HR data: the GDPR and beyond

1. Audit and analysis

One of the key steps in preparing for the GDPR coming into force was carrying out an audit and analysing the data processed in connection with HR and people management operations. A surprising number of employers have either not done so, or have taken a 'light touch' approach on this aspect.

Now is a good time to take another look at this and assess whether there any additional steps that should be taken. The ICO's approach to compliance post-GDPR appears more inquisitive and they now expect to see processing records and evidence of audit and analysis as a given. If employers aren't in a position to demonstrate this, the ICO is likely to take a dim view of any wider concerns or complaints made about them or any data breaches that are reported.

2. Purging and cleansing

Employers must ensure that they process the minimum amount of personal data required for the specific purpose(s) for which it is processed, and that they keep such data for no longer than necessary for the purpose(s) for which it is processed. In the run up to GDPR D-Day, a number of employers took the approach that they would put in place processes around this for future data processing, and would deal with historic data at a later date.

If employers haven't done so yet, now would be a good time to review retention practices and ensure that historic data is appropriately handled. The practical advantage of reviewing and deleting information that is no longer needed is that it should help with managing individual rights requests, such as subject access and deletion requests, and keeping associated costs down. It also all goes towards demonstrating compliance, a key aspect of the GDPR, and may reduce exposure in the event of a breach.

3. ICO approach: more generous to data subjects

The ICO's approach clearly evolved in the run up to the GDPR coming into force, and has continued to develop. Whilst we have had limited published guidance from the ICO so far, it is clear from both anecdotal evidence and the enforcement action taken to date that the ICO is placing a greater emphasis on the rights of individuals than it did before GDPR.

Whilst the outcome may not be any different, the ICO's communications and approach show an increased willingness to ask questions, test and examine the approach the employer has taken. This includes asking about the underlying audit and compliance steps undertaken by them, and a greater emphasis on policies and training. Employers must be prepared to justify, explain and evidence their actions and decisions, and adapt their processes accordingly.

4. Data subject access requests (DSARs) (and other individual rights)

As might be expected, anecdotal evidence suggests that there has been a significant increase in the number of data subject access requests (DSARs) submitted by employees, workers and other staff members to their employers. Historically, staff primarily submitted DSARs when they had left their employer; nowadays, it appears individuals are increasingly willing to submit a DSAR whilst still employed. This seems to be reflected in what the ICO has seen: the number of complaints relating to DSARs has increased significantly, albeit to date no recorded enforcement action has been taken in respect of an HR-related DSAR.

Whilst staff members have always sought to use such requests tactically, it is clear that the way in which DSARs are used has also developed. Further, with confirmation that ulterior motives (such as a desire to uncover evidence to support a tribunal claim) are irrelevant following Dawson-Damer, individuals are increasingly confident in taking a tactical approach to DSARs and employers are seeing more of the following:

• broad DSARs of the "I want everything" type (often followed by a refusal to narrow the scope of the DSAR);
• DSARs with specific requests and seeking particular information (albeit potentially covering long periods or wide swathes of documents); and
• difficult questions about processing (not all of which fall within Article 15 GDPR), which need to be considered carefully.

All of the above can be time-consuming and costly for employers to manage, and come with clear risk if not handled correctly.

The ICO has limited resources and has not (as yet) actively prioritised assessing whether employers are taking the correct approach to questions such as what information should / shouldn’t be disclosed, redacted etc.. That said, there is clear value for employers in being able to demonstrate to the regulator that it has appropriate, organised and efficient systems for handling DSARs in place and can evidence the process it has followed in responding to a DSAR, including the decisions it has made as to what must be provided and what can be withheld. The ICO is likely to start asking more probing questions and testing exemptions with regard to DSARs so employers must be prepared to explain and evidence the steps taken. Notes, logs and other record keeping steps are key, together with appropriate archiving to ensure that relevant correspondence and outcomes are retained.

Further, the ICO's interpretation of what is deemed a "proportionate" search has expanded, which in combination with the loss of the "disproportionate" defence, means that employers must think carefully about how to manage searches (which may need to be wide ranging and will be time consuming), and the content of its communications with requestors. Before GDPR, employers often sought to rely on an expansive approach to the exemptions allowing them to withhold data relating to management forecasting and ongoing negotiations; irrespective of whether that worked under the previous regime, the ICO's post-GDPR attitude is that these exemptions should be narrowly construed. This means that employers must consider carefully when to apply these, and should be prepared to explain and evidence their rationale for withholding data in reliance on them.

