Collection and retention of personal data: key GDPR requirements for healthcare employers
Data protection is a crucial consideration for all healthcare organisations, given the nature and the amount of information about individuals that such an organisation will handle, not least regarding their workforce.
Any information relating to an identifiable person (not a company or organisation) will amount to “personal data” for data protection legislation purposes. For example their name, date of birth, passport number or health information. The General Data Protection Regulation (GDPR) regulates the processing of such personal data by organisations, including within the context of the employer/employee relationship.
What is required to ensure lawful processing of personal data?
Under the GDPR, it is essential that personal data is processed for at least one of the lawful reasons (or “bases”) stipulated within the GDPR. There are a number of lawful bases but the most relevant for employers when processing personal data for staff are:
- The processing is necessary in order to comply with a legal obligation (e.g. the requirement to provide information to HMRC about wages paid).
- The processing is necessary to perform a contract with the individual (e.g. obtaining and keeping a record of bank details to pay wages as per an employment contract).
- The processing is necessary for the employer’s legitimate interests and those interests are not outweighed by the interests, rights and freedoms of the data subject (e.g. in order to measure staff development and progress against targets).
Whilst consent from an individual is a lawful basis for processing under the GDPR, it is not advisable to rely upon consent when processing personal data in relation to the individual’s contract of employment. Whilst it may be acceptable to rely upon consent from an employee if the data processing is separate to their contract of employment, such consent may not deemed valid in the context of an employer/employee relationship, due to the perceived imbalanced relationship between the parties. We therefore recommend reliance on one of the other bases, with consent as a last resort, when dealing with an employee’s personal data.
The lawful basis which is relied upon must be communicated to the individual by way of a GDPR-compliant privacy notice. This should be provided at the time that the personal data is collected.
A key principle of the GDPR is data minimisation. This means that personal data should not be held or used unless this is required for the lawful basis that was set out within the privacy notice and that personal data should be irretrievably deleted once the lawful basis for processing has expired.
It is therefore a good idea for employers to establish retention periods to ensure that personal data is not retained once the lawful basis for processing has passed. Whilst some types of personal data for staff will no longer be required once their employment with the organisation has ended (such as bank details held by payroll), there are a number of types of personal data which should be retained in accordance with statutory obligations. A non-exhaustive list of examples is set out below:
- Accident books, accident records/reports: Three years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21).
- Income tax and national insurance returns, income tax records and correspondence with HMRC: Not less than three years after the end of the relevant financial year.
- Payroll wage/salary records (also overtime, bonuses, expenses): six years from the end of the relevant tax year .
- Statutory Maternity Pay records and certificates (also shared parental, paternity and adoption pay records): Three years after the end of the tax year in which the maternity period ends.
For categories of personal data without a statutory retention period, the employer will need to decide an appropriate retention period. Whilst the simplest approach may seem to be a blanket retention period for all types of personal data, this would not be compliant with the GDPR. Employers must take a specific and reasoned approach in relation to each category of personal data linked to the lawful basis for processing. In reaching such a decision, employers should always review the length of time that personal data is kept and consider the applicable lawful basis when deciding how long to retain it. Put simply, personal data should be kept for no longer than is necessary. What will be necessary will vary from data to data and to some extent, employee to employee.
In September 2020, the Information Commissioner’s Office announced that it will take an “empathetic and pragmatic” approach to the regulation of data protection during the ongoing COVID-19 pandemic. However, it has made it clear that it will continue to investigate non-compliance with the GDPR and take enforcement action where necessary. Such action could include a substantial fine. Therefore, healthcare employers should make all reasonable efforts to ensure that their approach to the collection and retention of personal data is GDPR compliant, despite the significant strain on resources and capacity within the healthcare sector at the moment.