Your Essential Employment Law Updates

Keeping yourself knowledgeable and up to date about the latest in employment law isn’t easy when you’re running a business. Instead, you can rely on me to help you remain legally compliant. So here is my summary of a few of the topics we discussed at last month’s Employment Law Workshop:

Zero Hours Contracts

A zero hours contract is helpful for new businesses as they become established, and for small businesses. However, it’s important to remember that employees under a zero hours contract are entitled to the same statutory rights as any other employee, such as annual leave, sick pay and protection on termination, even if they don’t work many hours.

Despite the fact that an employer is not obliged to provide work under a zero hours contract, the employee is required to accept it when it is offered and, arguably, this is sufficient to amount to mutuality of obligation.

ICO Fees from May 2018

Since GDPR was introduced, it is a legal requirement for all organisations to pay an annual data protection fee to the ICO (Information Commissioner’s Office).

There are three tiers of fee payments that are dependent on your organisation’s size and turnover. Some organisations, such as charities and small occupational pension schemes, only need to pay £40 regardless of size and turnover. The tiers are as follows:

  • Tier one – £40 annual fee
    • Organisations with a maximum turnover of £632,000, or ten or fewer staff
    • Charities
    • Small occupational pension schemes
  • Tier two – £60 annual fee
    • Organisations that do not fall into tier one and have a maximum turnover of £36 million, or 250 or fewer staff
  • Tier three – £2,900 annual fee
    • Organisations that do not fall into tiers one or two, and that have a turnover of over £36 million, and more than 250 staff

To register with the ICO, find out more and pay your fee, visit the ICO’s website.

No Right to Work in the UK

When recruiting, it’s essential to thoroughly check the candidate’s right to work in the UK. This involves checking and taking copies of documents such as passports, proof of address, proof of residence, etc. It’s important that you see the original documents and that they are valid. Throughout this process, be careful not to discriminate against anyone based solely on their race.

Gov.uk says to check that:

  • The documents are genuine, original and unchanged, and belong to the person who gave them to you
  • The dates for the applicant’s right to work in the UK have not expired
  • Photos are the same across all documents and look like the applicant
  • Dates of birth are the same across all documents
  • The applicant has permission to do the type of work you’re offering (including any limit on the number of hours they can work)
  • For students, you see evidence of their study and vacation times
  • If two documents give different names, the applicant has supporting documents showing why they’re different, such as a marriage certificate or divorce decree.

Remember that the original permission to work in the UK can expire, so it’s important to make regular checks on your current employees – you could face civil or criminal penalties if you’re found to be employing people who do not have the right to work in the UK.

The Gov.uk website provides some useful guides to help employers do this.

Christmas Parties – Preventing Problems whilst Having Fun!

It’s always good to have work parties, both for the fun and to celebrate the season, and also to help keep morale high whilst rewarding staff for a good year. But parties are not always without their problems. With parties costing on average around £50 per head, I always recommend that an Office Party policy is drawn up to set expectations on behaviour. Key points should be:

  • Christmas celebrations should be viewed as an extension of the workplace
  • Celebrate responsibly
  • Expect high standards of conduct while still having fun
  • Let your hair down, but not yourself or your employer
  • Employees should not post photographs or videos of themselves, colleagues or other attendees and third parties (e.g. venue staff) at the event on the Internet or any social media websites.

If you have any queries on current employment law legislation and how it affects your business, or any other staff issues, do call me on 0118 940 3032 or send me an email.

How GDPR Compliant Is Your Organisation’s HR Data?

The main principle behind the new General Data Protection Regulation (GDPR), coming into effect on 25 May 2018, is to protect people from having unnecessary data stored about them, or data stored for too long. In fact, there are seven main principles that you will need to keep in mind when processing personal data:

  1. Lawfulness, fairness and transparency – you will no longer be able to charge a fee when you receive a request for data held, and it must be provided within a month
  2. Purpose limitation – data must only be collected for specified, explicit and legitimate purposes
  3. Data minimisation – it must be adequate, relevant and limited to the purposes required
  4. Accuracy – every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified, without delay
  5. Storage limitation – personal data should not be kept for anything other than the purposes for which it is being processed, or for longer than necessary
  6. Integrity and confidentiality – data must be processed using appropriate technical or organisational measures to ensure its security
  7. Accountability – you will need an officer or someone in your organisation to be responsible for, and able to demonstrate, compliance with these principles

Conduct an audit now!

It’s important that an audit is carried out as soon as possible prior to 25 May 2018. When preparing for GDPR, it may be necessary for various departments – IT, Legal, HR and Compliance – to collaborate, ensuring that data security is robust.

  • The audit needs to assess current HR data and related processing activities to identify any gaps with the GDPR.
  • Assess the legal ramifications on processing personal data. Although consent is currently necessary, it may not meet the more stringent GDPR requirements. Keep in mind that consent may be revoked at any time. You may need to rely on other legal grounds to continue to process employee personal data, but if it can’t be justified you must cease those processing activities.
  • If your business is in an industry that’s highly regulated, you may be able to rely on compliance with a legal obligation as a basis for processing certain employee data. For example, some financial services employers need to provide and update regulatory references for staff for up to six years after the end of employment. Or if you operate in a safety critical environment, you could rely on health and safety risks to justify more intrusive processing of employee data to establish fitness to work, for example.
  • Review or implement documentation. This information must be written in a way that is easy for employees and job applicants to understand, and should include three key documents:
    • Data Protection Policy
    • Privacy notices for employees and job applicants
    • Data Processing Consent documents as signed by your employees
  • To maintain the GDPR principle of data minimisation, you will need to delete data once it is no longer necessary. For this reason, as well as the rights of ex-employees and other data subjects requiring erasure or the restricting of data processing, consider the retention periods of your HR personal data. If you already have a data retention policy, check whether the existing retention periods for HR data can still be justified. You must pay particular attention to matters such as disciplinary warnings, and data retained after the end of employment.
  • Data breaches will need to be reported to the data authority within 72 hours of the breach occurring, so ensure a strict procedure is put in place. Allocate responsibility to certain people to investigate and contain a breach, and to make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
  • You may need to appoint a data protection officer, either through recruitment or by training an existing staff member. They will be the accountable person and will liaise with the data protection authority.

The Information Commissioner’s Office (ICO) recommends 12 steps that you should take now, which are available from the ICO. Or speak to me – I will be delighted to help you make sense of the new GDPR and how its principles should be applied to your organisation.

Helping You

If you need help becoming GDPR compliant, I can provide your business with the documents that you need, which are:

  1. Job applicant privacy notice
  2. GDPR compliant data protection policy
  3. Employee privacy notice
  4. Form to make a subject access request

I can also offer an audit to assess compliance and the actions required, and deliver training for your employees, either face to face or by webinar. Get in touch if you need any of these documents or some training. Call me on 0118 940 3032 or send me an email.