Processing of Employee Data

On the 8th June 2017, the EU’s Article 29 Working Party published an Opinion which sought to provide guidance on data processing in the employment context. This Opinion was designed to cover the position under the EU Data Protection Directive, but also covers the changes brought about by the EU General Data Protection Regulation (“GDPR”) which will come into force on the 25th May 2018.

The key parts of the Opinion are as follows:

i)              Legal Grounds for processing Employee Data
In order to process employee data lawfully, employers must comply with fundamental principles of data protection and ensure that there are legal grounds for the processing of employee data, such as the following:

  1. Processing necessary for the performance of a contract, such as the processing of payroll data;
  2. Processing required for the employer to comply with their legal obligations, such as data required for an employer’s tax obligations; and
  3. Processing required to further an employer’s legitimate interests, such as improving efficiency in the workplace. There are further hurdles for an employer where they seek to rely on this ground when processing employee data, such as the requirement to keep a written assessment showing how the employer gave proper consideration to the rights and freedoms of the employees.

ii)             Consent
The WP29 Opinion explicitly states that consent will not be considered a valid legal ground for the processing of employee data except in exceptional circumstances. This is because employees are seldom in a position to freely give, refuse or revoke consent given the dependency that results from the employee/employer relationship. In addition, the GDPR sets out the position that consent may only be relied upon by employers where that consent can be freely withdrawn by the employee, and where the employee will not suffer any disadvantage as a result.

iii)            Social Media
In order for an employer to access a candidate’s social media account during the recruitment process, an employer is required to justify such processing with a legal ground for doing so, even where such an account is in the public domain. It is not enough to assume that the employer may process data on a candidate’s public social media account purely on the basis that the information is public.

Employers will also need to determine whether the social media profile is related to business purposes, such as a LinkedIn profile, or for personal purposes, such as a Facebook account. Candidates must be informed in advance that such screening will take place as part of the recruitment process.

In addition, the screening of social media profiles of existing or former employees should not be performed in the absence of a legal ground for doing so.

iv)           Monitoring IT Use
The WP29 Opinion sets out that the monitoring by employers of employee email, internet use and phones may be used in the legitimate interests of the employer (or on the basis of one of the other legal grounds), but that employers must consider the proportionality of the measures taken and whether any additional or alternative measures could be taken to alleviate the resultant data processing. Employers also need to ensure that any monitoring in place does not cross the line from an employee’s IT use in a business context to their personal IT use.

The WP29 recommends a Data Protection Impact Assessment (“DPIA”) be undertaken by every employer prior to implementing monitoring technology, and ensure that acceptable use policies are drawn up with employee input. In addition, “Privacy by Design” should be implemented in every new monitoring technology introduced into the workplace to ensure that employee’s data is processed in the least intrusive method possible.

v)            Conclusion
Bearing the above changes in mind, employers should consider the following steps:

  1. Review the grounds you currently rely upon when processing employee data, particularly if relying on employee consent. If relying on employee consent, ensure that such consent can be revoked without adverse consequences for the employee.
  2. Ensure that any processing of employee data is performed in accordance with fundamental data protection principles, such as transparency and proportionality.
  3. When implementing new monitoring technologies in the workplace, ensure that said monitoring and processing of data thereof are necessary and not merely useful.
  4. Bear in mind the need to undertake a DPIA when introducing new monitoring technologies and data processing mechanisms.
  5. Ensure that any candidate in a recruitment process is aware of any screening of social media accounts, and ensure that the screening covers a candidate’s business profiles as opposed to personal profiles.

For more information please contact Marc Fitzgibbon, Partner in our Employment Law Department.