We provide tailored and innovative solutions.

Miller Samuel Hill Brown Solicitors Blog

From time to time we will post news articles and announcements relating to the firm and to various legal issues that may be of interest to you.

GDPR – Tricky issues for employers

mshb gdpr

We will be holding a free seminar on 21st February 2019 on the GDPR and issues it raises for employers.

We want to hear from you – what data protection issues or concerns do you have in your business? Let us know and we will seek to cover these in our seminar!

In the meantime, in this blog we take a brief look at five tricky GDPR related issues for employers.

1. Ex-employee data

The requirement that data subject must be informed of what information is held about them has led to a proliferation of privacy notices since the GDPR came into force. One tricky issue is whether there is an obligation to inform ex-employees what data is still held about them.

Retention of ex-employee data is common for numerous purposes. For example, HMRC rules require that payroll information is retained for certain periods, and employers may commonly retain ex-employee records in the event that a claim is raised, they require a reference and so on.

Generally, ex-employees are likely to reasonably expect their ex-employer to retain data about them. However, they do have the right be informed how this data is processed. The GDPR does not make an exception for data obtained before it came into force.

However, given employers may have numerous ex-employees and retain data for a number of years, there are obvious issues with contacting people to provide information about their data, not least that this would be a significant administrative burden. Another GDPR related issues is that their contact details may have changed, and there then results having to balance the right to be informed with the risk that the information would go to the wrong person.

Practically, steps to take include to carry out a Data Protection Impact Assessment and maintain a policy on what data is kept about ex-employees and for how long, and ensure that data which is outwith this policy and no longer necessary is deleted securely. A privacy notice or policy on data concerning ex-employees could be made publicly available, such as on the organisation’s website and available on request.

2. Job applicants

Recruitment processes will involve gathering personal data about numerous applicants, sometimes thousands. A key difficulty here is deciding how long to retain such information. As with all personal data, the main considerations should be

a) Is there a legal basis for holding and processing the data;

b) Is the data necessary and proportionate to the purposes for which it is held;

If hundreds of CVs or applications are received in response to a job advert, once that information is reviewed and an applicant is not shortlisted, arguably their CV is no longer required and should be deleted or destroyed.

However, employers may want to assess the risk involved in doing so. One potential issue which arises from recruitment is a claim that the decision to reject an applicant was discriminatory on grounds of sex, race, age and so on. Employers may therefore wish to retain paperwork for a period so that they have this available should a claim arise. However, if doing so consideration should be given to the extent to which data is retained. For example, paperwork may be retained only for those who were shortlisted or interviewed.

It is also fairly common to retain CVs on file if there are no current vacancies or an applicant was found to be impressive but there was no role for them at that time. Consideration should also be given to procedures for doing so. For example, it may be advisable to inform the applicant that their information is being retained and seek their consent to do so.

3. Criminal convictions and background checks

Related to this, it is not uncommon for employers to carry out backgrounds checks on prospective employees, which may disclose data about criminal convictions. There are specific rules about processing such data in the GDPR.

If you process such data, you need to have a lawful basis for doing so under the GDPR as with all other personal data. Ideally, the basis for such processing should be the consent of the individual. If this data is to be processed without consent, there are additional restrictions on processing on criminal offence data, which are that:

- You must be processing the data in an official capacity; or
- Specific conditions set out in the Data Protection Act 2018 are met and you have an ‘appropriate policy document’ in place which sets out procedures for compliance with data protection principles, particularly retention and erasure of data.

Certain roles, including those which are regulated by the Financial Conduct Authority and those which involve working with children, generally require a criminal conviction check due to the nature of the work. There are conditions in the Data Protection Act 2018 which can potentially be relied upon in these situations, but they tend to require that, in the circumstances, you cannot be reasonably expected to obtain the data subject’s consent.

Therefore, if you process such data, it is advisable to ensure that you have obtained explicit consent from individuals to process criminal offence data.

4. References

Employers are under no obligation to provide a reference, but if they do it must not be untruthful or misleading. In terms of data protection, references will almost certainly contain personal data about the employee, even if it is only their name and dates of employment. Given this will involve processing personal data, arguably it is difficult to be clear about the legal basis for processing this data. The most obvious is consent, as the employee is likely to want a reference to be provided. It is therefore worth considering procedures to document that such consent has been provided.

If an employee does not get a job and suspect this is due to an unfavourable reference, they are likely to want to see the said reference.

Interestingly, confidential references do not need to be disclosed as part of a Subject Access Request. Previously, they could be requested from the recipient employer, but this has been changed by the GDPR.

Section 24 of the Data Protection Act 2018 provides that the right of access (and also the right to be informed) does not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—

(a) the education, training or employment (or prospective education, training or employment) of the data subject,

(b) the placement (or prospective placement) of the data subject as a volunteer,

(c) the appointment (or prospective appointment) of the data subject to any office, or

(d) the provision (or prospective provision) by the data subject of any service.

However, data subjects may exercise other rights such as their right to restrict processing or right to rectification to deal with the issue of an inaccurate reference. Data subjects also have the right to withdraw their consent, so if this is the basis on which the reference is provided, it should no longer be given if the ex-employee has withdrawn consent for their personal data to be processed for this purpose.

5. Employee monitoring

It is increasingly common for forms of monitoring to be used in relation to employees. This can be through software on work computers, tracking email usage, trackers in company vehicles, or even random spot checks and searches.

There have been a number of cases concerning an employer’s right to employ such monitoring versus the employee’s right to privacy. Electronic monitoring in particular raises data protection issues. While the work done by the employee is not necessarily their personal data, they may use work equipment for personal purposes, or may use their company vehicle for personal journeys as well as work.

The ICO is clear that employees must be informed when they are being monitored and when.

Under the GDPR, it is unlikely that blanket monitoring will be acceptable. This, again, goes back to requiring a legal basis for processing personal data. Monitoring of employees is unlikely to be necessary for performance of the employment contract or any legal obligations. Consent is also a difficult basis on which to employ monitoring, as the power differential in the employment relationship tends to be such that employees would feel they have little choice but to consent. The basis generally used is that it is in the employer’s legitimate interests, but it must be made clear what those interests are, and why they are considered to outweigh the interests of the data subject.


Significant Fine for Google following GDPR breach
GDPR and Employment – Free Seminar