GDPR - are you ready? Managing employee data (with a handy checklist)


As a small business owner with employees, the data protection changes are going to affect your HR activities, from recruitment and selection through to employment records, payroll, performance monitoring and disciplinary, grievance and absence documentation. Keeping up to date with the legal developments is essential to stay on top of the data protection principles and laws. Ignoring your responsibilities could lead to fines, compensation payments and prosecution in the courts.

If you follow the current DPA you should already be well on your way to meeting the regulations but, to stay compliant, you will need to review how you collect, hold and process personal data, as well as how you communicate with individuals about that activity. Ensuring that employees understand their rights and obligations under data protection law, being open and transparent about your data collection and processing, and recognising individuals' right to be forgotten will all help you meet your accountabilities and obligations.

Not all employers have to appoint an official data protection officer, but all businesses will need to assign responsibility for data protection compliance to an individual or a team of appropriate people. If the person responsible for protecting HR data in your company isn't you, make sure your data protection officer or privacy manager is trained on the DPA and the changes in GDPR, and that they document and record every audit, review and change they implement.

The DPA now has eight principles which specify that data must be:

  • fairly and lawfully processed

  • processed for limited purposes

  • adequate, relevant and not excessive

  • accurate

  • not kept for longer than is necessary

  • processed in line with an individual’s rights

  • secure

  • not transferred to countries outside the European Economic Area (EEA) without adequate protection.

As an overview, recruitment, employment records, monitoring and removing data are the key areas of managing employees you will need to review, considering any actions, changes or updates to implement in your business before the change in regulations on the 25th May 2018. For any areas which particularly affect you, review them thoroughly and take action in line with the principles.

Recruitment and selection

Consider what information you need at each stage and why you need it, and ensure it is limited to the specific data you require. It is also essential that you ensure openness throughout the process: inform the individual of the information you require, why you need it, where it will be held and that you will keep it confidential.

For example, the information you require for recruitment will be a lot less than that required for those you then employ.

Applicants should be aware of what information about them is being collected and what it will be used for. Design your application forms with this in mind: the individual should sign to confirm that the information they have provided is accurate, and should give consent if you will be verifying the data and contacting references. Only ask for information about criminal convictions if this is justified by the type of job you are recruiting for. Don't ask for 'spent' convictions unless the job is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974.

Only keep recruitment data for as long as there is a clear business reason for it, and ensure you have a system in place for deleting and removing old data securely. Also, gathering information about an applicant covertly is unlikely to be justified, so be clear on your recruitment and employment processes.

Do you have a clear and concise application form detailing your privacy policy and data protection processes?

Employment records

You don't need to get the consent of workers to keep records about them, but make sure they know how you will use those records and whether you will disclose the information they contain. Ensure you have a data protection clause in your contracts and that it adheres to the new GDPR requirements. Highlight this during your offer and induction stages so the individual has received clear guidance on how and where the information will be held and why. This will tick your accountability and training boxes, which is another requirement of the legislation.

If you use a third party to process data, such as recruitment agencies, benefits providers, pensions or payroll, ensure that you have clear and justified business reasons and that the information is only used for the scheme and administration you have stated it will be used for.

Do you have a data protection clause in your contracts and employee handbook and an updated confidentiality clause? Have you updated and distributed an up to date data protection policy?

The Act doesn’t generally prevent monitoring. However, it sets out principles for the gathering and use of personal information. In short, data protection means that if monitoring has any adverse effect on workers, this must be justified by its benefit to the employer or others.

Do you have a monitoring clause in your contract, or where required, a CCTV, email access or stop and search notice?

IT, email and internet

The CIPD highlight that many legal issues arise concerning employees' potential abuses of email and the internet. As a starting point, all organisations should devise and implement a comprehensive Internet, social media and communications policy. Supplying staff with their own smart phones, laptops, tablets, or even USB devices, can raise important data protection issues, as can allowing staff to use their own devices.

An effective Internet, social media and communications policy must cover the permissible use of employees' own devices for working purposes, and the permissible use of (and return of) devices supplied by the employer. The relevant level of encryption should be deployed on all computers; also consider a single sign-on policy for your employees and/or a password policy.

Do you have an effective email, internet and social media policy in place?

