by Jim Ashton | Oct 29, 2017
GDPR Human Resource consideration case study. Some real-life Human Resource adjustments in preparation for the General Data Protection Regulation (GDPR).
Purpose of this document
This document shows information given to a client's Human Resource department in response to concerns raised about the GDPR's impact.
GDPR Human Resource consideration case study
One of our clients had the following concerns about certain aspects of Human Resource processing and the GDPR.
- Consent for HR purposes
- What consent means
- GDPR versus the law and regulations
- The right of a company to protect itself
- Discretionary employee benefits
- Discretionary processes
- Images from formal and informal events
- Passport images for the travel agency
Here are the findings that were published for use.
Consent for HR purposes
Consent should not be a serious issue for HR as its use is quite limited. Some context behind the GDPR and how it is meant to be used:
The GDPR is created to protect the rights and freedoms of individuals.
- Employees as staff members must respect company policies to work in an organisation.
- Employees as individuals have the right to a personal life at work.
There must be a balance between what constitutes an invasion of privacy versus how a company expects its employees to behave.
What consent means
Consent is the strongest force in the GDPR. If you offer consent as a basis for a certain type of processing, you are obligated to stop processing if consent is withdrawn.
For this reason, the GDPR Working Party 29 recommends that consent, to as large an extent as is possible, is not used by HR.
Consent within HR has very limited usefulness or basis because it can cause unnecessary conflicts with English law and regulations. Can you opt out of giving a national insurance number?
The other problem is that consent cannot be linked to an offer, so if you tell an employee that he/she must consent to something or they can't have the job, you will break the GDPR.
GDPR versus the law and regulations
The law and regulations always trump the GDPR. There are no exceptions.
The majority of HR processing is governed by employment law and regulations. Employees and prospective employees must provide significant amounts of personal data because the law says so: proof of eligibility to work, a tax code, a national insurance number and, in some circumstances, other information such as financial history and a police report. These are all legal and/or regulatory requirements.
External screening companies may assist in this process. If their employment verification checks are legal and proportionate, there are no problems. Wording for such screening should be something like: "company policy for this position means that a candidate undergoes a screening process". It is a statement, not a request for consent.
The right of a company to protect itself
A company has the right to protect itself against attack and theft. Employees need to have photo IDs to enter the building, CCTV coverage is used in certain areas, and digital devices are monitored.
Other measures may also be in place. If these measures are proportionate and do not invade an employee's personal life and right to personal privacy, there is no conflict.
A company must be transparent about all these measures, so if an employee is aware of them, there is no problem.
If the company spies on its employees and uses intimate and private data about an employee that is not work related, the company is at risk.
As far as I am aware, employees are informed about all security measures, even regarding the use of email for private matters.
If employees still insist on using company email or other communication services that are monitored for private purposes, that is up to them. All is well if the company does not use the content of private communications against the employee in the form of a disciplinary action.
Discretionary employee benefits
Employees have always been able to opt in or opt out of discretionary benefits, so this is not a problem.
Images that are not used for security purposes are candidates for consent, and the coverage of this consent area is very small: internal use (e.g. organisation charts) and promotional use (brochures, videos, web site).
If an employee does not want a photo on the organisation chart or internal directory, they can opt out.
If an employee does not want a photo used in promotional material, they can opt out.
What they cannot do is opt in today, opt out in six months and demand that everything from the day they opted in is removed. The GDPR is explicit: work performed during the period that consent was active cannot be requested for deletion or removal.
Images from formal and informal events
If a photographer is going to be present at such an event and the images may be used for publication, all event attendees should be informed before the event takes place. There should also be a sign at the entrance stating that a photographer is present, and that photos may be published. At this point the attendee has been made fully aware twice and so is consenting by attending. The attendee should also be informed about how to make enquiries and requests about the photos after the event has finished.
Passport images for a travel agency
A corporate travel agent always asks for scanned passport images when making travel arrangements. This is not a good idea, but if passports are still required by the travel agent, they will need to be sent. The owner of the passport can easily send HR an image of the passport as an encrypted file attachment, using the free ZIP software installed on almost all computers.
Safer alternatives would be:
- find a travel agent that does not insist on passport images
- do not send the images at all (why does a travel agent need a passport?)
- let the employee send the passport directly to the travel agent instead of via HR
- get the travel agent to install an upload facility on their web site so that the employee can upload an image of their passport