(UK) GDPR compliance is an ongoing exercise. Processes around handling HR data need to be dynamic to handle new issues.  The impact of the COVID-19 pandemic is a good example of the way employers have had to adapt, but more established issues such as handling subject access requests and maintaining employee data policies also require constant attention.  We look at what to keep in mind when reviewing policies and practices relating to HR and other data in the context of recent and upcoming developments.

Hybrid working and data security issues for employers

Although employees are now returning to the workplace, many organisations are operating hybrid working where staff continue to work both in the office and also from home or other locations. Hybrid working can give rise to a range of data protection and information security risks. Employers need to recognise and, if necessary address these, as data protection legislation gives rise to a duty for employers to use appropriate technical and organisational measures to ensure security of personal data and to protect it from unauthorised processing and loss. This applies regardless of where the data is accessed.

Employers should carry out a data privacy impact assessment (DPIA) to assess and mitigate risks associated with remote working.  This is important not only from a reputational perspective, but also to head off any breaches, data loss and possible enforcement action by the ICO. They should consider, in particular:

• Ensuring no one other than the employee has access to company and personal data on a work device, so employers should provide this device where possible. Where staff are printing and storing work-related documents at home they should also keep these secure
• Encrypting the work device so that it is secure when it is moved between home and office, and cannot be accessed if stolen.
• Ensuring devices can be wiped by employers remotely if compromised, and have centrally controlled updates to security and other software.
• Having clear company policies which refer to hybrid working, including rules on retention deletion or destruction of data.

Employees should also be provided with guidance and training as to what their responsibilities are and how to comply with information and cybersecurity measures when working from home. ICO guidance on data protection and working from home can be found here.

How long should an employer retain employees' vaccination data?

Government COVID-19 measures have been relaxed across the UK and the ICO has set out some key points organisations need to consider around the use of personal information and, in particular, whether the information collected due to the pandemic is still necessary.  ICO guidance suggests that employers ask themselves the following three questions:

• How will still collecting extra personal information help keep a workplace safe?
• Does an employer still need the information previously collected?
• Could an employer achieve its desired result without collecting personal information?

Although additional personal information may have been collected and retained during the pandemic in accordance with government guidelines, employers should assess this and securely dispose of any information no longer required. If vaccination information is still being collected, then employers should be clear about what they are trying to achieve, and how asking individuals for their vaccination status achieves this. Use of the data must be fair, relevant and necessary for a specific purpose. The reason should be transparent and not that it is being collected 'just in case' it is needed.

If the lawful basis for processing the data was that it complied with a legal obligation due to particular legislation in force and this is no longer the case, then there may be no ongoing basis for processing it in which case it should be deleted unless it is possible to select another lawful basis – by no means a foregone conclusion.

ICO guidance makes it clear that "you should not swap to a different lawful basis at a later date without good reason". Employers can only continue to rely on the original lawful basis where the new purpose is compatible with the original purpose and provided the original lawful basis was not consent.   If the new purpose is very different from the original, would be unexpected, or would have an unjustified impact on the employee, it will not be compatible.  The ICO says you can only change purpose with specific consent, or where there is a "specific legal provision requiring or allowing the new processing in the public interest".  As it is difficult to obtain consent in an employment context, the circumstances under which an employer could continue to process vaccination or other health data where it was originally processed on the grounds of complying with a legal obligation which has now fallen away (or in relation to any new purpose), are likely to be limited.

In addition, as a person's vaccination status is special category (health) data it requires extra protection.  An employer may consider retaining anonymised records of vaccination data if it's just to monitor rates across its workforce. Data protection law does not prevent employers from keeping staff informed about potential or confirmed COVID-19 cases among their colleagues although individuals' names should not be mentioned and no more information than is necessary should be provided.

Employers may need to update their data protection policies and procedures, and their employee and other privacy notices, including to provide information about how long they will keep the vaccination data for.

Do you need to review your employee privacy notice?

