Tag Archives: Article 5(1)(f) (GDPR)

Data Protection and Redundancy

The COVID-19 pandemic has had a considerable impact upon the economy. Government figures suggest that there have already been about half a million redundancies since the beginning of the pandemic; as the Government’s Job Retention Scheme put in place in March comes to an end at the end of this month, it is sadly inevitable that there will be further redundancies. When an employee leaves employment, whether by redundancy or not, there are data protection implications for employers that they ought to be aware of and take into consideration.

Many employers now have employees working from home when they would never have done so before. In early March, before the lockdown was put in place, many employers started kitting out their employees to enable them to work from home in line with government guidance and this continued as businesses tried to recover from the immediate aftermath of the lockdown. This will add a further dimension to the data protection considerations that employers should have in mind when making employees redundant.

When an employee is made redundant, employers have a duty to ensure that any personal data that the employee had in their possession continues to be secure. Employers should ensure that they revoke access to any IT systems that the employee had access to once the employee’s employment has terminated. If the employee is working out a period of notice then this should occur at the end of their last day; if not, it should happen as soon as is practicable after the employee’s employment has been terminated. Employers should ensure that any IT equipment that they provided is returned in case employees have stored personal data locally rather than inside the company’s system. Employers should also ensure that any printed material that the employee may have taken from the office or printed while working from home is also returned.

Where employees have been using their own devices in order to work from home, things get a bit more complicated. Employers should take steps to ensure that their former employees do not retain, on their personal devices, personal data for which the employer is the controller. What steps will be required will vary depending upon the circumstances. The obvious area is E-mail (for example, did the employee access their work E-mail on their personal phone?), both in terms of existing E-mails on the device and ones that arrive after the employment has come to an end. Laptops, tablets and other computer devices which are owned by the employee may have personal data stored on them from the employee’s time working from home; this should not be overlooked.

If you’re an employee it’s also important to consider how this affects you. If you’re taking templates and styles you need to ensure that you have stripped these of all of the personal data within them; otherwise this could cause problems for you personally. Also, if you’re hoping to set up on your own or move clients/customers to any eventual new employment that you have, then you should speak to your employer first. Taking personal data from an employer where you either do not have their consent, or could not reasonably believe that you would have their consent, could result in you being convicted of a criminal offence under the Data Protection Act 2018.

Working from home is likely to continue for some time, and when offices do begin to re-open employees may not be flooding back into them. Employers who were previously hesitant to allow home working may now be willing to offer some degree of home working once the pandemic is over. Whether you have allowed home working for a while or whether COVID-19 has been the impetus to change working practices, a home working policy which includes data protection measures is important. Your policies relating to home working should account for how the recovery of personal data will be dealt with where an employee leaves, whether that is by redundancy or not.

Data protection considerations may seem fairly low down the agenda at the present time, but with significant financial penalties a possibility for failing to have adequate technical and organisational measures in place, it’s something that should not be ignored. When your business may already be struggling financially, an ICO investigation followed by a financial penalty is probably the last thing it needs. For employees, it is also important that you follow any relevant policies and procedures which deal with personal data at the end of your employment; there could be consequences for you personally as well if you fail to do so.

Alistair Sloan

If you would like advice or assistance in relation to the data protection aspects of redundancy or home working, or any other information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Commissioner Dispenses GDPR Administrative Fine

On 20th December 2019, the Information Commissioner published a Penalty Notice [pdf] it had issued under the Data Protection Act 2018 to Doorstep Dispensaree Limited in the sum of £275,000. While we have had the Marriott and British Airways Notices of Intent, this is the first penalty notice published by the Information Commissioner exercising her powers under the Data Protection Act 2018 and the General Data Protection Regulation to issue administrative fines (formally known in the UK as “Penalty Notices”).

In this case, the Information Commissioner was acting upon information received from another UK regulator (the Medicines and Healthcare Products Regulatory Agency, or “MHRA”). The MHRA had executed a search warrant under its own regulatory scheme and discovered in a courtyard approximately 500,000 documents containing personal data, all of which were stored in an insecure manner. The MHRA inspected the documents and discovered that they contained personal data and special category personal data. The documents were dated from January 2016 to June 2018 and their condition indicated that they had been stored in the courtyard for some time. The Information Commissioner began an investigation; she wrote to the data controller asking a number of questions. The controller responded, via its solicitor; however, its response didn’t answer any of the Commissioner’s questions, and instead it seemed to the Commissioner (as recorded in the penalty notice) that the controller was denying any knowledge of the documents.

The Commissioner followed up with more information and repeated the questions initially asked. The controller refused to answer those questions, and the Commissioner records that it appears as though the controller was conflating the separate investigation by the Commissioner with the one being undertaken by the MHRA. The Commissioner thereafter issued it with an information notice, which the controller (unsuccessfully) appealed to the First-tier Tribunal. The Commissioner’s Penalty Notice then records that after the appeal was disposed of by the Tribunal, the controller did not comply timeously with the notice and the Commissioner had to threaten the controller with obtaining an information order and/or issuing a penalty notice.

The controller finally responded to the Information Notice, refusing to provide some information (under section 143(6) of the Data Protection Act 2018) on the basis that providing that information would open the controller up to prosecution by the MHRA in its separate criminal investigation. The controller provided various documents to the Commissioner, most of which were dated from 2015.

The Commissioner ultimately found that the controller’s infringements of data protection law were systemic in nature; the Commissioner pointed to the inadequate and outdated policies and procedures that it had in place. Furthermore, its privacy notice fell far short of what is required by Articles 13 and 14 of the GDPR. Interestingly, there appears to be no reference in the Penalty Notice to the early payment discount that was a feature of monetary penalty notices issued by the ICO under the Data Protection Act 1998.

The controller was also issued with an Enforcement Notice [pdf] by the Commissioner, which requires the controller to, among other things, update its internal policies and procedures, appoint a member of staff as an Information Governance Lead or Data Protection Officer, introduce mandatory training and update its privacy notice in line with Articles 13 and 14.

This Penalty Notice contains much that can be of assistance to controllers when it comes to enforcement action under the GDPR. The first point worth mentioning is that controllers are not well advised to refuse to co-operate with the ICO during investigations. Indeed, controllers (and processors) and their representatives are under a positive duty to co-operate with the Commissioner (Article 31 of the GDPR). In any event, the Commissioner has a range of powers to ensure that she can properly investigate alleged breaches of data protection law, including the power to issue an information notice, obtain an information order and obtain (and execute) a search warrant. Where you are facing multiple regulatory investigations simultaneously, it is important that you take each one seriously and understand precisely what each regulator is investigating and what their respective powers are.

It also appears that the Commissioner has dropped the early payment discount that used to be offered to controllers to encourage them to pay the penalty notice (an appeal automatically meant that the controller lost the early payment discount, as it would delay payment of the monetary penalty).

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.