HR data: the GDPR and beyond
The article focuses upon HR data and provides some suggestions as to what employers can/should be doing over the next twelve months.
1. Audit and analysis
One of the key steps in preparing for the GDPR coming into force was carrying out an audit and analysing the data processed in connection with HR and people management operations. Now is a good time to take another look at this and assess whether there are any additional steps that should be taken.
2. Purging and cleansing
Employers must ensure that they process the minimum amount of personal data required for the specific purpose(s) for which it is processed, and that they keep such data for no longer than necessary for the purpose(s) for which it is processed.
If employers haven’t done so yet, now would be a good time to review retention practices and ensure that historic data is appropriately handled. The practical advantage of reviewing and deleting information that is no longer needed is that it should help with managing individual rights requests, such as subject access and deletion requests, and keeping associated costs down.
3. Data subject access requests (DSARs) (and other individual rights)
Anecdotal evidence suggests that there has been a significant increase in the number of data subject access requests (DSARs) submitted by employees, workers and other staff members to their employers. The number of complaints to the ICO relating to DSARs has increased significantly, albeit to date no recorded enforcement action has been taken in respect of an HR-related DSAR.
Whilst staff members have always sought to use such requests tactically, it is clear that the way in which DSARs are used has also developed. Further, with confirmation that ulterior motives (such as a desire to uncover evidence to support a tribunal claim) are irrelevant following Dawson-Damer, individuals are increasingly confident in taking a tactical approach to DSARs and employers are seeing more of the following:
• broad DSARs of the “I want everything” type (often followed by a refusal to narrow the scope of the DSAR);
• DSARs with specific requests and seeking particular information (albeit potentially covering long periods or wide swathes of documents); and
• difficult questions about processing (not all of which fall within Article 15 GDPR), which need to be considered carefully.
All of the above can be time-consuming and costly for employers to manage, and come with clear risk if not handled correctly.
4. Vicarious liability
Whilst not a GDPR case as such, the Morrisons case brought the potential commercial risks of an employee data breach in the post-GDPR world to the fore. The initial costs of dealing with the breach and implications for brand value and the employer’s reputation were significant. But the wider costs are still mounting.
In the first case of its kind, over 5,000 affected employees brought a claim alleging both primary and vicarious liability for (i) misuse of private information; (ii) breach of confidence; and (iii) breach of the DPA 1998. A disgruntled Morrisons employee, retaliating against a disciplinary sanction, published sensitive personal data relating to around 100,000 of his fellow employees on the internet and then sent copies to several newspapers. The employee was subsequently convicted of various offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998) and given an 8-year prison sentence. Both the High Court and the Court of Appeal (CA) held that Morrisons was not primarily liable for the breach but was vicariously liable as his employer.
Other areas the article covered include criminal records checks, right to work checks and the ICO’s enforcement activity.
The article ends with a list of what employers should be focusing upon:
• Policies and procedures: Now is a good time to take stock and review policies and procedures.
• Look at your ‘backburner’ lists: If underlying privacy impact assessments (PIAs) and legitimate interest assessments (LIAs) are not currently in place, now would be a good time to implement these.
• Assessing and addressing risk: Review your current arrangements with the benefit of 12 months’ experience. Look back at any individual rights requests, including subject access requests, and any data breaches. What can you learn from your experiences?
• Purging and cleansing: As noted above, this is a good time to evaluate storage and retention arrangements, including any archiving arrangements, ensure that historic data is appropriately handled and purge any data for which there is no ongoing basis for processing.
• Record keeping: Are your records accurate and up-to-date? Do you have sufficient record-keeping arrangements in place to evidence your GDPR compliance? Now is a good time to review and rectify this where needed.
• Training: The GDPR is an area of continuous development, not a one-off change. Consider refresher training, look at any developments and make sure you upskill appropriate staff.
• Staff relations: Look at the impact of the GDPR, and review your communications with staff.
• Forward planning: Think about your experience and identify any areas for improvement so that you can take remedial action and allocate budget accordingly.
EU Updates: ePrivacy Regulation Inches Forward, EDPB Issues Guidance on Interplay Between GDPR and ePrivacy Directive
The post provides an update on the progress of the new ePrivacy Regulation.
The ePrivacy Regulation was introduced in 2017 and originally slated to take effect with the GDPR (on May 25, 2018), but it now appears it will not be implemented before late 2021. With the Romanian Presidency of the Council of the European Union passing to Finland as of July 1, and in view of forthcoming EU parliamentary elections and procedural considerations, adoption may be delayed even further.
Key concepts currently up for debate and the subject of amendments in the Regulation’s latest draft include:
• Conditioning access to website content on a user consenting to advertising cookies: The current draft states this would not be “disproportionate” unless the site is provided by public authorities. Notably, this position contradicts those taken in Article 29 Working Party Guidance from April 2018, and in enforcement actions by supervisory authorities (see our post here on the UK ICO’s enforcement in this regard).
• No consent needed to process electronic communications data for information security reasons: Previous drafts would not have provided as much leeway on this point as the current draft allows.
• To what extent metadata can be processed by end users after receipt, or by a third party entrusted by them, without consent: One practical implication of this is that it may regulate aggregated and anonymized data that some companies rely on for analytics. Otherwise, this type of data may fall outside the scope of regulation (i.e., GDPR) since it may not be considered personal data.
• Expansion of the definition of “direct marketing communications”: The proposed definition would cover communications using new technologies (including voice over IP calls and electronic message applications), bringing these and other popular mobile applications within the scope of the ePrivacy Regulation.
• How the ePrivacy Regulation will interact with new technologies, in particular in the machine-to-machine, “internet of things” and artificial intelligence contexts.
• Enforcement by supervisory authorities: The latest draft requires cooperation with other supervisory authorities, as under the GDPR.
Where the ePrivacy Directive “particularises” the GDPR
In applying the lex generalis-lex specialis principle, the European Data Protection Board (EDPB) found that where the ePrivacy Directive “particularises” or sets out more specific rules than the GDPR, the ePrivacy Directive’s specific provisions take precedence over the GDPR’s general ones. For personal data processing activities not subject to specific obligations under the ePrivacy Directive, the GDPR controls.
The EDPB provided several practical examples applicable to a wide range of organizations, including processing involving website traffic data, location data, direct marketing and cookies.
• With regard to website traffic data, the Board discussed that, because Article 6 of the ePrivacy Directive explicitly limits the conditions under which website traffic data, including personal data, may be processed, controllers may not rely on alternative legal bases for processing under Article 6 of the GDPR.
• As to Articles 9 and 13 of the ePrivacy Directive, which regulate location data and direct marketing, the Board pointed out that where the ePrivacy Directive requires consent for the specific actions described, the controller must obtain a data subject’s consent and cannot rely on some other Article 6 legal basis, such as legitimate interests.
The Netherlands – First GDPR fine imposed: EUR 460,000
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) issued its first GDPR fine, of EUR 460,000, on the Dutch Haga Hospital for insufficient internal security of patient records.
A large number of hospital staff (197 employees) had accessed the medical records of a Dutch celebrity. During its investigation, the Dutch DPA checked whether the hospital’s information security systems met the security requirements of Article 32 GDPR and, more specifically, the health care sector’s own security standards.
The Dutch DPA concluded that the Haga Hospital had taken insufficient security measures with respect to authentication and the control of logging, which constitutes a breach of Article 32 GDPR. With respect to authentication, the hospital did not have two-factor authentication in place, which it should have had for access to patient records. With respect to the control of logging, the Dutch DPA noted that the hospital did check its logs (by a random check of six patient records per year), but concluded that this was not sufficient to meet the requirement of ‘systematic, risk-oriented or intelligent control’.
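The contrast the Dutch DPA drew is between sampling a handful of records a year and reviewing every access against a risk signal. The following is an added example, not code from the decision, the hospital or the authority: it runs two such checks over a small constructed access log. The log format, the field names, the care-team register and the threshold are all assumptions chosen for illustration.

```python
"""Risk-oriented review of electronic health record access logs.

Added example; the log format, the treatment-relationship register and the
fan-out threshold are assumptions, not anything from the Haga decision.
Two checks a 'systematic, risk-oriented' log control would run on every event:
  1. access by a user with no treatment relationship to the patient;
  2. a single record opened by unusually many distinct users in a short window,
     the signature of staff looking up a well-known patient.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (assumed format):
# ISO timestamp | user id | role | patient id | action
SAMPLE_LOG = """\
2019-06-03T08:01:12 u1021 nurse P7781 view
2019-06-03T08:04:50 u1021 nurse P7781 view
2019-06-03T08:30:02 u2044 physician P7781 update
2019-06-03T09:12:44 u3310 admin P7781 view
2019-06-03T09:13:10 u3311 clerk P7781 view
2019-06-03T09:13:55 u3312 nurse P7781 view
2019-06-03T09:15:01 u3313 physician P7781 view
2019-06-03T10:00:00 u4001 nurse P1002 view
2019-06-03T10:05:00 u4002 physician P1002 update
"""

# Constructed treatment-relationship register (assumption): which staff are
# on each patient's care team during the review period.
CARE_TEAM = {
    "P7781": {"u1021", "u2044"},
    "P1002": {"u4001", "u4002"},
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def accesses_without_relationship(events, care_team):
    """Every access by a user not on the patient's care team.

    Because every event is checked rather than a yearly sample, one stray
    access is enough to surface."""
    return [e for e in events
            if e["user"] not in care_team.get(e["patient"], set())]


def high_fanout_records(events, max_users, window=timedelta(days=1)):
    """Patients whose record was opened by more than max_users distinct users
    inside any sliding window. Returns {patient: peak distinct users}."""
    by_patient = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_patient[e["patient"]].append(e)
    flagged = {}
    for patient, evs in by_patient.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if x["ts"] - start["ts"] <= window}
            if len(users) > max_users:
                flagged[patient] = max(flagged.get(patient, 0), len(users))
    return flagged


def review(text, care_team, max_users=3):
    """Run both checks over a log and return the findings for a reviewer."""
    events = parse_log(text)
    return {
        "no_relationship": accesses_without_relationship(events, care_team),
        "high_fanout": high_fanout_records(events, max_users),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, CARE_TEAM)
    for e in findings["no_relationship"]:
        print(f"{e['ts']} {e['user']} ({e['role']}) opened {e['patient']} "
              f"with no treatment relationship")
    for patient, n in findings["high_fanout"].items():
        print(f"{patient}: opened by {n} distinct users within one day")
```

On the sample log the first check flags the four accesses to P7781 by staff outside its care team, and the second flags P7781 itself, opened by six distinct users in a single day; P1002, accessed only by its own care team, is not reported. In a real deployment the care-team register would come from the admissions or scheduling system, and the threshold would be set from a baseline of normal access counts rather than the fixed value assumed here.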
Future of Data: Fake news – has the train left the station?
This article discusses issues around ‘Fake News’.
In September 2018 the EU signed its Code of Practice on Disinformation (Code). Rather than produce an EU-wide Directive (to be adopted by national laws of individual member states), the Commission has tried to bring the large technology companies onside to regulate fake news themselves, within the framework of the Code.
“Disinformation” is defined as “verifiably false or misleading information” which, cumulatively:
• “is created, presented and disseminated for economic gain or to intentionally deceive the public”; and
• “may cause public alarm”, intended as “threats to democratic, political and policymaking processes as well as public goods such as the protection of EU citizens’ health, the environment or security”.
In particular “Disinformation” does not include misleading advertising (which is regulated elsewhere), reporting errors, satire and parody, or clearly identified partisan news and commentary.
The Code has been signed by Facebook, Google, Twitter, Microsoft, Mozilla and by members of the advertising industry. The Commission was keen to ensure the Code was activated in time for the European Parliament elections in May 2019, and monitored results over this period.
Are loyalty points schemes a form of electronic money?
A case currently before the German courts concerning Lufthansa’s Miles & More loyalty points scheme raises the question of whether loyalty points schemes are now considered to be a form of electronic money. The outcome of the Lufthansa case may well set a precedent for regulatory treatment of loyalty points schemes in Germany and across the EEA.
The claim has been brought against Lufthansa by one of its loyalty programme members who is suing them for €21,000 on the basis that his loyalty points amount to electronic money. He claims he should therefore be able to withdraw his loyalty points as cash. Among other things, re-characterisation of loyalty points as electronic money could mean that Lufthansa is operating without the necessary regulatory authorisations.
Lufthansa’s argument in defence is that issuing points is not issuing electronic money because the points do not have any cash value. However, this argument is potentially undermined by the ability of customers to transfer points from other programmes that do sell their points for cash. If the member’s claim succeeds and a court determines that his loyalty points do constitute electronic money, Lufthansa may well have to become regulated as a bank or e-money issuer and comply with the rules that apply to such entities.
It remains to be seen what the outcome of the court case will be but if found for the plaintiff it could have significant impact on loyalty schemes across Europe.
Is reputation still king when it comes to a data breach?
This article discusses recent developments in the privacy regulatory landscape and how they affect the legal and reputational damage companies face after a breach. The article states that ‘Preparing for and responding to any breach therefore has to take into account the short and long term legal risks, as well as incorporating a sophisticated, joined up communications strategy, to preserve an organisation’s reputation.’
Not only doing the right thing, but being seen to do the right thing, is vital if you want to mitigate the legal and reputational impact of a breach. (September 5, 2019)