Special categories of personal data in HR functions: climbing the ladder of legal bases

Written by Gabriel Voisin, Partner, UK

As a partner in our London-based international Privacy & Data Protection practice, I advise companies on a range of international data and privacy compliance projects, including the implementation of global data management strategies, international data transfers and data compliance issues such as the General Data Protection Regulation (GDPR) or the ePrivacy directive. I am also a member of the firm's global (i) Executive Committee (ExCom) and (ii) Diversity & Inclusion leadership group.

Under EU GDPR and UK GDPR (referred to together as the GDPR), HR teams have to ensure that there is a lawful basis for their use of personal data relating to their organisation’s employees, applicants and contractors. HR functions should be particularly mindful of their enhanced obligations in relation to the processing of special categories of personal data.

What are “special categories” of personal data?

The following categories of data (many of which are commonly used in the HR context) are called out for specific protection in the GDPR because of their perceived sensitivity:

  • information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, health, sex life or sexual orientation;
  • genetic data and biometric data used to uniquely identify a person; and
  • information relating to criminal convictions, offences and related security measures. Although such data is not technically a ‘special category’ of personal data under the GDPR, it is often subject to more stringent requirements and restrictions than other personal data; in the UK, for example, it is, broadly speaking, treated in the same way as special category personal data.

Article 6 GDPR lawful basis: Identify a general legal basis

Employers must – in their capacity as data controllers of their HR data – justify all of their activities involving personal data (regardless of whether it is ‘special category’ or not) under one of six “general” legal bases under Article 6 of the GDPR. In the employment context, this will usually be possible on the basis that activities are necessary: (a) to perform the employment (or other) contract; (b) for the employer to comply with a legal obligation; or (c) for the purposes of the employer’s legitimate interests.

Where “legitimate interests” are relied upon, an employer must undertake and document a balancing exercise to ensure that these are not overridden by any individual’s rights and freedoms.

Article 9 GDPR lawful basis: Identify the additional Article 9 lawful basis and, for the UK, implement an appropriate policy document where required

Where special category personal data is processed, data controllers must identify an Article 9 GDPR lawful basis before they can process this information, in addition to the general Article 6 legal basis. This is because the processing of these categories of information is generally prohibited unless an additional, tougher condition is also met. These conditions are set out in Article 9 of the GDPR but are, in some cases, subject to local law. In the UK, some of the legal bases under Article 9 are subject to additional conditions and safeguards in Schedule 1 of the Data Protection Act 2018 (DPA 2018).

In order to rely on many of these domestic conditions in the DPA 2018, employers will also need to implement an ‘appropriate policy document’ which must explain how they ensure that the relevant processing complies with the GDPR’s underlying principles and requirements, in particular those relating to retention and data minimisation.

The table below summarises some of the (non-exhaustive) additional conditions which are likely to be of most relevance to employers in the UK when seeking to use sensitive personal data:

| Additional GDPR/DPA 2018 condition | Appropriate policy document (and additional safeguards) required? |
| --- | --- |
| Explicit consent, for specified purposes (Art 9(2)(a) GDPR) | No, but consent will rarely be appropriate in the context of a subordinate employment relationship, where consent cannot usually be said to be ‘freely given’. This will only be relevant where truly voluntary – for example, if employees can choose to have biometric access to premises but can otherwise freely choose an alternative method. |
| Processing must be necessary to carry out obligations or exercise specific rights of the employer or employee, so far as authorised by one of the relevant areas of law in the UK (DPA 2018 Sch.1, Part 1, para. 1) | Yes |
| Equal opportunities monitoring involving data revealing race / ethnic origin, religious / philosophical belief, health or sexual orientation only (and provided that such data is not used to take decisions about an individual, or cause them substantial damage or distress) (DPA 2018 Sch.1, Part 2, para. 8) | Yes |
| Monitoring racial and ethnic diversity at defined senior levels of organisations, with the aim of maintaining or promoting diversity (provided that such data is not likely to cause substantial damage or distress to individuals) (DPA 2018 Sch.1, Part 2, para. 9) | Yes |
| Where necessary to protect against / detect unlawful acts in the substantial public interest and obtaining consent would prejudice that function (DPA 2018 Sch.1, Part 2, para. 10) | Yes (except in relation to disclosures or potential disclosures to competent authorities) |
| Other conditions exist in relation to processing for the purpose of fraud prevention, certain vetting processing, disclosures under terrorist financing / money laundering laws, insurance contracts / claims, occupational pension administration and safeguarding | Yes (for the conditions specifically listed in the column to the left) |
| Necessary for the establishment, exercise or defence of legal claims (Art 9(2)(f) GDPR) | No |
Where an employer processes data relating to actual or alleged criminal convictions or offences – such as when undertaking criminal record checks or processing evidence of employee fraud – then it must refer to the DPA 2018 for an additional legal basis (the GDPR does not specify any legal basis).

What is an “appropriate policy document”?

An “appropriate policy document” is a short document outlining compliance measures and retention policies for special category data. The document must, at a minimum: (i) explain the employer’s procedures for securing compliance with the GDPR’s key data protection principles; and (ii) explain the employer’s retention and erasure policies, in each case as specifically applicable to the relevant ‘special categories’ of data. The ICO has published an ‘appropriate policy document template’ intended to help employers meet these requirements. Much of this information is likely to be set out already in employers’ existing data protection documentation.

The DPA 2018 mirrors the GDPR’s focus on “demonstrating accountability” by requiring employers to retain any such policy document for at least 6 months following the end of the relevant processing, during which period it must be periodically reviewed, updated and provided without charge to the Information Commissioner upon request. Furthermore, where sensitive personal data is processed, an employer’s record of processing activity (as required under Article 30 GDPR) must also note the processing conditions relied upon and confirm compliance (or explain any non-compliance) with the required policy document.

What else do we need to do?

Identifying appropriate legal bases for the processing of these special categories of personal data (and keeping them under review) is just one step towards satisfying the GDPR’s onerous requirements. These legal bases feed into and inform multiple aspects of HR compliance programmes, including employee-facing privacy notices, records of processing activities, the need for data protection impact assessments where high-risk processing is carried out and, potentially, the requirement to appoint a GDPR-compliant data protection officer.