The impact of the pandemic is not the only reason to review your employee privacy notices.  When the GDPR first came in, many organisations felt unsure about what level of detail should go into their privacy notices. Listing all the possible types of processing for each data set and putting this in a schedule, was one approach. Another was to set out more broadly the types of processing that would occur, and for what purpose, in relation to key data sets. Either approach is valid, depending on the circumstances, but covering the necessary information (including on lawful basis) while remaining succinct and accessible to data subjects is a challenge. It may be time to revisit whether your organisation struck the right balance when it came to the level of detail to include in your privacy notice.

As an organisation evolves, so too will the use it makes of employee data. For example, diversity monitoring is relatively rare (and rarely productive) in small organisations but will be important as the size of the workforce grows. So too, as new technologies are introduced, for example, to allocate work or assess performance, will employee data be processed in new and oblique ways. Some of the questions you will want to ask during a review are:

• Can we provide the information required in a privacy notice in a more user-friendly and succinct way?
• Are we clear that the lawful basis for processing is still relevant?
• Are we clear the privacy notice still reflects the purposes for which we will process the data?
• Do we need separate, bespoke notices for occasional processing (like those needed in relation to COVID-19)?
• Is it appropriate to have different notices for applicants for employment and contractors, rather than having one 'staff' policy?
• Do we practise what we preach in terms of data retention?

Protocol for dealing with a subject access request

Having a process for dealing with subject access requests, rather than just responding to them in an ad hoc way, makes an organisation less likely to make errors or appear on the back foot in the event of litigation. As is often the way with GDPR issues, mapping the data flow and process around handling data can be just as important as getting to grips with the substantive issues involved. Given the relatively short timescale of a month for dealing with a SAR, the HR or other professional dealing with it will want a checklist to hand which will break the process down into bite-sized steps.  This might include:

• Log the date of the request and acknowledge it.
• Make an initial assessment of the nature of the request – for example is it straightforward or complex? Does it need clarification?
• Is the request excessive or unfounded (which may be grounds for refusal or may give rise to a fee being charged)?
• Locate in-scope data: identify systems where data may be stored and relevant search terms or dates to locate certain data.
• Liaise as necessary with other departments/staff to locate and collate the data.
• Consider whether redaction of data or third party consent is required.
• Decide whether it would be appropriate to seek legal advice.
• Review the draft response to the SAR.
• Decide how access to data will be provided, electronically or otherwise.
• Provide a formal response.

It is of utmost importance to provide some basic training at operational level so that managers know how to spot a SAR, how to locate data, and know to escalate to the relevant team. See here for more on evolving issues with SARs.

Prepare for more change

Businesses based in the UK or with UK employees, have already had to deal with the impact of Brexit.  Despite concerns around the future of EU-UK data transfers,  (see here for more on data transfer issues), in data protection terms, the transition was navigated relatively smoothly and UK law has continued to mirror the EU law from which it is derived.  That looks about to change.

In June 2022, the UK government published its response to its consultation on reform of the UK's data protection regime.  While the changes are less radical than originally envisaged by the government which has taken on board the need to preserve EU-UK adequacy, there will be an impact on HR data.  Organisations will be able to refuse SARs if the request is 'vexatious or excessive' rather than the current 'manifestly unfounded or excessive' threshold.  The right to charge a nominal £10 fee for responding to SARs will not, however, be making a return.

More widely, the government is looking to reform the accountability and governance structure of the current GDPR.  There will be no requirement to appoint a DPO, nor to carry out a GDPR-style Data Protection Impact Assessment or keep Article 30 processing records.  However, these elements will all be replaced with new obligations under a 'Privacy Management Programme'.  So organisations will need to appoint a senior individual responsible for compliance, put in place a risk management programme, and keep a personal data inventory. 

The Data Reform Bill is expected to be published shortly at which point more detail will be available.  The government is keen to stress that UK GDPR-compliant businesses will not face major disruption, however, employers will need to keep a watching brief and adapt to the new regime when it comes in.  Compliance with the UK regime may look different to compliance with the existing and EU regime going forward.  This means that employers will need to go through another round of review and internal education (see more about the proposed changes).  Again, it's a matter of ongoing compliance in a developing environment.

Employers may also be interested in further articles written by our data protection team on our Global Data Hub.