In my previous article, I highlighted some of the compliance challenges the new GDPR regime will present for the HR function with respect to the processing of employee personal data. This article is a continuation of my series on the role of HR in GDPR compliance and details the impact of purpose limitation on the human resource function.
A momentous change introduced by the GDPR is the requirement to identify a lawful basis for each data processing activity and the purposes it serves. The objective behind this change is to create a greater degree of accountability for both data controllers and data processors, to prevent invasions of privacy and other intrusions, and to curtail unauthorized access to employee personal data.
Under the upcoming system, HR policies on data collection have to be transparent. Employees must be informed not only of the data being collected and the manner in which that collection takes place, but also of any changes made to data processing policies after the initial notification. The GDPR and the European advisory on ‘data protection at work’ provide an inclusive list of points on which information has to be made available to employees.
The HR function’s lawful basis for processing employee personal data has a significant impact on how that data is collected and managed. Purpose limitation makes HR managers accountable for justifying each processing of employee personal data.
This requirement brings to light one of the most fundamental GDPR compliance challenges for human resource managers: whether consent remains a reliable basis for data processing, or whether employers need to look for alternatives.
Consent, Legitimate Interests, or Something Else?
Invalidity of Consent
Consent has traditionally been the primary, and at times the sole, lawful basis on which HR has processed employees’ personal data. However, the GDPR has changed the scope of consent by introducing a number of preconditions, while also closing loopholes in the definition.
Article 7 of the GDPR enumerates the conditions for data processing on the basis of consent, supported by a series of recitals. Recital 32 reads in part, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her…Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
Recital 42 establishes the burden of proof, reading, “…the controller should be able to demonstrate that the data subject has given consent to the processing operation.” This recital has particular relevance to human resource management because it asserts that “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
The most contentious aspect of consent is contained in Recital 43 read with Recital 42, asserting freely given consent cannot exist “where there is a clear imbalance between the data subject and the controller.”
The inherent power imbalance in an employer-employee relationship vitiates free consent: any consent offered by the employee is unlikely to be ‘free’ simply because of the legal relationship between them. Practically speaking, employees may feel indirectly pressured due to their status vis-à-vis their employer and feel unable to refuse consent, resulting in the absence of a “genuine or free choice”. Thus, employers may only be able to demonstrate “genuine or free consent” in limited circumstances, such as data processing for voluntary arrangements where the employee’s choice to participate is entirely unencumbered.
The ICO’s guidance on consent states, “If for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example, if you are a public authority or employer processing employee data.” The Article 29 Working Party’s guidelines on consent specifically note that “an imbalance of power also occurs in the employment context.” The employer-employee relationship creates a dependency that prevents employees from denying or withdrawing their consent to data processing, because the employee “experiences the fear or real risk of detrimental effects as a result of a refusal.”
HR managers can rely on consent for data processing only in those situations “when it is possible for the employer to demonstrate that consent actually is freely given.” HR will have to provide evidence that the employee’s consent to processing was not overshadowed by the inherent power imbalance or any related dependency. The same applies to consent to employee monitoring or other intrusive HR policies. Hence, consent clauses in standard form employment contracts can no longer serve as a ‘fall back’ justification for the purposes of GDPR compliance. Rather, the HR function has to develop consent mechanisms based on affirmative action by the employee.
Where consent is not a viable lawful basis for data processing, the ICO points employers towards ‘legitimate interests’. Article 6(1)(f) of the GDPR addresses legitimate interests, and Recitals 47 through 50 provide an array of examples where personal data processing may be necessary for such interests.
The GDPR requires employers to demonstrate that processing is “necessary for the purposes of the legitimate interests pursued by the controller…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.” The ICO has issued clarifications in this regard; its guidelines accept commercial benefit as a sufficient legitimate interest “unless outweighed by harm to individuals’ rights and interests.” For example, the HR function needs to demonstrate that collecting the personal data serves a concrete interest such as operational efficiency, internal administration, information security, or fraud detection.
Necessity is a requirement for legitimate interests; however, there is much ambiguity as to which activities can be considered ‘necessary’. The determination will depend on a balance between HR’s interests (and by extension the employer’s interests) and the employee’s rights and interests. The human resources department must also consider whether employees “do not reasonably expect further processing” of their personal data, because in those instances the employees’ interests would override those of the HR function.
When HR processes employee personal data on the basis of legitimate interests, managers have to keep written records of their assessments to demonstrate compliance. These records should show due consideration of employees’ interests and the absence of less intrusive alternatives for achieving the purpose for which the data was processed.
An alternative basis, under Article 6(1)(c), is processing necessary to meet a legal obligation, such as maintaining records for health insurance purposes or keeping employee records required by employment law. Another alternative, under Article 6(1)(b), is processing necessary for the performance of the employment contract.
Key Steps and Solutions
- Re-examine existing policies on employee personal data protection such as employee supervision policies and staff handbooks.
- Review terms in all employment contracts pertaining to employee consent and to employee personal data processing activities.
- Identify distinct employee personal data processing operations and evaluate their necessity. Discard ancillary processes. Assign an appropriate lawful basis to each remaining activity. Ensure employee personal data processing meets standards of transparency and proportionality and is as unobtrusive as possible.
- Conduct a Legitimate Interests Assessment to justify the decision to use legitimate interests as a lawful basis. Maintain written records of these assessments detailing the balance of interests for each processing activity that relies on legitimate interests.
- Notify employees of updated privacy and other HR policies. Provide employees with information about the lawful basis for each activity in which their personal data is processed, through notifications and easily accessible HR policies. Remind them of their reciprocal obligations regarding accurate personal data and of the new consent requirements where applicable.
- Implement transparent systems for employee personal data processing to facilitate employee awareness. Update HR IT systems and processes to incorporate privacy by default and privacy by design principles.
- Institute employee training to build data protection into the organization’s culture.
- Develop new consent mechanisms that accommodate obtaining multiple consents, emphasizing clear, simple language and opt-ins.
- Amend consent mechanisms to accommodate the ‘explicit consent’ requirement for processing special categories of employee personal data, which include protected characteristics such as race, ethnicity, disability, religious beliefs, health, and sexual orientation.
- Consistently review domestic laws and incorporate variations in requirements arising from changes in Member State law. HR policies will differ across jurisdictions within the EEA based on each Member State’s local developments.
Advisory to CRIS
Co-founder & CEO, CyberImmersions Solutions
The ideas, views and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice. For legal reliance on GDPR compliance, please consult your attorney.