GDPR for HR | Accessing employees' non-work related emails, Brexit, DSAR's and more
Published on 2nd Aug 2022
Welcome to the second edition of our GDPR for HR newsletter - bringing you a snapshot of developments, cases and insights relating to privacy in the workplace.
Deciphering Data: our monthly hot topic
Can employers access non-work related emails sent from 'general enquiries' work accounts?
It is generally accepted that employees have a legitimate expectation of privacy in respect of their personal affairs. However, the recent Court of Appeal decision in Brake v Guy found that no such expectation exists in respect of a former employee's personal emails sent from a "general enquiries" email address owned by their employer.
This should not be taken to mean that personal emails will never be protected. In fact, the same court indicated that had the business account been in the employees name, rather than a general enquires account, their expectation of privacy would have been greater.
Ultimately, the question of whether personal communications sent on work systems can be accessed by an employer will depend on the specific facts in each case. Not only will it be important to consider the kind of account in question, but also who has access to that account (that is, do multiple people use the account or is it password protected with only one employee having access?), the internal policies of the employer (do they provide employees with an expectation of privacy in respect of email accounts?) and any other fact-specific details.
In the news
Brexit and the DSAR regime
On 23 June, the first major update on the reforms to the data protection regime in a post-Brexit Britain was published, containing the UK government's reply to the consultation responses. The update contained various proposals. One potentially impactful change proposed relates to Data Subject Access Requests (DSARs).
Under the proposed regime, nominal fees to process DSARs will not be reintroduced, but where a DSAR is perceived to be "vexatious or excessive" it could be rejected, a material change from the previous threshold of a DSAR needing to be "manifestly unfounded or excessive" to be denied. As an example of a DSAR which would be perceived as "vexatious and excessive", the government described an employee leaving on bad terms and using subject access requests to disrupt their former employer.
Reforming data protection laws
Several other proposals, particularly focused on the accountability and governance structure of the current data protection law, were included in the government's update on 23 June which HR professionals should be aware of, including proposals to:
- Replace the requirement to designate a data protection officer with an obligation to appoint a senior individual to be responsible for data privacy management.
- Remove the requirement to undertake data protection impact assessments (DPIAs) and allow greater flexibility for data protection risk assessments.
- Replace the current record-keeping requirements with greater flexibility to document the purposes of processing.
The Data Reform Bill was introduced to Parliament on 18 July. Read more on the government's consultation response our Insight.
Osborne Clarke round-up
Top tips for handling data subject access requests
This recent article sets out our 10 top tips to follow when dealing with DSARs, with a focus on striking the right balance between risk and cost. If you would like any assistance or advice on handling DSARs, please get in touch.
Data-driven business models
Osborne Clarke, in partnership with the European Company Lawyers Association, has published a ground-breaking report exploring the challenges and opportunities associated with data driven business models (DDBMs).
With 62% of businesses surveyed across Europe offering data-driven products or services, and a further 27% planning to do so in the near future, it is clear that DDBMs are becoming central to the worldwide digital economy.
The detailed report looks at the role of in-house legal teams in helping to deliver success for businesses utilising DDMBs, while offering legal insight, inspiration and practical solutions for managing DDBMs.
For a taste of what to expect from the report, check out this 12-minute video which summarises the report's content and our recommendations for in-house counsel. Meanwhile, this infographic gives an overview of the report's key findings and this article looks at some of the main obstacles faced by legal teams in implementing DDBMs, and how the in-house legal function is evolving to meet those challenges.