The Irish Data Protection Commission ("DPC") recently published guidance for employers (as data controllers) regarding their data processing obligations and duties when processing the personal data of employees, former employees and prospective employees (the "Guidance"). The Guidance considers the legal bases for processing employee data, in particular occupational health data, and employer policies, monitoring employees, and employee rights. It also includes some practical case studies.
The Guidance is timely given the willingness of data protection authorities to impose fines for the unlawful surveillance of employees and the upward trajectory of fines. The fines show the importance of employers ensuring that they comply with their data protection obligations when processing employee data, and prior to implementing any employee monitoring measures.
This article discusses some of the key highlights of the Guidance, and employers' responsibilities as data controllers in the workplace.
Personal or Commercial Data?
The General Data Protection Regulation ("GDPR") only applies to personal data, which is defined as any information relating to an identifiable individual. Commercial data, on the other hand, includes any information relating to the business and its operations.
The Guidance notes that the DPC receives a large volume of queries about the status of work emails, and whether they constitute personal data or commercial data. This query commonly arises in the context of an employee making a data subject access request. The DPC confirms that an email address such as firstname.lastname@example.org, which identifies the account owner, John Smith, may be personal data. However, the DPC highlights that the content of emails addressed to John Smith at this email address is unlikely to constitute his personal data, to the extent that those emails were sent within the context of a professional working environment.
Nevertheless, the Guidance notes that when the employer receives a data subject access request, there is "an obligation on employers to investigate the content of their commercial or business emails to ascertain if the content of the email to the identifiable individual relates to the personal data of that individual in any way".
From a practical perspective, this may be a time-consuming and costly task for any employer, depending on the length of the employee's employment history with an employer, and the volume of emails received by the employee. In cases such as these, the DPC advises the employer to ask the employee to specify in their request the particular time and date of the emails requested in order to expedite their response.
Data Protection Principles
The Guidance highlights the importance of employers being aware of their obligation to comply with the data protection principles set out in Article 5 of the GDPR. These data protection principles provide that any processing of personal data must be lawful, fair, and transparent, and comply with the principles of purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability. Employers must be able to demonstrate compliance with all of these principles.
In particular, the Guidance highlights the importance of an employer being transparent about the information it holds about employees. This can be achieved by providing individuals with an easily accessible HR self-service system which allows an employee to see what data an employer holds about them, and how it is used. Employers must also provide employees with an Employee Privacy Notice, in order to meet their transparency obligations under Articles 13 and 14 of the GDPR.
In addition, the Guidance emphasises the importance of complying with the purpose limitation principle, which means that personal data should only be used for the purpose(s) for which it was originally collected. The Guidance includes a case study which shows, for example, that an employer should not use car park and building access data to verify an employee's time and attendance record, if the employer has previously informed employees that such data are collected for security purposes.
Legal Bases and a DPIA
Employers must have a lawful basis to process personal data under Article 6 of the GDPR (such as consent, contractual necessity, legal obligation, vital interests, legitimate interests). In addition, if an employer is processing special category data, such as health data (for example medical certificates or occupational health reports), the employer will also need to avail of one of the permissible exceptions for processing such personal data under Article 9 of the GDPR.
The Guidance recommends that when determining which legal basis to rely on, employers must assess what personal data is actually necessary for the relevant legal basis and purpose. To consider what is necessary, the employer should consider the reasonableness and proportionality of the processing.
Consent – not recommended in context of employer/employee relationship
The Guidance reminds employers that whilst "consent" is the most familiar legal basis for data subjects and controllers, it is not the most appropriate legal basis in an employment context. This is due to the fact that there is an imbalance of power in the employer/employee relationship that undermines the level of choice which an employee has in giving their consent.
Contractual necessity – the processing must be "objectively necessary" for the performance of the contract with the employee
"Contractual necessity" is a common legal basis relied on by employers to process employee data, as their relationship with the employee is founded on contract. However, the Guidance notes that the processing of personal data must be "objectively necessary" for the performance of the employment contract with the employee. A contract between the employer and a third party will not suffice. A useful example of when this legal basis may be relied on, which is provided by the DPC, is when the employer is processing an employee's banking details in order to pay the employee.
Legal obligation – must be EU or national law
Where an employer is obliged to process employee data in order to comply with EU or national law, it may rely on "compliance with a legal obligation" as a legal basis. The Guidance notes that this legal basis "includes other forms of law, including common law or any form of soft law (e.g. guidelines/recommendations that are not necessarily legally binding but are adhered to generally)". However, it is worth noting that neither the text of the GDPR nor the Data Protection Act 2018 explicitly state that the "compliance with a legal obligation" legal basis extends to "non-legally binding guidelines/recommendations". Accordingly, it is possible that other EU DPAs and/or the courts may not take such a broad interpretation of this legal basis.
The Guidance further highlights that transparency obligations under the GDPR require an employer to inform their employees of what laws they are relying on or complying with when processing employee personal data. Examples of this legal basis being used in an employment context, as noted by the DPC, are an employer providing employee data to Irish Revenue to comply with tax requirements, complying with its obligations under the Health, Safety and Welfare at Work Act 2005 (the "2005 Act"), or keeping records (such as payslips) to show its compliance with the National Minimum Wage Act 2000.
The Guidance highlights that "vital interests" is not a commonly used legal basis, and will only arise in limited circumstances, such as situations involving threats to the life or health of the data subject or another person.
The Guidance warns that whilst "legitimate interests" is probably the broadest legal basis to rely on, employers should exercise caution before doing so. In particular, employers seeking to rely on the legitimate interests legal basis must meet the following three components:
a) Identify a legitimate interest which they or a third party pursue;
b) Demonstrate that the intended processing of the data subject's personal data is necessary to achieve the legitimate interest; and
c) Balance the legitimate interest against the data subject's interests, rights and freedoms.
An employer's legitimate interests may include: commercial interests, third party commercial interests, broader societal benefits, or preventing fraud. For example, the installation and use of CCTV cameras in the workplace could fall within the employer's legitimate interests of ensuring the security of their building.
The processing of the personal data will only be lawful where the legitimate interest identified is not overridden by the interests, rights and freedoms of the data subject. The Guidance recommends that employers carry out a balancing exercise between their legitimate interests and the rights and freedoms of their employees through a Data Protection Impact Assessment ("DPIA"). We would suggest, however, that the balancing exercise may alternatively be carried out through a Legitimate Interests Assessment ("LIA"), which is a similar document to a DPIA. Where the processing activities do involve "high risk" processing, or otherwise fall within the list of activities for which the DPC requires a DPIA to be carried out, a DPIA will also be required.
It's worth noting that a conflict of interests often arises in respect of employee monitoring, in particular. If an employer is considering implementing employee monitoring (particularly intrusive monitoring), it would be prudent to carry out a DPIA, to the extent that such monitoring may constitute "high risk" processing or "systematic monitoring of a publicly accessible area on a large scale" under Article 35 GDPR.
Occupational Health Data
Occupational health relates to the promotion and maintenance of employees' physical, social and mental wellbeing in the workplace. The Guidance highlights an employer's legal obligation under the 2005 Act to ensure the health and safety of their employees. It refers, in particular, to section 23 of the 2005 Act, which provides that an employer can require an employee to undergo a medical assessment of his/her fitness to work. This means that an employer can require employees to attend occupational health assessments without requiring their consent. This is a query often raised by employees. Furthermore, as per section 23(3) of the 2005 Act, a medical practitioner is obliged to notify the employer if the employee is unfit to work.
In fact, the Guidance highlights a number of lawful bases that an employer may rely on in the occupational health context when processing employee health data (e.g. Articles 6(1)(a), 6(1)(c), 6(1)(d), 6(1)(f), and 9(2)(h) GDPR).