Consider who will have access

Ensure that those who have access to employment records are aware that data protection rules apply and that personal information must be handled with respect. Data must be stored confidentially and securely, with the passwords or secure cabinet key held only by those who require access. Keep confidential sensitive data separate from the main employment file, and ensure that only those who need that additional information have access to it.

Gathering and retaining health information is a sensitive area and requires consideration and documentation with a clear process and system for removal.

Check what records are kept about your workers, and make sure you are not keeping information that is irrelevant, excessive or out of date. Delete information that you have no genuine business need for or legal duty to keep.

If you have a Virtual Assistant or contractors you hire to help you manage your business, this also means ensuring you have an agreement with them on their role and responsibilities, as they could also be subject to fines for mismanagement of data.

Have you trained and informed your staff on GDPR and DP principles so they are aware of their role and responsibilities for the business?

Deleting information

Ensure you remove that data securely once you no longer require it for processing or legal reasons e.g. employment data periods, payroll, following disciplinary action.

How will you achieve the deletion of personal data across the business, at an employee's request, in relevant situations? This covers computer systems, spreadsheets, emails and any hard copies of information you hold.

Do you have a system or notification process in place for deleting data such as recruitment, disciplinary, grievance, monitoring and selection processes or employee files?

Data subject access requests

Employees have the right to see the data you hold on them, and within a new timescale of one month, reduced from the previous 40 day period. This includes information about grievance and disciplinary issues, and information you obtain through monitoring. Normally you must give access when a worker requests it, but you can withhold information where providing it to the worker would make it more difficult to detect crime. The £10 fee for DSARs is now removed, although there is some discretion to charge a reasonable fee, based on administrative costs, in limited cases where the request is 'manifestly unfounded or excessive'.

When giving access to employment records be careful with information about other people. It could be wrong, for example, to disclose the identity of someone alleging harassment to the person accused of carrying out the harassment.

If there is a discrepancy between what an applicant tells you and what you learn by carrying out a check, give the applicant an opportunity to give their side of the story. Remember that the information you get from public records could be wrong.

What if I don’t do this? Fines and fees for non-compliance

Fines are now considerably larger, up to 4% of annual global turnover. Staying compliant is also likely to bring additional costs and administration.

It is also important to be aware that workers can claim compensation if they suffer as a result of a breach of the Data Protection Act, so it is in your interests to make sure records are well managed and used responsibly.

Your action plan - checklist

  • Appoint a data protection officer to be in charge of all aspects of information including compliance with the Data Protection Act 1998, and Freedom of Information Act for public authorities.

  • Audit information systems to find out who holds what data, and why. Create a checklist which you can document as your evidence of audit and review, and come back to it at regular periods, covering:

  1. the type of data held

  2. the category of data and why you hold it e.g. recruitment or bank details

  3. who the data concerns

  4. who provided the data and what legal basis you have to process the data

  5. the purpose of processing

  6. where the data will be stored

  7. who has access

  8. data transfers

  9. whether there are any automatic decision making processes

  10. how you will deal with a breach

  11. when the data will be deleted

  • Consider why information is collected and how it is used, and issue guidelines for managers about how to gather, store and retrieve data.

  • Ensure that all information collected complies with the DPA.

  • Check the security of the information stored.

  • Check the transfer of data outside the EEA.

  • Check the organisation’s use of automated decision making – do they allow you to deal with objections and involve a human decision maker if requested?

  • Review policy and practice in respect of references.

  • Review or introduce key policies: privacy notice to staff, data protection policy, email, internet and IT policy, social media policy, data breach reporting policy, subject access request policy, data retention policy and update other relevant policies e.g. disciplinary, grievance, recruitment and selection.

  • Take steps now to prepare for the GDPR which will be in force from May 2018.

If you need any support understanding your requirements and responsibilities or in ensuring you have the documents, policies and clauses to meet your obligations, get in touch and we can help you get those, and your systems in place.

Guide

I have produced a summary of employers’ requirements but for a more comprehensive guide for small businesses, this is a really useful reference point provided by the ICO:

https://ico.org.uk/media/for-organisations/documents/1128/quick_guide_to_the_employment_practices_code.pdf

This blog is for information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that, at the date this guidance has been prepared, the Information Commissioner has not yet published all of the guidance relating to GDPR.
