< Back

Share |

Is consent the best approach to processing employee data?

July 2013

In the UK

Inevitably, employers are required to process the personal data of their employees during the employment relationship. The Data Protection Act 1998 (DPA) provides that personal data must not be processed unless at least one of the conditions in Schedule 2 of the DPA is met. The Schedule 2 conditions which are most likely to apply in an employment context include:

  • where the data subject has given his or her consent to processing;
  • where processing is necessary for the performance of the employment contract;
  • where processing is necessary for compliance with any legal obligation (other than an obligation imposed by contract); and
  • where processing is necessary in order to protect the vital interests of the data subject.

Many aspects of processing employee data do not require specific consent and fall within another Schedule 2 condition. For example, providing information to HMRC to enable salaries to be paid via payroll is likely to be necessary for the performance of the employment contract.

Union Jack flag

Many employers prefer, however, to obtain employee consent to processing rather than rely on alternative Schedule 2 conditions. Express consent is perceived as transparent, difficult to challenge, and involves the 'buy-in' of the employee. Consent is also perceived as being less open to the vagaries of interpretation of other conditions which often involve an employer having to make its own judgment about whether or not processing is for a legitimate interest. As such, consent is generally regarded as a more reliable and 'safe' option.

It is common in UK employment contracts to include a data protection clause in which the employee grants consent to the employer processing their personal data in connection with their employment or the business of their employer. Such clauses usually permit the employer to disclose or transfer personal data to other employees or any group companies of the employer, and will typically will also include consent to the transfer and disclosure of personal data outside the European Economic Area.

The benefit to an employer of including such a clause in an employment contract is in demonstrating that an employee has granted generic consent to processing personal data for employment related purposes. This removes the inconvenience and administrative difficulties of an employer being required to ask an employee to consent to each specific incidence of processing.

There are, however, difficulties in ascertaining whether general consent in an employment contract or policy satisfies the conditions of the DPA. Although the DPA does not itself define consent, under the Data Protection Directive 1995 (DPD), consent by an individual must be a "freely given, specific and informed indication of his wishes by which the individual signifies his agreement to personal data relating to him being processed" (Article 2 (h)) and consent must be "unambiguous" (Article 7). 

Positive indication of consent, such as a signed employment contract, will usually be sufficient to establish that consent is "unambiguous".  It can be harder to establish this where consent is implied, for example due to failure to complete an opt-out or objection box.

Files

The requirement for "specific and informed" consent will also usually be satisfied provided that the data protection clause in the employment contract is well drafted and clearly informs the employee of the type of personal data that will be processed, the purposes of such processing, and makes clear that processing will be continued and repeated throughout the employment relationship.  Where any particular incidence of processing strays outside the scope of what is envisaged in the employment contract, it will be hard to rely on the employment contract to establish that the employee has given specific and informed consent to that particular form of processing.

The condition of consent that causes the most problems in practice is the requirement for consent to be "freely given".  The Information Commissioner's Office (ICO) considers that "the extent to which consent can be relied upon in the context of employment is limited", primarily because the inevitable power imbalance between an employer and employee generally undermines the extent to which an employee can be said to have freely given their consent.  If the consequence of not entering into an employment contract containing a consent clause is that a job applicant is not offered a position, or an existing employee's continued employment or provision of benefits is conditional on entering into such a contract, then it is questionable whether the employee has any realistic alternative and is freely consenting. 

Due to the difficulties in establishing that employee consent meets the requirements of the DPA, employers should consider why, in practice, they need to process an employee's personal data, and, ideally, should be prepared to identify another Schedule 2 condition to support their reasons for processing.  As noted, in many cases, processing of an employee's personal data will be necessary for the performance of the employment contract and will be legitimate, whether or not an employee has provided their consent.   A considered approach which jointly combines employee consent and another legitimate Schedule 2 condition will be much less open to challenge at a later date. 

In Germany

The position regarding the use of consent to justify the processing of employee personal data in Germany is similar to that in the UK. Processing of employee data is generally prohibited under German data protection law unless the employee has given consent or some other legal justification exists. In Germany, however, consent can justify data processing to an extent much broader than stipulated by the permissive rules of the German Data Protection Act (BDSG). This means that even if data processing is not initially permitted under the BDSG, data processing (including export to non-EEA countries) can become lawful where valid consent is given.

German flagSection 4a BDSG, places strict conditions on the obtaining of valid consent, which is especially relevant regarding the consent of employees to the processing of their personal data by their employers. The data subject must be informed both in principle and in detail about the extent and the purpose of the data processing. This requirement is rarely satisfied on consent declaration forms in Germany. In many cases the data subject is just informed in a very general way that his personal data will be used and transferred to third parties which does not do the job. Under German data protection law, the data subject must be explicitly informed about the specific use of his data, the specific purpose for processing and the full name of the third parties that will receive the data (generic words like “service providers” or “affiliates” are not good enough). Furthermore, consent must be sought explicitly for any transfers of data outside the EEA.

Even if these strict requirements are met, it is debatable whether consent given in an employment relationship can be valid. As under UK law, another requirement of valid consent is that the consent be freely given and this presents the same issues in Germany as it does in the UK.

Consent may be considered valid in an employment relationship under certain circumstances, for example, when the employee gains some kind of advantage by giving it, but there will also be many cases where consent will be considered not to have been freely given and, consequently, void. This limitation to consent as a grounds for lawful processing in an employment relationship has been formalised in section 32l of the draft for the new employment data protection law. Even though it is uncertain when and if this draft law will ever enter into force, it should be taken into account. In addition, it is worth remembering that under German data protection law (as under UK law), consent can be withdrawn. This is another reason why using consent to justify necessary data processing activities in the workplace is often not advisable unless it is combined with another justification.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Safety keys
Paul Voigt

Paul Voigt       

Anna McCaffrey       





Anna and Paul look at the issues around obtaining valid consent to the processing of employee personal data in the UK and in Germany.

"A considered approach which jointly combines employee consent and another legitimate condition will be much less open to challenge at a later date."