With the General Data Protection Regulation (GDPR) coming into force very soon, many HR organisations are still confused about their new legal obligations when it comes to collecting, processing and retaining employee data.
The new regulation stipulates that a single basis for the lawful processing of employee data needs to be chosen. Up to now, consent has been one of the most commonly relied-on grounds for data processing; however, under the GDPR it will be difficult for consent to be freely given and valid for all processing requirements.
It will be very hard for an employer to argue that a standard term in a contract, or a one-off request for consent, is valid for all scenarios in which employee data is used. As such, consent is unlikely to be a workable basis for processing all forms of HR data.
Many HR teams are instead looking at legitimate interests as their legal basis for processing employee data. The relevant passage in the GDPR guidelines states that this will be lawful where it is, ‘…necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data,…’
Put in simpler terms, this means you can still use data without someone’s explicit consent – as it is essential for the legitimate interest of running your company – unless individual rights override this.
However, legitimate interest is quite a broad term and you must be absolutely sure that your activity falls into this category, so you need to be very careful. The first step is to ensure you have considered the rationale properly, by applying a three-part legitimate interest test:
The three-part test:
Part one – Purpose. Are you pursuing a legitimate interest?
This first consideration is the most obvious. Is your reason for collecting and using the employee data legitimate – i.e. is it necessary for the functioning of your business?
Example: You collect, store and use bank account and sort code data for the legitimate purpose of paying your employees. And your business can’t function without you paying your staff.
Part two – Necessity. Is your use of data absolutely necessary?
You need to be able to prove that using data is the only reasonable way of achieving your purpose. Could you reasonably achieve the same result in a less intrusive way? If not, then you pass.
Example: Employers are required by law to process sickness absence data in order to facilitate the payment of statutory sick pay. There is no other way of achieving this and by not using the data in this way you would be breaking the law, thus it is absolutely necessary.
Part three – Balance. Do individual rights outweigh your legitimate interest?
Are you using data in a way an employee would not reasonably expect, or in a way that could cause them unwarranted harm? In that case, their interests are likely to override yours and the process in question could lead to a breach of GDPR regulations. However, your interests can still prevail over the individual’s if there is a clear justification for your actions.
Example: Monitoring an employee’s work emails during an absence could be at odds with the individual’s right to keep their emails private. However, that right does not outweigh your legitimate interest in picking up and replying to urgent emails – as this process is vital to the running of your business. That said, you would have to ensure that any personal emails are not reviewed, as they have nothing to do with your business and thus are not part of your legitimate interests.
Auditing and recording your data categories
It’s also important to remember that GDPR regulations cover both future data collection and data you already hold and use.
So, you must go through all the data categories you hold and put them through a full audit along the lines of the legitimate interest test above. If a category fails to pass then you must either delete all relevant data or obtain consent from the individuals concerned for its use. Consent must be explicitly related to the reason for the data processing and must be freely given. So, you cannot coerce the individual by, for example, making consent part of a new employment contract. Also, you must inform them that consent can be withdrawn at any time and have a structure in place that can accommodate withdrawals.
As part of the process of ensuring that employer rights don’t outweigh those of the employee, you must ensure there is full transparency regarding all data processing.
So, it must be 100% clear what employee data you collect, why you collect it, and what you use it for. And this must be communicated clearly and unambiguously to all employees. This must be done before data is collected, and again before any subsequent changes are made.
Further guidance on how to assess your lawful basis for data processing and to conduct your own legitimate interests assessment can be found on the Information Commissioner’s website here: