A fundamental principle of data protection is transparency. Ensure that your business has in place appropriate Privacy Notices for employees, workers, contractors and job candidates. Privacy notices must clearly explain to individuals what personal data is held, how it is used and why. Employee general consent in relation to the processing of personal data is outdated and ineffective – contracts should be reviewed to reflect this.
Special category data includes information relating to health, racial and ethnic origin, sexual orientation or sex life and trade union associations. Information relating to criminal offences is also sensitive. Employee explicit consent may be required in relation to the processing of special category data. Ensure your business has appropriate policies to explain the approach to compliance with data protection principles when processing special category employee data.
Minimise the collection and retention of personal data to only that which is genuinely needed. Review systems and standard forms (such as application forms) and remove questions that ask for information that is not used or necessary to know. For example, if you do not monitor diversity, don’t ask for diversity information.
At least annually, verify and update employee information to ensure that employee data is accurate and correct. Many HR systems already have the means to facilitate annual checks, or can be configured to do so. Ensuring contact details, next of kin, and emergency contact details are up to date is not only good practice but can avoid embarrassing disclosure breaches.
Regularly audit security measures to ensure that employee data is accessed only by those who need to know it. Protocols setting out access rights, permitted use and other measures to ensure compliance with data protection principles are helpful. Essential security measures include the use of access controls, passwords, anonymisation, pseudonymisation, encryption and secure disposal.
Managers who retain their own records or copies of documents such as CVs, performance reviews and medical certificates risk serious security breaches, which can easily undermine efforts within the HR department to ensure the security and integrity of employee data. Use an employee data amnesty allowing managers to return employee data to HR for safekeeping and provide training to managers to understand why this is necessary.
The ICO’s new Code of Practice on Data Sharing makes clear that data protection is not a blocker to sharing employee data. However, HR departments should review Privacy Notices to ensure transparency, and should review Data Sharing Agreements with providers such as payroll providers, benefit providers, and occupational health advisers to ensure that there are appropriate terms in place regarding the use, security, and retention of employee data.
On the introduction of any new HR system, initiative or new way of working involving employee data, a Data Protection Impact Assessment is good practice and good evidence that the employer has considered data protection compliance and accountability. An Impact Assessment will help to identify risks and measures to address those risks.
Develop a response plan in relation to potential security breaches. Personal data breaches must normally be reported within 72 hours, and so a set response plan can save valuable time. Identifying the nature and scope of the breach and remedial action is the priority. Plan ahead so that, in cases of a serious breach, measures to assist employees and help protect their privacy are available.
Employees often exercise the right of access in the context of a grievance or dispute. Ensure you have a process in place for responding to data subject access requests in an effective and timely manner (usually within a month). HR teams should be familiar with the ICO guidance on this issue, particularly to understand the privacy rights of managers and other employees before making any disclosures.
If you need help navigating data protection for your HR team, or need advice in relation to any of the issues raised in this article, you can contact a member of our Employment Team on 0161 941 4000 or email The Employment Team.