UK Information Commissioner's Office releases guidance for employer compliance with European data privacy rules
The United Kingdom Information Commissioner's Office recently announced that it would be creating an online resource for businesses with guidance on various topics related to employment records and employers’ data protection duties.
The Information Commissioner’s Office, or ICO, also released drafts of guidance on two specific topics, entitled “Keeping Employment Records” and “Recruitment and Selection.” These publications include legal definitions, answers to frequently asked questions, best practices, and practical tools like checklists to assist employers in complying with the UK Data Protection Act of 2018, or DPA, and the General Data Protection Regulation, also referred to as GDPR. Both will be open for public comment until March 5, 2024.
Keeping employment records
The guidance states that the DPA and GDPR apply when employers process a worker’s employment information and that all use and collection of employment information must be fair, lawful and transparent. In terms of whether processing of employee data is lawful, any collection or use of employee data must all under one of the six legal bases set forth in Article 6 of the GDPR: (1) consent; (2) contract; (3) legal obligation; (4) vital interests; (5) public task; or (6) legitimate interests.
The guidance includes detailed explanations and examples for how each of these legal bases might apply to certain employment data. Additionally, it is critical that employers tell employees what information is being collected, why it is being collected, the retention period, who the information may be shared with, and employee rights over the information.
Furthermore, certain information deemed “sensitive” under the GDPR is entitled to greater protection, and employers must meet additional requirements before collecting it. “Sensitive data” includes information about an individual’s race, political opinion, religion, union membership, or sexual orientation, as well as genetic or biometric data about the individual.
The guidance also describes multiple data protection principles that are central to the GDPR and DPA, and explains how they apply to employers and employment records. These include:
- Data minimization: ensuring that the personal information held by employers is adequate, relevant, and limited to what is necessary
- Accuracy principle: taking reasonable steps to ensure all data is accurate and up-to-date
- Storage limitation principle: not keeping personal information for longer than is needed by the organization, and maintaining a clear and written data retention policy
- Security principle: ensuring that the organization has appropriate security measures in place to prevent employee data from being accidentally or deliberately compromised
Data protection and recruitment
The data protection and recruitment guidance seeks to provide employers, recruitment agencies, and head-hunters with best practices for complying with the DPA and GDPR in the use, collection, and retention of data obtained from job applicants. Notably, the guidance states that it applies to recruitment in all contexts, from direct-hire employees to “gig workers.”
The guidance requires employers to be transparent about what information is being collected, the purpose of that collection, the expected use of the information, who the information will be shared with, how long the information will be retained, and the applicant’s rights regarding their information. Employers are cautioned to only collect and share information that is necessary for determining an applicant’s fitness, and to clearly identify and document a legal basis for all collections or uses of an applicant’s information. Similarly, this guidance explains how each legal basis under the GDPR might apply to applicant information and provides examples. This guidance also requires compliance with key GDPR data protection principles like data minimization, accuracy, storage limitation, and security, and provides best practices for each.
The guidance covers additional topics specific to the employment context, including two which have recently been the subject of state and local regulation in the United States. First, the use of artificial intelligence and automated decision-making tools in recruitment. The guidance states that organizations may use automated systems to assist with recruitment decisions, but only where the decision involved meaningful human involvement and where the use of automated tools does not result in unlawful “profiling” of a candidate.
Next, the draft sets a high threshold for pre-employment vetting, which it describes as “particularly intrusive” to the candidate. The guidance states that pre-employment background checks should only be conducted when the organization has a legal obligation to do so, or where the role involves a significant and particular risk to the employer, customers or the public. Examples of roles where these risks might apply include positions with national security implications, involving the care of children or at-risk individuals, involving a danger to others, or where there is a risk of disclosure of trade secrets or commercially sensitive information.
This guidance is targeted at United Kingdom-based business that are regulated by the ICO, and organizations with a European presence will recognize many of the principles contained in the guidance. However, employee relations are fraught with legal and practical pitfalls, and review of this guidance should be part of your compliance review. Additionally, guidance and regulations issued by European privacy regulators often serve as models for legislation enacted by U.S. state legislatures, so even U.S.-based businesses could be subject to similar requirements in the future.
If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.