Privacy notices: ICO code and the new EU law
The Information Commissioner's Office (ICO) has published a new Code of Practice on Privacy Notices. It is the first Code to look ahead at compliance with the new EU data protection law. In this article, we look at what the new EU law will mean for Privacy Notices and why you need to think about them now.
What are privacy notices?
In order to collect, use and handle employees’ personal data lawfully in compliance with the current Data Protection Act, you need to tell employees what information you hold about them, what it is used for and whether you anticipate disclosing it to third parties (except if the disclosure is required by law). The term ‘Privacy Notice’ is used to describe this mandatory communication of information, though, in practice, it is often provided on more than one occasion and in more than one document over the course of employment.
How does the new EU law impact privacy notices?
The new EU law is called the General Data Protection Regulation (GDPR). It requires Privacy Notices to include more detailed and more specific information than under current law. For example, you will need to tell employees the legal basis for each type of processing. If you rely on the legitimate interests condition for processing (most employers do), you must go on to explain just what that legitimate business interest is. You will also have to tell employees what rights they have in relation to their personal data and how long you will keep their personal data. The information must all be provided in clear, accessible language – how and when you provide it varies depending on its nature and who provided the information to you in the first place.
In addition, the GDPR introduces a new obligation: you must be able to demonstrate compliance with the data protection principles. In relation to privacy notices, this could involve recording the processes you follow to make sure that the notices accurately reflect how you will process an individual’s personal data. You also need to think about how to evidence that employees are provided with relevant privacy notices within the correct time frame. It doesn’t stop there: what processes do you have in place to make sure that the privacy notices remain an accurate reflection of your data processing on a continuing basis?
New ICO Code on privacy notices
The new ICO Code on privacy notices (which is aimed at all organisations that collect data about people – not just at employers and their employee data) makes best practice suggestions in relation to the current law. The ICO states that following these best practice suggestions will help you comply with the GDPR ‘Privacy Notice’ requirements when the GDPR comes into force in May 2018.
Why you need to act now
All employers will need to update their privacy notices. This will involve far more than re-issuing existing ones with a bit of extra standard wording. Before you can begin drafting new notices, you need to work out what employee information you collect, keep and use and what you do with it. You need to think about who sees it, if you have a valid legal basis to process it and how long you keep it. We anticipate that in the course of doing this, most employers will unearth practices which breach the current law or the GDPR, which will need to be put right.
What about BREXIT?
The current law will continue to apply until May 2018, when the GDPR will come into force. The GDPR will apply directly to the UK until BREXIT, which we are expecting at the end of March 2019. It then remains to be seen exactly what stance the UK Government will take in negotiations relating to data protection, but it is very likely that UK data protection law will remain on a par with EU law after BREXIT.
How we can help
The new EU law is very complex and privacy notices are just one part of it. We recommend that employers begin to prepare for it now. This is why, in November, we are running a national seminar, ‘New data protection law: impact on HR processes and employee records’, which takes a practical look at HR's current and future data protection obligations. Book now to find out how EU data protection law will continue to influence our data protection regime, and what this will mean for HR processes and employee records.