As part of the GDPR series, the Taylor Vinters HR GDPR team consider Employee Privacy Notices, and explain why all employers must give thought to constructing meaningful documentation.
Many organisations will already be familiar with the concept of Privacy Notices. However, these will almost exclusively be in the context of providing their customers (as opposed to their employees) with certain information about how the organisation is processing their personal data. Under the General Data Protection Regulation (‘GDPR’), it will become far more important that such notices are issued to all data subjects in relation to whom an organisation may handle personal data, including employees and job applicants. In addition, Privacy Notices will need to contain far more detailed information about how any relevant personal data will be processed, so as to meet the enhanced requirements of the GDPR.
What is an employee Privacy Notice?
An employee Privacy Notice is a source of information that explains to an individual the “what, how, where, why and when?” regarding how a data controller (in our case an employer) processes an employee’s personal data. Processing is a broad term and includes (amongst other things) collecting, recording, storing, amending, reviewing, using and deleting personal data. A vast array of employment-related data is processed by employers and under the GDPR, they will have to be more transparent and open than ever before about such processing.
Why do employers need to draft a Privacy Notice?
It is a mandatory obligation under the GDPR for employers to provide certain information (detailed further below) to their staff. It is also a core GDPR principle for employers to process HR-related data in a fair and transparent way. Issuing a bespoke and adequately informative Privacy Notice to staff is therefore a key step towards achieving GDPR compliance.
There is no set way for employers to provide this information. However, our firm recommendation is that an employer does this by means of a Privacy Notice. How that Privacy Notice is communicated to staff is, however, left to the discretion of the organisation, and we discuss this further below.
Arguably, this is one of the most important documents that an employer will need to prepare in order to become GDPR compliant. Organisations hold a vast amount of personal data, and often special categories of personal data, in relation to their employees, and as one of the new concepts under the GDPR is ‘transparency’, it is imperative that employers are open, honest and sufficiently detailed in the information that they provide to their staff in relation to the handling of their data. The Privacy Notice, alongside appropriate policies, procedures and relevant training, is a fundamental part of the GDPR jigsaw, but it will likely be the document most scrutinised by staff, who have much increased rights under the GDPR.
What information must be included in an employee privacy notice?
The mandatory information “types” that must be set out in a Privacy Notice include:
- The identity and contact details of the employer;
- A description of the personal data that is collected;
- The purposes for processing the data;
- The legal basis on which the processing will take place;
- Who the personal data is shared with;
- Whether personal data is transferred outside of the EEA and if so, details of the safeguards that are in place to protect the security of the data;
- How long the personal data will be kept for; and
- Details about the rights that employees have in relation to that personal data, for example the right to request that the employer rectify any incorrect information.
How does an employer start constructing a meaningful Privacy Notice for its employees?
The Privacy Notice must be “meaningful”. Essentially this means that it must be tailored to reflect the structure of the employer’s business, the types of personal data that the employer processes and the nature of the processing (amongst other things). As such, whilst a template Privacy Notice is a useful starting point for an employer, it will only become a purposeful document when it is specifically tailored to reflect the relevant processing of employees’ personal data within the organisation.
The first step for an employer to be able to complete a Privacy Notice is to understand exactly what data it holds, how it is processed, who has access to it, why it is processed and what the company’s legal basis is for being able to process that data. This can most effectively be done by carrying out some form of HR data audit or data mapping exercise.
Once an employer has a clear picture of the data it holds and how it handles that data, it can start to work these details into a Privacy Notice. In relation to each data type, the employer will need to confirm within the Privacy Notice the purpose(s) for which it is processing that data and the legal ground(s) that it is relying on to carry out that processing activity.
Once a meaningful Privacy Notice has been produced for existing staff, the employer will need to think about tailoring it to job applicants or other forms of atypical workers.
The Privacy Notice needs to provide sufficient detail so that the data subject has clear knowledge of the types of data held about them, the nature of the processing activities and their rights under the GDPR. However, notwithstanding the level of detail that needs to be provided, the GDPR requires the document to be written in clear and concise language. Including all of the necessary information whilst remaining concise is something of an art form!
When should the Privacy Notice be issued to employees?
Privacy information needs to be communicated to individuals at the point the data is collected. Practically speaking, this will mean issuing an “applicant” Privacy Notice to anyone that applies for a vacant role. It will then mean issuing a new “employee” Privacy Notice as part of the on-boarding exercise for new employees. This is in addition to issuing a Privacy Notice to all existing employees.
How should the Privacy Notice be distributed to employees?
A Privacy Notice can be communicated in a variety of ways, either as a hard copy document or electronically. However, it is good practice to use the same medium that you use to collect personal information from individuals to communicate the Privacy Notice. For example, where an employer issues candidates with a printed job application form, this could be accompanied by a printed copy of the Privacy Notice.
Whilst the information must be communicated to individuals at the point it is collected, this does not mean that all of the mandatory information needs to be contained in the same document. In this respect, the Information Commissioner’s Office (“ICO”) also recognises that some organisations may choose to take an innovative approach to distributing this information. This is therefore an opportunity for an organisation to be creative in the way it provides this information to staff, and is equally an opportunity to engage staff with data protection issues. This could be achieved, for example, by creating an app whereby employees can read and engage with the notice or, perhaps, by setting some of the key information out in a text message sent to the employee, which would direct the employee to a link to a fuller policy document. Whatever method is chosen, it is essential that an organisation can ensure that all staff receive this information and can acknowledge receipt of it by some means.
What are the potential consequences for failing to communicate the mandatory information to employees?
The GDPR is very clear about the information that must be provided to employees. If employers do not have a clearly documented record of having done this and are either subject to an ICO spot-check inspection or dealing with the ICO for some other reason, then a failure to provide this information will not be looked upon favourably as part of the ICO’s assessment of the employer’s overall compliance strategy.
- If an employer has not already considered what personal data it holds about its employees and how this data is processed, now is the time to conduct this process. The results of this process can be used in a number of ways, including to draft a Privacy Notice.
- If an employer does not have time to create a Privacy Notice from scratch, please do get in touch and we can supply a template document.
- Use the results of the audit to populate the template Privacy Notice.
- Review the template Privacy Notice with your advisers to check that it contains all of the mandatory information and that it is drafted in a concise way.
- Amend the Privacy Notice to create a notice specifically for job applicants.
- Consider how to distribute the Privacy Notice both for existing and new hires.
How can we help?
Whether you have conducted a full personal data audit and are almost ready for 25th May, or whether you are about to begin the two-month countdown, we are available to assist with any necessary drafting, reviewing or implementing of your GDPR documentation. Please do not hesitate to contact Rachel Ashwood, Dominic Wrench or Shelley King to discuss how we can assist you and your business.
Read the previous article in the GDPR series – HR GDPR Action Steps: Policies and Procedures. To read all of the previous articles, please see those listed under Insights below.