Data protection: Consent is no longer the silver bullet

20 March, 2018

The upcoming General Data Protection Regulation (GDPR) will impact any organisation that processes personal data. 


Setting out rules around the collection and processing of individuals’ data, GDPR comes into force on 25 May. Failure to comply could result in fines of up to £17m or four per cent of turnover.


It is particularly relevant to the healthcare industry due to the regular processing of sensitive patient data. However, GPs should also review and update their processes regarding employees.


The GDPR distinguishes between personal data – broadly any information that makes an employee identifiable – and ‘special category data’ (formerly ‘sensitive personal data’) such as information relating to ethnicity and health.


Applying to the whole employment lifecycle (recruitment; employment; and post-employment), GDPR stipulates that employers must ensure they only process the minimum personal data necessary for a specific purpose and that it is retained for no longer than is required for that purpose.


You’ll need to consider how long CVs and interview notes are retained. Further, applicants must be informed of such retention and usage. Also, you should contemplate the retention periods for disciplinary warnings, sickness absence records, and how long to retain personnel files following the end of employment.


The Information Commissioner’s Office has been clear that data security is paramount. GPs must ensure they have appropriate security measures and practices in place. Written policies alone are not enough to defend a breach, they must be put into practice.


Historically employers relied on ‘consent’ to process employee data, with consent often hidden in a data protection clause within an employment contract. However, under GDPR ‘consent’ must be freely given and expressed by clear affirmative action. The ICO has warned that in the employment relationship, consent alone is unlikely to be the appropriate ground for processing personal data.


The result is that consent clauses in existing employment contracts are likely to be null and void, and where consent has been lawfully relied upon, employees shall generally have stronger rights, such as having the data deleted.


GPs will need to consider under what other lawful grounds they can process such data and update their processes accordingly. For ordinary personal data there are three particularly relevant conditions, namely: performance of a contract; compliance with a legal obligation; or legitimate interests pursued by employer (except where overridden by the individual’s interests or rights).


Regarding ‘special category data’ explicit consent is a lawful ground, but the more likely justification is that processing is necessary for carrying out your obligations as an employer. In practice, it covers health information for the provision of sick pay, avoiding unfair dismissal or discrimination, and compliance with health and safety laws.



This article first appeared in Practice Management, March 2018.