Data Protection at work
Posted on 15th February 2020 at 23:40
All employers should read and follow the ICO guide on the DPA and the GDPR as it applies in the UK. It covers matters such as what personal data is, lawfulness of processing, fairness and transparency, as well as the right to be informed, rights of access, data rectification and erasure. The right to restrict processing and data portability is also covered.
While the guide is aimed at data protection officers and others with responsibility for data protection and primarily aimed at small and medium-sized organisations, it may help larger organisations too.
There are some key themes that employers should be aware of.
Consent
Organisations must demonstrate that employees were:
informed of the purpose and use of their personal data, and
given a clear explanation of how it will be treated.
Employees must consent freely to specific use, purpose, or processing of data. Employees’ silence or lack of complaint about the processing, consent incorporated as a standard employment contract term or in data protection policies does not meet the standard required.
Employers must record the grounds on which they will be processing each separate category of employee data.
Lawful processing
Organisations may process personal information lawfully for six reasons including complying with an employment contract or legal obligation, and protecting the legitimate interests of the employer or a third party.
Job references
Unless a relevant exemption applies, data subjects can request and be given a copy of their reference. The obligation depends on whether the request is made of the organisation providing the reference (usually the previous employer) or the organisation who obtained the reference (the prospective employer).
Email and internet
Data protection issues often surround email and internet use. Organisations need a comprehensive internet, social media and communications policy governing permitted data use.
Issuing staff with smart phones, laptops, tablets or USB devices has data protection implications, as can work use of employees’ own devices. ICO guidance suggests employers underestimate the risks associated with use of personal devices for work. Information may be at risk if there are inadequate security measures. An effective policy must cover permissible work use of all devices.
Monitoring should not be intrusive, for example using traffic data (about the routing, duration or timing of messages) rather than accessing email content. Both the DPA and Telecommunications Regulations (see below) must be complied with.
Accountability
Employers must demonstrate data protection compliance by training, auditing and documenting processing activities, and reviewing HR policies. They should also:
appoint a data protection officer (DPO) where appropriate – see below
only collect personal data that is adequate, relevant and necessary
remove names from data (anonymisation) or use data encryption to anonymise it (pseudonymisation conceals identities but allows them to be recovered)
be open with employees about data processing and allowing them to monitor it
identify and limit any detrimental effects on individual privacy.
Data protection officers (DPOs)
Any organisation can appoint a DPO, but organisations must to appoint one if they:
are a public authority
carry out large scale systematic monitoring of individuals
carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
DPOs report to the highest management level (usually the board). They must be given adequate resources, have a degree of independence, and protection from dismissal or detrimental treatment in connection with performing their duties.
Subject access requests (SARs)
SARs are written requests from individuals for information covered by the DPA. Organisations must respond for free and without ‘undue delay’, which means within a month. The number of SARs that can be made is unrestricted although some unspecific SARs or those made for non-data protection purposes can be refused.
SARs may be used to obtain preliminary information before an employment tribunal claim, although normal tribunal disclosure requirements entitle employees to more information than SARs. Organisations must comply if SARs arise during disciplinary processes.
Employers should:
identify who is responsible for responding to SARs and provide sufficient training
make managers and HR aware of the DPA rules governing requests
deal with SARs efficiently.
When organisations receive SARs, they should:
check its scope
identify onerous requests or those made for non-data protection purposes
set clear deadlines for responding
follow a response procedure.
The ICO has a useful checklist. Breaching the SAR rules attracts fines.
Sharing and transferring personal data
Third parties, such as payroll providers, external HR and recruitment agencies process employee data. The employer must ensure the third party is data protection compliant and:
clarify the information needed and why, and what the receiving organisation will do with it
only share essential data
anonymise or pseudonymise the data
check contract terms with third parties are GDPR compliant
check the relevant requirements for overseas transfers of data.
It may be possible to avoid sending personal data, or there may be a legitimate processing reason which avoids the need for employee consent.
Data security
Data security must be appropriate to the processing risks. The organisation’s size, the nature of information processed, and the potential harm from security breaches are all relevant.
In addition to clear policies covering security incidents, organisations should:
carry out risk assessments of data systems and act on the results
maintain up-to-date security systems (for example, using firewalls and encryption technology)
restrict access to personal data to those who need it
train staff on data security
review data security regularly.
Record keeping and correction
Organisations with over 250 employees must keep clear, accessible records of all their data processing activities. Smaller organisations only need to record any data processing they do regularly, or any processing of personal data which is sensitive, or could be harmful to, or intrude on the personal life of, the individual. The ICO can inspect records at any time. Data should only be kept for as long as needed to fulfil the purpose.
Organisations should:
think about the purpose of data retention
consider any legal requirement to keep the data for a period of time (tax records, for example)
decide whether the data is needed to defend a potential claim (such as a job applicant’s information who now alleges discrimination)
be able to justify retaining the data
respond to correction requests within the timeframe.
This content will only be shown when viewing the full post. Click on this text to edit it.
Tagged as: Data Protection
Share this post: