New world, new problems, new compliance risks - navigating the data protection risks when processing employee data
10 December 2021
Employers are working in a new and disrupted world, with different volumes and types of data, processed for different purposes, including those driven by societal development, expectations and changing ways of working. These activities are using ever more complex technologies and innovative approaches. In that context, employers’ approach to navigate data protection compliance must also track those changes.
We discussed these exciting topics in a recent webinar and have summarised the key points below. You can find a link to a recording of the webinar at the bottom of this page.
Health data is nothing new but consider context carefully
Employers have always, and will always, need to process health data. Whilst Covid-19 has raised new scenarios to consider and reasons to process health data, the fundamentals remain.
- Employers should think carefully about the purpose for which they are collecting and processing the particular health data in question – is it really necessary to process the personal data to achieve the objective? Critical assessment is particularly relevant when considering new scenarios such as those we have in the case of Covid-19. If the employer can avoid processing personal data to meet its needs, a significant amount of regulatory tape can also be avoided.
- Under the GDPR, health data is special category data and so additional regulatory hurdles apply – not least the need to identify an Article 9 condition and additional policy requirements. Employers should account for these extra protections from the outset, when planning processing activities. The basis and conditions for processing one type of health data (eg vaccination status) and the compliance procedures necessary may differ to those required for another type of health data (eg long term sickness record).
- Health data can originate through active collection by employers and increasingly, from voluntary submission by employees. Employers should remember that if personal data is processed, the requirements of the GDPR must be met, irrespective of whether an employee provides their health status or information without prompt.
- Beyond data protection requirements, employers should also ensure their approach to processing health data (such as vaccination status) does not inadvertently lead to discriminatory policies that adversely impact individuals, particularly those with protected characteristics such as employees with a disability or certain religious beliefs.
Processing diversity and inclusion data provides helpful information if processed correctly
There are an increasing number of scenarios where employers are looking to process D&I data, often with the laudable aim of ensuring that all individuals have opportunities to progress within the organisation and do not suffer discrimination. However, the personal data involved may constitute special category data and so, as with health data, employers should take care to ensure compliant processing.
- Gender is not generally considered to be special category data under the GDPR, potentially enabling employers to monitor the likes of gender bias or gender pay gaps with more ease than may be the case when looking at other protected categories of data.
- Processing of anonymised data (falling outside the scope of data protection law) may provide sufficient insights in some cases but it is often inadequate to support D&I initiatives.
- Where employers wish to track the progress of, or support, individuals by reference to special category data such as race for example, consider data protection compliance from the start, it can be challenging.
- Transparency is key but does not overcome the GDPR need for an appropriate legal basis to process. Without legal obligations to take particular D&I steps in the workplace, and with potentially narrow scenarios for processing the data envisaged by data protection legislation (eg as seen in the UK Data Protection Act 2018), identifying the legal basis may be difficult. Reliance on consent in the employment context can be problematic but may not be impossible depending on the nature of arrangements.
New technology can present new opportunities but can increase complexity
As employers digitalise, technology offers scope to improve efficiencies in employee recruitment and management but data protection requirements continue to apply.
- AI systems may speed activities such as CV filtering processes but the likes of the EU’s Draft AI Regulation specifically address the use of AI in the employment context, imposing particular obligations on AI developers. When implementing AI systems, employers should carry out impact assessments in the context of data protection law but also be mindful of the impact of upcoming AI legislation and trends in associated guidance such as the need to consider bias and ethics. More on the EU’s Draft AI Regulation can be found here.
- Legislation often aims to be future proof but technology typically develops faster than regulatory action. The UK ICO recognises the need offer guidance in such scenarios and so UK based employers should look out for the upcoming revisions to the Employment Practices Code, designed to address the recent changes in personal data processing in any employment context.
Consider national and cultural deviations – a truly global policy may be difficult to achieve
Different requirements apply to the processing of data across the world, with an increasing number of jurisdictions implementing data protection focused legislation. There are obvious differences between the GDPR requirements and other less prescriptive regimes such as those in the U.S..
- Though core practice may be similar in some ways, what may be considered a perfectly sensible and legitimate approach to processing personal data in one country such as the U.S., may not come close to meeting the specific requirements of the regime in Europe. Equally, in scenarios where the more prescriptive regulations do not apply, employers may wish to avoid imposing unnecessary restrictions on the way they handle personal data, simply to achieve a consistent global policy.
- Employers should also be mindful that, even within the EU, national derogations and exceptions under data protection law itself and the interplay with other legislation mean that there is no true one size fits all. For example, in the context of Covid-19, monitoring vaccination status is encouraged or mandated in some countries whilst in others it is prohibited. In some EU jurisdictions health data must be processed by company doctors alone, in other countries this is not required.
- Cultural deviations, driven by different historical context or specific experiences for example, also mean that employers will need to account for a variety of legal obligations, particularly when it comes to the likes of special category data such as health or D&I data. In the U.S. for example, certain employers are in fact required to track race and gender information.
- Post-Brexit, the UK is consulting on developments in its data protection regime. It is considering changes to reduce the regulatory burden in relation to use of AI and automated decision making, as well as easing the barriers to rely on the legitimate interest legal basis, and addressing the challenges faced by organisations in responding to DSARs, amongst other things. More on the UK proposals can be found here and here.
- Whilst basic HR data is often centralised across jurisdictions, special category data is often retained at a local level to avoid the complexities of cross border transfers of personal data.
Consider legislative tensions and ensure accountability
Employers are required to comply with a raft of legislation, originating from different regulatory contexts and tensions inevitably arise in trying to meet all obligations.
- Employers need to consider where the risks to employees lie and minimise that risk. At a most basic level this can be through minimising personal data processed.
- Accountability is key. Employers should give due consideration to the processing, document decisions and be able to explain the rationale for actions if a regulator comes knocking. Be able to show that the processing of personal data has been taken sufficiently seriously.
- Employers should be open with employees, being transparent about the approach to processing and having employees on board will help to mitigate risk.
- Data protection legislation is intended to protect individuals’ fundamental rights, so employers should always keep employee expectations in mind and how individuals would feel about the relevant processing proposed.
Hear our employment and data protection specialists, Sarah Henchoz, David Smith, Jane Finlayson-Brown, Nicole Wolters-Ruckert and Brian Jebb, discuss data protection risks when processing employee data during their recent webinar.