The Data Protection Act 2018: HR HeadlinesPosted in : Hot topics in Employment and Technology Law with Matheson on 9 July 2018
In the fourth of the series by Crowley Solicitors on data processing in the workplace, Eimear Boyle provides an overview of the derogations from the General Data Protection Regulation (GDPR) contained in the Irish Data Protection Act 2018 (DP Act 2018) that will apply to Irish HR professionals’ data processing activities.
Special Categories of Personal Data
In order to lawfully process special category (sensitive) personal data under the GDPR, it is necessary to have a legal basis. The DP Act 2018 (giving effect to Article 9 of the GDPR) provides the legal basis for processing special category personal data for a number of specific purposes. The following are examples of sections under the DP Act 2018 that HR practitioners should be aware of when considering how to lawfully process special category personal data, subject always of course to suitable and specific measures being taken:
- Section 46: When processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller (employer) or the data subject (employee) in connection with employment or social welfare law. This legal basis mirrors Article 9 (2) (b) of the GDPR and is, in our opinion, a sensible restatement by the DP Act 2018 of how practical the GDPR is and that both recognise the clear need for employers to be able to process some special category personal data, simply in order to comply with employment law.
- Section 47: Where processing is necessary for the purposes of providing or obtaining legal advice for legal proceedings or is necessary for the purposes of establishing or defending legal rights. Employment litigation more often than not requires the processing of some special category personal data, such as personal data revealing racial origin, ethnic origin or religious beliefs (for example, in alleged workplace discrimination cases) or health data (for example, in workplace personal injury cases). It is logical that HR professionals would be provided a legal basis in this regard in order to allow them to obtain legal advice and to best state their case.
- Section 50: Where processing is necessary and proportionate for insurance and pension purposes. This explicit legal basis was not included in the General Scheme of Data Protection Bill (May 2017) but is clearly set out in the DP Act 2018, much to the relief of those working in the insurance industry and to employers for the administration of benefits and their employee-related insurance policies.
- Section 52: Where processing is necessary for health-related purposes, including a specific stipulation for the assessment of the working capacity of an employee. Section 52 is another very practical legal basis that the DP Act 2018 simply calls out. It will hopefully be of comfort to HR professionals to know that they can continue to engage medical professionals to assess an employee’s fitness for work as normal (subject to any workplace-specific policies).
Criminal Convictions and Offences
Article 10 of the GDPR permits personal data relating to criminal convictions and offences or related security measures to be processed under the control of official authority or where it is authorised by national law. Section 55 (1) (b) of the DP Act 2018 outlines where such processing is permitted. Of note for HR professionals includes:
- Where the data subject has given explicit consent (except where EU or Irish law prohibits it);
- Where the processing is necessary for the performance of a contract to which the data subject is a party; and
- For the purpose of legal advice, legal proceedings, defending or establishing legal rights.
Subject to additional considerations (and possibly restrictions) in respect of the processing of criminal convictions and offences personal data in an the employment context, which are likely to be sector and role-specific, it is helpful to know that there are derogations under the DP Act 2018 that may be explored and, subject to careful case management, utilised.
In line with the legal basis for processing special categories of personal data, the processing of personal data in respect of criminal convictions and offences is subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects.
Suitable and Specific Measures Taken for Processing Data
Thankfully, Section 36 of the DP Act 2018 outlines the types of suitable and specific measures that may be employed in order to avail of the data processing described in this article, namely, special categories of personal data and personal data relating to criminal convictions and offences (which also apply where suitable and specific measures are required for other data processing activities).
Such suggested measures include:
- Explicit consent from the data subject;
- Access limitations and logging mechanisms in order to verify access to and prevent unauthorised consultation, alteration, disclosure or erasure of personal data;
- Strict implementation of retention and erasure mechanisms,
- Specific targeted GDPR training for those involved in processing operations;
- Even where it is not mandatory, appointing a data protection officer; and
- Pseudonymisation and encryption of personal data.
Note: Eimear's colleague, Deirdre Crowley, Crowley Solicitors, is presenting a session at the Annual Review of Employment Law Conferences 2018, 'The GDPR and E Privacy – 6 Months In: Key trends and practical tips for HR professionals'. Early Bird Offer is available for this event - register now to save up to €100.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.