How can you undertake thorough and effective due diligence in the context of a TUPE transfer without breaching data protection legislation?
This is a question we have been asked by clients a few times of late and so we thought it would be useful to get the answer out there for the wider benefit of employers in general.
In summary, the General Data Protection Regulation (GDPR), duly tailored by the Data Protection Act 2018, requires UK employers to comply with the following data protection principles when processing their employees’ personal information:
- Data should be processed fairly, lawfully and in a transparent manner.
- Data should be obtained for specified and lawful purposes and not further processed in a manner incompatible with those purposes.
- Data should be adequate, relevant and not excessive.
- Data should be accurate and kept up to date.
- Data should not be kept for longer than necessary.
- Data should be kept secure.
One of the biggest data protection headaches employers face in TUPE situations is in relation to the disclosure of Employee Liability Information (ELI).
Notwithstanding the need for the acquiring business to undertake due diligence in respect of the employment of the individuals it will take on when the transfer takes effect, TUPE requires the transferor (e.g. the seller or current service provider) to provide the transferee (e.g. the buyer or new service provider) with certain ELI so that the transferee can determine the employment-related measures post-transfer. The transferor must then inform / consult with affected employees regarding those measures.
The ELI will invariably include personal data such as the age and birth dates of the employees concerned, as well as their terms and conditions of employment and information about any recent disciplinary and grievance issues. As provision of this information is a legal obligation, data protection legislation does not prevent the transferor relaying it without anonymisation. However, wherever practicable, transferors will often endeavour to anonymise as a means of erring on the side of caution, on the basis that transferees frequently request information such as sickness absence and parental leave as part of a wider due diligence exercise. As a result, it is often difficult to keep track of which information is protected as ELI and which is not.
Effective anonymisation for the purposes of the GDPR simply means ensuring that individual employees cannot be identified from the information that is disclosed. The simplest way to achieve this is to refer to each employee by number and to use those numbers consistently throughout the process.
If an employer decides not to anonymise the ELI it discloses, the affected employees should at least be issued with a privacy notice which confirms that their personal data is being provided to the transferee and why.
Regarding the consequences of failing to follow the data protection principles outlined above, employers can be subject to significant fines for related data breaches under the GDPR and may also be subject to direct claims for compensation by individuals who have suffered damage as a result of any such breaches. Therefore, it is worth investing time and attention into how the ELI process is to be handled from the outset.
If you are an employer that is subject to a TUPE process at present, or could be in the near future, and have misgivings about the data protection implications of due diligence and the provision of ELI, please contact us for an initial discussion without charge or obligation.