The United Kingdom’s Information Commissioner's Office (“ICO”) has released new guidance on the disclosure of employee data during a takeover or transfer of a business or where there is a “service provision change” (e.g., an outsourcing, re-sourcing or in-sourcing). Under regulation 11 of the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) sellers, organisations outsourcing for the first time or outgoing service providers are required to provide certain employee information, known as “employee liability information”, at least two weeks before the transfer is completed.
Employee liability information comprises: name and age; employment start date; statutory particulars of employment; information of any disciplinary action taken, or grievance or employment claim brought, in the past two years; and details of any employment claims there are reasonable grounds to believe the employee may bring.
When TUPE came into force two years ago, the ICO confirmed that section 35 of the Data Protection Act 1998 (“DPA”), which allows the disclosure of personal data where the disclosure is required by law, permitted transferors to provide employee liability information without breaching the DPA. The new guidance confirms that the information can be provided to comply with TUPE but advises companies when disclosing employee liability information under regulation 11 of TUPE nonetheless to take care to comply with data protection principles. For example, companies providing information should ensure that the information is accurate, up-to-date and secure, and companies receiving the information should only use the information for the purposes of TUPE, such as assessing possible liabilities to those employees or planning how they are going to be adopted into the business.
Where companies receive requests for information which go beyond the requirements of regulation 11 of TUPE or where TUPE does not apply to the transaction, wherever possible information should only be released on an anonymous basis or, if this is not possible, obvious identifiers such as name should be removed. Companies should obtain employees’ consent to the disclosure of this information or put in place appropriate safeguards to ensure that the information is only used in connection with the proposed transaction and will not be kept afterwards.
After the transaction, the buyer/new service provider should check whether all the employee information is needed and, if not, it should delete or destroy securely any unnecessary information. It is permissible for the seller to keep some personal information about former employees after the transfer, provided that there is a justifiable need (e.g. to deal with any liabilities in relation to former employees) and the information is deleted or destroyed securely when it is no longer needed.
The guidance concludes by recommending the following as good practice:
Unfortunately, the guidance leaves a number of practical questions unanswered. One key question is that of employee consent. Given that consent is recommended in relation to the disclosure of information that does not fall within TUPE, companies may consider including in employees’ contracts of employment consent to the disclosure of personal data in the context of an M&A or outsourcing transaction. However, consent obtained in this way is arguably not a “specific and informed indication of an employee’s wishes” if nothing is known at the time of giving consent about a putative transaction at some point in the future.
The guidance also does not help companies resolve the issue of what employee information should be provided when in a competitive re-tendering situation on a service provision change. In such situations the organisation and incoming service provider push for employee information to be provided for the re-tendering; however, the outgoing service provider is often reluctant to do this, and will rely on its obligations under the DPA to avoid doing so. Beyond confirming that the information should only be released on an anonymous basis or, if that is not possible, with obvious identifiers removed, the guidance does not assist with the question of either the scope of the information which it is permissible to provide at this stage or the permitted timing of such provision.
 Pay details, place and hours of work, holiday entitlement, sick pay, pension provision, notice period, job title, length of employment (if not permanent), details of applicable collective agreements and additional provisions if required to work outside the UK for more than a month.
 See definition in Article 2 of the Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (95/46/EC).