Employees and other personnel are “data subjects” under the data protection legislation, and their employer will always be a “controller” in respect of their personal data. This means that employees will have certain data subject rights (set out in Articles 12 to 22 of the GDPR) vis-à-vis their employer in relation to the processing of their personal data, including the right to be informed, the right of access, the right to object and, in very limited circumstances, the right to be forgotten.
The right to be informed ensures that employees are notified by their employer (usually in the form of a privacy notice) what personal data is held by the employer and what is done with this data. Articles 13 and 14 of the GDPR set out the detail that must be included in each such privacy notice, including: the identity and contact details of the organisation, the purposes of processing the personal data as well as the lawful basis of processing, recipients of the personal data, details of any transfers of personal data outside the EU, data retention periods and the existence of the data subject rights under the GDPR. Where the personal data was obtained indirectly by the employer (e.g. from a recruitment agency), the privacy notice also needs to include the categories of data as well as the source of the data.
Once the employee privacy notice (or notices, for those organisations who prefer to have separate privacy notices for recruitment purposes and for current employees) has been prepared, it also needs to be properly distributed to the relevant data subjects. After 25 May 2018, where an employer receives personal data directly from an individual, the privacy notice must be provided immediately; and where an employer receives personal data indirectly from a third party, the privacy notice must be provided at the latest one month after receipt of the data. However, what about the current and former employees whose personal data the employer already holds? Best practice suggests that the new privacy notice should be distributed to all such persons as soon as possible.
In addition to the privacy notices, employers should develop internal procedures (usually referred to as data protection policies) to ensure that the organisation can properly respond to a personal data breach or to the exercise of data subject rights.
Is it sufficiently clear what constitutes a personal data breach, and would the person discovering such a breach know what to do next? A personal data breach is not limited to third-party actions - it can be as simple as a misdirected e-mail. After 25 May, organisations will be obliged to report personal data breaches to the Information Commissioner’s Office (and to the affected person(s)) in certain circumstances.
Where an employee exercises a data subject right, would the person receiving such a request know how to respond? None of the data subject rights are absolute, which means that the response will depend on the circumstances - for example, the right of access (also referred to as a subject access request) does not generally apply to the extent that such disclosure would include third-party personal data, and the right to be forgotten does not apply where the data processing is based on a legal obligation.