Sensitive personal data in HR functions: climbing the ladder of legal bases

The GDPR's entry into force has forced HR teams to re-evaluate the ways in which they justify the use of personal data relating to their employees, applicants and contractors. Whilst compliance priorities will vary between organisations, all UK HR functions should be particularly mindful of their enhanced obligations to satisfy multiple conditions under both the GDPR and the UK's new Data Protection Act 2018 ("DPA 2018") before collecting certain special categories of personal data.

What are "special categories" of personal data?

Formerly known as "sensitive personal data", the following categories of data (many of which are commonly used in the HR context) are called out for specific protection in the GDPR and under the DPA 2018 because of their perceived sensitivity:

  1. information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, health, sex life or sexual orientation;
  2. genetic data and biometric data used to uniquely identify a person; and
  3. information relating to criminal convictions, offences and related security measures (which although not technically 'special categories' of data under the GDPR, are - broadly speaking - treated in the same way under the DPA 2018).

First base: Identify a general legal basis

Employers must – in their capacity as data controllers of their HR data – justify all of their activities involving personal data (regardless of whether it is sensitive or not) under one of six "general" legal bases under Article 6 of the GDPR. In the employment context, this will usually be possible on the basis that activities are necessary: (a) to perform the employment (or other) contract; (b) for the employer to comply with a legal obligation; or (c) for the purposes of the employer's legitimate interests. Where "legitimate interests" are relied upon, an employer must undertake and document a balancing exercise to ensure that these are not overridden by any individual's data protection rights.

Second base: Identify additional legal bases and implement an appropriate policy document where required

Where these sensitive types of data are collected, data controllers must identify an additional legal basis, on top of the initial general legal basis, before they can process this information. This is because the processing of these categories of information is generally prohibited unless an additional, tougher, condition is also met. Some of these conditions are set out in Article 9 of the GDPR, but Schedule 1 of the DPA 2018 also identifies a number of further legal bases for processing this special category data. In order to rely on many of these domestic conditions in the DPA 2018, employers will also need to implement an appropriate policy document which must explain how they ensure that the sensitive processing complies with the GDPR's underlying principles and requirements, in particular those relating to retention and data minimisation.

The table below summarises some of the (non-exhaustive) additional conditions which are likely to be of most relevance to employers in the UK when seeking to use sensitive personal data:

| Additional GDPR/DPA 2018 condition | Appropriate policy document (and additional safeguards) required? |
| --- | --- |
| Explicit consent, for specified purposes (Art 9(2)(a) GDPR) | No, but consent will rarely be appropriate in the context of a subordinate employment relationship, where consent cannot usually be said to be 'freely given'. This will only be relevant where truly voluntary – for example, if employees can choose to have biometric access to premises but can otherwise choose an alternative method. |
| Processing must be necessary to carry out obligations or exercise specific rights of the employer or employee, so far as authorised by one of these areas of law in the UK (DPA 2018 Sch. 1, Part 1, para. 1) | Yes |
| Equal opportunities monitoring involving data revealing race / ethnic origin, religious / philosophical belief, health or sexual orientation only (and provided that such data is not used to take decisions about an individual, or cause them substantial damage or distress) (DPA 2018 Sch. 1, Part 2, para. 8) | Yes |
| Monitoring racial and ethnic diversity at defined senior levels of organisations, with the aim of maintaining or promoting diversity (provided that such data is not likely to cause substantial damage or distress to individuals) (DPA 2018 Sch. 1, Part 2, para. 9) | Yes |
| Where necessary to prevent / detect unlawful acts in the substantial public interest and obtaining consent would prejudice that function (DPA 2018 Sch. 1, Part 2, para. 10) | Yes (except in relation to disclosures or potential disclosures to competent authorities). |
| Other conditions exist in relation to processing for the purpose of fraud prevention, certain vetting processing, disclosures under terrorist financing / money laundering laws, insurance contracts / claims, occupational pension administration and safeguarding. | Yes (for the conditions specifically listed in the column to the left). |
| Necessary for the establishment, exercise or defence of legal claims (Art 9(2)(f) GDPR) | No |

Where an employer processes data relating to actual or alleged criminal convictions or offences – such as when undertaking criminal record checks or processing evidence of employee fraud – then it must refer to the DPA 2018 for an additional legal basis (the GDPR does not specify any legal basis).

What is an "appropriate policy document"?

Guidance on what will be acceptable as an "appropriate policy document" is currently limited. However, the DPA 2018 does confirm that such a document must, at minimum: (i) explain an employer's procedures for securing compliance with the GDPR's key data protection principles; and (ii) highlight their retention and erasure policies, in each case as specifically applicable to the relevant 'special categories' of data. This is information that is likely already set out in employers' existing data protection policies.

The DPA 2018 also mirrors the GDPR's focus on "demonstrating accountability" by requiring employers to retain any such policy document for at least 6 months following the end of any processing activity involving sensitive personal data, during which period it must be periodically reviewed, updated and provided without charge to the ICO upon request. Furthermore, where sensitive personal data is processed, an employer's record of processing activity (as required under Article 30 GDPR) must also note the processing conditions relied upon and confirm compliance (or explain any non-compliance) with the required policy document.

What else do we need to do?

Identifying appropriate legal bases for the processing of these special categories of personal data (and keeping these under review) is just one step towards satisfying the GDPR's onerous requirements. These will feed into and inform multiple aspects of HR compliance programmes, including employee-facing privacy notices, records of processing activities, the need for data protection impact assessments where carrying out high-risk processing and – potentially – the requirement to appoint a GDPR-compliant data protection officer. Where the business acts as a data processor, the employer will also be under pressure to ensure that employees are under contractual obligations of confidentiality to protect customer data.

Organisations who have not yet considered their obligations under GDPR would be well-advised to undertake an urgent gap analysis of current HR operations against the now enhanced legal requirements. Please do get in touch if this is something we can help with.
