The UK's Information Commissioner, Elizabeth Denham, has launched a series of blogs designed to “bust some of the myths” which she believes have developed around the EU General Data Protection Regulation (GDPR). Her first blog addresses the high-profile issue of fines and her second, published on 16 August 2017, focuses on the equally well-publicised issue of consent.
In order for data processing to be lawful, the data controller or processor must identify a lawful basis for the processing. Currently many employers rely on consent as the lawful basis for the processing of their employees’ personal data (including their sensitive personal data). However, from 25 May 2018, when the GDPR comes into effect (and which will be implemented in the UK through the Data Protection Bill), it is doubtful that such consent will be valid. The myth which the Information Commissioner aims to bust in her latest blog is that an organisation must have consent if it wants to process personal data.
How will consent differ under the GDPR?
Under the current Data Protection Act 1998 (DPA), consent is required to be informed, specific, freely given and revocable. The GDPR sets a higher standard for consent: it requires that consent be unambiguous and given by clear affirmative action. There is also more focus on an individual’s ability to withdraw consent at any time.
Essentially, under the GDPR there is a greater emphasis on individuals being given clear, distinct choices and ongoing control over their consent.
Can employers rely on consent as a basis for processing data under the GDPR?
The ICO’s view is that it is unlikely that employers will be able to rely on consent as a basis for processing data under the GDPR. The ICO Consultation: GDPR consent guidance (the Draft Guidance), published for consultation in March 2017, states that if an organisation cannot offer individuals real choice and control over how their data is used, consent will not be the appropriate basis for processing. According to the Draft Guidance this may be the case if a data controller is “in a position of power over the individual” as is generally the position between an employer and its employees.
Other lawful bases for processing
The Information Commissioner, in her latest blog, is keen to point out that consent is not the only way to comply with the GDPR and that the new law provides five other bases for processing data that may be more appropriate than consent. Those five bases apply where the processing is necessary:
- for the performance of a contract with the data subject;
- for compliance with a legal obligation;
- to protect the vital interests of the data subject;
- for the performance of a task carried out in the public interest; or
- for the purposes of legitimate interests pursued by the controller except where such interests are overridden by the individual’s interests or fundamental rights and freedoms.
An organisation should choose the lawful basis that most closely reflects the true nature of its relationship with the individual and the purpose of the processing. The Draft Guidance states that private-sector organisations will often be able to consider the “legitimate interests” basis if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that an organisation may have good reasons to process an individual’s personal data without consent – for example, in an employment context, an employer will need to process personal data to pay its employees.
The ICO gives guidance on legitimate interests under the current law and the Article 29 Working Party has also produced guidance on this basis for processing under the current law. The ICO recognises that organisations want more information about “legitimate interests” and is working with other European authorities to publish updated guidance on this next year. However, in her latest blog, the Information Commissioner suggests that there is no need to wait for that guidance since an organisation should already be in a position to identify its purpose(s) for processing personal data. The Information Commissioner also suggests that carrying out a data protection impact assessment should help with the task of understanding how an organisation can meet conditions for processing data.
Once an organisation has identified a lawful basis for processing personal data this must be documented, in order to be able to demonstrate to the ICO which lawful basis is relied upon.
Processing special categories of personal data
Whilst employers can look beyond consent as a basis for processing data, the difficulty is that the employment relationship also involves the processing of what is known as sensitive personal data under the DPA and “special categories of personal data” under the GDPR. This includes data which reveals: racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or data concerning health or sexual orientation. The processing of such data is prohibited under the GDPR unless an organisation has a lawful basis for processing and satisfies one of the conditions set out at Article 9(2). The only conditions that are likely to be applicable to the typical processing of this type of personal data in the employment context are:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes; and
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment law, insofar as it is authorised by law.
Explicit consent is not defined in the GDPR but is not likely to be substantially different from the usual high standard. There has been limited guidance as to what the second of the two conditions above will mean in practice and the extent to which employers in the UK will be able to rely on this to lawfully process special categories of personal data.
Continuing to rely on consent
Although it is unlikely that employers will be able to rely on consent as a blanket approach to processing personal data, it may be possible to rely on it in specific situations where the employee has a genuine choice in giving consent. Those employers who decide to continue to rely on consent for processing some personal data, or just for special categories of personal data, still need to ensure that the consent is valid under the GDPR. This will mean ensuring the following:
- consent requests must be separate from other terms and conditions – this will presumably mean that employees should not give their consent via the contract of employment;
- consent must be documented – organisations will be required to keep records to demonstrate what the individual has consented to and when and how consent was given;
- consent must not be a condition of the contract; and
- consent must be easy to withdraw – individuals must be told that they have the right to withdraw their consent at any time and how to do this and there must be simple and effective withdrawal mechanisms in place.
If existing DPA consents do not meet the new GDPR standards, employers will need to seek fresh, GDPR-compliant consent (or rely on one of the other bases for processing).
Another of the myths which the Information Commissioner seeks to dispel in her most recent blog is that organisations cannot start planning for the new consent rules until the ICO’s formal guidance on consent is published. The ICO will not publish this until the Article 29 Working Party of European Data Protection Authorities (of which the ICO is a member) has agreed its Europe-wide consent guidelines (due in December 2017). In the meantime, the ICO will publish a summary of the responses to its consultation on consent. However, the Information Commissioner states in her blog that it is unlikely that the Draft Guidance will change significantly in its final form. Therefore, her view is that employers already have many of the tools they need to prepare for the GDPR.
The Draft Guidance is helpful in terms of ascertaining whether consent will be a valid basis for processing data but in the absence of further guidance as to the alternative bases for processing, employers still face some uncertainty as to which of those are likely to be appropriate and how they will be able to justify the processing of special categories of personal data. However, to the extent that they have not done so already, employers should be giving serious consideration as to whether they can continue to rely on consent for processing personal data and if not, upon what other basis they may be able to rely.