Right to privacy

  • Advice

    Employees have several rights under the General Data Protection Regulation (GDPR) as individuals, including the right to:

    • Inspect information about the collection and processing of their data;
    • Access the personal data and supplementary information held about them;
    • Correct data that is inaccurate or incomplete;
    • Have their data erased by the data controller;
    • Restrict a data controller from processing their data if they consider it is unlawful or the data is inaccurate;
    • Object to their data being processed for direct marketing, scientific or historical research; and
    • Data portability, which allows them to get data from their employer and reuse it.


    Right to be Informed

    Employers must be transparent about the data they hold on their employees. This is a key requirement in the UK GDPR. The employer must inform you of your ‘privacy information’. This includes the employer’s purposes for processing your data, how long the employer is going to retain the data and, if the employer plans to share your data, who it will be shared with. This information must be given to you when the employer collects your data.


    If the data was collected from other sources, the privacy information still needs to be passed on to you within a reasonable period; this should be no later than a month. There are a few circumstances when employers do not need to provide people with such information, such as if an employee already has the information or if it would involve a ‘disproportionate’ effort to provide it to them.


    Previously, employers used consent clauses in employment contracts to inform employees of the kinds of situations in which their data would be used and processed. Some employers also had a data protection policy that provided further details of employee data processing. Most of the privacy information was already within the employer’s knowledge; however, it was merely used as a justification when a complaint was received. This has been updated to a new approach in which employers need to be proactive in providing information about your data.


    After the candidate has received the job offer, they must receive the following information, as stipulated in Article 13 of the GDPR:

    • The identity of the employer;
    • The purpose and legal basis for processing your data;
    • The recipient of the personal data;
    • Whether you have to provide such data as a statutory or contractual requirement;
    • Whether you must provide the data or not and the consequences of failure to provide such data; and
    • Whether the personal data will be subject to any automatic processing and if so, the logic involved and the consequences of such processing.


    When the job offer has been made, the employer must provide you with the data protection policy to read. This must be signed and returned as part of the acceptance of the offer. It forms the basis for the employer to state that they have complied with Article 13 of the GDPR, the right to be informed.


    After employment has ended, the employer should inform you as to what information will be retained, the reason behind the decision and for how long. This will need to be balanced with the employee’s right to be forgotten, and so usually only information which is required should be retained and the employer must be able to justify why it is required.


    Right to Access

    Employees have a right to access and receive a copy of their data and other supplementary information. It helps employees to understand how and why the employer is using their data, and to check that the employer is doing so lawfully. Such a request is known as a Subject Access Request (SAR). You can make the request verbally or in writing; this is normally free, but your employer may charge a small fee. You should receive the data within a month or two. Employers may ask for details required as part of the job application process, such as checking criminal records for finance/care work.


    Right to Rectification

    Employees have the right to rectify ‘incorrect’ personal data by informing the employer verbally or in writing. The employee could give arguments and evidence against their claim. The employer must verify the claim and respond to you within a month. This response would be to verify whether the records are accurate. If they are inaccurate, the employer must rectify them. However, if the employer finds that the data they have is accurate, they must provide you with reasons for not making the alteration.


    Right to Erasure

    The UK GDPR introduces a right for individuals to have personal data erased. This is also known as the ‘right to be forgotten’. The right only applies in certain circumstances. Employees have the right to have their data erased if it is no longer needed by the employer. The request can be verbal or written. Employers need to make sure that the data is erased from their live systems as well as backup systems. In some cases, employers aren't able to immediately erase data on their backup systems, but they should do so as soon as possible.


    The right to erasure does not apply if the processing is necessary for one of the following reasons:

    • To exercise the right of freedom of expression and information;
    • To comply with a legal obligation;
    • For the performance of a task carried out in the public interest;
    • For archiving purposes in the public interest, historical research or obtaining statistical information (monitoring regulations), where erasure would impair the achievement of that processing; or
    • If needed by a legal professional as part of the papers needed in current or future legal claims.


    Apart from these, the employer may refuse an erasure request if it is 'manifestly unfounded' or 'excessive'. This requirement is similar to that in the request for rectification. If an employer has refused erasure, this must be communicated to you within a month of receiving the request. Employees must be informed of the reasons for the refusal and their right to make a complaint to the ICO (or any other authority). They should additionally be given information on how to enforce this right through legal routes.
