Most of you will be aware of the requirements the Data Protection Act 2018 places on you, specifically in relation to the General Data Protection Regulations (GDPR) contained within it, with regards to personal and sensitive personal data. When you think of what personal and sensitive personal data you process you need to think outside of the box – this data isn’t just held on your databases, software and other IT systems.
If you have CCTV, a key fob or a fingerprint entry system, this will also qualify as personal data and in the case of CCTV or fingerprint entry, these are classed as sensitive personal data.
To process the personal data captured in these systems, you must identify and assign the most appropriate “legal basis” as set out by the GDPR. In relation to the personal data, it is likely that this will be the legal basis pertaining to “legitimate interest”.
So how do you ensure you have a legitimate interest?
There are three elements to legitimate interest. It helps to think of this as a three-part test. You need to:
- Identify a legitimate interest;
- Show that the processing is necessary to achieve it; and
- Balance it against the individual’s interests, rights and freedoms.
It is most appropriate where you use employee’s data in ways they would reasonably expect you to, and which have a minimal privacy impact, or where there is a compelling justification for the processing.
In the case of key fobs or swipe cards, your legitimate interest may well be health and safety, building security, or for schools safeguarding of pupils, and it is highly likely that you have told your employees that you will process their data in that way. It is not unusual to see signs that say ‘images are being monitored for security purposes’.
In relation to sensitive personal data i.e. CCTV and biometric data such as fingerprints, the legal basis is likely to be in relation to the employee’s employment, specifically:
“processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”
However, what if you want to rely on these types of data when managing employment matters, such as addressing conduct using your disciplinary procedure.
Can you use personal data to address employment issues?
A classic example of this is where employees abuse break times, taking longer or more breaks than the employer allows. Where is the first place you will look? Your CCTV or entry system records.
What to remember
The key to processing personal data, sensitive or not, is to ensure that you explain to the data subject:
What – what data you will process
How – how you intend to process it
Why – why you need to process the data
Use – what you will use it for.