Your Essential Employment Law Updates

Keeping yourself knowledgeable and up to date about the latest in employment law isn’t easy when you’re running a business. Instead, you can rely on me to help you remain legally compliant. So here is my summary of a few of the topics we discussed at last month’s Employment Law Workshop:

Zero Hours Contracts

A zero hours contract is helpful for new businesses as they become established, and for small businesses. However, it’s important to remember that employees under a zero hours contract are entitled to the same statutory rights as any other employee, such as annual leave, sickness and termination rights, and so on, even if they don’t work many hours.

Despite the fact that an employer is not obliged to provide work under a zero hours contract, the employee is required to accept it when it is offered and, arguably, this is sufficient to amount to mutuality of obligation.

ICO Fees from May 2018

Since GDPR was introduced, it is a legal requirement for all organisations to pay an annual data protection fee to the ICO (Information Commissioner’s Office).

There are three tiers of fee payments that are dependent on your organisation’s size and turnover. Some organisations, such as charities and small occupational pension schemes, only need to pay £40 regardless of size and turnover. The tiers are as follows:

  • Tier one – £40 annual fee
    • Organisations with a maximum turnover of £632,000, or ten or fewer staff
    • Charities
    • Small occupational pension schemes
  • Tier two – £60 annual fee
    • Organisations that do not fall into tier one and have a maximum turnover of £36 million, or 250 or fewer staff
  • Tier three – £2,900 annual fee
    • Organisations that do not fall into tiers one or two, and that have a turnover of over £36 million, and more than 250 staff

To register with the ICO, find out more and pay your fee, click here.

No Right to Work in the UK

When recruiting, it’s essential to thoroughly check the candidate’s right to work in the UK. This involves checking and taking copies of documents such as passports, proof of address, proof of residence, etc. It’s important that you see the original documents and that they are valid. Throughout this process, be careful not to discriminate against anyone based solely on their race.

Gov.uk says to check that:

  • The documents are genuine, original and unchanged, and belong to the person who gave them to you
  • The dates for the applicant’s right to work in the UK have not expired
  • Photos are the same across all documents and look like the applicant
  • Dates of birth are the same across all documents
  • The applicant has permission to do the type of work you’re offering (including any limit on the number of hours they can work)
  • For students, you see evidence of their study and vacation times
  • If two documents give different names, the applicant has supporting documents showing why they’re different, such as a marriage certificate or divorce decree.

Remember that the original permission to work in the UK can expire, so it’s important to make regular checks on your current employees – you could face civil or criminal penalties if you’re found to be employing people who do not have the right to work in the UK.

The Gov.uk website provides some useful guides to help employers do this.

Christmas Parties – Preventing Problems whilst Having Fun!

It’s always good to have work parties, both for the fun and to celebrate the season, and also to help keep morale high whilst rewarding staff for a good year. But parties are not always without their problems. With parties costing on average around £50 per head, I always recommend that an Office Party policy be drawn up to set expectations on behaviour. Key points should be:

  • Christmas celebrations should be viewed as an extension of the workplace
  • Celebrate responsibly
  • Expect high standards of conduct while still having fun
  • Let your hair down, but not yourself or your employers
  • Employees should not post photographs or videos of themselves, colleagues or other attendees and third parties (e.g. venue staff) at the event on the Internet or any social media websites.

If you have any queries on current employment law legislation and how it affects your business, or any other staff issues, do call me on 0118 940 3032 or click here to email me.

Since GDPR, How Do You Respond to Subject Access Requests from Employees?

Whatever the size of your business, you probably process significant amounts of personal data on clients and employees. The sensitive nature of this data means that you are bound by the legal rights of the data subjects, which include their right of access to their personal data.

This guide explains your employees’ rights to make a Subject Access Request (sometimes referred to as a SAR or DSAR) under GDPR, how these differ from the previous rules under the Data Protection Act 1998, and the processes required to deal with them effectively. The process is the same for requests received from other workers, or from job applicants requesting personal data gathered during recruitment.

