The Data Protection Bill and GDPR- what employers need to know
- The Data Protection Act 1998 will be repealed
- The European General Data Protection Regulations (GDPR) become directly effective in the UK in May 2018
- The Data Protection Bill 2018 complements the GDPR
- This law card explains how the DPB and the GDPR work together and to what extent, in the context of the employment relationship, these represent changes to the regime under the DPA 1998
- It also sets out a summary of the practical key points and key steps for employers to take
The Data Protection Bill and GDPR
The Data Protection Bill (“the Bill) will replace the Data Protection Act 1998 (DPA) and provide “a comprehensive and legal framework for data protection in the UK”. The Bill supplements the General Data Protection Regulation ((EU) 2016/679) (GDPR) which becomes directly applicable on 25 May 2018. In particular, it provides for areas where the GDPR enables Member States to, set out more specific provisions
When the UK leaves the EU, the Bill allows for the continued application of GDPR standards and the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill currently before parliament.
Progress of the Data Protection Bill
The Bill completed its House of Lords stages and was presented to the House of Commons on Thursday 18 January 2018. This Bill passed its second reading in the House of Commons on Monday 5 March 2018 and has been considered by MPs in a Public Bill Committee. The Public Bill Committee completed its work in March and has reported the Bill with amendments to the House.The Bill will next be considered at Report Stage and Third Reading but the date for these remaining stages has not yet been announced.
The structure of the Bill
The Bill has detailed explanatory notes as on its completion of the House of Lords stages, https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/en/153en01.htm .
The bill is divided into a number of parts and schedules as follows:
Part one contains preliminary matters such as extending the definition of personal data, controllers and processors to apply across the bill.
Part two is of most interest to employers and employees. It contains provision extending the GDPR standards to areas outside EU competence (the "applied GDPR" scheme), with the exception of law enforcement and processing by the intelligence services, and provides for areas where the GDPR enables Member States to set out more specific provisions. For example:
- provision for the processing of special categories of personal data (formally sensitive data under DPA 1998) for reasons of employment, social security and protection (reflecting Article 9(2)(b)); substantial public interest (Article (2)(g)); health and social care (Article 9(2)(h)), public health (Article 9(2)(i)) and archiving, research and statistics (Article 9(2)(j)).
- safeguards for processing for archiving, research and statistical purposes
- the age at which a child can consent to the processing of their personal data by information society services (reflecting Article 8 of the GDPR Regulation
Part three contains provision for law enforcement data processing and Part four provides likewise for data processing by the intelligence services.
The remaining parts provide for the continuance of the Information Commissioner (the "Commissioner"), enforcement and offences, and supplementary provision.
There are also 17 Schedules to the Act. Of particular interest are Schedule I, part 1 which sets out the conditions relating to the processing of special categories of data in relation to employment and Schedule 2 which sets out Exemptions from the GDPR, including for example, restrictions to subject access rights where releasing information would involve disclosing information relating to another individual who can be identified from the information.
The ICO has published an Introduction to the Data Protection Bill here
GDPR/DBA - how much is new?
Personal data, controllers and processors
As under the DPA 1998, the GDPR imposes obligations on controllers and processors of information and it applies to personal data – the definition of which has been expanded (article 4) and makes it clear that information such as an online identifier, for example a computer’s IP address can be personal data and that biometric data and pseudomised data (depending on how easy to attribute a pseudonym to a particular person) are included
Under the Data Protection Act 1998 (“DPA”), the ICO can only take action against a data controller. Under GDPR, action can be taken against both a data controller and a data processor. Article 28 of GDPR sets out processor obligations and what needs to be in the contract between processor and controller.
Data Protection principles
As before the GDPR makes it a requirement to follow the 8 data protection principles (Article 5). They have been tweaked slightly and the Explanatory Notes to the DPB include a useful comparison chart found in the pdf entitled 'Data Protection principles' below.
Most importantly, Articles 5(2) provides a new accountability principle ie the controller shall be responsible for, and be able to demonstrate compliance with the data protection principles ('accountability')’. Hence there is a new priority on data controllers and processors to document what data you have and the lawful reason/s for processing as well as compliance with the other data protection principles. The ICO guidance has a useful high level checklist of actions to demonstrate compliance with GPDR found here .
Articles 24 and 25 provide more help for controllers in this regard, in particular, they must implement appropriate technical and organisational measures that ensure and demonstrate that processing is performed in accordance with the Regulation. Those measures shall be reviewed and updated where necessary. They may include data protection policies (24) . Article 25 is headed Data protection by design and by default and includes the requirement to implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles.There is useful guidance on accountability in the ICO guide here
More specifically,as regards security of processing, Article 32 requires the controller and the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The ICO guidance on security was updated in April 2018 here. This makes it clear that compliance with this key data protection principle depends not just on technical measures but also on co-ordination between key people in an organisation and staff training on matters such as:
- The organisation’s responsibilities as a data controller or processor under the GDPR;
- Staff responsibilities for protecting personal data – including the possibility that they may commit criminal offences if they deliberately try to access or disclose these data without authority;
- The proper procedures to identify callers;
- The dangers of people trying to obtain personal data by deception (e.g. by pretending to be the individual whom the data concerns, or enabling staff to recognise ‘phishing’ attacks), or by persuading staff to alter information when they should not do so; and
- Any restrictions the organisation place on the personal use of your systems by staff (e.g. to avoid virus infection or spam).
