This article covers a Human Resources GDPR data privacy case study. It provides practical, real-life Human Resource adjustments in preparation for the General Data Protection Regulation (GDPR).

Purpose of this article

This article shows information given to a client’s Human Resource department in response to concerns raised about Human Resources GDPR data privacy.

Human Resources GDPR data privacy

One of our clients had concerns about certain aspects of Human Resource processing and the GDPR.

  1. Consent for HR purposes
  2. What consent means
  3. GDPR versus the law and regulations
  4. The right of a company to protect itself
  5. Discretionary employee benefits
  6. Discretionary processes
  7. Images from formal and informal events
  8. Passport images for the travel agency

GDPR recommendations for Human Resources

Source: Article 29 Data Protection Working Party opinion 2/2017 on data processing at work

  1. For most data processing at work, the legal basis cannot and should not be employee consent because of the relationship between employer and employee.
  2. Processing may be necessary for the performance of a contract when the employer processes employee data to meet contractual obligations.
  3. Employment law is expected to impose legal obligations requiring personal data processing. When the law applies, employees must be clearly and fully informed of the processing unless an exception applies.
  4. If an employer wants to rely on legitimate interest, the processing purpose must be fair. The chosen method or specific technology must be necessary, proportionate and implemented in the least intrusive manner possible, along with the ability to enable the employer to demonstrate that appropriate measures have been put in place to ensure a balance with the fundamental rights and freedoms of the employees.
  5. HR processing operations must comply with the transparency requirements. Employees should be clearly and fully informed of the processing of their data, including the existence of any monitoring.
  6. Appropriate technical and organisational measures should be adopted for secure employee data processing.

Consent for HR purposes

As its use is limited, consent should not be a serious issue for HR. Some context behind the GDPR and how it is meant to be used

The GDPR is created to protect the rights and freedoms of individuals.

  1. Employees, as staff members, must respect company policies to work in an organisation.
  2. Employees as individuals have the right to a personal life at work.

There must be a balance between what constitutes an invasion of privacy versus how a company expects its employees to behave.

What consent means

Consent is the strongest force in the GDPR. Therefore, if you offer consent as a basis for a specific type of processing, you are obligated to stop processing if consent is withdrawn.

For this reason, Article 29 Data Protection Working Party opinion 2/2017 on data processing at work recommends that consent, to as large an extent as possible, is not used by HR.

This Opinion makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies and undertaking a proportionality assessment of several scenarios in which they could be deployed.

Consent within HR has minimal usefulness or basis because it can cause unnecessary conflicts with English law and regulations. For example, can you opt-out of giving a national insurance number?

The other problem is that consent cannot be linked to an offer, so if you tell employees that they must consent to something or they can’t have the job, you will break the GDPR.

GDPR versus the law and regulations

The law and regulations always trump the GDPR. There are no exceptions.

Employment laws and regulations govern the majority of HR processing. The law says that employees and prospective employees must provide significant amounts of personal data. Proof of eligibility to work, a tax code, a national insurance number and in some circumstances, other information such as financial history and a police report. These are all legal and regulatory requirements.

External screening companies may assist in this process. There are no problems if their employment verification checks are legal and proportionate. Wording for such screening should be something like. “company policy for this position means that a candidate undergoes a screening process”. It is a statement, not a request for consent.

The right of a company to protect itself

A company has the right to protect itself against attack and theft. For example, employees should have photo ids to enter the building, CCTV coverage operates in certain areas, and digital devices are monitored.

Other measures may also be in place. If these measures are proportionate and do not invade an employee’s personal life and right to personal privacy, there is no conflict.

A company must be transparent about all these measures so if an employee is aware of them; there is no problem.

If the company spies on its employees and uses intimate and private data about an employee that is not work-related, the company is at risk.

Employees must be informed about security measures, even regarding the use of email for private matters.

If employees still insist on using company emails or other communication services monitored for private use, that is up to them. However, all is well if the company does not use the content of private communications against the employee in the form of disciplinary action.

Discretionary employee benefits

Employees always have been able to opt-in or opt-out of discretionary benefits, so this is not a problem.

Discretionary processes

Images not used for security purposes are candidates for consent, and the coverage of this consent area is minimal: internal use (e.g. organisation charts) and promotional use (brochures, videos, website).

Employees can opt-out if they do not want a photo on the organisation chart or internal directory.

Employees can opt-out if they do not want a photo used in promotional material.

What they cannot do is opt-in today, opt out in six months and demand that everything from the day they opted in is removed. The GDPR is explicit. Any work performed during the period that consent was active is not impacted when consent is withdrawn. The removal of personal data after consent is withdrawn is something for you to decide.

Images from formal and informal events

If a photographer is present at such an event and the images may be used for publication, all event attendees should be informed before the event takes place. A sign at the entrance should also state that a photographer is present and that photos may be published. At this point, the attendees have been made fully aware twice so if they intend, they should expect to see a photographer. At their discretion, they may choose not to be in photographs taken at the event. The attendees should also be informed about how to make enquiries and requests about the photos after the event has finished.

Passport images for a travel agency

A corporate travel agent always asks for scanned passport images when making travel arrangements. Of course, this is not a good idea, but if the travel agent still requires passports, they will need to be sent. The owner of the passport can easily attach and send to HR an image of a passport as an encrypted file using the free ZIP software installed on almost all computers.

Safer alternatives would be:

  1. Find a travel agent that does not insist on passport images
  2. Do not send the images at all (why does a travel agent need a passport?)
  3. Let the employee send the passport directly to the travel agent instead of via HR
  4. Get the travel agent to install an upload facility on their web so that the employee can upload an image of their passport

Learn more about data privacy. Take our CPD accredited Data Protection Officer training course.