Sensitive personal data in HR functions: climbing the ladder of legal bases

By Sam Rayner
November 4, 2018

The GDPR’s coming into application on 25 May 2018 has forced HR teams across the US and EU to re-evaluate the ways in which they justify the use of personal data relating to their employees, applicants and contractors. Whilst compliance priorities will vary between businesses, all US-headquartered organizations with a presence or personnel in the UK should be particularly mindful of their enhanced obligations to satisfy multiple conditions under both the GDPR and the UK’s new Data Protection Act 2018 (“DPA 2018”) before collecting certain special categories of personal data.

Please note that this article focuses on the legal regime as it applies in the UK. Justifications for processing special categories of personal data are devolved – in full or in part – to individual EU member states. This means that restrictions will vary by jurisdiction and a granular, country-by-country compliance exercise is required.

What are “special categories” of personal data?

Formerly known as “sensitive personal data”, the following categories of data (many of which are commonly used in the HR context) are called out for specific protection in the GDPR and under the DPA 2018 because of their perceived sensitivity:

  1. information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, health, sex life or sexual orientation;
  2. genetic data and biometric data used to uniquely identify a person; and
  3. information relating to criminal convictions, offences and related security measures (which although not technically ‘special categories’ of data under the GDPR, are – broadly speaking – treated in the same way under the DPA 2018).

First base: Identify a general legal basis

American employers with EU-based operations or staff must – in their capacity as data controllers of their HR data – justify all of their activities involving personal data (regardless of whether it is sensitive or not) under one of the six “general” legal bases in Article 6 of the GDPR. In the employment context, this will usually be possible on the basis that activities are necessary: (a) to perform the employment (or other) contract; (b) for the employer to comply with a legal obligation; or (c) for the purposes of the employer’s legitimate interests. Where “legitimate interests” are relied upon, an employer must undertake and document a balancing exercise to ensure that these are not overridden by the interests or fundamental rights of the individuals concerned.

Second base: Identify an additional legal basis and implement an appropriate policy document where required

Where the sensitive types of data are collected, data controllers must also identify an additional legal basis before they can process this information as well as the initial general legal basis. This is because the processing of these categories of information is generally prohibited unless an additional, tougher, condition is also met. Some of these conditions are set out in the GDPR in Article 9, but the UK’s DPA 2018 also identifies a number of further legal bases for processing this special category data in Schedule 1. In order to rely on many of these UK-specific domestic conditions in the DPA 2018, employers will also need to implement an appropriate policy document which must explain how they ensure that the sensitive processing complies with the GDPR’s underlying principles and requirements, in particular those relating to retention and data minimisation.

The table below summarizes some of the (non-exhaustive) additional conditions which are likely to be of most relevance to employers of UK-based staff when seeking to use sensitive personal data:

Where an employer processes data relating to actual or alleged criminal convictions or offences – such as when undertaking criminal record checks or processing evidence of employee fraud – then it must refer to the DPA 2018 for an additional legal basis. Article 10 of the GDPR does not itself supply one: it permits such processing only under the control of official authority or where authorised by EU or member state law providing appropriate safeguards, so the conditions are in practice set by local member state law – in the UK, by the DPA 2018 and its Schedule 1.

What is an “appropriate policy document”?

Guidance on what will be acceptable as an “appropriate policy document” is currently limited. However, the DPA 2018 does confirm that such a document must, at minimum: (i) explain an employer’s procedures for securing compliance with the GDPR’s key data protection principles; and (ii) set out its retention and erasure policies, in each case as specifically applicable to the relevant ‘special categories’ of data. Much of this information is likely already set out in employers’ existing data protection policies, but it must be tied expressly to the sensitive processing in question.

The UK’s DPA 2018 also mirrors the GDPR’s focus on “demonstrating accountability” by requiring employers to retain any such policy document for at least 6 months following the end of any processing activity involving sensitive personal data, during which period it must be reviewed, updated and provided without charge to the Information Commissioner’s Office (the UK’s data regulator) upon request. Furthermore, where sensitive personal data is processed, an employer’s record of processing activity (as required under Article 30 GDPR) must also note the processing conditions relied upon and confirm compliance (or explain any non-compliance) with the required policy document.

What else do we need to do?

Identifying appropriate legal bases for the processing of these special categories of personal data (and keeping these under review) is just one step towards satisfying the GDPR’s onerous requirements. These will feed into and inform multiple aspects of HR compliance programmes, including employee-facing privacy notices, records of processing activities, the need for data protection impact assessments where carrying out high-risk processing and – potentially – the requirement to appoint a GDPR-compliant data protection officer. Where the business acts as a data processor for its customers, Article 28(3)(b) GDPR also requires it to ensure that the employees who handle customer data are committed to confidentiality, typically through contractual obligations in their employment terms.

US-headquartered organizations which have not yet considered their obligations under GDPR would be well-advised to undertake an urgent gap analysis of current HR operations against the now enhanced legal requirements. Please do get in touch if this is something our team of international specialists can help with.

The Author

Sam Rayner

Sam Rayner is an Associate in the UK office of Bird & Bird. Sam has particular experience of co-ordinating large international projects and working with clients within the technology, media, sports and entertainment sectors.
He has also spent time working within our Privacy & Data Protection team, so is well placed to advise on employee data processing issues and the GDPR’s impact on HR operations.

For more information or to contact Sam, please visit his Firm Profile Page.