As a general comment, there was no significant take up of individual rights other than the right of access either pre or post-GDPR. Some employers saw an uptick in erasure requests immediately post-25 May 2018, but those requests appear to have slowed down. The other individual GDPR rights have typically garnered less attention, but it is important for employers to keep these in mind as there is potential for future development here.

5. Vicarious liability

Whilst not a GDPR case as such, the Morrisons case (see our analysis here) brought the potential commercial risks of an employee data breach in the post-GDPR world to the fore. The initial costs of dealing with the breach and implications for brand value and the employer's reputation were significant. But the wider costs are still mounting.

In the first case of its kind, over 5,000 affected employees brought a claim alleging both primary and vicarious liability for (i) misuse of private information; (ii) breach of confidence; and, (iii) breach of the DPA 1998. As a short reminder of the pertinent facts, a disgruntled Morrisons employee, Mr Skelton, retaliated against a disciplinary sanction by publishing sensitive personal data relating to around 100,000 of his fellow employees on the internet and then sending copies to several newspapers. Mr Skelton was subsequently convicted of various offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998) and given an 8-year prison sentence. Both the High Court and the Court of Appeal (CA) held that Morrisons was not primarily liable for the breach but was vicariously liable as his employer.

The case does not alter the tests for establishing vicarious liability. In reaching its decision, the CA found there was sufficient connection between Mr Skelton's authorised tasks and the unlawful acts he perpetrated, which all formed part of a seamless and continuous sequence of activities. However, the outcome in practice is uncomfortable; Morrisons was held liable for an employee’s acts in circumstances where his primary motivation was to harm his employer. In effect, the court has helped him to achieve his revenge. The CA noted that an employee’s motivation is irrelevant here, but it still feels strange given the court deemed Morrisons to have "adequate and appropriate controls" in every area save for managing the deletion of data (and held that this failure could not have prevented the data breach).

The CA noted that the DPA 1998 did not specifically exclude vicarious liability, and rejected Morrisons' public policy argument that vicarious liability imposes a disproportionate burden on supposedly "innocent" employers. The judgment suggests an underlying concern to ensure an effective remedy for the affected employees, and states that employers should consider insurance as a way to manage this risk.

Aside from adequate insurance, employers should ensure that appropriate safeguards are put in place to combat employees who go rogue, including implementing and enforcing appropriate policies and monitoring activities involving sensitive data, as well as making it very clear that data breaches will not only amount to gross misconduct but can also attract criminal penalties. This is an area for development – Morrisons have signalled their intention to appeal and permission has been granted by the Supreme Court – so watch this space.

6. Tricky areas: Criminal records checks

Criminal record checks remain a contentious area one year on. There is no blanket entitlement permitting employers to carry out criminal conviction checks during recruitment and employers must review this on a case-by-case basis, looking at the purpose of the processing.

• Where there is a legal obligation to carry out such checks, the position remains broadly unchanged and there is limited risk from an employer's perspective. However, regulatory requirements are generally not deemed to be legal requirements.
• Where there is no actual legal requirement to carry out a criminal record check the position is more complex. Unless the employer can obtain valid consent (almost impossible in the employment sphere) or identify an alternative legal basis, it could find itself exposed.

The difficulty here is in balancing data protection rights and privacy expectations as against public policy considerations, reputation risks and the expectations of commercial parties and clients (noting the ICO and the courts are unlikely to consider client expectations or requirements to be a relevant factor). Note that there may be additional requirements (e.g. the requirement to have appropriate policy document and to update to records of processing, where relying on the "substantial public interest" basis for processing).

Further, whilst there is no recent case law to assist prospective employers in determining what criminal records information can request and for what purpose, there have been several cases brought in a wider context, particularly under the Human Rights Act 1998, and further activity in this area is anticipated (see here, here and here). Employers would be well advised to review their position on criminal record and other background checks, and to ensure that their policies and procedures have been carefully thought out in light of the legal constraints in this area.

7. Tricky areas #2: Right to work checks

UK employers are prohibited from employing individuals who don't have the right to work in the UK and criminal and civil sanctions, including a civil penalty of up to £20,000 per worker, may apply in the event of a failure to comply. Employers have a statutory excuse under the Immigration, Asylum and Nationality Act 2006 if they can show that they carried out a right to work check which meets Home Office requirements. The Home Office expects employers to retain copies of the documents reviewed in connection with right to work checks securely for the duration of the individual’s employment and for a further two years after employment has ended.

