Employee rights under data protection

The GDPR and DPA 2018 afford employees a host of new and enhanced rights, allowing them greater control over their personal data. Here, we look at how to manage employee rights under the data protection rules.

What rights do employees have under data protection law?
  • Right to be informed: This right flows from the “transparency” requirement and it generally means that privacy notices for employees need to be detailed, open and honest. For example, if you use the time logs from your door fobs to discipline staff for arriving late, you need to tell staff you are going to use this data for this purpose.
  • Right of access (SAR): Individuals have the right to access their personal data, and employers can no longer charge a £10 fee for providing such access. We generally see employees or applicants submitting SARs as part of an evidence gathering exercise for complaints, grievances or disciplinary proceedings.
  • Right to rectification: Employers must have processes and procedures in place to keep employee personal data up-to-date and accurate. Consider what would happen if you held out-of-date emergency contact details for your staff.
  • Right of erasure: This right, in certain circumstances, allows employees to request that their data be deleted. Employees can request the erasure of data where it is no longer necessary for the original processing purpose, where consent has since been withdrawn, where the data was processed unlawfully or where erasure is necessary to comply with the law.
  • Right to restrict processing: In certain circumstances, employees also have the right to request the restriction or suppression of their personal data.
  • Right to data portability: This right allows employees, in certain circumstances, to obtain and reuse their data for other purposes across services. For example, when an employee leaves and joins another organisation, the ex-employee could request that their data be transferred from their old employer to their new employer.
  • Right to object: Employees have the right to object to processing where their data is processed for an employer’s legitimate interests, or where their data is being used for direct marketing purposes. Therefore, employers should think carefully before relying on the catch-all legal basis of “legitimate interests”.
  • Right to withdraw consent: Consent is a tricky legal basis for the employer and employee relationship (as there is usually an imbalance of power and consent needs to be “freely given” to be valid) but where it is used, the employee can withdraw his/her consent at any time.

What else do employers need to know?
  • Timescales: Employers must respond within one month of receipt of a request from an employee to exercise his/her rights. This is a tight timescale. If you consider where you might hold employee personal data (e.g. application documents, appraisal documents, sickness notes, training records), it could take a long time to gather this information or delete it. The rules extend to back-up copies and third party hosted systems.
  • Costs: Employers cannot charge employees for complying with the request unless it is manifestly unfounded or excessive, in which case employers may be able to charge a “reasonable fee” for related administrative costs.
  • Format of requests: Requests can be made verbally or in writing and through a variety of platforms such as social media, over the phone or in person. The employee does not need to say they are exercising their rights under the data protection legislation or refer to the GDPR/DPA 2018 at all – they could simply say, “tell me what information you have about me”. Requests can be submitted to anyone in an organisation (it does not need to be addressed to a DPO). It is therefore vitally important that all personnel within organisations are trained to recognise these requests, and know how to handle them (and quickly!). 

Why care?

We are now well aware of the potential high fines for non-compliance with the data protection rules. Non-compliance can also lead to reputational damage for the business.

Earlier this year, Magnacrest Ltd was fined by Westminster Magistrates (under the previous data protection act) because the company failed to comply with a SAR and the ICO’s subsequent enforcement notice. This led to the ICO bringing a criminal prosecution against the company, which was successful. Although the fine against the company was not particularly high, the proceedings have been publicised.

What can employers/HR teams do to comply?

Employees having increased rights and control over their own data places more obligations on employers and HR teams to ensure they are complying with data protection laws. Some of our top tips for compliance are:

  • Train staff to identify requests by employees (and other data subjects) to exercise their rights
  • Prepare a written procedure for dealing with requests by individuals to exercise their rights
  • Make sure that out-of-office replies and voicemails inform individuals who to contact if they wish to exercise their rights under data protection law

MacRoberts regularly issues updates on legal developments which could impact your business. To make sure you receive our updates and/or invitations to our events, please sign up here.

Read Part 1: Overview of the rules