The Guidance contains a helpful case study concerning the processing of an employee's health data. The case study refers to a situation where an employee was dissatisfied with the processing of their health and special category data by a third party, namely a HR investigator. The employer argued that they had a lawful basis to process the data in that they were complying with a legal obligation, and that the processing was necessary for the purposes of carrying out their obligations and exercising specific rights in the field of employment and social security and social protection law under Articles 6(1)(c) and 9(2)(b) GDPR. The DPC was satisfied that the employer had a lawful basis for the processing, but that the employer should inform its employees that it relies on those lawful bases in its data protection policies, in order to comply with Articles 13/14 GDPR.
The Guidance highlights that Article 24 GDPR requires controllers to implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. This includes implementing appropriate data protection policies. In addition to an employee privacy notice, employers should put data protection policies in place specifically dealing with the processing of employee personal data, including:
- A data retention and storage policy;
- Internet usage policy;
- Use of personal device policy; and
- CCTV policy.
Employers should also consider their relationships with third parties who process data on their behalf and ensure that appropriate agreements are in place between controllers and processors or between joint controllers.
The Guidance refers to the DPC's extensive guidance available on the use of CCTV and vehicle tracking, and provides further information on employers' monitoring of computer networks, internet and email.
The DPC recognises that employers have a legitimate interest in protecting their business, reputation, resources and equipment. To achieve this, they may decide to monitor their employees' use of the internet, email, and telephone. The DPC warns, however, that any limitation of employees' right to privacy should be proportionate to the likely damage to the employer's legitimate interests. An acceptable use policy should be adopted reflecting this balance and employees should be aware of the scope and purposes of the monitoring specified. In the absence of a clear acceptable use policy, employees may be assumed to have a reasonable expectation of privacy in the workplace.
The Guidance notes that, by its nature, employee monitoring software is particularly intrusive. The DPC therefore recommends that, in the ordinary course of business, employers should seek to implement other less intrusive means of monitoring employee productivity and attendance.
If an employer wants to install covert software, by way of keystroke logging, tattleware, or any other such type of monitoring software programme on an employee's device, it should be cognisant that the use of recording mechanisms to obtain data without an individual's knowledge is "generally unlawful". The Guidance highlights that covert surveillance of employees should be avoided where possible. It is only permitted on a case-by-case basis, where the data is kept for the purpose of preventing, detecting or investigating offences. Accordingly, employers, as data controllers, should be wary of any covert monitoring of employees.
The storage limitation principle in the GDPR requires personal data to be retained for the least amount of time required to achieve the objective. However, the DPC recognises that there are a number of statutory obligations requiring an employer to retain personal data for certain periods, including the following:
- Employee details: 3 years – Section 25 Organisation of Working Time Act 1997
- Payslips: 3 years – Section 22 National Minimum Wage Act
- Parental leave / Force Majeure: 8 years – Section 27 Parental Leave Act 1998
- Taxation: 6 years – Companies Act 2014 and Taxes Consolidation Act 1997
- Workplace accidents: 10 years – Section 60 S.I. No. 44/1993 Safety Health and Welfare at Work (General Applications) Regulation 1993
Employers collect and process significant amounts of personal data on prospective and current employees, and it is essential that they are aware of their data protection obligations, and take this Guidance into account.
A key takeaway from the Guidance and case studies is the importance of employers ensuring that they comply with their transparency obligations under Articles 13/14 GDPR, by clearly informing employees in privacy notices and related data protection policies (such as Internet, Acceptable Use and CCTV policies) of, inter alia, the legal bases and purposes of processing employee data, and of any employee monitoring activities. In addition, employers must ensure that they carry out a balancing exercise prior to introducing any employee monitoring measures, and document their decision-making process. This will help employers to be able to demonstrate, in line with the accountability principle, how they have complied with their GDPR obligations.
If you would like to find out more, please contact the Technology and Innovation Group team or your usual Matheson contact.