GDPR and employee data - when there’s more to consent than meets the eye
Depending on your point of view, the EU’s (in)famous “cookie law” is either a mildly-amusing joke or a minor irritation. In practical terms, however, it’s probably made very little difference to either those who run websites or those who simply click past the compulsory notification to get to the content they actually want. Once people added the code to their website, it was done and forgotten about.
GDPR, however, is very different; one of the many differences is that it is actively dangerous for employers to rely on consent as grounds for processing their employee’s personal data.
Employee’s are not customers
Consent has to be given freely in order to be considered valid. Customers can choose whether or not to give consent to their data being processed or whether to walk away and use another supplier (or none).
Admittedly this is not necessarily as straightforward as it sounds, for example when supply is limited and/or when all suppliers are working on much the same basis as regards data processing, but it is still probably fair to say that it is generally easier for a potential customer to walk away from a purchase transaction than it is for a (potential) employee to walk away from a job.
Because of this, employers are very likely to find that they are skating on thin ice if they rely on consent as their reason for processing data. They are likely to find that “legitimate interest” is a far better option – provided that they can demonstrate their interest is legitimate.
The basic principles of legitimate interest
Even though it may seem obvious that employers have a legitimate need for some data, it is always worth questioning why data is collected and double-checking that it is necessary, which is the first requirement for legitimate interest.
Employers should collect only the amount of data that they actually need and should work to ensure that the employee’s fundamental right to privacy is compromised only as far as is actually necessary. For example, it would be entirely reasonable for an employer to collect an employee’s bank details as these are necessary for the employer to pay them and the data requested is proportionate to the need. Collecting an employee’s bank statements, by contrast, would be an entirely different matter.
When employers have a broader interest
Some employers will have a need to collect more data on their employees, for example if they need to provide them with insurance or where it’s important that a high degree of security is maintained.
This situation is rather more complicated but fundamentally it works along the same principles as basic legitimate interest, with the added requirement that the measures are transparent to the employee. In other words, if any monitoring of any sort takes place (such as internet or email usage), then employee’s must be made aware of the fact that their activities are being monitored and must also be informed of what is and is not considered appropriate usage and of any sanctions which may be applied if they act inappropriately.
Employers should therefore check that they have clear, consistent and compliant policies that are effectively communicated, documented and enforced.