In the run up to 25 May 2018 when the General Data Protection Regulation 2016 (or GDPR for short) came into force, it was clear that data protection compliance and the level of priority given to HR data varied significantly between employers. One year on, what have we learnt and what should employers focus on over the next twelve months? Below, we make some suggestions.
All of the above can be time-consuming and costly for employers to manage, and come with clear risk if not handled correctly.
The ICO has limited resources and has not (as yet) actively prioritised assessing whether employers are taking the correct approach to questions such as what information should / shouldn’t be disclosed, redacted etc.. That said, there is clear value for employers in being able to demonstrate to the regulator that it has appropriate, organised and efficient systems for handling DSARs in place and can evidence the process it has followed in responding to a DSAR, including the decisions it has made as to what must be provided and what can be withheld. The ICO is likely to start asking more probing questions and testing exemptions with regard to DSARs so employers must be prepared to explain and evidence the steps taken. Notes, logs and other record keeping steps are key, together with appropriate archiving to ensure that relevant correspondence and outcomes are retained.
Further, the ICO's interpretation of what is deemed a "proportionate" search has expanded, which in combination with the loss of the "disproportionate" defence, means that employers must think carefully about how to manage searches (which may need to be wide ranging and will be time consuming), and the content of its communications with requestors. Before GDPR, employers often sought to rely on an expansive approach to the exemptions allowing them to withhold data relating to management forecasting and ongoing negotiations; irrespective of whether that worked under the previous regime, the ICO's post-GDPR attitude is that these exemptions should be narrowly construed. This means that employers must consider carefully when to apply these, and should be prepared to explain and evidence their rationale for withholding data in reliance on them.
As a general comment, there was no significant take up of individual rights other than the right of access either pre or post-GDPR. Some employers saw an uptick in erasure requests immediately post-25 May 2018, but those requests appear to have slowed down. The other individual GDPR rights have typically garnered less attention, but it is important for employers to keep these in mind as there is potential for future development here.
5. Vicarious liability
Whilst not a GDPR case as such, the Morrisons case (see our analysis here) brought the potential commercial risks of an employee data breach in the post-GDPR world to the fore. The initial costs of dealing with the breach and implications for brand value and the employer's reputation were significant. But the wider costs are still mounting.
In the first case of its kind, over 5,000 affected employees brought a claim alleging both primary and vicarious liability for (i) misuse of private information; (ii) breach of confidence; and, (iii) breach of the DPA 1998. As a short reminder of the pertinent facts, a disgruntled Morrisons employee, Mr Skelton, retaliated against a disciplinary sanction by publishing sensitive personal data relating to around 100,000 of his fellow employees on the internet and then sending copies to several newspapers. Mr Skelton was subsequently convicted of various offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998) and given an 8-year prison sentence. Both the High Court and the Court of Appeal (CA) held that Morrisons was not primarily liable for the breach but was vicariously liable as his employer.
The case does not alter the tests for establishing vicarious liability. In reaching its decision, the CA found there was sufficient connection between Mr Skelton's authorised tasks and the unlawful acts he perpetrated, which all formed part of a seamless and continuous sequence of activities. However, the outcome in practice is uncomfortable; Morrisons was held liable for an employee’s acts in circumstances where his primary motivation was to harm his employer. In effect, the court has helped him to achieve his revenge. The CA noted that an employee’s motivation is irrelevant here, but it still feels strange given the court deemed Morrisons to have "adequate and appropriate controls" in every area save for managing the deletion of data (and held that this failure could not have prevented the data breach).
The CA noted that the DPA 1998 did not specifically exclude vicarious liability, and rejected Morrisons' public policy argument that vicarious liability imposes a disproportionate burden on supposedly "innocent" employers. The judgment suggests an underlying concern to ensure an effective remedy for the affected employees, and states that employers should consider insurance as a way to manage this risk.
