In the past few years, we have seen an increasing number of organisations developing or using AI solutions. Although the business case for the use of AI is compelling, tensions can arise where its use is at odds with data protection laws.
These tensions between AI and data protection include the following:
Transparency – the GDPR requires you to provide individuals with notice setting out how you are using their personal data. Where there is an element of automated decision-making which results in legal effects or otherwise has a significant effect on an individual (as there often is with AI), the controller is required to provide affected individuals with “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”. Given the complexities with AI and the fact that some types of AI can develop in an unsupervised environment, without human intervention, it can sometimes be difficult to meet these requirements.
Purpose limitation, data minimisation and storage limitation – the GDPR requires that personal data is processed for specific purposes, that no more personal data is processed than is adequate to achieve those purposes, and that personal data is kept only for as long as necessary to achieve them. There is often tension between these principles and AI, since the development of an AI system can result in data being used for purposes that were not anticipated when it was collected, and typically requires vast amounts of data to be fed into the system before it can meaningfully detect patterns and trends.
In respect of the transparency issue, the ICO has developed draft guidance along with the Alan Turing Institute (the UK’s national institute for data science and artificial intelligence) dealing with explaining AI. The guidance provides detailed information on the different ways in which businesses can seek to explain the processing they undertake using AI to the individuals concerned and seeks to address some of the concerns businesses may have in providing such explanations.
In addition to the above, the ICO is also working on finalising its AI auditing framework which will address the following specific issues:
Accountability – which will discuss the measures that an organisation must have in place to be compliant with data protection law.
AI-specific risk areas – which will discuss the key risk areas the ICO has identified in relation to the use of AI in the field of data protection.
As the use of AI becomes more widespread, it is hoped that the guidance issued by the ICO will help businesses better understand and comply with their data protection obligations whilst still allowing them to develop AI systems which can benefit organisations and individuals alike as our knowledge in this area continues to grow.
The GDPR provides supervisory authorities the power to issue huge administrative fines (and we have seen the ICO demonstrate its intent to levy such fines). It also provides individuals with the right to seek compensation against controllers and processors which fail to comply with its provisions. This is set to provide fertile ground for claimants bringing actions in this area, and we expect the number of claims for data protection violations to increase significantly over the course of 2020.
Of particular interest is the rising number of class actions being brought for data protection violations.
The decision of the Court of Appeal in Lloyd v Google LLC was significant since it allowed the case to be brought on behalf of all iPhone users affected by Google’s conduct over the relevant period on an opt-out basis. The Court of Appeal found this to be acceptable since all members of the class had the same “interest” (i.e. they had all suffered the same alleged wrong). This could have broad ramifications in the area of data protection, since violations will often affect a large number of individuals in the same way rather than being one-off events affecting specific individuals (e.g. where an organisation unlawfully sends marketing communications to its entire mailing list).
Many commentators have therefore suggested that the decision by the Court of Appeal in Lloyd v Google LLC could result in the floodgates opening for class action claims in relation to data protection violations. To a certain extent, this has already materialised, with a number of data protection class actions currently being fought out in the UK courts. Organisations which have suffered security incidents would appear to be at particular risk, with each of Morrisons, Equifax and British Airways currently litigating class actions in the aftermath of high-profile data breaches.
While the amounts awarded to individuals may be modest, in the event of a class action involving a large number of claimants, the potential total damages could dwarf the fines that could be imposed by the regulator.
The GDPR sets out six principles relating to processing of personal data. These include ‘lawfulness, fairness and transparency’, ‘purpose limitation’ and ‘data minimisation’. But then the GDPR adds another principle – that the controller “shall be responsible for, and be able to demonstrate compliance with” these six principles. This is referred to as the “accountability” principle. The ICO has said that “Accountability encapsulates everything the GDPR is about”. But what does it actually mean in practice?
Accountability is about putting data protection at the heart of your organisation. It means that you must consider data protection and privacy issues upfront when you are planning any new initiative. It includes things like:
implementing data protection policies;
recording your processing;
taking a data protection by design and by default approach;
having written contracts in place with processors;
implementing appropriate data security measures;
recording and, where necessary, reporting data breaches;
appointing a data protection officer;
establishing processes for handling data subject rights’ requests; and
carrying out data protection impact assessments where needed.
Towards the end of 2019 the ICO consulted on the idea of developing a toolkit to help organisations comply with their accountability obligations. The objective is to provide down to earth practical guidance on implementing privacy management programmes based on an understanding of technical challenges and other barriers (such as commitment to data protection from top management).
The ICO is planning to conduct a workshop on the toolkit in early February 2020. Following this, they expect to pilot the toolkit later in the year. It is hoped that this may help organisations, whose resources are already over-stretched, with achieving a good and practical level of compliance.
We’re now one year on from the introduction of the General Data Protection Regulation (“GDPR”) and one of the consequences for our clients has been a significant rise in the number of data subject access requests (“DSARs”) made by employees. By making a DSAR, current and former employees can obtain all their “personal data” held by their employer. As personal data is information that relates to an identifiable individual, employers hold significant amounts of personal data about their staff.
DSARs are notoriously time-consuming to manage and, under the GDPR, the time period employers have to respond has been reduced to one month from the longer period of 40 days that applied under the old regime.
Given the increase in number of requests and the shorter period for a response we set out below 10 top tips to help employers if and when they receive a request:
1. Create a protocol so that your business can respond within one month
In today’s electronic world, employees generate significant amounts of material which is likely to contain their personal data and which will need to be collated, reviewed and processed before your business can respond to a DSAR. Doing all of this within the short deadline of one month can be difficult, so having an agreed protocol in place which outlines the steps you will take to respond to a DSAR can help save precious time. A protocol should include an allocation of responsibilities and the steps which must be taken to comply with a request.
It is possible to extend the deadline by up to a further two months (three months in total), provided you notify the employee within the first month that you are doing so and explain why. The extension is only available where the request is complex or where the employee has made a number of requests, and in practice those circumstances arise rarely. Remember that your employee can complain to the ICO (Information Commissioner’s Office) about your decision to extend the deadline.
2. Train your staff
Your staff need to understand the importance of dealing promptly with DSARs. Crucially, relevant staff need to be trained on who within your business should be notified once a DSAR is received and, if they are responsible for responding to the request, how it should be managed.
3. Try to narrow the scope of the request
Often employees will be interested in very specific material when they submit a DSAR. For example, if they are participating in a grievance or disciplinary process or have recently had their employment terminated, there are likely to be particular documents they want to read. The scope of the request may be clear from the initial request. However, if it isn’t clear, consider having a conversation with the person making the request about what they want and whether the request can be narrowed. Doing so should help to ensure you can respond within one month and only give the employee the personal data they really want. Of course this isn’t always possible.
4. Consider using a bespoke platform to manage the DSAR
It can be helpful to use bespoke electronic platforms to manage DSARs as these will often have specific functionality to assist with running searches, identifying relevant documents and carrying out redaction. This can be very useful particularly for larger DSARs, which can otherwise be very difficult to manage on an employer’s normal IT platform. Employers should discuss this with their IT provider and make sure that their systems are fit for purpose.
5. Use appropriate search terms and do a sample review before undertaking a full review
Once you know what you are looking for, consider using search terms to generate an initial set of results. This might be the employee’s name (or variations on it) plus key words and date ranges which are likely to generate personal data, taking account of the scope of the request. Once you have created an initial set of results, carry out a sample review to make sure that the results are largely relevant. Depending on the search that you’ve carried out, you might have generated a lot of false positives which could be removed by a further refinement to your search terms before you conduct a full review.
6. Carry out a full review to ensure that the results contain personal data
Just because an individual’s name is mentioned in a document doesn’t necessarily mean that the document contains personal data. Make sure that you understand the test for personal data and apply it to your search results appropriately. Remember, personal data is information which relates to an identifiable individual.
7. Use the exemptions
When analysing the personal data, review the documents for those that are exempt from disclosure. You may need to take advice on this but the exemptions include references given or received, management forecasting or planning, information about negotiating intentions – perhaps in relation to a settlement agreement, third party information or information that may be subject to legal professional privilege.
8. Allow enough time for redaction
Once you have produced an initial set of results containing the employee’s personal data, you will need to review the material to see if anything needs to be redacted. In particular, you should ensure that any privileged material or personal data of other individuals is redacted before the response is sent to the employee.
9. Allow enough time to send the response
Depending on how the DSAR was submitted and the size of the response, you may need to provide a hard copy and/or electronic response. If you’re going to provide an electronic response, consider whether you will share the response on an electronic platform (and, if so, which one you will use) or whether you will email the response (in which case, ensure you have the right email address and that the attachments are small enough to pass through any relevant firewalls or mail gateways). Remember that the response is itself a bundle of personal data: send it by a secure route (a protected download link or an encrypted attachment rather than plain email) and only to an address you have verified belongs to the requester.
10. Create an audit trail
If an employee is dissatisfied with the response they receive to a DSAR they may complain about it to the Information Commissioner or a court or tribunal. If they do so, it will be important that you can demonstrate the steps you took to respond to the DSAR so as to minimise the risk of sanctions being applied.
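The search, sample, exemption, redaction and audit-trail steps in tips 5 to 10 above are the parts of a DSAR response that can be scripted. The following is an added example written for this page, not code from the authors or from any DSAR platform: it runs those steps over a small constructed set of HR documents. The corpus, names, keywords, the `privileged` flag used to stand in for legal professional privilege, and the simple whole-word regex matching are all assumptions made for the demonstration.

```python
"""Added example (not from the original article): a minimal, scriptable
pipeline for the search, sample, exemption, redaction and audit-trail steps of
a DSAR response. Every document, name and keyword below is constructed for the
demonstration; the 'privileged' flag and the whole-word regex matching are
simplifying assumptions, not a description of any real platform."""
import random
import re
from datetime import date

# Constructed sample corpus: a handful of HR emails and notes.
DOCUMENTS = [
    {"id": "doc-1", "date": date(2019, 3, 4), "privileged": False,
     "text": "Jane Smith's grievance meeting is booked for Friday with Tom Brown."},
    {"id": "doc-2", "date": date(2019, 5, 20), "privileged": True,
     "text": "Legal advice re J. Smith settlement: our negotiating position is confidential."},
    {"id": "doc-3", "date": date(2018, 1, 9), "privileged": False,
     "text": "Payroll reconciliation for Q4 2017 completed."},
    {"id": "doc-4", "date": date(2019, 6, 2), "privileged": False,
     "text": "Jane Smith disciplinary outcome: final written warning. Cc Tom Brown."},
    {"id": "doc-5", "date": date(2019, 6, 3), "privileged": False,
     "text": "Smith Street office move update for all staff."},
]

# Constructed request parameters (tip 3: scope agreed with the requester).
NAME_VARIANTS = ["Jane Smith", "J. Smith", "Smith"]        # bare surname will over-match
KEYWORDS = ["grievance", "disciplinary", "settlement"]     # narrowing terms from the agreed scope
PERIOD_FROM, PERIOD_TO = date(2019, 1, 1), date(2019, 12, 31)
THIRD_PARTIES = ["Tom Brown"]                              # other individuals' data to redact (tip 8)


def _matches_any(text, terms):
    """Case-insensitive whole-word match of any term in text."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE) for t in terms)


def search_documents(docs, name_variants, keywords, date_from, date_to):
    """Tip 5: initial result set = a name variant AND (any keyword, if given) within the date range."""
    hits = []
    for d in docs:
        if not date_from <= d["date"] <= date_to:
            continue
        if not _matches_any(d["text"], name_variants):
            continue
        if keywords and not _matches_any(d["text"], keywords):
            continue
        hits.append(d)
    return hits


def sample_for_review(hits, k, seed=0):
    """Tip 5: a deterministic sample so a reviewer can check precision before the full review."""
    rng = random.Random(seed)
    return rng.sample(hits, min(k, len(hits)))


def redact(text, third_party_names):
    """Tip 8: replace other individuals' names with a marker before disclosure."""
    for name in third_party_names:
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def build_response(docs, name_variants, keywords, date_from, date_to, third_party_names):
    """Tips 5 to 10 in one pass: search, withhold exempt material, redact, and keep an audit trail."""
    audit = []
    hits = search_documents(docs, name_variants, keywords, date_from, date_to)
    audit.append({"step": "search", "terms": list(name_variants) + list(keywords),
                  "hits": [d["id"] for d in hits]})
    disclosed, withheld = {}, []
    for d in hits:
        if d["privileged"]:  # tip 7: legal professional privilege exemption (flag is an assumption)
            withheld.append(d["id"])
            audit.append({"step": "exempt", "doc": d["id"], "reason": "legal professional privilege"})
            continue
        disclosed[d["id"]] = redact(d["text"], third_party_names)
        audit.append({"step": "redact", "doc": d["id"], "third_parties": len(third_party_names)})
    audit.append({"step": "send", "disclosed": sorted(disclosed), "withheld": list(withheld)})
    return {"disclosed": disclosed, "withheld": withheld, "audit": audit}


if __name__ == "__main__":
    # Broad search on names alone picks up 'Smith Street' (doc-5); adding keywords drops it.
    broad = search_documents(DOCUMENTS, NAME_VARIANTS, [], PERIOD_FROM, PERIOD_TO)
    narrow = search_documents(DOCUMENTS, NAME_VARIANTS, KEYWORDS, PERIOD_FROM, PERIOD_TO)
    print("names only:", [d["id"] for d in broad])
    print("names + keywords:", [d["id"] for d in narrow])
    print("sample for review:", [d["id"] for d in sample_for_review(narrow, 2)])
    response = build_response(DOCUMENTS, NAME_VARIANTS, KEYWORDS, PERIOD_FROM, PERIOD_TO, THIRD_PARTIES)
    for doc_id, text in response["disclosed"].items():
        print(doc_id, "->", text)
    print("withheld:", response["withheld"])
    for entry in response["audit"]:
        print("audit:", entry)
```

Running the block shows the false-positive problem from tip 5 directly: searching on the bare surname alone returns the "Smith Street" notice, and adding the agreed keywords removes it. The returned `audit` list is the kind of record tip 10 asks for; in practice you would write it to durable storage with timestamps and the reviewer's identity so that the steps taken can be evidenced to the ICO or a tribunal.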
How we can help
We regularly advise our clients on how to respond to DSARs and often work through these steps with them. If you’d like more information about the services we provide or if you have any questions arising out of this article, please contact us.
Helen Farr is a partner, and Daisy Jones is a senior associate, in our HR law team.
Employers cannot manage the employment relationship without using their employees’ data. Data is used by employers on a daily basis for a variety of tasks, ranging from monitoring sickness absence and administering benefits to paying salaries through payroll.
To process this data lawfully most employers rely on provisions in the employment contract authorising them to do so. However, employers need to be aware that simply including a provision in a contract may not be enough if the employer is using a specific class of data: sensitive personal data.
Sensitive personal data includes data about an employee’s health, sexuality, ethnicity and political beliefs. To use this data lawfully employers generally need the employee’s explicit consent, unless one of the narrow conditions that apply specifically to sensitive personal data is met.
Problems can arise for employers in a number of situations where they need to use sensitive personal data.
A common problem area is when a referral is made to a company’s occupational health team for an opinion and prognosis on an employee’s health problems. There are two main components to occupational health records: transferable information and the confidential clinical record. Transferable information is information that is generally accessible by the employer, the employee and enforcing bodies like the HSE – it includes information about accidents at work, monitoring data and exposure to hazards. The confidential clinical record is specific to the employee and his or her health during employment. This is sensitive personal data.
When the referral is made to Occupational Health it must be made with the employee’s consent. However, relying on consent may not be enough to protect the employer from a claim.
Employers must ensure that when they make a request for a medical report from Occupational Health the request is focussed and limited to the purposes for which consent is obtained.
They also need to make sure that any medical information provided to Occupational Health is focused. It is common practice for HR practitioners making the referral to send all sickness records they have about the employee. But what if the employee has suffered various health problems over the years, including conditions that the employee would not necessarily want his or her line manager or the wider business to know about? If the Occupational Health report refers to these historical conditions there could be claims by the disgruntled employee.
The consent that has been obtained is unlikely to be enough to protect the employer from a claim. Potential claims include a breach of the employee’s right to privacy and breach of the Data Protection Act. The issue could also lead to claims of discrimination. Therefore employers should not complacently rely on the consent received when requesting a report but must properly consider the particular purposes for which the report is needed.
Our experience is that most businesses do not send a copy of the Occupational Health referral to the employee. Best practice must be to do so. This avoids a potential problem when the employee reads a report containing a lot of historical medical information: it makes it difficult for them to claim that they did not agree to it being referred to.
Another potential problem area is the use of sensitive personal data about an employee’s sexual orientation. Many large employers have relationships-at-work policies obliging their employees to disclose romantic relationships with work colleagues. Of course, such a policy applies equally to same-sex relationships.
Again the problem employers often omit to consider is how that information is used. The business justification for disclosure of a relationship with a work colleague is to enable the employer to ensure that the parties to the relationship do not either benefit or suffer because of it. Sometimes employers post information about the existence of a relationship with a colleague on their intranet.
What the policy authors overlook is that the employer needs express consent to process information about sexuality, which is exactly what the disclosure of a same-sex relationship reveals. Therefore posting such information on the company’s intranet, unless the employee expressly consents to this, will be a clear breach of the Data Protection Act. There may also be claims for discrimination if the employee suffers less favourable treatment following publication of the information.
Employers therefore need to take care when relying on policies that allow them to use data. If the data concerned is sensitive personal data reliance on the policy is not enough to protect them from claims.
Helen Farr is a Partner in the HR Law team at Fox Williams LLP and can be contacted at HFarr@foxwilliams.com.