Key Changes Under GDPR

Subject access rights under GDPR are slightly different from those under the Data Protection Act 1998. For example:

  • Employers must provide additional information – envisaged data retention periods, and information about employees’ rights to have the data rectified, erased, or to object to the processing
  • Previously, SARs had to be in writing. Now, verbal requests are possible
  • Previously, you could charge a £10 fee for responding to a SAR. Now, you cannot charge unless the request is manifestly unfounded or excessive
  • Before, response time to a request was within 40 days of receipt. Now, you must respond without ‘undue delay’ and within one month of receipt (extended to three months for complex requests)
  • The maximum fine for non-compliance on responding to a SAR has increased significantly from £500,000 to €20 million, or 4% of the undertaking’s total worldwide annual turnover if greater. However, the Information Commissioner’s Office (ICO) has emphasised that it intends to continue to use its powers to impose fines “proportionately and judiciously” and regards issuing fines as “a last resort”

Subject Access Rights under GDPR

When responding to a SAR, you must provide the employee with the following information:

  • The purposes for processing the data
  • The categories of personal data you process
  • The recipients, or categories, to whom the data is disclosed (especially if outside the European Economic Area (EEA))
  • How long you will hold the data
  • The employee’s right to request rectification or erasure of data, and to restrict or object to processing
  • The employee’s right to complain to the ICO
  • The source of any data not provided by the employee
  • The existence of any automated decision-making (including profiling), the logic involved, and the envisaged consequences of such decision-making for the employee
  • The safeguards provided for the transfer of data outside the EEA (if relevant)

If a SAR is manifestly unfounded, excessive or repetitive, you can charge a reasonable fee for administrative costs or refuse to act on the request. But you must tell the employee, without undue delay and within one month of receipt, why you are not responding to the SAR and of their right to complain to the ICO and/or a court. If you are challenged, you will need to demonstrate your reasons.

Policies and Procedures

You should already have policies in place to guide both employees and managers on dealing with SARs; use the following to update them.

  1. On receipt of a SAR, assess whether the request is complex. Given the volume and sensitivity of employee data typically held, requests may well be complex and need the extended three-month time limit. If so, notify the employee of the reasons why within one month of receipt of the request. Keep the employee informed throughout – regular communication helps reduce the risk of employees complaining to the ICO.
  2. Identify where the data is being stored, both electronically and manually. This may include the HR team, the line manager and the IT department. Your policy should specify the timescale for them to provide the data for review, including by legal advisers if necessary, before the SAR response is due.
  3. Employees responsible for dealing with SARs will need training.

Identifying SARs

Your data protection policy can specify how employees should submit SARs, which will help to identify them. However, an employee can still submit a SAR in some other way, including verbally or even via social media, which you should then confirm in writing; it’s important to regularly monitor all channels of communication.

Legally, there is no prescribed format for a valid SAR under GDPR. It simply needs to ask for copies of the individual’s personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid SAR.

You are not required to comply with a SAR if you cannot verify the identity of the individual making the request. It could be a previous job applicant, and you may need to check the individual’s identity before disclosing personal data – a copy of a utility bill should suffice.

Clarifying and Searching

Most SARs ask for “all information that you hold about me”. The ICO regards an individual’s right to access their personal data as fundamental. However, in some circumstances it may be possible to show that the employee’s request would require taking unreasonable steps.

Initially, discuss the scope of the request with your employee; you cannot ask them to limit the scope, but you can ask for further information to help locate the personal data. For example, if the employee is seeking personal information contained in emails, you could ask them to identify which email accounts should be searched, or the date range to search. Engaging with the employee about their request, even if they refuse to cooperate, may help your case should they later complain to the ICO.

The ICO’s Subject access code of practice may be of help.

Carrying out regular data audits to record where data is stored is beneficial, especially if third parties are involved, such as cloud-based databases.

Searching email systems for personal data can be onerous. Ideally, set up your systems to simplify locating information. You may also need to search local computer drives (such as those of the employee’s line manager) for personal data – your policy should set clear rules on the storage of employee data on personal devices.

Paper archives should also be searched. To save time, liaise with the employee to agree the search parameters.