Employers who are Tier 2 sponsors and who have to carry out a Resident Labour Market Test (‘RLMT’) for an employee are also required to retain personal data about both that employee and about unsuccessful applicants for their role, for at least one year from the date the sponsorship ends.

None of this is set out in statute. It is all contained in Home Office guidance, so it is not clear that this would amount to a legal obligation justifying the processing of personal data. Employers may be able to rely on the legitimate interest ground for processing but where this is the case, employers must carry out a legitimate interests assessment (LIA) and notify employees of their right to object to the processing. Given the sensitivity of the information processed in relation to the above immigration checks, now is a great time to ensure that the additional steps are in place, appropriate security measures have been implemented, and that the correct notifications have been made to candidates and employees.

8. Fines and enforcement activity

Over at the ICO, the key focus areas of enforcement activity appear to be transparency and consent. In other words, the ICO is focused on key tenets of the GDPR, and taking action where those are breached. Although consent shouldn’t be an issue for employers in the sense that it is unlikely to be a legal basis for processing employee data given the difficulties of obtaining valid consent in the employment sphere, and should not therefore be relied upon, transparency and accountability are very relevant to employers.

In terms of company sanctions, whilst the ICO has flexed its muscles regarding fines and other enforcement action for both pre- and post-GDPR breaches, we are yet to see significant increases in fines imposed in the UK and certainly nothing approaching 4% of global annual turnover. That said, most of the significant breaches in the UK have been under pre-GDPR legislation and there are a number of post-GDPR breaches for which we are awaiting ICO action. We have also seen other national data protection authorities prepared to issue significant fines – the CNIL in France, for example, imposed a financial penalty of €50 Million against Google LLC – which will inevitably encourage other national authorities to follow suit. In short, UK enforcement action has been relatively restrained so far, but watch this space.

9. What to focus on? Reviewing, plugging the gaps and demonstrating compliance

So, 12 months on, what should you be doing and where should you be focusing your resources and efforts?

• Policies and procedures: Now is a good time to take stock and review policies and procedures. You should by now have sufficient experience to assess any flaws, procedural irregularities and practical difficulties so that you can update and put in place additional policies and procedures if needed.
• Look at your 'backburner' lists: In the rush to ensure a basic level of compliance by 25 May 2018, the important underlying documentation was sometimes forgotten. Now is a good time to assess and plug the gaps, as any sympathy the ICO may have had for delays in getting compliant following the implementation of the GDPR is eroding fast. As an example, if underlying privacy impact assessments (PIAs) and legitimate interest assessments (LIAs) are not currently in place, now would be a good time to implement these.
• Assessing and addressing risk: Review your current arrangements with the benefit of 12 months' experience. For example, as regards to the storage of HR data, exchange of data within teams and with third parties, think about reviewing your current arrangements, identifying any risks and implementing fixes. Look at back at any individual rights requests, including subject access requests, and any data breaches. What can you learn from your experiences?
• Purging and cleansing: As noted above, this is a good time to evaluate storage and retention arrangements, including any archiving arrangements, ensure that historic data is appropriately handled and purge any data for which there is no ongoing basis for processing.
• Record keeping: Are your records accurate and up-to-date? Do you have sufficient record-keeping arrangements in place to evidence your GDPR compliance? Now is a good time to review and rectify this where needed.
• Training: The GDPR is an area of continuous development, not a one-off change. Consider refresher training, look at any developments and make sure you upskill appropriate staff. Think about alternative methods: simulation, scenario-based training, war stories etc. Ensure that you keep a record of training and attendees.
• Staff relations: Look at the impact of the GDPR, and review your communications with staff - consider whether there is more that you could be doing and/or whether there are any the relationship sensitivities to manage. Equally consider how you can use refresher communications to share a positive message or to otherwise help manage employee relations.
• Forward planning: Think about your experience and identify any areas for improvement so that you can take remedial action and allocate budget accordingly.

10. Conclusion

Now that GDPR is a year old, the ICO will expect all businesses to have their houses in order, without exception. Whilst most employers will be in very good shape, there will always be room for improvement. Now is a good time to look at what more you can do to ensure compliance and manage risk.