear. On the basis of the current Bill, employers would still not be able to carry out blanket criminal record screening pre-employment across all sectors and roles, as is common for many UK employers today. More clarity in this area would be welcome as the Bill progresses; in the meantime, employers who currently carry out checks should take specific advice on whether these are likely to be permitted under the Bill in their particular circumstances.

Next steps

The Bill has yet to be debated in full in Parliament and may be subject to change before it receives Royal Assent. The Bill will go to the House of Lords committee stage on 20 October 2017.

The additional obligations which the Bill will place on employers in respect of workforce data make it critical that the HR team is an integral part of an organisation’s preparation for the GDPR.

Suggested tasks to take now:

  • Identify special categories of data processed throughout the employment lifecycle from recruitment to termination and beyond;
  • Understand the legal basis for processing and identify what will need to change to comply with the new regime;
  • Prepare to update and implement appropriate policies and changes to HR practices and procedures to manage these obligations; and
  • Prepare to train staff on their obligations under the new regime.

For more information on data privacy visit DLA Piper’s Privacy Matters blog.