The Data (Use and Access) Act 2025: What employers need to know

20/06/2025

The Data (Use and Access) Act, which has just become law, is the first major post-Brexit reform to data protection law.   It's intended to make it easier for UK businesses to benefit from technological innovation, particularly artificial intelligence and automation.   As well as having a major impact in sectors such as clinical research, healthcare and consumer businesses, it has significant implications for employers. 

Automated Decision-Making (ADM)

The Act relaxes the rules on ADM, providing employers with greater flexibility to use automated systems, including AI, for processing personal data, without needing to obtain the explicit consent of candidates and staff (which can be challenging in an employment context) or to demonstrate that the processing is necessary for entry into or performance of a contract. This is likely to result in increased usage of ADM in recruitment, performance evaluations, and job mapping. However, there are still important limitations on its use.

  • Transparency requirements: Employers must inform employees and job applicants when ADM is used and provide meaningful information about the logic involved, as well as the significance and consequences of such processing.  They must enable the individual to contest the decision and request meaningful human involvement in the decision-making. 
  • Fair and lawful processing: Employers must ensure that ADM in recruitment and employment does not result in discrimination or unfair treatment. As well as giving rise to discrimination claims, this would expose the employer to liability under the GDPR.
  • Special Category Data: Stricter rules still apply to the use of special category data (e.g., health information) in ADM. Employers must obtain explicit consent or demonstrate that the processing is necessary for substantial public interest.

Employers should ensure that privacy notices for candidates and staff provide the required information and that any ADM is implemented only with appropriate safeguards in place. 

Handling data subject access requests (DSARs)

The Act clarifies some aspects of the process for handling DSARs, by allowing data controllers to pause the response timeframe while seeking further information from the data subject, where this is reasonably required in order to respond to the request.   This is helpful for employers facing wide-ranging requests.  It also clarifies that data controllers must conduct a reasonable and proportionate search for the relevant personal data - again, a helpful change.  

However, there's a sting in the tail.   The Act introduces a new requirement for data controllers who wish to withhold personal data because it is legally privileged.   They must keep a record of their reasoning for relying on this exemption and inform the individual making the request of the following:

  • the fact that they have relied on this exemption and the reasons for doing so; 
  • the individual's right to request intervention from or complain to the Information Commissioner; and
  • the individual's right to apply for a court order seeking disclosure of any material withheld. 

Given how widely used DSARs are in employment disputes and how frequently issues of privilege arise when responding, this is likely to cause significant issues for employers.  

Complaints procedure

The Act requires data controllers to have a complaints procedure so that individuals who believe their rights have been infringed have a formal internal mechanism for resolving this before complaining to the Information Commissioner.    We anticipate that the Information Commissioner will provide further guidance about how the complaints process should work, but employers should start planning now. 

Employers should keep an eye out for the new guidance, which is expected soon, and prepare for DSARs to become an even more contentious area in employment disputes. 
