Written and recorded by Robert Edwards, Law Hound
Welcome to this training session from Data Law. My name is Robert Edwards. I'm a consultant with Law Hound. Previously, I was a counterintelligence and IT security specialist with Her Majesty's Government before moving on to lecture on and provide legal training.

GDPR: The Rights of Employees. The General Data Protection Regulation, GDPR, is designed to update the Data Protection Act 1988, the DPA. In this session, we're going to examine some of the changes the GDPR will make to the rights of your employees on the processing of their personal data. I shall be using the following terms: individual, meaning the data subject or the individual employees whose data is held by your organization or data controller; organization, meaning the data controller, the organization holding the data; and data, to mean personal data as applicable within the meaning of the Data Protection Act 1988 and GDPR.

The basics. Whilst your employees' rights with regard to data protection under GDPR are based on the DPA, many of these are extended, and bearing in mind the potentially large fines for non-compliance of up to 4% of your business turnover globally, compliance with GDPR is essential. So let's examine the basics.

Personal data. Under Article 4 of the GDPR, personal data is given a broader definition and means any information relating to an identified or identifiable natural person, the data subject. This broadens the definition of personal data to take into account advances in technology and how we work and do business today. According to Recital 26, if you can identify a natural person directly or indirectly using all means reasonably likely to be used, then the information is personal data.
All means reasonably likely to be used means applying objective factors such as the time required and the costs associated with identification, but also taking into account the technology available, particularly given the speed at which complex and expensive enterprise-level technology becomes less expensive and falls within the reasonable reach of the individual. It also means the data may be personal data even if the organization holding it cannot itself identify a particular natural person.

So, taking into account Article 4, the broader definition of personal data now includes a name, an identification number, location data, something specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity, online identifiers such as IP addresses, cookie identifiers, or other identifiers such as RF tags, radio frequency identification tags. Personal data may also include pseudonymized data. This is personal data which has been pseudonymized, that is, key-coded, depending on how easy it is to recognize a particular individual from the pseudonym under Article 26.

Data is the term applied to all information and includes static images, video and audio recordings. It includes both paper and computer records and, according to Article 2, is information that is or is intended to be wholly or partly processed by any automated means or automatically, including by any type of IT or equipment or computer records, such as a database, sales record or account system, or part of any type of what is referred to as a relevant filing system. This means any non-automated, structured information which enables ready access to information about individuals, including your employee records. The system may be separate paper files, the sort of eighties said you might associate with a filing cabinet.
Alternatively, a cardboard folder where you store individual A4 sheets of paper, each containing an employee's name, address and other details, will also be regarded as a system for data protection purposes. The definition of data under GDPR is wider than the DPA's, but still applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. It therefore also includes chronologically ordered sets of manual records containing personal data.

Sensitive or special categories of data, genetic and biometric data. Article 9 of the GDPR refers to special categories of data, which is similar to the sensitive personal data under the DPA with two additions. It now includes genetic data and biometric data where processed to uniquely identify a person.

Examine and review your employee data so that you're clear about what information you're collecting and exactly how you're going to use it. How does it benefit you? In this way, you can properly determine what it is you actually need. As the ICO advises, you should take the time to consider what information you hold that constitutes personal data; what you do with the personal data you process; what you actually need to carry out these processes, and remember that a privacy impact assessment can help you to answer this question; whether you're collecting the information you need; whether you're creating derived or inferred data about people, for example by profiling them, in which case, are you creating new data; and whether you would be likely to do other things with the data in the future. This can be particularly important if you're undertaking large-scale analysis of data, as in big data analytics. It's a good time for a review to decide what data you really need. Review how you're processing your employees' data, and review and update your data protection policies and practices.
Lawful processing and consent. Article 42 of the GDPR defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. All of these are processing functions, so the definition is extremely wide and, as we know from the DPA, it captures almost anything which a business may wish to do with an individual's data.

Under GDPR, processing data will only be lawful if it complies with one of the processing conditions under Article 61. One of these conditions is the consent of the data subject, and is one of the conditions that employers commonly rely on for processing and for their processing to be lawful. When it comes to processing special categories of data, GDPR's Article 9 means that if you intend to rely on the consent of the data subject, then that consent must be explicit.

