Employment and pensions

GDPR for HR | Accessing employees' non-work related emails, Brexit, DSARs and more

Published on 2nd Aug 2022

Welcome to the second edition of our GDPR for HR newsletter - bringing you a snapshot of developments, cases and insights relating to privacy in the workplace.

Above view of people in a meeting sitting around a table

Deciphering Data: our monthly hot topic 

Can employers access non-work related emails sent from 'general enquiries' work accounts?

It is generally accepted that employees have a legitimate expectation of privacy in respect of their personal affairs. However, the recent Court of Appeal decision in Brake v Guy found that no such expectation exists in respect of a former employee's personal emails sent from a "general enquiries" email address owned by their employer. 

This should not be taken to mean that personal emails will never be protected. In fact, the same court indicated that had the business account been in the employees name, rather than a general enquires account, their expectation of privacy would have been greater. 

Ultimately, the question of whether personal communications sent on work systems can be accessed by an employer will depend on the specific facts in each case. Not only will it be important to consider the kind of account in question, but also who has access to that account (that is, do multiple people use the account or is it password protected with only one employee having access?), the internal policies of the employer (do they provide employees with an expectation of privacy in respect of email accounts?) and any other fact-specific details. 

In the news

Brexit and the DSAR regime

On 23 June, the first major update on the reforms to the data protection regime in a post-Brexit Britain was published, containing the UK government's reply to the consultation responses. The update contained various proposals. One potentially impactful change proposed relates to Data Subject Access Requests (DSARs).

Under the proposed regime, nominal fees to process DSARs will not be reintroduced, but where a DSAR is perceived to be "vexatious or excessive" it could be rejected, a material change from the previous threshold of a DSAR needing to be "manifestly unfounded or excessive" to be denied. As an example of a DSAR which would be perceived as "vexatious and excessive", the government described an employee leaving on bad terms and using subject access requests to disrupt their former employer. 

Reforming data protection laws

Several other proposals, particularly focused on the accountability and governance structure of the current data protection law, were included in the government's update on 23 June which HR professionals should be aware of, including proposals to:

  • Replace the requirement to designate a data protection officer with an obligation to appoint a senior individual to be responsible for data privacy management.
  • Remove the requirement to undertake data protection impact assessments (DPIAs) and allow greater flexibility for data protection risk assessments.
  • Replace the current record-keeping requirements with greater flexibility to document the purposes of processing.

The Data Reform Bill was introduced to Parliament on 18 July. Read more on the government's consultation response our Insight.  

Osborne Clarke round-up 

Top tips for handling data subject access requests

This recent article sets out our 10 top tips to follow when dealing with DSARs, with a focus on striking the right balance between risk and cost. If you would like any assistance or advice on handling DSARs, please get in touch.

Data-driven business models

Osborne Clarke, in partnership with the European Company Lawyers Association, has published a ground-breaking report exploring the challenges and opportunities associated with data driven business models (DDBMs). 

With 62% of businesses surveyed across Europe offering data-driven products or services, and a further 27% planning to do so in the near future, it is clear that DDBMs are becoming central to the worldwide digital economy. 

The detailed report looks at the role of in-house legal teams in helping to deliver success for businesses utilising DDMBs, while offering legal insight, inspiration and practical solutions for managing DDBMs.

For a taste of what to expect from the report, check out this 12-minute video which summarises the report's content and our recommendations for in-house counsel. Meanwhile, this infographic gives an overview of the report's key findings and this article looks at some of the main obstacles faced by legal teams in implementing DDBMs, and how the in-house legal function is evolving to meet those challenges.

Follow
Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up
Related articles
UK Employment Coffee Break | New Vento bands, EAT rules on trial periods as reasonable adjustments, and immigration update
28/03/2024 5 mins
UK Public Service Pensions Update | March 2024
20/03/2024 6 mins
How to bridge the gap in gender pay in the Netherlands to avoid surprises
15/03/2024 3 mins
UK Employment Law Coffee Break: Age webinar, statutory family leave and the Platform Workers Directive
14/03/2024 5 mins

services

topics

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up