ARTICLE
26 September 2017

Data Protection Bill Details Extra Policies Employers Will Need

Clyde & Co

Contributor

Clyde & Co is a leading, sector-focused global law firm with 415 partners, 2200 legal professionals and 3800 staff in over 50 offices and associated offices on six continents. The firm specialises in the sectors that move, build and power our connected world and the insurance that underpins it, namely: transport, infrastructure, energy, trade & commodities and insurance. With a strong focus on developed and emerging markets, the firm is one of the fastest growing law firms in the world with ambitious plans for further growth.
The Data Protection Bill was published on 14 September 2017. This Bill will replace the UK's current Data Protection Act and implement the GDPR, subject to some permitted changes, from 25 May 2018.
UK Employment and HR

There has been some uncertainty about what the new data protection regime will look like in the UK, and the new Bill helps to fill in those gaps. As the government has stated, the new regime sets new standards for protecting personal data, giving individuals control over their own personal data, including the right to delete that data (i.e. the "right to be forgotten") and to restrict data processing.

This article is intended to summarise the key features of the Bill which are additional to the GDPR requirements as they relate to employers; for a general summary of the new GDPR requirements see our briefing 10 key questions for employers.

A significant feature of the Bill is that it introduces requirements for data controllers to document how they process data in order to show that they are legally compliant. This is evident, for example, in the new requirements described below around policies for special category personal data (currently sensitive personal data) and criminal records data. 

Focussing on the particular issues that businesses have as employers in relation to the new law, the key points to note are summarised below:

Special category personal data – in order to process health data and data on ethnic origin, political opinion, religious beliefs, union membership and sexual orientation (currently known as sensitive personal data), employers must meet strict conditions under the GDPR. These include obtaining explicit consent (which must itself satisfy certain tests; see the Clyde & Co briefing at section 2), or showing that the processing is necessary for the purposes of fulfilling obligations or exercising rights under employment law. In order to rely upon necessity, employers will need to have in place a policy that meets certain requirements. The Bill provides that:

  • the policy must contain details of the employer's procedures for complying with the GDPR and its retention and erasure policy
  • records should be maintained by employers to demonstrate compliance with those policies.

Criminal records data – the GDPR only permits employers to process data on criminal convictions if specifically permitted by law. The Bill sets out the circumstances in which such processing is permitted, and those broadly mirror the conditions for processing special category personal data, including having an appropriate policy in place (see above). Note that criminal conviction data is quite a broad category and includes personal data relating to the alleged commission of an offence or proceedings for an offence committed or alleged to have been committed, or the disposal of such proceedings, including sentencing.

Equal opportunities monitoring – the Bill permits the processing of special category personal data for reasons of substantial public interest if it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between specified groups of people (e.g. people of different racial or ethnic origins, or people with different states of mental or physical health). Such processing must be with a view to enabling equality to be promoted or maintained, and an employer must have a policy in place which meets the requirements set out above in relation to special category personal data. Further, the Bill provides that such processing will not be permitted if it is carried out with respect to a particular individual without their consent; if it is likely to cause an individual substantial damage or distress; or if an individual requests in writing that their data not be processed in that way.

New criminal offences and liability of directors and managers – the Bill creates a number of new offences, including:

  • re-identifying de-identified personal data; and
  • altering, blocking, destroying or concealing information provided to an individual through a data subject access request ("DSAR").

There is a defence available to the latter offence if the person charged can prove that they acted in the reasonable belief that the individual making the request was not entitled to receive the information which was withheld. A key question here will be what amounts to a reasonable belief. Employers will need to be mindful of this in responding to DSARs, and it would be advisable to keep a paper trail of any decision to withhold personal data insofar as is practicable.

Where a company has committed an offence under the Bill and it is proved to have been committed with the consent, connivance or neglect of a director, manager, secretary, officer or other person, they can also be found guilty of an offence and punished accordingly.

There are unlimited fines for offences tried summarily or on indictment in England and Wales, or level 5 fines (or the statutory maximum, depending on the offence) in Scotland and Northern Ireland for offences tried summarily.

What next?

The Bill will come into force in the UK at the same time as the GDPR, which will be immediately enforceable throughout the EU, including the UK, from 25 May 2018.

Before the end of the year, look out for:

  • The ICO's response on its public consultation on consent guidance
  • Guidelines on consent from the EU Article 29 working party (expected in October)

Further information

GDPR – 10 key questions for employers – this Clyde & Co briefing sets out the 10 key questions which employers should be asking themselves to help prepare for the new data protection regime.

The ICO is also working on a number of publications to help businesses in the run-up to May 2018, when the data protection reforms take effect. More information on this can be found on their website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
