Privacy statements are designed to inform employees in a clear and transparent manner of how their data is being used and their rights in relation to that personal data. In this article, Annabel Mackay and Beatrice Duke of Addleshaw Goddard LLP examine what employers need to know and highlight areas of continuity and change.
With the prospect of fines of up to 4% of annual global turnover or €20 million (whichever is greater), the General Data Protection Regulation 2016/679 (GDPR) has certainly captured employers’ attention. However, in a number of respects, it simply places greater emphasis on principles of fair and lawful processing which were already embodied in the Data Protection Act 1998 (DPA). So, what do employers need to know?
For years, it was common practice to include general consent clauses in employment contracts as the lawful grounds for processing employee personal data. However, in recent years guidance from both the Article 29 Working Party and the Information Commissioner’s Office (ICO) has discouraged employers from relying on consent in an employment context, due to the perceived imbalance of power between employer and employee.
This is further emphasised by the higher threshold of consent under GDPR, namely that it must be freely given, specific, unambiguous and indicated by a clear affirmative action. For consent to be freely given, it cannot be bundled together with other terms and conditions (e.g. an employment contract) and an individual must be able to withdraw their consent without detriment. As such, going forward, it is desirable for employers to rely on alternative processing conditions (such as compliance with a legal obligation or performance of a contract).
There may be instances where employers still rely on consent and in such cases the employees must be clear about the processing which forms the basis of their consent and how their consent can be withdrawn. For example, if the employer is running a voluntary wellness programme for its employees, those interested may consent to the data processing arising from the use of Fitbit trackers.
Data privacy statement
Irrespective of the lawful grounds or legal basis for processing on which the employer relies, Articles 13 and 14 of the GDPR set out that specific information must be provided to the individual by way of a data privacy statement (also known as a fair processing notice, privacy statement or privacy notice).
Such information includes: the identity and contact details of the data controller and any data protection officer; the source of the data (if the employee has not provided it directly); the purposes and legal basis for processing; the specific legitimate interest pursued (where that is the legal basis on which the employer relies); the recipients of personal data (or categories of recipients); data retention periods (or the criteria for data retention); and whether or not such data will be transferred outside of the European Economic Area (EEA) and associated safeguards.
If automated decision-making, including profiling, is taking place, employees must be given meaningful information about the logic and any anticipated consequences (e.g. where performance data is being analysed and used to determine eligibility for transfers, promotion or bonus).
Employees must also be given detailed information about their rights under the GDPR in relation to the processing of their data.
Those rights include: the right to request access to and rectification or erasure of personal data, the right to restrict processing, the right to object to processing (including automated decision-making) and data portability. The privacy statement should also explain that complaints can be raised with the ICO. Where data is being requested for statutory or contractual purposes, employees must be told the consequences of failing to provide the relevant information.
Employers should already have been informing employees about most of this information as part of the principles of fair and lawful processing under the DPA, but the GDPR places greater emphasis on transparency by requiring employers to outline to data subjects their rights (including the new right to data portability and the right to be forgotten), the legal basis for data processing, retention periods and the safeguards that apply to transfers outside the EEA (and where an employee can obtain information about those safeguards).
The data privacy statement should provide a categorical response to an employee’s enquiry about how their data is being processed, including who is processing the data, the types of data being processed, the purpose behind the processing and where such processing takes place.
The ICO recognises that it may be challenging to capture all this information in one document in a clear and coherent form for the data subject to digest. A layered approach to the provision of information may therefore be desirable, particularly if an employer is moving from a generic consent clause to a far more detailed data privacy statement. Employers may find that they have all the information they need for an effective privacy statement already and that it is a case of drawing that information together and making it easier to access.
The ICO guidance suggests that employers could use icons and symbols to signpost where additional information is available. Recital 60 of the GDPR also states that, “information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.”
It is no good communicating information about data processing if the employees do not understand it. The ICO encourages employers to adopt a simple style, with clear language and terminology that avoids legal jargon. In order to ensure that data privacy statements have the maximum impact, they should be consistent with the employer’s house style and refer to the organisation’s values, to the extent that there is an alignment. However, perhaps the most important element is that the privacy statements must be accurate and transparent so that employees are fully aware of how their data is being processed. The nature and effect of processing must not be hidden in the small print.
It is important for employers to consider how the data privacy statement will be delivered to employees. The efforts of an employer would be wasted if the data privacy statement was not effectively provided to the employees. Employers should consider the normal means of internal communications (e.g. an intranet or internal HR platform) and assess the effectiveness of such communications to ensure that the data privacy statements are adequately provided to the employees.
As with most employment matters, having the right policies/statements is not sufficient to discharge an employer’s liability. Their effectiveness needs to be monitored. The ICO guidance suggests that employers carry out research to check employees’ understanding of data processing. Employers should also keep data protection under review in the light of feedback or complaints and sector experience. This is particularly important given the changing data protection landscape and the coming into force of the GDPR on 25 May 2018.
Adapting to change
Employers must not forget that the data privacy statement cannot be static. If there is a change in the way in which data is processed, it must be communicated to employees in advance of the change and privacy statements must be adapted to accommodate that development. Where data is obtained from a source other than the data subject, the information in relation to processing must be provided within a reasonable period of receipt. The change might be subtle, as data could be obtained through a variety of means, including combining datasets, tracking and the use of algorithms to analyse data (adopting the examples given in the ICO guidance).
Data privacy statements are not as significant a change as some other aspects of GDPR. Data controllers may have already had the relevant information spread across a number of different policies, internal communications and contracts. It is a case of drawing that information together in an intelligible format and asking whether the way in which personal data is processed has been conveyed to the employee in a clear and transparent manner.
While a data controller may not wish to rely on consent as a processing condition, if consent is relied upon, a clear data privacy statement will mean that there is a better chance of demonstrating that such consent is specific, informed and unambiguous. When approaching data privacy statements (or any other element of an employer’s GDPR compliance programme) it is essential to remember that at the heart of data protection legislation (both the DPA and the GDPR) is the human right to privacy.
An effective data privacy statement allows employees to be better informed about how their data is being used and the action that they may take in relation to the processing of their data. Continuously bearing in mind the right to privacy will encourage employers to test whether their existing arrangements are fair and transparent and whether they meet the key objective of the GDPR, “privacy by design”, namely protecting personal data at each stage of the employment lifecycle.
- Ensure that the mandatory content is included in data privacy statements
- Avoid legalese and jargon
- Use a layered approach where more detail is required
- Ensure the data privacy statement is provided to employees
- Keep the data privacy statements under review
- Issue a new data privacy statement if processing changes