Under Article 4(11), consent must be freely given: individuals must have genuine choice and control over how you use their data, and without penalty or fear of penalty; a specific, informed and unambiguous indication of the individual's wishes. You will need separate consent for different processing operations wherever appropriate. Consent must also be given by either a statement or a clear affirmative action signifying agreement to the processing of their personal data. It must be a deliberate or positive opt-in, but not inferred by silence or from pre-ticked boxes or simple inactivity. Consent must be as easy to withdraw as it is to give, telling the individual of the right to withdraw and then having a straightforward mechanism in place for withdrawing consent.
This creates a problem for employers who process employees' data based on consent, since the imbalance in the relationship between employer and employee may make it difficult for an employee to refuse consent. So, for example, a senior manager may not feel pressurised when consenting to processing of his or her personal data, but a junior employee facing disciplinary proceedings may feel very differently, and employees may feel compelled to consent when an offer of employment is made, anticipating that their consent was one of the conditions of the employment. While it's been common practice to include blanket consent in contracts of employment, the ICO has previously stated that this cannot be relied on even under the Data Protection Act. At any event, under Article 72 of GDPR, it's clear that unless consent is clearly distinguishable from the other matters, it wouldn't be binding. Employers must also now ensure that there is a straightforward mechanism for withdrawing consent, again without penalty or fear of penalty to the employees.

Bearing in mind the potential issues with consent under the GDPR, consider whether there is another lawful basis for processing employee data, such as, by way of example, to comply with the legal obligation as an employer, or the legitimate interest of the employer, or processing which is necessary for the performance of the employment contract. Consider whether you have another lawful basis for processing employees' data. If you're relying on consent, then make sure it meets the GDPR requirement, particularly by reviewing any consents obtained before 25th of May 2018, and ensure that you have a straightforward mechanism for withdrawing consent without penalty.

Employees' access to their personal data. Under the GDPR, individuals will have a right similar to the right of access, or to make a subject access request, an SAR, as under the DPA. The main changes made by GDPR are as follows.
There are no fees. The organization cannot charge anything under Article 12(5) unless the request is manifestly unfounded or excessive, or the request is for further copies of information already provided. Now, in those limited circumstances, but only in those circumstances, an organization can charge a fee based on the administrative costs in supplying the data. Bear in mind that you'll need to consider any guidelines to clarify what is manifestly unfounded or excessive, and ensure that the definition is made clear to employees, for example by including it within your staff handbook.

Responses to SARs. Under Article 12(3) of GDPR, the information requested must be provided without undue delay and at the latest within one month of receipt of the request, rather than the DPA's 40 days allowed, but can be extended by a further two months where necessary if the request is complex or numerous.

Employees have other rights. Under GDPR, employees have rights including the following.

The right to be informed. Employers will need to provide transparency as to how personal data will be used, including, in accordance with Article 13, the lawful basis for processing; how long the data will be retained, the retention period, or what criteria will be used to determine the retention period; the existence of each of an individual's rights; and the right to lodge a complaint with a supervisory authority.

The right to rectification of data. Under Article 16, the individual will have the right to have their inaccurate personal data rectified and any incomplete personal data completed, including by means of providing a supplementary statement.

The right to erasure, or to be forgotten. This is a new right under Article 17 which enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. It's not an absolute right to be forgotten, but rather a right to have personal data erased and to prevent processing in specific circumstances under Article 17(1), including: the personal data is no longer necessary in relation to the purposes for which they were originally collected or processed; the individual withdraws consent; the individual objects to the processing and there are no overriding legitimate grounds for the processing; the personal data has been unlawfully processed, in other words, breaching GDPR; the personal data has to be erased to comply with a legal obligation.

The right to object. The GDPR Article 21 right to object, including processing based on legitimate interests or the performance of a task in the public interest or the exercise of official authority, including profiling.

The right to restrict processing. This right, provided by Article 18, is similar to the DPA right and enables an individual to suppress or block processing of their personal data.

The right to data portability. This new right, provided by Article 20, means that an individual can obtain and move, copy or transfer personal data easily from one IT environment to another in a safe and secure way and without hindrance to usability, to enable individuals to reuse their personal data for their own purposes across different services. The right to data portability only applies to personal data which an individual has provided to an organization or data controller, when processing is based on the individual's consent or for the performance of a contract, which may also be considered to be a contract of employment, since the nature of any applicable contract is not specified by the GDPR, and when processing is carried out by automated means. Organizations must provide the data free of charge in a structured, commonly used and machine-readable form, by transmitting data directly to another organization if this is technically feasible, should the individual request it, without undue delay and certainly within one month. This can be extended by a further two months where there are a number of requests or the request is complex.

Rights in relation to automated decision making and profiling. Similar to the DPA rights, under Article 22(1) this right means that an individual has the right not to be subject to a decision based on automated processing which produces a legal effect or similarly significantly affects that individual.

So again, it's time for review. Review and update your data protection policies and practices. Provide training to ensure that processes are amended or, if you don't have them already, put into place. GDPR brings changes to the way you collect and process employee data, and you must remember that its aim is to provide greater transparency, enhanced rights for citizens and increased accountability. And that concludes this session for Data Law. Thank you for joining me, Robert Edwards, on this session.