Conditions for lawful processing
The first data protection principle is that data must be lawfully processed and there are 6 grounds for lawful processing. In relation to the first data protection principle, that personal data must be processed fairly and lawfully, this mirrors and reflects the previous requirement to satisfy one of the ‘conditions for processing’ under the DP Act but places more emphasis on accountability and being transparent.
To comply with the GPDR, the data needs to be lawfully processed.
The lawful process grounds are:
Defined in GDPR Article 4 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ As such, there must be some form of clear affirmative action. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Article 7 sets out Conditions for Consent which make it clear that consent must also be separate from other terms and conditions, and it is also a requirement to provide simple ways for people to withdraw consent.
In the ICO guidance there is checklist for asking for consent, recording consent and managing consent (eg regular reviews) here . The ICO guidance on consent is here
Given that 'consent' must be freely given and separate from other terms, a general consent within a contract of employment will not be effective for processing employee data. Employers will need to rely on other grounds, particularly (b),(c) and (f) as below. Specific employee consent will sometimes be appropriate, for example, for a referral to occupational health
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. The lawful basis for processing necessary for contracts is almost identical to the old condition for processing in paragraph 2 of Schedule 2 of the 1998 Act.
This ground will be appropriate for employers to rely on with regards to processing certain data, for example, personal and bank details for processing payment under a contract of employment.
(c) Legal obligation:
The processing is necessary for you to comply with the law (not including contractual obligations). The lawful basis for processing necessary for compliance with a legal obligation is almost identical to the old condition for processing in paragraph 3 of Schedule 2 of the 1998 Act.
This ground will be appropriate for employers to rely on with regards to processing certain data, for example, tax and NI details to enable the appropriate tax to be paid under a contract of employment.
(d) Vital interests:
The processing is necessary to protect someone’s life. The lawful basis for vital interests is very similar to the old condition for processing in paragraph 4 of Schedule 2 of the 1998 Act. One key difference is that anyone’s vital interests can now provide a basis for processing, not just those of the data subject themselves.
(e) Public task:
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. The public task basis in Article 6(1)(e) may appear new, but it is similar to the old condition for processing for functions of a public nature in Schedule 2 of the Data Protection Act 1998.One key difference is that the GDPR says that the relevant task or function must have a clear basis in law.
(f) Legitimate interests:
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. The concept of legitimate interests as a lawful basis for processing is essentially the same as the equivalent Schedule 2 condition in the 1998 Act, with some changes in detail. You can now consider the legitimate interests of any third party, including wider benefits to society.
The GDPR is also clear that public authorities can no longer rely on legitimate interests for processing carried out in performance of their tasks. In the past, some of this type of processing may have been done on the basis of legitimate interests. Public authorities will therefore now need to consider the public task basis for more of their processing.
The biggest change is that because of the accountability principle (see above) you need to document your decisions on legitimate interests so that you can demonstrate compliance under the new GDPR.
It is useful that the Recitals to the GDPR provide that 'processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest' (subject to the three-part test below)
Similarly the Recitals to the GDPR specifially state that legitimate interest could exist in situations such as where the data subject is a client or in the service of the controller (again subject to the three-part test below). Hence legitimate interests is likely to be appropriate for employers to rely on with regards to processing certain data, for example, staff performance data for the purpose of managing staff.
The three-part test - the ICO guidance suggests using the following three-part test for assessing legitimate interests:
Purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
The ICO guidance includes useful sections headed How do we apply legitimate interests in practice? And Can we use legitimate interests for employee or client data?
The ICO has published a lawful basis interactive guidance tool
Sensitive data/special data
The 1998 Act provides additional safeguards for "sensitive personal data" which includes personal data relating to race, political opinion, trade union membership, health, sex life and criminal records. The GDPR refers to sensitive personal data as "special categories of personal data". The Regulations extend the additional safeguards to specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Processing of special categories of personal data is generally prohibited unless explicit consent is obtained. However, the GDPR allows (Article 9 (2)) for processing to take place in certain circumstances without consent. These include:
'where processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems' and where:
'processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests'
Hence the DPB (sections 10 and 11 and Schedule 1) sets out additional provisions. These are of course currently in draft form but similar to the Schedule 3 conditions under the 1998 Act for the processing of sensitive personal data. With regard to the employment exception the DPB requires that a condition in Part 1 of Schedule 1 is met, which includes a requirement that the controller has an appropriate policy document in place. Schedule 1 para 34 requires that such a policy 'explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained'. Given that employers will often be processing special data ( for example monitoring ethnicity and deducting union subscriptions), such a policy is likley to be essential.