Data Exemptions

If the employee’s personal data is mixed with that of other people, assess whether to disclose such third-party data. The Data Protection Act 2018 contains exemptions for some data types, including:

  • Confidential employment references
  • Personal data processed for management forecasting or planning if disclosure would prejudice the business (e.g. reorganisation plans)
  • Records of your intentions in relation to negotiations with the data subject if this would prejudice the negotiations
  • Information subject to legal professional privilege

Providing the Data to the Employee

The GDPR recommends that personal data should be provided via remote access to a secure system. Alternatively, provide the response electronically (unless otherwise requested) as password-protected documents, with the password sent separately from the documents themselves, or on a portable hard drive or USB device. This is a significant change from previous practice, as employers used to provide hard copy data.

Explain what searches you carried out and why searches may have been limited, either because they would require disproportionate effort or because the data is too intermingled with third-party data. Explanations reduce the risk of complaints to the ICO.

For further advice on SARs or any other staff issues, do call me on 0118 940 3032 or click here to email me.

How GDPR Compliant Is Your Organisation’s HR Data?

The main principle behind the new General Data Protection Regulation (GDPR) coming into effect on 25 May 2018 is to protect people from having unnecessary data stored about them, and from having it stored for too long. In fact, there are seven main principles that you will need to keep in mind when processing personal data, namely:

  1. Lawfulness, fairness and transparency – you will no longer be able to charge a fee when you receive a request for data held, and it must be provided within a month
  2. Purpose limitation – data must only be collected for specified, explicit and legitimate purposes
  3. Data minimisation – it must be adequate, relevant and limited to the purposes required
  4. Accuracy – every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified, without delay
  5. Storage limitation – personal data should not be kept for anything other than the purposes for which it is being processed, or for longer than necessary
  6. Integrity and confidentiality – data must be processed using appropriate technical or organisational measures to ensure its security
  7. Accountability – you will need an officer or someone in your organisation to be responsible for, and able to demonstrate, compliance with these principles

Conduct an audit now!

It’s important that an audit is carried out as soon as possible prior to 25 May 2018. When preparing for GDPR, it may be necessary for various departments – IT, Legal, HR and Compliance – to collaborate, ensuring that data security is robust.

  • The audit needs to assess current HR data and related processing activities to identify any gaps with the GDPR.
  • Assess the legal ramifications on processing personal data. Although consent is currently necessary, it may not meet the more stringent GDPR requirements. Keep in mind that consent may be revoked at any time. You may need to rely on other legal grounds to continue to process employee personal data, but if it can’t be justified you must cease those processing activities.
  • If your business is in an industry that’s highly regulated, you may be able to rely on compliance with a legal obligation as a basis for processing certain employee data. For example, some financial services employers need to provide and update regulatory references for staff for up to six years after the end of employment. Or if you operate in a safety critical environment, you could rely on health and safety risks to justify more intrusive processing of employee data to establish fitness to work, for example.
  • Review or implement documentation. This information must be written in a way that is easy for employees and job applicants to understand, and should include three key documents:
    • Data Protection Policy
    • Privacy notices for employees and job applicants
    • Data Processing Consent documents as signed by your employees
  • To maintain the GDPR principle of data minimisation, you will need to delete data once it is no longer necessary. For this reason, as well as the rights of ex-employees and other data subjects requiring erasure or the restricting of data processing, consider the retention periods of your HR personal data. If you already have a data retention policy, check whether the existing retention periods for HR data can still be justified. You must pay particular attention to matters such as disciplinary warnings, and data retained after the end of employment.
  • Data breaches will need to be reported to the data authority within 72 hours of the breach occurring, so ensure a strict procedure is put in place. Allocate responsibility to certain people to investigate and contain a breach, and to make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
  • You may need to appoint a data protection officer, either through recruitment or by training an existing staff member. They will be the accountable person and will liaise with the data protection authority.

The Information Commissioner’s Office (ICO) recommends 12 steps that you should take now, which you can access here. Or speak to me – I will be delighted to help you make sense of the new GDPR and how its principles should be applied to your organisation.

Helping You

If you need help becoming GDPR compliant, I can provide your business with the documents that you need, which are:

  1. Job applicant privacy notice
  2. GDPR compliant data protection policy
  3. Employee privacy notice
  4. Form to make a subject access request

I can also offer an audit to assess compliance and the actions required and deliver training for your employees, either face to face or by webinar. Get in touch if you need any of these documents or some training. Call me on 0118 940 3032 or click here to email me.