A Guide to Lawful Basis for Processing Employee Personal Data
Is your organisation ready for GDPR? The new legislation comes into effect on 25th May and overrides the current data protection legislation. It places more obligations on organisations of all sizes in respect of the protection of individuals’ personal data and of the processing activities carried out on it (each of which must rest on a lawful basis).
Lawful Basis for Processing
Under the GDPR legislation, in order to process any personal data whatsoever, you must be able to rely on one of the 6 lawful bases for processing. If you can’t rely on any of these then you are not legally allowed to collect the personal data.
First of all, it’s important to remember that this only relates to ‘personal data’, that is, any data that identifies an individual. If you can sufficiently anonymise the data then it falls outside of GDPR and you don’t have to rely on a lawful basis for processing it.
What are the 6 Lawful Bases?
(1) Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
(2) Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(3) Legal Obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
(4) Vital Interests: The processing is necessary to protect someone’s life.
(5) Public Task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(6) Legitimate Interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Most organisations wrongly opt for consent for the processing of all their employee data. However, one of the elements of consent is that it can be withdrawn at any time, as easily as it was given. It is therefore always better to rely on another lawful basis before opting for consent, as any withdrawal of consent can pose significant practical problems. It won’t always be possible to rely on one of the other 5 bases, though, so in certain situations you will need to comply with the rules of consent.
What does this mean for an employer and the processing of their employee personal data?
We would recommend undertaking data mapping of all personal data held on your employees. This way, you can truly identify what personal data you collect from employees, what personal data you process, for what purposes you process it, who has access to it internally and who you share it with externally. Here are some examples:
- Sharing employees’ personal data with an external payroll bureau
You’re likely to rely on lawful basis 2 – you need to share this personal data in order to fulfil the employment contract and pay the employee for work undertaken.
- Sharing employees’ personal data with a pension provider
You’re likely to rely on basis 3 as you are legally required to auto-enrol eligible employees into a pension scheme.
- Using employee photographs on the company website
In the majority of cases, you’re not likely to be able to rely on any basis other than number 1 – consent. Remember that an employee may refuse consent or withdraw it and should not suffer a detriment because of it. Where you are relying on consent, it is not ‘proper consent’ if it is rolled up into the employment contract or handbook (terms and conditions of employment), so you must use separate consent forms.
- Sharing employees’ personal data with a healthcare benefit provider
You are likely to rely on basis 1, so any form should comply with the rules of consent under GDPR.
- Various monitoring of employees
Whether this is CCTV monitoring, monitoring their emails / phones etc., you need to rely on a lawful basis for doing so. The one you are likely to opt for is basis 6; however, you need to undertake a Risk Assessment to determine whether you are satisfied that your legitimate interests outweigh the rights and freedoms of the employee.
This is advisory only. Ultimately, it is up to the organisation to decide which lawful basis they are relying on to process the personal data and to ensure they have the correct technical and organisational measures in place to protect the data, as well as complying with all aspects of the GDPR legislation in the processing of the personal data.
What else should you be aware of when processing employees’ personal data?
- Data Minimisation – Don’t collect more data than necessary.
- Legally Compliant Privacy Notice – Among other specific requirements, you need to be completely transparent about how you are processing employees’ personal data.
- Technical & Organisational Measures in place to protect the personal data.
- Keep employee records up to date and accurate.
- Have employees’ personal data readily available in the event they make a data subject access request.
- Retention – Ensure you adhere to the retention policy for storing employee personal data.
REMEMBER – GDPR doesn’t just apply to the processing of your employees’ personal data. It applies to the processing of all personal data, including that of your customers, suppliers, subcontractors, members of the public etc. It also applies to any personal data you receive from other organisations (such as marketing data).
As GDPR falls outside the remit of HR and Employment Law in many ways, we have set up a separate GDPR Service to assist clients with their overall GDPR project. If you would like more information about this service and the costs, please contact our GDPR Practitioner Joanne Kay, who can provide you with an overview of the services available.