Key areas of focus for ICO’s new guidance

As you may know, the Information Commissioner, the ICO, is currently working on some new guidance and they have been calling for views from relevant stakeholders to help shape it. Of course, those stakeholders include employers so we have submitted our views to the ICO, based on what we think will help our clients. In a moment we can share the key points with you. 

By way of background, the ICO has previously published detailed guidance, including the employment practices code, supplementary guidance and the quick guide. It is now planning to replace that with a new, more user-friendly online resource with topic-specific areas. The ICO says it wants to make sure that the new guidance addresses the changes in data protection law and reflects the changes in the way employers use technology and interact with staff. They intend addressing the processing of personal data in the context of recruitment, selection and verification, employment records, monitoring at work and workers’ health, as well as data processing in the context of TUPE.

The views we have submitted are based on the issues we see clients struggle with day to day and we have flagged these with the ICO and invited them to address these points specifically. So where do we see clients struggling and how can the new guidance help? Katy Docherty is a data protection specialist who drafted the response to ICO’s consultation on behalf of Pinsent Masons. Katy joined me by video-link from the Glasgow office. One of the areas Katy flagged was the buying of new technology. So what’s the issue there? 

Katy Docherty: “The issue here is that quite often we find that technology somewhat outpaces law and outpaces regulation and it may be that the technology that is available to employers for various purposes, involving their employees or their customers, actually has technological capabilities that might in practice not be lawful under data protection legislation if you were to use that technology to its fullest capability. So, for example, new technology may allow for more intrusive monitoring of employees than if you were to carry out a data protection assessment of activity which would, in fact, be lawful. So one of the key things for companies to look out for when they're researching and buying new technologies is really whether they are buying technology that is capable of doing more than they think they can lawfully do, and being careful that they don't go out of the bounds of lawful processing just because technology is able to carry out a particular type of monitoring or a particular type of data processing. I think, probably, there is quite good scope for HR, or for those with data protection responsibility in an organisation, to be involved in that initial scoping and researching process when employers are looking at purchasing this technology for that reason.”

Joe Glavina: “Can I move on to TUPE, Katy? So you say in response to one of the ICO’s questions that often transferors are uncertain and reluctant to transfer data to the new employer, citing GDPR, or a lack of consent, as reasons for not providing information. Can you explain that point?”

Katy Docherty: “So one of the issues that we often find on commercial deals and on TUPE transfers stems from a slight lack of knowledge of data protection rules on the part of, for example, the transferor in a TUPE transfer who is going to be transferring over data to the new employee, so employment contracts is a very good example. They often think that the GDPR and data protection legislation prevents them from providing any of this information unless they have the consent of everybody involved and it’s quite a common misconception, more common than you would think, and we quite often find ourselves advising clients on how to try and persuade transferors, for example, that actually they probably do have a lawful basis to hand over things like employment contracts, even if it's not consent. It is quite a difficult commercial situation because, obviously, the buck stops with the transferor, it's their final call as to whether they think they have a lawful basis to transfer, and we can try and persuade them, and reassure them all we like but, ultimately, if they think that they have to rely on consent only, for example, they're not going to hand over that data. So, I think the one thing that we would find very useful for our clients when they're in that slightly difficult commercial situation is perhaps slightly more detailed guidance from the ICO on the thought process that you have to go through when you're handling employee data in the context of a transfer, or in the context of a commercial deal, and a reminder that consent might not always be the only lawful basis, there are other lawful bases that you can rely on to transfer over data. I think being able to point to guidance like that would be really useful in these commercial situations where there's a bit of, perhaps, lack of expertise on data protection, and some nervousness on the part of those holding the employee data. So we think that having this guidance would be a useful tool for us to point to in those situations to try and persuade them that a data transfer can take place.”

Joe Glavina: “A final point Katy, on vaccination status. You say that company's own clients are increasingly asking for vaccinated staff to work on their projects, or asking for proof that staff are vaccinated and how that’s potentially difficult.”

Katy Docherty: “So this is one of the trickiest issues that a lot of our clients are facing, where they're getting pressure from their own clients, for example, to only provide vaccinated staff to work on sites. I don’t think the ICO will come out with this new guidance that gives a strict yes or no either way. I think what they will do is remind employers that it is quite a delicate balancing act and we would like them to provide guidance to help employers work out what kind of data protection considerations they need to take into account when they're looking at whether they can either mandate their own staff, that's a very tricky topic, or whether they can even hold data on their own staff’s vaccination status. A lot of employers are wrestling with this at the moment, there are several different approaches that we're seeing in the market at the moment, and I think that guidance from the ICO would be really helpful in allowing employers to work out what the right approach is for them from a data protection perspective because the same answer and won't apply to every single situation. My key bit of advice for employers who are currently wrangling with this, in the absence of any kind of more detailed ICO guidance, is to make sure that for example your own policies and practices on holding the vaccination status of your staff doesn't differ from the practices of your clients and if it does differ, that's an issue that you need to be alive to because you're going to have to manage that in a sensitive way that doesn't damage the commercial relationship, but also means that you're able to meet your data protection obligations. So, I do think this is one of the trickiest issues that employers are going to have to deal with for as long as Coronavirus is with us, and it's one of the reasons why we've focused on asking the ICO for some more detailed guidance on what employers thought process should be when they're looking at this topic.”

The ICO’s consultation - their call for views on employment practices - closed last week, on 28 October. As soon as the ICO has digested all the responses from all the various stakeholders they will publish new guidance so watch this space.