When you are considering implementing workforce management software (WFM), issues around data protection, and GDPR in particular, need to be addressed early. In this blog article we look at how GDPR affects a workforce management implementation and set out the questions that, in our experience, you will need answers to.
What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the European Union (EU) regulation that strengthens and unifies data protection for individuals within the EU. It also governs the export of personal data outside the EEA. Its main aims are to give citizens and residents control over their personal data and to simplify the regulatory environment for businesses by applying one set of rules across the EU. It applied from 25 May 2018, including in the UK, and after the UK left the EU the UK retained it in domestic law as the “UK GDPR”, alongside the Data Protection Act 2018.
GDPR creates real work for businesses. The good news is that a WFM implementation is a natural point to get your handling of employee data in order: if you set the system up with the requirements below in mind, the scheduling, time and attendance and payroll data it holds can be kept as compliant as the rest of your processing.
Does GDPR affect the data in a workforce management system?
Yes, it does. The GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable natural person, that is, someone who can be identified directly or indirectly from that data. Your WFM provider will hold employee scheduling and other data relating to each member of your staff, all of whom can be identified from it.
Does my choice of hosting solution have an impact on GDPR compliance?
If you host the solution on your own premises, you are the controller and you carry out the processing yourself, so there is no separate processor unless the vendor has access to the live data (for example remote support access), in which case the vendor is a processor for that access. If a third party hosts it, they are the processor and you remain the controller.
If my SAAS-based WFM provider is hosting the solution, who is the GDPR processor and controller?
The most popular option is for your SAAS-based provider to host the solution. In this case the SAAS WFM provider is the processor and your organisation, as the customer, is the controller. The data stays under your control as controller, and your contract should say so explicitly, including what happens to the data when the contract ends.
A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
If my WFM provider processes my data, do they need a “lawful basis”?
The lawful basis is yours to establish. “Lawful basis” is a key principle of GDPR: as controller, you must identify the lawful basis under Article 6 for every purpose for which employee data is processed in the WFM system, and document it, before processing starts. You, not the provider, must tell the data subjects (your staff) what data is collected, why, and on what basis, through your privacy notice. The provider, as processor, may process the data only on your documented instructions and only to the extent needed for the service, and it must not take more personal data than the service requires. In most cases the arrangement rests on two elements.
- Your organisation, as the controller, has a lawful basis: usually that processing is necessary to comply with a legal obligation or to perform the employment contract, rather than consent (see the next question).
- The WFM provider has a contractual obligation to your organisation, as its customer, to process only the data needed to perform that contract, on your instructions.
Is there a legal obligation to process data with WFM, or do we need staff permission?
We are not qualified to give legal advice, but in most cases an employer has a legal obligation to process the data held in a workforce management system. The obligation comes from the employer’s duty to comply with a number of legal requirements, such as tax authority (PAYE) record-keeping, national minimum wage legislation, working time rules, and holiday and pension regulations.
Note that this legal obligation only covers the minimum data required to comply with those obligations. If your WFM system collects more than that, you need a separate lawful basis for the additional data. Be careful with consent here: because of the imbalance of power between employer and employee, regulators treat employee consent as valid only where staff can genuinely refuse without detriment, so for most additional data you will be relying on legitimate interests (with a documented balancing test) or should simply not collect it.
Do I need a separate data processing contract with my WFM provider under GDPR?
Not necessarily: if your main contract covers all of the Article 28 requirements, that is enough. But you do need a written contract of some sort. Article 28(3) of the GDPR requires a written contract (or other legal act) whenever a controller uses a processor, setting out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subject, and the processor’s obligations. Similarly, if a processor engages another processor (a sub-processor), it needs a written contract with them on the same terms, and it needs your prior authorisation to do so (Article 28(2) and (4)).
Can I use biometrics for time and attendance on my WFM system?
To understand fully how GDPR affects a workforce management implementation, you also need to consider the time and attendance side.
The simple answer is yes, you can. However, you need to consider it carefully, carry out a data protection impact assessment (DPIA) and discuss the setup in detail with your WFM provider. That is because biometric data processed for the purpose of uniquely identifying a person is Special Category Data under Article 9 of the GDPR, and a DPIA is required for processing that is likely to result in a high risk to individuals, which biometric identification of staff will normally be.
Data controllers must still have a lawful basis under Article 6 for processing such data in exactly the same way as for any other personal data, and they must inform the data subject. The difference is that you must also satisfy one of the specific conditions in Article 9(2) of the GDPR.
We aren’t qualified to give legal advice. However, it is our understanding that employers are likely to be able to rely on the Article 9(2)(b) condition, processing that is necessary to carry out obligations or exercise specific rights “in the field of employment and social security and social protection law”, because employers must comply with the National Living Wage, working time rules and the working hour limits for student visa holders, all of which are much easier to evidence with biometric time and attendance. In the UK this condition also requires you to have an “appropriate policy document” in place (Data Protection Act 2018, Schedule 1). To rely on it you need to carry out a Data Protection Impact Assessment (DPIA) and consider the alternatives (card, PIN or app-based clocking), since the condition turns on the processing being necessary, not merely more convenient. If the DPIA justifies the use of biometrics, they can be used and remain GDPR compliant. We strongly recommend you take legal advice on this subject because it is probably the most contentious issue around WFM and GDPR.
What is Special Category Data?
Special Category Data is personal data that needs more protection because it is sensitive. To lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a particular condition for processing under Article 9. These do not have to be linked.
If I use biometric readers for time and attendance purposes, who is the data controller and who is the data processor?
Typically, WFM providers sell biometric face or fingerprint recognition readers to customers, which are installed on the customer’s premises for staff to “clock in and clock out”. If the readers have been sold, they are owned by the employer. Each reader takes the biometric scan, derives a template from it and keeps an encrypted copy of that template in its own storage. The template is not usually sent to the WFM provider’s servers, so with this setup your WFM provider never processes it on their equipment. What most readers send is a “data string” containing the time and location of the scan and an identifier of the person clocking in. That string is personal data under GDPR, but it is not special category data; the special category data (the template) stays on the reader at the employer’s premises. Check this with your provider rather than assuming it: some readers, and some multi-site or cloud enrolment setups, do sync templates to a central server, and if the provider’s server ever holds templates the provider becomes a processor of special category data and your contract and DPIA must reflect that. As owner of the readers you should also ask how the stored templates are encrypted and what happens to them when a reader is decommissioned or a member of staff leaves.
If this is the way your biometric readers are working, then you as the employer are the controller of the special category data (and carry out that processing yourself), and your WFM provider is the processor of the personal data that the reader sends to the WFM system.
Is there anything I need to know about GDPR and other T&A tools?
In our article about other types of time and attendance “clock-in” mechanisms, we list a variety of ways to register the start and end of shifts. Several of these simply generate more personal data of the kind already discussed: timesheets, web-based “clock-in” tools and feeds from till data. In these cases, the personal data is covered by the rest of your GDPR compliance checks.
The area that needs a closer look is app-based “clock-in”, where staff use their own phone to clock in via an NFC tag, a QR code or GPS-based location checking. If you are using one of these apps for time and attendance, you should consider whether you are capturing “location data”.
Am I capturing Location Data under GDPR with my T&A tools?
“Location data” is a defined term in the UK Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR, and processing it requires consent and specific handling. The ICO’s view is that the PECR rules on location data apply only to providers of public electronic communications networks and services (such as mobile phone operators). The ICO’s guidance reads:
“In our view, this does not generally include GPS-based location information from smartphones, tablets, sat-navs or other devices, as this data is created and collected independently of the network or service provider. Neither does it include location information collected at a purely local level (eg by wi-fi equipment installed by businesses offering wi-fi on their premises). However, organisations using such data still need to comply with the Data Protection Act.”
Based on this view from the UK ICO, using NFC, GPS or QR code-based apps for time and attendance does not mean the employer is capturing “location data” in the PECR sense. It is still personal data under GDPR, though, and where someone was when they clocked in can be intrusive. So tell staff exactly what the app records, collect only what the clock-in needs (a match against the site’s geofence at the moment of clocking in, rather than a stored GPS trail), make sure the app does not track location between clock-ins, and cover it in your DPIA.
Is my WFM system likely to count as Automated Decision Making?
In our opinion, this is another crucial area to cover. The GDPR (Article 22) restricts decisions based solely on automated processing, without any human involvement, that produce legal effects or similarly significantly affect the individual. A decision that changes what someone is paid can fall into that category.
The area where there is some debate is the use of “Automatch rules” to match biometric scans to expected working hours and approve them automatically, which can have the effect of adjusting staff pay. Most workforce management solutions require a manager to check and approve a summary of all matched shifts each day, and that manager can override any automatically matched scan. If that is how your WFM system is set up, you will not be caught by the automated decision-making rules, provided the review is genuine: the manager must actually look at the matches and have the authority, the information and the time to change them. A review that is routinely approved in bulk without being read is not meaningful human involvement. If the system is fully automated with no manager intervention, you may want to take legal advice.
Where should my WFM data be stored to be GDPR compliant?
The GDPR restricts transfers of personal data outside the EU (and, under the UK GDPR, outside the UK) to third countries or international organisations. Transfers are straightforward where the destination has been found to provide adequate protection: the EU has an “adequacy decision” covering the UK, the UK recognises the EU and EEA countries as adequate, and both have adequacy findings for a number of other countries. Data can therefore be stored in the EU, in the UK, or in any country covered by an adequacy decision. Storage anywhere else needs a separate transfer mechanism, such as the EU Standard Contractual Clauses or the UK International Data Transfer Agreement, plus a transfer risk assessment. Ask your provider where the data, its backups and any sub-processors (support, analytics, hosting) are actually located, because the transfer rules apply to all of them.
Can my staff ask for the data held on a WFM system to be deleted?
The right to erasure (Article 17) is also known as ‘the right to be forgotten’. The broad principle is to allow an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right is not absolute: in some specific circumstances it does not apply, and you can refuse the request.
One of those circumstances is where the processing is necessary to comply with a legal obligation (another is the performance of a task carried out in the public interest or in the exercise of official authority). With most WFM setups the data being processed is part of payroll processing, and most tax authorities require employers to retain this information, which gives an exemption from the right to erasure. Be aware that this only covers the data required to meet those obligations, and only for as long as they require it. Additional data held on your WFM system is not covered by this exemption and should be erased on request, and a refusal should tell the employee which data you are keeping and why.
HMRC requirements and how long should I keep data?
In the UK, most employers rely on HMRC’s record-keeping requirements as the basis for retaining payroll data for 6 years plus the current tax period, often referred to as the 7-year requirement.
HMRC’s actual minimum for PAYE records is 3 years plus the current period: “an employer must keep, for not less than 3 years after the end of the tax year to which they relate, all PAYE records which are not required to be sent to the Inland Revenue by other provisions of these Regulations” (Income Tax (PAYE) Regulations 2003, SI 2003/2682, regulation 97).
However, not all payroll data relates to PAYE, and so many companies feel safer holding the data for 6 years. For instance, HMRC’s time limits for raising an assessment run to 4 years after the end of the tax year in the normal case, 6 years where tax was lost through carelessness and 20 years where the loss was deliberate, so records may be needed to defend an enquiry well after the 3-year PAYE minimum. This is why most UK WFM platforms default to retaining data for 7 years. Whatever period you choose, write it down in your retention schedule and apply it: keeping employee data indefinitely because you might need it one day is not compatible with the storage limitation principle.
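The two points above, that the erasure exemption covers only the payroll data a legal obligation requires, and only for the retention period that obligation sets, are easy to state and easy to get wrong in a system that treats “delete employee” as all-or-nothing. The following example, added to this article and not code from any WFM product, shows an erasure request applied record by record: payroll fields are kept until 6 years after the end of the tax year they relate to, everything else is erased immediately, and the reason is recorded so it can be given to the employee. The record layout, the field names and the split between “payroll” and “additional” fields are assumptions for the example, as is the sample data.

```python
"""Selective erasure of WFM data with a legal-retention carve-out.

Example code added to this article; not from any WFM product. The record
layout and the field classification below are assumptions for the example."""
from datetime import date

# Assumed: the fields needed to meet payroll/PAYE record-keeping obligations.
# Everything else in a record is "additional" data with no retention exemption.
PAYROLL_FIELDS = frozenset(
    {"employee_id", "ni_number", "tax_year_end", "hours_worked", "gross_pay"}
)

# Retention used by most UK employers per the article: 6 years after the end
# of the tax year the record relates to (plus the current period).
RETENTION_YEARS = 6


def uk_tax_year_end(d: date) -> date:
    """Return the 5 April that ends the UK tax year containing d."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)


def retention_expiry(tax_year_end: date) -> date:
    """First date on which a record for that tax year may be erased in full."""
    return tax_year_end.replace(year=tax_year_end.year + RETENTION_YEARS)


def process_erasure_request(records: list, today: date) -> list:
    """Apply an Article 17 request to one employee's per-tax-year records.

    For each record returns what was retained, which fields were erased and
    the reason to give the employee. A record whose retention period has run
    out is erased in full; otherwise only the payroll fields are kept, and
    the reason states until when.
    """
    outcome = []
    for rec in records:
        expiry = retention_expiry(rec["tax_year_end"])
        if today >= expiry:
            outcome.append({
                "retained": {},
                "erased": sorted(rec),
                "reason": "retention period ended %s; nothing kept" % expiry.isoformat(),
            })
            continue
        retained = {k: v for k, v in rec.items() if k in PAYROLL_FIELDS}
        erased = sorted(k for k in rec if k not in PAYROLL_FIELDS)
        outcome.append({
            "retained": retained,
            "erased": erased,
            "reason": "legal obligation (payroll record keeping) until %s" % expiry.isoformat(),
        })
    return outcome


# Constructed sample data for one employee: one record from an old tax year and
# one from a recent tax year, each mixing payroll fields with additional data.
SAMPLE_RECORDS = [
    {"employee_id": "E1042", "ni_number": "QQ123456C", "tax_year_end": date(2016, 4, 5),
     "hours_worked": 1720, "gross_pay": 24100.00,
     "shift_preferences": "no weekends",
     "photo_url": "https://wfm.example/photos/E1042.jpg"},
    {"employee_id": "E1042", "ni_number": "QQ123456C", "tax_year_end": date(2023, 4, 5),
     "hours_worked": 1690, "gross_pay": 27950.00,
     "shift_preferences": "early shifts",
     "emergency_contact": "A. Example, 07700 900123"},
]


def demo_outcome() -> list:
    """Run the sample request as if received on 1 June 2024."""
    return process_erasure_request(SAMPLE_RECORDS, date(2024, 6, 1))


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("request received in tax year ending", uk_tax_year_end(today))
    for result in demo_outcome():
        print(result["reason"])
        print("  kept  :", sorted(result["retained"]))
        print("  erased:", result["erased"])
```

On the sample data the 2015/16 record is erased completely (its retention ran out on 5 April 2022), while the 2022/23 record keeps only the five payroll fields until 5 April 2029 and loses the shift preferences and emergency contact straight away. Two design points matter in practice: the decision is made per record and per field, never per employee, and the retention cut-off is computed from the tax year the data relates to rather than from the date of the request, so the same record gives the same answer whoever handles it.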