Data protection in the workplace
The General Data Protection Regulation (GDPR) has applied across the EU since 25 May 2018. It significantly increased employers' obligations and responsibilities in relation to how they collect, use and protect personal data.
Employees must understand their responsibilities under data protection law, and employers need to have adequate data protection policies and procedures in place. It is important that organisations tell their employees about GDPR and provide training on the regulation.
This document gives an overview of some of the main obligations for employers and outlines the rights of employees.
Key GDPR terms include:
- Personal data: data that relates to or can identify a living person, either by itself or together with other available information. Examples include a person’s name, phone number, bank details and medical history.
- Data subject: the person to whom the personal data relates. Casual workers, agency workers and independent contractors have the same rights under GDPR as any other data subject, including employees.
- Sensitive data (special category data): data revealing a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and data concerning their health, sex life or sexual orientation, and genetic or biometric data. Generally, sensitive data cannot be processed without the data subject's explicit consent, but employers can process it where this is necessary to meet their obligations under employment law, social security law or a collective agreement (for example, recording sick leave).
- Data controller: the organisation that decides why and how personal data is processed; in the workplace this is normally the employer. Data processor: an organisation that processes personal data on the controller's behalf and on its instructions, for example a payroll provider.
- Processing: any operation or set of operations which is performed on personal data, for example, collecting, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, restriction, erasure or destruction.
Employees have a number of rights under GDPR, including the right to:
- Information about the collection and processing of their personal data
- Access the personal data and supplementary information held about them by the data controller
- Have their personal data rectified by the data controller if the data held about them is inaccurate or incomplete
- Have their personal data erased by the data controller in certain circumstances, for example where the data is no longer needed for the purpose it was collected for
- Restrict a data controller from processing their data, for example while the accuracy of the data or the lawfulness of the processing is being checked
- Object to their personal data being processed for direct marketing, or for scientific or historical research or statistical purposes
- Data portability – this allows them to receive data they provided to their employer in a structured, machine-readable format and reuse it or have it transmitted to another controller.
Read more about your rights under GDPR.
As an employer, you must be transparent about how you are using and safeguarding your employees' personal data, both inside and outside the organisation. You must be accountable for your data processing activities and be able to show how you meet the data protection principles.
You should make an inventory of all the personal data that you hold. You should then check each item under the following headings, and ensure that you have a valid legal basis to process it (consent is only one possible basis; see below):
- Why are you holding it?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of how it is protected (for example, encryption) and who can access it?
- Do you ever share it with third parties and on what basis might you do so?
Legal basis (legitimate reason) for processing personal data
Your organisation needs a legal basis (a legitimate reason) to process an employee’s personal data. Legitimate reasons include:
- The employee has given their consent to the processing
- Processing is necessary to fulfil parts of an employee’s contract
- Processing is necessary in order to take steps at the request of the employee before entering into a contract (for example, processing a successful candidate's details in order to draw up an employment contract)
- Complying with a legal obligation (for example, a statutory requirement to keep employee records)
- Processing is necessary to protect the employee's vital interests (for example, where an individual's medical history is disclosed to the hospital treating them after a serious road accident)
- Processing is necessary for the purposes of the legitimate interests of the organisation, provided these are not overridden by the interests or rights of the employee.
Consent is a legitimate reason for processing employee data, but because of the imbalance of power between employer and employee it will rarely be freely given in an employment context. You should rely on consent only where none of the other legal grounds above apply and the employee can genuinely refuse without suffering any detriment. You need to be aware of your obligations when requesting consent from employees. The GDPR states that consent must be 'freely given, specific, informed and unambiguous'. This means that the data subject must be aware that they are consenting to have their data processed and must not be forced into giving consent.
Before an employee gives consent to have their data processed, the employer must be able to show that they told employees why their personal data is being collected, and how it will be used and handled. Silence, pre-ticked boxes or inactivity cannot be taken as consent. A data subject can withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it.
GDPR training and communication with employees and prospective employees
As an employer, you must inform employees about:
- What personal data you will be collecting (or if it will be collected by a third party)
- How the data will be processed
- Why the data will be processed
You could have a Data Protection Notice displayed in your office to meet this obligation.
You should also have a data protection policy in place and provide training to employees on GDPR.
GDPR requires that certain information is supplied to job candidates before their personal data is collected and processed. This information must be clear and accessible, and may take the form of a privacy notice on your website or a letter to the candidate. Training on your data protection policies takes place once the candidate becomes an employee.
Data Subject Access Requests (DSARs)
Employers must have procedures in place to respond to personal data access requests from employees within 1 month. This can be extended by a further 2 months if requests are complex or numerous, but you must tell the employee about the extension, and the reasons for it, within the first month.
Data security
Data must be protected by 'appropriate technical and organisational measures'. Data must be kept secure, for example, by using pseudonymisation and encryption, access controls, anti-malware protection, and backups that allow data to be restored promptly after an incident. Employers must regularly test the effectiveness of these security measures and be able to show that they have complied with GDPR security obligations.
Record-keeping and the right to correct
Organisations should only keep data for as long as it takes to complete the task it was collected for, or as required by law. Employers should have a retention policy in place and be able to justify why data was retained.
Employees have the right to know what data an employer has on file about them and they also have the right to correct this data. What happens to employee data when a contract of employment is terminated should be documented in the HR policies.
Sharing and transferring personal data
Organisations using third parties, such as recruitment agencies or payroll providers, to process employee data remain responsible for ensuring the third party is GDPR compliant and must have a written data processing agreement in place with them. You must also comply with GDPR obligations on transferring personal data outside the EU and wider European Economic Area (EEA).
Data protection officer
Under GDPR some organisations must appoint a Data Protection Officer: public authorities and bodies (including government departments), organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, and organisations whose core activities involve large-scale processing of sensitive (special category) data or data relating to criminal convictions and offences.
Data breaches
You must report personal data breaches to the Data Protection Commission (DPC) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the individuals concerned. If you do not notify the DPC within 72 hours, you must provide a justification for the delay. Breaches that are likely to result in a high risk to a data subject, for example identity theft, must also be communicated to the person concerned without undue delay.
It is important that you comply with the legislation and put adequate policies and procedures in place. Your organisation can be inspected and could face significant penalties if your practices are in breach of GDPR, including administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
How to make a complaint
If you have a complaint about how your personal data has been processed, you should contact the DPC. The website is dataprotection.ie.
Further information
Read more about the General Data Protection Regulation in our GDPR documents. There is further detailed information about the GDPR on dataprotection.ie and information on data protection measures in our document on working from home during COVID-19.