Aside from adequate insurance, employers should ensure that appropriate safeguards are put in place to combat employees who go rogue, including implementing and enforcing appropriate policies and monitoring activities involving sensitive data, as well as making it very clear that data breaches will not only amount to gross misconduct but can also attract criminal penalties. This is an area for development – Morrisons have signalled their intention to appeal and permission has been granted by the Supreme Court – so watch this space.
6. Tricky areas: Criminal records checks
Criminal record checks remain a contentious area one year on. There is no blanket entitlement permitting employers to carry out criminal conviction checks during recruitment and employers must review this on a case-by-case basis, looking at the purpose of the processing.
The difficulty here is in balancing data protection rights and privacy expectations as against public policy considerations, reputation risks and the expectations of commercial parties and clients (noting the ICO and the courts are unlikely to consider client expectations or requirements to be a relevant factor). Note that there may be additional requirements (e.g. the requirement to have appropriate policy document and to update to records of processing, where relying on the "substantial public interest" basis for processing).
Further, whilst there is no recent case law to assist prospective employers in determining what criminal records information can request and for what purpose, there have been several cases brought in a wider context, particularly under the Human Rights Act 1998, and further activity in this area is anticipated (see here, here and here). Employers would be well advised to review their position on criminal record and other background checks, and to ensure that their policies and procedures have been carefully thought out in light of the legal constraints in this area.
7. Tricky areas #2: Right to work checks
UK employers are prohibited from employing individuals who don't have the right to work in the UK and criminal and civil sanctions, including a civil penalty of up to £20,000 per worker, may apply in the event of a failure to comply. Employers have a statutory excuse under the Immigration, Asylum and Nationality Act 2006 if they can show that they carried out a right to work check which meets Home Office requirements. The Home Office expects employers to retain copies of the documents reviewed in connection with right to work checks securely for the duration of the individual’s employment and for a further two years after employment has ended.
Employers who are Tier 2 sponsors and who have to carry out a Resident Labour Market Test (‘RLMT’) for an employee are also required to retain personal data about both that employee and about unsuccessful applicants for their role, for at least one year from the date the sponsorship ends.
None of this is set out in statute. It is all contained in Home Office guidance, so it is not clear that this would amount to a legal obligation justifying the processing of personal data. Employers may be able to rely on the legitimate interest ground for processing but where this is the case, employers must carry out a legitimate interests assessment (LIA) and notify employees of their right to object to the processing. Given the sensitivity of the information processed in relation to the above immigration checks, now is a great time to ensure that the additional steps are in place, appropriate security measures have been implemented, and that the correct notifications have been made to candidates and employees.
8. Fines and enforcement activity
Over at the ICO, the key focus areas of enforcement activity appear to be transparency and consent. In other words, the ICO is focused on key tenets of the GDPR, and taking action where those are breached. Although consent shouldn’t be an issue for employers in the sense that it is unlikely to be a legal basis for processing employee data given the difficulties of obtaining valid consent in the employment sphere, and should not therefore be relied upon, transparency and accountability are very relevant to employers.
In terms of company sanctions, whilst the ICO has flexed its muscles regarding fines and other enforcement action for both pre- and post-GDPR breaches, we are yet to see significant increases in fines imposed in the UK and certainly nothing approaching 4% of global annual turnover. That said, most of the significant breaches in the UK have been under pre-GDPR legislation and there are a number of post-GDPR breaches for which we are awaiting ICO action. We have also seen other national data protection authorities prepared to issue significant fines – the CNIL in France, for example, imposed a financial penalty of €50 Million against Google LLC – which will inevitably encourage other national authorities to follow suit. In short, UK enforcement action has been relatively restrained so far, but watch this space.
9. What to focus on? Reviewing, plugging the gaps and demonstrating compliance
So, 12 months on, what should you be doing and where should you be focusing your resources and efforts?
Now that GDPR is a year old, the ICO will expect all businesses to have their houses in order, without exception. Whilst most employers will be in very good shape, there will always be room for improvement. Now is a good time to look at what more you can do to ensure compliance and manage risk.
Sep 22 2023
Sep 22 2023