Guest Blog by Olivia Sinfield, Osborne Clarke
Consent has long been one of the most talked about and thorny issues, even before 25th May. This article will bust some myths and uncertainty around when you should and shouldn’t be using consent in relation to HR data.
So, why is consent no longer a viable option for processing of most HR data? The GDPR downsides of relying upon consent say it all: Consent has to be a positive opt in and can’t be bundled up with other terms and conditions of employment. It has to be specific to the data in question and what the employer is using it for. It has to be refreshed every two years. If the data is being shared, each third party has to be named and specific consent to this sought. The consent provisions have to advise of the right to withdraw and explain the method of doing this. Records of consent have to be kept to demonstrate compliance.
HR teams are alive to this and have responded, by and large, by removing the age-old standard consent provisions from contracts of employment. Alternative grounds for processing are being sought and communicated to employees in internal privacy notices. All good so far.
However, the fear of consent clauses has also led to an overzealous red pen approach to anything that could possibly be a consent clause. One example is in relation to clauses in contracts of employment whereby employees consent to a medical examination. We are seeing these disappearing from contracts as part of this knee-jerk reaction against relying upon consent. The distinction now is a fine one – employers still need consent from the employee to undergo a medical examination and release of the report, but this must be distinct from consent to process the data under the GDPR, which can no longer be relied upon. So, whilst the wording of clauses may need to be tweaked, these types of clauses shouldn’t be scrapped completely.
We frequently see consent being sought in relation to collecting and processing of data for equal opportunities monitoring. This can be revisited as the Data Protection Act 2018 (which supplements the GDPR in the UK) includes a provision that specifically allows data relating to employees’ racial or ethnic origin, religious or philosophical beliefs, health or sexual orientation to be processed for monitoring equality of opportunity between different groups. So, there is no need for consent but remember that, when relying on these exemptions, you must have in place an appropriate policy document setting out the safeguards for processing this data and how long it will be kept for. That said, we are seeing many clients opting still to rely upon consent in these circumstances as they want to give employees a genuine choice about monitoring and see this as being in keeping with their more open culture.
We’re also seeing some confusion around whether consent is needed to share HR data where it’s not strictly required for performance of the employment contract. For example, a union requests details relating to members; the rule of thumb is that you shouldn’t be turning to consent where an alternative ground is available. That takes us to the ground of legitimate interests and the tendency to use this as something of a ‘catch-all’. HR teams need to be careful about this as it’s not enough to say you’ve satisfied the legitimate interests test because it’s in your economic interests to process the data. You have to be able to show you’ve weighed up the individuals’ rights and interests and are being ‘fair, transparent and accountable’ in relation to use of the data. So, in the union example, you’d have to consider whether there are alternative ways for the union to gather the information – by contacting the individuals directly themselves? And then, if minded to rely upon legitimate interests, you have to make sure individuals know about this processing if it hasn’t already been covered in the privacy notice.
Finally, whilst we are moving away from over-reliance upon consent in the employment context, there will be occasions where this is appropriate as no other lawful ground quite makes the grade. For example, processing personal data for the running of employee networks (such as for LGBT employees or employees with disabilities). It’s not necessary for performance of the contract, there’s no legal obligation and legitimate interests are tricky to establish. In scenarios like these employers shouldn’t be afraid of turning to consent but must ensure they meet the more lofty requirements of the GDPR in relation to the mechanics of providing consent.
So, yes, the days of consent being the answer to all data protection issues are well and truly gone. However, it’s not quite the case of consent being gone for good.
Olivia Sinfield is an Associate Director and employment lawyer at international legal practice Osborne Clarke.