HR and GDPR

The idea for this post came from a discussion in the excellent Facebook Group EU GDPR (General Data Protection Regulation) & E-Privacy Regulation.

Disclaimer: This information is provided for your convenience and does not constitute legal advice.

Introduction

GDPR is about the regulation of Personal Data. There is a lot of noise around marketing and consent prior to processing but a lot less around HR.

GDPR also applies to staff data, i.e. to Human Resources (HR).

Reminder

To keep this post short, remember that GDPR is, mainly, the enforcement of 6 data privacy principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitations
  • Integrity and confidentiality

Each member state has a Data Protection Authority (DPA) that should be the point of reference in your country. GDPR is meant to be consistent, but as some DPAs are better equipped than others for advice, I'll share a link to the Irish DPA HR guidance.

Personal data is almost anything relating to an individual (referred to as a "data subject").

Check Article 88, "Processing in the context of employment".

A quick reminder that there are 6 lawful bases for processing (set out in Article 6 of the GDPR). At least one of these must apply whenever you process personal data:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose (Art 6-1-a).
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract (Art 6-1-b).
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations) (Art 6-1-c).
  • Vital interests: the processing is necessary to protect someone's life (Art 6-1-d).
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law (Art 6-1-e).
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) (Art 6-1-f).

For HR, it should be easy to find a lawful basis under legal obligation or contract.

HR Workflows

With HR, the workflows are relatively simple:

  • Record management during the recruitment process (data workflow prior to employment, interview to hiring).
  • Records while in employment
  • Records related to leavers (data workflow when people leave)
  • Post employment (data workflow post employment).

You will need to document the workflow and adjust your company practice to comply with the principles. For example, do you need to know next of kin information before the employment contract is confirmed? Do you need to know how many children the candidate has, or their marital status? Probably not! Minimise...

Recruitment and CV Handling

Change company practice to avoid CVs being emailed to each other (or use encryption, see further down) and have a policy for disposal of notes related to CVs.

Recruitment and social media

Use of social media by individuals is widespread and it is relatively common for user profiles to be publicly viewable depending on the settings chosen by the account holder. As a result, employers may believe that inspecting the social profiles of prospective candidates can be justified during their recruitment processes.

Employers should not assume that because an individual's social media profile is publicly available they are allowed to process those data for their own purposes. A legal ground is required for this processing, such as legitimate interest. In this context the employer should - prior to the inspection of a social media profile - take into account whether the social media profile of the applicant is related to business or private purposes, as this can be an important indication for the legal admissibility of the data inspection.

In addition, employers are only allowed to collect and process personal data relating to job applicants to the extent that the collection of those data is necessary and relevant to the performance of the job which is being applied for.

The individual must also be correctly informed of any such processing before they engage with the recruitment process.

There is no legal ground for an employer to require potential employees to "friend" the potential employer, or in other ways provide access to the contents of their profiles.

Note: this is copied from "Opinion 2/2017 on data processing at work" (Article 29 WP)

Legal and Retention

With HR, there are many legal requirements that justify the need to collect data about employees and contractors without prior consent.

Here are some examples, but you need to check the employment law in your country. Each has a statutory retention period. I am not including the periods here, as they are likely to differ from country to country (and your GDPR consultant wouldn't be able to charge you any money ;)).

  • List of employees
  • Dates of commencement and dates of termination of employees
  • Written terms of employment (contract)
  • Payroll details and payslips
  • Hours of work
  • Young persons
  • Employment permits (for Non-EEA nationals)
  • Maternity leave records
  • Adoptive leave records
  • Parental leave records
  • Force majeure leave records
  • Sick leave records
  • Carers leave
  • Recruitment (Unsolicited applications, documentation relating to an advertised position and the decision making process)
  • Accident reports
  • Safety training documentation
  • Data protection training documentation
  • Training documentation
  • Pension

It is worth noting that while you are legally obliged to keep some records, they are not all for daily use and should only be made available in a certain context.

Note: Principle 6 (integrity and confidentiality) of GDPR states that "personal data must be processed in a manner that ensures appropriate security of the data using appropriate technical or organisational measures".

While you are in charge of keeping the records, you need to ensure they are securely stored. That means you need to control who has access to the data. If the HR department is small and you don't have many servers, ensure the computer is well protected and backed up at least daily. When you dispose of the computer, you need to ensure the hard drive is properly erased (formatting is not enough).

When data is no longer required by law, delete it: information you do not hold cannot form part of a potential breach.

If you send HR related data by email, remember that email is not the most secure way to send sensitive information. I'd suggest encrypting files in transit and deleting the emails afterwards (inbox, sent items and recycle bin). In that case, you can use 7zip to create a password-protected archive and send the password to the recipient by text message. Although I recommend encryption for transferring a file, I do not suggest encrypting data to hide it and sidestep minimisation.

If you don't have an HR system, I recommend that you maintain a spreadsheet and go through the records once a month. Also keep a log of the changes you make. It's an extra headache, but it'll help with documenting GDPR compliance.
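To make the monthly review concrete, here is an added example (not from the post, nor from any HR product) that walks a constructed set of HR records, applies a retention period per record category counted from the leaver's termination date, and returns both the records due for deletion and one audit log line per decision. The category names, the retention periods and the sample records are assumptions for illustration; use the statutory periods of your own country.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Placeholder retention periods (years after termination) per record category.
# ASSUMPTION for illustration only: use the statutory periods of your country.
RETENTION_YEARS = {"payroll": 6, "contract": 6, "sick_leave": 4, "recruitment_notes": 1}

@dataclass
class HRRecord:
    employee_id: str
    category: str
    terminated: Optional[date]  # None while the person is still employed

def retention_end(record: HRRecord) -> Optional[date]:
    """Date after which the record is no longer required; None while employed."""
    if record.terminated is None:
        return None
    # a year is approximated as 365 days, which is fine for a monthly review
    return record.terminated + timedelta(days=365 * RETENTION_YEARS[record.category])

def review(records: List[HRRecord], today: date) -> Tuple[List[HRRecord], List[str]]:
    """Monthly review: return the records due for deletion and one audit log line
    per record, so that every keep/delete decision is documented."""
    to_delete, log = [], []
    for r in records:
        end = retention_end(r)
        if end is None:
            log.append(f"{today} KEEP {r.employee_id}/{r.category}: still employed")
        elif today > end:
            to_delete.append(r)
            log.append(f"{today} DELETE {r.employee_id}/{r.category}: retention ended {end}")
        else:
            log.append(f"{today} KEEP {r.employee_id}/{r.category}: retain until {end}")
    return to_delete, log

# Constructed sample records (fictitious employees) and review date
SAMPLE = [
    HRRecord("E001", "payroll", date(2011, 6, 30)),
    HRRecord("E001", "recruitment_notes", date(2011, 6, 30)),
    HRRecord("E002", "contract", None),
    HRRecord("E003", "sick_leave", date(2017, 12, 31)),
]
REVIEW_DATE = date(2018, 5, 25)

if __name__ == "__main__":
    deletions, audit = review(SAMPLE, REVIEW_DATE)
    print("\n".join(audit))
```

A real review would also exclude records that must be kept longer for a specific reason, such as an ongoing dispute, before anything is deleted.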

Note on Cloud HR Systems (if not using the one mentioned in the previous paragraph):

You need to find the country where the Cloud HR System is hosted.

  • If it is in the EU or EEA, you need to ensure you have a data-processor agreement with the company.
  • If it is not hosted in the EU or EEA, you need to ensure that, for the transfer of data, there is a data transfer mechanism that complies with the requirements of the GDPR. If it seems too difficult, you may consider finding a Cloud HR system that has EU or EEA data-centre (Recital 101-116; Art.44, 45).

Consent

Consent is required if there is no legal reason to do something, e.g. no item in the list above applies.

For instance, a photograph of a person constitutes their personal data (biometric) and therefore any use of that photograph must be in accordance with the regulation.

  • Staff should be informed of all such uses that will be made of their image and given an opportunity to object to such use (intranet for instance).
  • However, a photograph and a name can be used on a security badge, as the badge is used to ensure the person wearing it is the correct person, especially if your business handles sensitive products or services.

Privacy policies

If you do not yet have a privacy policy for HR, you need at least one. Your website or client privacy policy is unlikely to be 100% relevant for staff and candidates, for the simple reason that the processes are different.

You can have one privacy policy, but it would make things easier to have 2 privacy policies:

  • One for candidates, where there may be less involved;
  • One for the personnel;

Policies

Many policies are communicated through HR, since starters have to read and acknowledge the rules as they join. Your policies must comply with the regulation. Since GDPR is the enforcement of existing law, that should be simple. Review them and include "Privacy by design and by default" in all your processes.

It also means that if you have a "quality" system in place such as ISO 9001, you will need to revise it to embed "Privacy by design and by default".

Staff and contractors MUST be trained.

You need to assess staff and contractors' understanding and get them to sign each policy.

Non-exhaustive internal policy checklist:

  • Bring your own devices (BYOD) policy
  • Email policy
  • Encryption policy
  • Computer use policy
  • Clean desk policy
  • Data breach policy
  • Ethics policy
  • Password protection policy

You can find some Information Security Policy inspiration on the SANS Institute website.

Staff monitoring

If you are going to monitor staff, staff need to be told. It needs to be legal.

CCTV used for security is not CCTV used to monitor staff at work.

Security badges are for security. Attendance badges are for attendance.

Read more on the Irish DPA website, but beware that guidance may vary between countries.

GPS (Sat Nav) tracking

The use of vehicle tracking systems involves the collection of personal data as they record the location of the individual in charge of a vehicle at any particular time. An organisation using or considering using such a tracking system must be able to demonstrate that there is a good business reason for such surveillance. The individuals affected must be informed of the surveillance and its purposes. If personal (non work related) use of a vehicle is permitted, it should be possible to disable or mask the tracking system outside of working hours. (Irish DPA).

Also check the WP 29 opinion for further guidance.

Payroll

This is sensitive personal data.

If you outsource, ensure the payroll company provides you with a data processor agreement, as you are exchanging personal data. Be prepared for another shock, as most companies I met and spoke to in the field of payroll did not have a clue about GDPR.

Sending payroll data by email is not the safest way. Once again, consider a secure HR portal as an alternative. Staff are then in charge of downloading their data, and the security of their computer is their responsibility.

Contractors

There can be several types of contractors:

  • Some will be on your payroll;
  • Some will come through a temporary staff agency. The temp agency sends an invoice to your company and is in effect a data processor. You will need a data-processor agreement. Be prepared for a shock, as many haven't got a clue what it is, and be aware that the market will probably go through a reshuffle by the end of the year due to non-compliance. If the temp agency is not clear about GDPR, don't work with them.

If you hire contractors through an agency, you will still need to train them on the privacy policies in your company.

Training

With GDPR, your company will need to formalise training for data protection and data privacy. Do not underestimate this, as it could be a major cultural change.

Also, be clear with staff and explain the difference between commercial data and personal data. Data can be both, but legitimate interest should not lead staff to think they "cannot work anymore".

Subject Access Requests (SAR)

Under GDPR (and before it) staff have a right to obtain a copy, clearly explained, of (almost) any information relating to them that your company keeps on computer or in a structured manual filing system. Your company needs to reply within one month.

However, there may be areas where it may not apply (check employment law in your country).

Here is a list of Irish examples that I quote from the Irish DPA:

  • Discipline, grievance and dismissal
    • The general rule is that an employee has a right of access to personal data relating to him/her in connection with discipline, grievance and dismissal procedures, even if the disciplinary procedure is on-going or the subject of legal proceedings such as an unfair dismissals claim. There are however some limitations and exemptions to this right. For instance in Ireland:
      • Opinions given in confidence
      • Professional legal privilege
      • Protecting the source of data
      • Investigation of an offence
  • Appraisal and performance reports
    • The right of access applies to Appraisal and Performance Reports and the Commissioner considers that the confidentiality provision cannot reasonably be applied to them.
    • In regard to references, it is often said that these are given in confidence. Notwithstanding this, the Commissioner considers generally that the right of access applies to them. There would need to be particular exceptional circumstances which would cause the Commissioner to be satisfied that the data would not otherwise have been given but for this understanding.
  • Medical reports
    • In Ireland, a 1989 Data Protection Health Regulation provides that health data relating to an individual should not be made available to that individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the data subject. A person who is not a health professional should not disclose health data to an individual without first consulting the individual's own doctor or some other suitably qualified health professional.
    • An employee has a right of access to medical data held by the organisation's company doctor or medical officer, unless the "harm" exemption, detailed above, applies. Experience is that such situations are rare.
    • Organisations should have a procedure in place so that when HR data is requested, clarification is sought as to whether the request includes medical data. If medical data is being sought, HR should advise the Company Doctor/Medical Officer who should make the data available to the employee directly.

So, when you write your staff subject access request policy, check with your legal firm what applies and what does not.

Access requests may also come from former employees. You need to have an internal process to handle such requests. It can be a specific email address. However, email is not always secure (since you cannot control all parts of the transmission), and you need to ensure the mailbox is monitored, as the person in charge of data protection in your company may be on holiday.

I normally avoid ads in my posts, but using Bizoneo as your compliance platform could ease handling of subject access requests. Bizoneo has a dedicated SAR web portal to deal with the internal workflows and assign activities to fulfil the request.

Other considerations

Workers' nationalities

In the forum discussion that inspired this post, there was a question relating to a workforce made up of people from different countries, and therefore speaking different languages.

I am not a solicitor, so treat my opinion accordingly:

  • It may depend on the nature of your business and the location of the workforce;
  • I would have thought that you have to have your policies in the language of the country in which your business is located. For instance English (or Irish) for Ireland, French for France, German for Germany. The logic is that in case of an issue, the court will be the one where the company is located.
  • When hiring a foreign national, I would make the effort to explain data privacy in simple terms.

Conclusion

GDPR is a great opportunity to review your HR department.

Going the GDPR compliance way will, in the medium to long run, give your business an extra competitive advantage: caring about the privacy of your staff. Another priceless good business practice...


- Claude Saulnier
Brand Ambassador - Bizoneo

Post Scriptum: