Introduction
The General Data Protection Regulation (GDPR), particularly under Article 9(2)(b), provides specific provisions that permit the processing of special category data in the realm of employment, social security, and social protection law. This article aims to demystify the conditions under which such data can be processed, ensuring compliance while safeguarding the fundamental rights and interests of the data subject.
The Legal Framework
Article 9(2)(b) of the GDPR stipulates that the processing of special category data is permissible if it is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Domestic Law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”
In the UK, the relevant legal authorisation is articulated in the Data Protection Act 2018 (DPA 2018), specifically under Schedule 1 condition 1. This legal structure requires entities to maintain an appropriate policy document when handling sensitive personal data under these circumstances.
Practical Applications
Employers may find Article 9(2)(b) particularly relevant when they need to process sensitive data to:
- Verify eligibility for employment in the UK.
- Ensure the health, safety, and welfare of their employees.
- Keep records of statutory sick pay, maternity pay, and similar entitlements.
- Manage deductions for trade union subscriptions directly from payroll.
Public authorities and other organisations providing social services also fall under this provision, particularly when they manage benefits and support concerning sickness, maternity, invalidity, unemployment, and other social support systems.
Legal Compliance and Necessity
For processing to be lawful under Article 9(2)(b), the purpose must align strictly with compliance with employment, social security, or social protection laws. It is crucial for organisations to clearly identify the specific legal obligation or right involved, possibly referring to relevant legislation or authoritative guidance, such as government or industry websites.
Limitations and Conditions
It is essential to understand that this condition does not extend to processing activities meant to meet purely contractual employment rights or obligations. The necessity of processing the specific data must be justifiable—it should be a reasonable and proportionate way to meet the specified rights or obligations without processing more data than is required.
Case Example
Consider a scenario where a coach company conducts random drug and alcohol testing for its drivers to ensure safety. This processing falls under Article 9(2)(b) as it is necessary to fulfil health and safety obligations in the workplace. However, if the company extends these tests to include non-safety-critical staff, it would likely be unable to justify the necessity of processing their data under this particular legal basis.
Conclusion
Understanding and applying Article 9(2)(b) of the GDPR requires a careful approach to ensure that the processing of sensitive personal data is legally justified, necessary, and proportionate to the rights and obligations in the fields of employment, social security, and social protection. Organisations must establish clear policies, maintain comprehensive records, and ensure they operate within the legal frameworks provided by GDPR and national laws such as the DPA 2018.
Navigating these regulations with a well-informed strategy not only ensures compliance but also protects the fundamental rights of individuals, reinforcing the integrity of data processing practices in sensitive areas.