The Information Commissioner’s Office (ICO) is calling for views on data protection and employment practices to help them shape their upcoming guidance products which will see existing guidance replaced with “a new, more user-friendly online resource with topic-specific areas”.
DLA Piper’s employment group will be submitting a response to the ICO’s call for views and our submission will be informed by responses to our employer survey which you can access here. This 5 minute survey asks you to identify the areas which businesses find tricky to manage when handling employee data and where updated or additional guidance would assist. Our survey will close on 11 October 2021.
The ICO’s existing Employment Practices Code was published in 2011 and has since been added to with supplementary guidance and a quick guide. As the ICO acknowledges, however, much has changed in the last decade. The General Data Protection Regulation and the Data Protection Act 2018 have implemented legislative change. Employee data subject access requests have become more widespread and detailed than was ever anticipated by legislators or regulators. Also, the pace of technological change means that artificial intelligence and automated decision making are now regularly used as part of human resource management.
These changes had already created an environment in which it was onerous for employers to meet their employee data privacy obligations when the COVID-19 pandemic arrived, bringing with it yet further challenges.
Remote working, which began as an immediate response to the government’s COVID-19 stay at home instructions, is now widespread across many sectors and looks set to remain for the long-term. Despite the benefits associated with remote working, employers feel hampered in their ability to supervise staff and check productivity. As a result, use of technology for employee monitoring is expanding. These practices are possible under UK data privacy laws, but there are a number of matters for an employer to consider and steps to take to ensure such activity is lawful – for example, data protection impact assessments as well as data privacy policies and procedures are required and employees must be informed of their employer’s monitoring activities.
Another significant impact of COVID-19 has been a surge in employers processing employee health data, be that information on employee vaccination status or COVID test results. Data privacy is a significant issue here given that health information constitutes “special category data” which is subject to extensive protection under the UK data privacy regime. As well as undertaking a health and safety assessment of the COVID-19 workplace risks to assess if, for example, testing is necessary measure, any employer wanting to access COVID-19 status data will need a data privacy impact assessment and a clear legal basis for processing employee health data.
Given these extensive developments, there is now a significant mismatch between the ICO employment practices guidance and the issues which employers are grappling with on the ground. This makes the ICO’s proposed update a welcome development, particularly given the indication that the guidance will be developed to meet the needs of those who use it.
As before, you are welcome to provide your responses to our employer survey which you can access here which we shall use (along with our knowledge of the challenges employers face generally) to inform our responses to the ICO consultation. Our survey will close on 11 October 2021.
Employers who wish to respond directly to the ICO’s call for views can do so via the ICO website. Their consultation closes on 21 October 2021.