Data privacy impact assessments
Article 35 requires privacy impact assessments (DPIA) for certain types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. ICO guidance states it is also good practice to do a DPIA for any other major project which requires the processing of personal data.
One of types of processing that is specifally listed in Article 35 is 'processing on a large scale of special categories of data referred to in Article 9(1)' (see above) and so the duty may apply to employers in that context.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
The Explanatory Notes to the DPB include a useful chart summarising these rights and comparing individual rights under GDPR and those under the DPA 1998. The chart is found in the pdf entitled'Individual Rights' below.
The right to be informed is key as it is this which underpins the requirements for privacy notices. Article 13 of GDPR sets out the information to be provided where personal data relating to a data subject are collected from the data subject. Importantly that information includes the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
The right of access The GDPR does introduce some changes from the DPA 1998 with regards subject acess requests. Hence a copy of the information requested must be provided free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. Information must be provided without delay and at the latest within one month of receipt of the request. The period of compliance can be extended by a further two months where requests are complex or numerous. If this is the case the individual ,must be informed within one month of the receipt of the request and explain why the extension is necessary.
Further information on individual rights are found in the ICO guidance here
GDPR provides, in Article 30 for both controllers and processors, who have 250 or more employees, to document certain information about processing activities.This includes information such as the purposes of processing, a description of the categories of individuals and categories of personal data and the categories of recipients of personal data.
The documentation of processing activities is a new requirement under the GDPR but there are some similarities between documentation under the GDPR and the information provided to the ICO as part of registration under the Data Protection Act 1998.
The ICO has further guidance here
Data Protection Officer
Recital 97 of GDPR states that a DPO 'should be in a position to perform their duties and tasks in an independent manner'. The requirements for and the role of the DPO are set out in Articles 37-9 of GDPR and the DPB sections 69 and 70.
A DPO is required if an organisation is:
- a public authority (except for courts acting in their judicial capacity);
- carries out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carries out large scale processing of special categories of data or data relating to criminal convictions and offences.
The ICO guidance states 'Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR'.
Penalties and Liabilities
Article 33 of the GDPR introduces a duty on all organisations to report a personal data breach to the relevant supervisory authority (the ICO), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notification must be with 72 hours of becoming aware of the breach, where feasible.
Controllers must also keep a record of any personal data breaches, regardless of whether they are required to notify (Article 33 (5))
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, those individuals must also be informed without undue delay (Article 34).
Given these requirements, it is important for employers to have polices in place to identify, assess and report breaches
The ICO guidance has checklists here which cover preparing for and responding to personal data breach,
Under the GDPR, the ICO can impose up fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors. This compares to £500,000 which is the maximum fine which the ICO is entitled to levy against a data controller that has breached the legislation under DPA 1998.
Fees for data controllers
From the data of introduction of GDPR, there will be a new charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO). The new data protection fee replaces the requirement to ‘notify’ (or register), which is in the Data Protection Act 1998 (the 1998 Act). Although the 2018 Regulations come into effect on 25 May 2018, Controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired.
The Data Protection (Charges and Information) Regulations 2018 include exemptions from the requirement to pay the fee including where a controller only processes personal data for ‘core business purposes’. These are:
staff administration advertising, marketing and public relations accounts and records.
The ICO has published a guide here
Key points/steps for employers
NB This list is not exhaustive but aims to provide a useful aide memoire.
- Boiler plate clauses in employment contracts where the employee consents to the employer processing data are unlikely to comply with the consent requirements under GDPR
- Specific consent may, on occasions be the appropriate lawful ground for processing, for example, when referring an employee to occupational health
- Generally however, employers will need to rely on other grounds for lawful processing. Other grounds, such as legitimate interest and compliance with a contract will apply but employers need to review what personal data they hold, for what purposes and for how long
- If an organisation has more than 250 employees, it needs to maintain a record of its processing activities.
- Organisations need to assess what technical and organisational measures they have in place to ensure compliance with the data protection principles. For example, employers should review their practical processes for managing data so that they comply with their own retention policies and staff are aware of their responsibilities
- Organisations need to review their contractual relationship with processors of employee data
- Employers should review their processes for dealing with subject access requests to ensure the new shorter time limits are complied with
- Organisations need to ensure they have a process in place to deal with data breaches and consider if they need a Data Protection Officer
- Employers will need to provide employees with the information required by Article 13 of the GPDR. This may be in a separate privacy statement and/or as part of a data protection policy or policies. As well as setting out the purpose for which the data is processed and the lawful grounds for doing so, information should cover retention of data, transfers to other countries and an individual’s rights and security measures for the storage of data. The information should be concise, transparent, intelligible and easy to access.
- Employers should review other polices where data protection may be an issue to ensure compliance with GDPR and the Data Protection Bill 2018, for example, the processes for dealing with sickness absence
- In the interests of security of data, organisations should consider how best to ensure co-ordination between key people and what training staff need.
- Organisations should consider what, if any, Data Protection fee needs to be paid
- Organisations should plan for on-going monitoring and review of the handling of employee data