The new Data Protection and Digital Information Bill (No. 2) (the “Bill”) has been widely publicised, particularly the government’s claimed saving to business of £4 billion over the next 10 years. The savings are to be achieved by removing barriers to “responsible innovation”. This article explores what that might mean from an HR and employment law perspective.
Data Subject Access Requests (“DSARs”)
Employees, like all data subjects, have the right to know what personal data is processed about them and to check that data's accuracy. The purpose, as stated in the UK GDPR, is to enable the individual to check that their data is being processed lawfully. However, as the Impact Assessment to the Bill notes, requests are often made for other reasons, and responding can be “very time-consuming and resource intensive”. This is particularly so when DSARs are made as part of a litigation strategy by employees or former employees to obtain early disclosure or to create additional cost for the employer (which in turn gives the employee leverage in negotiations).
Currently, if a request is “manifestly unfounded or excessive”, data controllers can charge a reasonable fee or refuse to act on it. The Information Commissioner’s Office (“ICO”) guidance on the right of access sets out fairly limited circumstances in which this might apply, for example where the individual makes a request and then offers to withdraw it in return for a benefit, making it clear that they had no intention of exercising the right of access.
The Bill retains the change proposed in the original bill: a new standard of “vexatious or excessive” will determine whether data controllers can charge a fee or refuse to respond. “Vexatious” is still a high standard, but the change may lower the bar slightly and open the door to the argument that a request made as a litigation tool is vexatious. It remains to be seen how the ICO will interpret this threshold, and employers will still need to be cautious when seeking to rely on this exemption, particularly until new ICO guidance is issued.
Legitimate interests
The Bill does not change the fundamental requirement for data controllers to establish a lawful basis for processing personal data. However, where the basis relied on is the controller’s or a third party’s “legitimate interests” (Article 6(1)(f) UK GDPR), it introduces a new list of examples of processing that may be considered necessary for the purposes of a legitimate interest.
These examples include: (i) intra-group transmission of personal data (including employees’ data) necessary for internal administrative purposes; and (ii) processing necessary for the purposes of ensuring the security of network and information systems. The list reflects the position already set out in recitals 47, 48 and 49 of the UK GDPR, but the proposal would move these examples from the recitals into the body of the UK GDPR, which is a welcome clarification. Note that the examples address only whether processing can be necessary for a legitimate interest; the controller must still balance that interest against the rights and freedoms of the data subject, as Article 6(1)(f) requires.
The Bill also inserts a new Article 8A setting out how organisations are expected to approach further processing of existing data for a new purpose. It lists specific circumstances in which further processing will be treated as compatible with the original purpose. The list can be amended by secondary legislation and may be a helpful reference point.
International transfers of data
The Bill permits transfers of data from the UK by substantially the same routes as are currently available under the UK GDPR, i.e. where the transfer is approved by regulations made under the UK GDPR, is subject to appropriate safeguards, or is made under a derogation. This will be helpful to organisations that have established compliant practices under the UK GDPR, as those practices would still be a valid justification for international transfers of HR data. Similarly, employers that use a consistent framework for data transfers in the UK and the EU will benefit from this provision of the Bill.
However, the Bill does propose a change to how the adequacy of appropriate safeguards is determined. In short, this is currently assessed against a test of essential equivalence, whereas the Bill requires only that the standard of protection in the third country be “not materially lower”. The extent of the practical difference is not yet clear, but the Impact Assessment places great weight on opening up international opportunities, and the approach chimes with other government publications, such as International data transfers: building trust, delivering growth and firing up innovation (August 2021), in loosening the regulatory grip to encourage growth. Time will tell whether European data regulators are similarly ‘fired up’ about the Bill’s approach. Without wishing to overstate the risk, since much will depend on how the Bill is implemented, this could affect the UK’s own EU adequacy decision if the new safeguards are seen as inadequate when the EU revisits UK adequacy in four years’ time.
Data Protection Impact Assessments (“DPIAs”)
Under the Bill, DPIAs would be replaced by an “assessment of high-risk processing” (“Assessments”). Beyond the name change, the Bill would remove the requirement that an Assessment must always be conducted in three specific situations: (i) where a systematic and extensive evaluation based on automated processing (including profiling) takes place; (ii) the processing of special category or criminal conviction data on a large scale; and (iii) systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).
Employers will still need to assess whether any processing, including processing that would have fallen within the mandatory categories, creates a “high risk to the rights and freedoms of individuals”. Where it does, an Assessment will still be required. As a result, removing the mandatory categories may make very little practical difference to employers, who may still decide that such activities present a high risk and should therefore be assessed.
Automated decision making (“ADM”)
Where special category data is not involved, the Bill widens the justifications for using ADM so that all of the Article 6 lawful bases, including legitimate interests, are potentially available, rather than only the narrower list previously set out in Article 22(2) UK GDPR. There is clearly a practical challenge in being sure that special category data, and data subject to the EU GDPR, is not inadvertently included in ADM justified under the Bill once it becomes law, but the change may open up some new opportunities.
Under the Bill, when considering whether there is meaningful human involvement in taking a decision, a controller must consider the extent to which the decision is reached by means of profiling. The Bill also gives the Secretary of State power to make regulations setting out circumstances that will and will not amount to “meaningful human involvement”.
Whether a decision is “significant” will depend on whether it has a legal or “similarly significant” effect on the data subject. Further guidance on these ‘quasi-legal’ decisions is likely to be beneficial. There remains, therefore, considerable uncertainty about the extent of any change to the rules on ADM and about how far the Bill will “future proof” Article 22 against the challenges of the increasing use of AI and machine learning.
Records of processing
The obligation to keep records of processing has been narrowed so that it applies only to controllers and processors engaged in “high risk” processing, i.e. processing that is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing.
In theory, this would reduce the compliance burden of retaining such records where the processing does not meet the “high risk” threshold. However, we anticipate that it might be burdensome to operate a ‘twin track’ system in which processing records are kept for some data sets and not others, given how context-dependent the test is. In an employment context, where data sets are mixed and used for different purposes across the employment lifecycle, this could be challenging to organise in practice.
There are various other nips and tucks to the UK GDPR in the Bill that will be relevant to HR data processing, although largely tangentially. For more on what’s changed and what’s stayed the same, see our article here.
For multinational employers with a presence in Europe, consistent policies are likely to be helpful, so these companies may choose to keep operating to the higher bar of the EU GDPR in any event. That may become a theme if and when the Bill becomes law, as larger organisations seek a consistent approach to data privacy compliance.