Legal news, views, trends and tools for HR Professionals. Stay ahead. Go further

DWF


Data Protection Checklist

All employers deal with data about their employees and prospective employees. This checklist highlights the key areas to think about when collecting and storing data.

Key considerations

How well do you know your own organisation? Do you know exhaustively what data you collect? You need to cover all staff i.e. employees, temps, agency workers, contractors, past and present.

Consider:

  • What fields are sensitive data (in a general sense)? e.g. bank account details.
  • What fields are “personal data” regulated by the Data Protection Act (DPA)? Most if not all data you collect on employees will be personal data.
  • What fields are “sensitive personal data”?
  • Who collects the data? Do you do this or do supplier(s) do it on your behalf (e.g. an IT supplier)?
  • When and how is it collected and stored?

Staying compliant is a team effort

Do you have a good, open relationship with your other stakeholders?

Consider:

  • Legal;
  • IT (especially information security);
  • Procurement;
  • Your board of directors – are they aware of the risks and issues?; and
  • Internal audit.

Do you have a compliance culture across your organisation?

  • People need to “walk the talk” on the ground.
  • Policies and contracts can protect you, but can be cold comfort if an incident occurs. Prevention is better than cure.

Dealing with employee data

What do you do when collecting employee data?

  • Communicate a privacy policy to each employee on joining your organisation and incorporate it into the handbook.
  • It should not form part of an employment contract directly, so it can evolve over time, but should have disciplinary consequences attached to it for non-compliance.
  • At the very least, it needs to explain what data you capture and the purposes for which it is used.
  • Each employee should have the opportunity to read and agree to the policy.
  • Only use data for the purposes for which it was originally obtained (any other purposes must be “compatible” with the original ones).
  • Do you have processes and controls to make sure any changes affecting employee data are captured and the policy (and staff) updated accordingly?

Do you monitor staff? Do you monitor their computer systems, calls, location, social media posts etc?

  • Inform your staff about monitoring; be specific about the extent to which monitoring is going to be conducted and the purposes for which it is going to be conducted, e.g. social media, calls, location etc.
  • You cannot record calls for just any purpose. Training, quality monitoring and establishing facts (e.g. contracts) are acceptable purposes.
  • Draw up and implement a policy which each employee should have the opportunity to read and agree to.

Do you allow staff to “bring their own device” to use for work?

  • You need to inform staff of the implications of this, not least the security measures your organisation puts in place.
  • Draw up and implement a policy which each employee should have the opportunity to read and agree to.
  • Have you engaged with your information security team?

All employee data has to be kept accurate and up to date and should be proportionate

  • What processes and controls do you have in place to ensure this is done?
  • You cannot retain employee data forever.
  • Data has to be systematically archived and anonymised or securely destroyed once no longer needed.

You have to respect an employee’s rights regarding their data

  • The right to opt out of direct marketing.
  • The right to object to automated decision-making about them (e.g. as a result of profiling, credit checking). The right to object to processing of their personal data that is causing damage or distress.
  • The right to have inaccurate personal data about them rectified, blocked, erased or destroyed in certain circumstances.
  • The right to claim damages for loss and compensation for distress in certain circumstances.
  • The right to be told what information is held on them (“subject access requests”).
  • What processes and controls do you have in place to ensure this is done?

All employee data must be kept secure

  • Have you engaged with your information security team?
  • For suppliers this issue is normally addressed at a contracting stage.
  • What processes and controls do you have in place to ensure this is done?
  • Make sure all staff who have material access rights and privileges are reasonably reliable.

You cannot transfer employee data outside of the EEA without additional safeguards being in place

  • For suppliers this issue is normally addressed at a contracting stage.
  • It is a particular risk with “cloud” IT systems.
  • What processes and controls do you have in place to ensure this is complied with?

Prospective employees

  • Only collect data that you actually need for the purposes of recruiting.
  • If you intend to use the data set out in any application for any purpose other than vetting/assessment, you should specify this on the application form.
  • If you intend to use third party data sources as part of your assessment and vetting process (e.g. social media), you should specify this on your application form.
  • Consider whether a separate privacy policy is required to explain all data sources and purposes for which you might use an applicant’s data.
  • Make sure your organisation’s identity is clearly set out in any adverts / application forms.
  • Make sure you tell an applicant what will happen to their data post-application (and remember you cannot hold on to personal data indefinitely).
  • Make sure any agencies you use treat personal data appropriately.

What training do you have in place?

Do you train ALL your staff who can handle personal data? On induction? On an ongoing basis? As necessary? Consider informal awareness campaigns, e.g. on an intranet, in staff circulars or at team meetings.

Remember that a large proportion of data mistakes occur through human error. Training is seen as a key mitigator of risk by the Information Commissioner’s Office (ICO).

The absence of training is a key aggravating factor in all ICO sanctions

  • Tailor your training to your audience.
  • Managers need different training to administrators.
  • Staff within your HR, legal and information security functions should be especially well-trained.

This note is a summary of the issues and is not a substitute for detailed legal advice. It may contain information of general interest about current legal topics, but it should not be taken as providing legal advice on any of the topics covered.


employment@dwf.co.uk
