Relying on consent as the lawful basis for processing personal data has taken some twists and turns in the employment context. When the Data Protection Act 1998 first introduced the requirement for a lawful basis for processing personal data, employers tended to take a fairly simplistic approach and incorporate a consent provision into the employment contract. As employees were required to sign the contract, employers considered agreement to it (including the consent provisions it contained) was enough to meet the lawful basis requirement.
This position evolved as ICO and EU-level guidance came out on the use of personal data in an employment context and employers began to re-think whether and when consent could be a lawful basis for HR-associated data processing, especially where sensitive personal data was involved.
Fast forward to the GDPR, with its enhanced standard of consent, which must now be freely given, specific, informed, unambiguous and involve an affirmative action, as well as explicit in relation to special or sensitive data. As the Information Commissioner's Office points out in its guidance on consent, there is likely to be a power imbalance between employer and employee, making consent difficult to obtain in the context of day-to-day core employment practices. Further, the European Data Protection Board in its Consent Guidelines states that most data processing at work cannot be based on the consent of the employees.
In addition, the employee is entitled to withdraw consent at any time and must be given information about this right. Withdrawal of consent would, however, frustrate the employer's ability to carry out activities that may be necessary and justified in an employment relationship.
So how can employers navigate the issues of lawful basis and consent when it comes to processing employee personal data?
Alternatives to consent
The problems with getting freely given consent from employees mean that employers should no longer look to consent as the default when processing employee personal data. There are more appropriate lawful bases in the GDPR and in the Data Protection Act 2018 (DPA18) for most activities that are basic and core to administering the essential employment relationship.
The majority of processing operations involving employee personal data can be carried out on the basis that it is necessary for the performance of the employment contract, or to comply with employment or national laws. In some scenarios the employer may also need to process the employee's personal data to protect the employee's vital interests; however, this will be very limited in scope.
The 'legitimate interests' basis may (where the employer is a private organisation) also provide justification for the processing of non-special category personal data for many employment activities. However, this lawful basis requires a proportionality test to be carried out to ensure that the legitimate interests of the employer as data controller do not override the fundamental rights and freedoms of the employee. A careful assessment of these issues should therefore be carried out before reliance is placed on this as a lawful basis.
Where employers need to process special category personal data to meet their legal obligations or exercise their rights as employers, the GDPR and DPA18 provide justification. This might arise, for example, in the context of ensuring a safe place of work, equality of opportunity or treatment of employees (eg diversity monitoring and disability workplace adjustments), administering social security payments (eg sick pay), and for some occupational health purposes. Reliance on this ground comes with conditions and requires clear, documented policies to be in place to ensure required standards for the processing are met. Selecting the appropriate lawful basis requires a detailed assessment of the individual processing activities and data involved.
Is consent ever appropriate in an employment context?
It would be an exaggeration to say that consent is never an appropriate lawful basis in an employment relationship. As explored above, the main barrier is ensuring that the employee "freely gives" their consent. In some situations, an employee will have a genuine choice, for example, where an employer wants to make a promotional video about the company and involves some of its employees on an entirely voluntary basis. Provided there will genuinely be no adverse consequences for any employee who refuses to be in the video, the employer may rely on consent to process the personal data of the employees (their images and audio) to make the video.
Consent collection methods in employment
Where consent is capable of being given freely by the employee, the employer will need to ensure the other GDPR requirements for consent are also met. There are various ways to do this, but the employer must provide a clear explanation of what, precisely, the employee is agreeing to and the potential impact of the agreement, and ensure the employee actively indicates their agreement to the described processing by way of a clear affirmative action.
This means that the employer must ask its employees to provide an active opt-in, using, for example, an opt-in tick box or button, signing a consent form, responding to an email stating that they give their consent, or giving a 'yes' answer to an oral consent request. These consents must not be bundled together (employers will need consent for each discrete processing activity) and should be presented separately from any other terms in order to be as specific and clear as possible.
The employer will need to maintain a record of any obtained consents including oral ones. Where consent is being collected for use of special category personal data, extra care is required as consent has to be "explicit" and a more granular explanation and acceptance mechanism may be needed.
International position on consent
Employers cannot presume that a single harmonised approach to the use of consent in an employment setting applies across the EU, whether in relation to relying on consent or to regulator guidance. In some Member States, national labour laws also need to be taken into account and the GDPR contains an overarching provision which allows for the relaxation of certain aspects of compliance to reflect them. This means you should seek local law advice before deciding on the lawful bases for processing employee personal data in other EU countries, or developing a single approach to EU human resources operations.
What does this mean?
The effect of the GDPR and the UK's DPA18 has been to limit the situations where consent is the appropriate basis for processing employee data. It is also unlikely that a single lawful basis will apply across all employment activities. Careful documented assessment of all processing activities within employment practices should be undertaken and kept under review, and if it is appropriate to rely on consent, evidence of the employee's acceptance should be maintained. Fairness and proportionality will inevitably come into play in the employment context and transparency will be of fundamental importance to effective compliance.