Since GDPR, How Do You Respond to Subject Access Requests from Employees?

Whatever the size of your business, you probably process significant amounts of personal data on clients and employees. The sensitive nature of this data means that you are bound by the legal rights of the data subjects, which includes their right of access to their personal data.

Sometimes referred to as SARs or DSARs, this guide explains your employees’ rights on making a Subject Access Request under GDPR, how they differ from the previous rules under the Data Protection Act 1998, and the processes required to effectively deal with them. The process is the same for requests received from other workers, or job applicants requesting personal data gathered during recruitment.

Key Changes Under GDPR

Subject access rights under GDPR are slightly different from those under the Data Protection Act 1998. For example:

  • Employers must provide additional information – envisaged data retention periods, and information about employees’ rights to have the data rectified, erased, or to object to the processing
  • Previously, SARs had to be in writing. Now, verbal requests are possible
  • Previously, you could charge a £10 fee for responding to a SAR. Now, you cannot charge unless the request is manifestly unfounded or excessive
  • Before, response time to a request was within 40 days of receipt. Now, you must respond without ‘undue delay’ and within one month of receipt (extended to three months for complex requests)
  • The maximum fine for non-compliance on responding to a SAR has increased significantly from £500,000 to €20 million, or 4% of the undertaking’s total worldwide annual turnover if greater. However, the Information Commissioner’s Office (ICO) has emphasised that it intends to continue to use its powers to impose fines “proportionately and judiciously” and regards issuing fines as “a last resort”

Subject Access Rights under GDPR

When responding to a SAR, you must provide the employee with the following information:

  • The purposes for processing the data
  • The categories of personal data you process
  • The recipients, or categories, to whom the data is disclosed (especially if outside the European Economic Area (EEA))
  • How long you will hold the data
  • The employee’s right to request rectification or erasure of data, and to restrict or object to processing
  • The employee’s right to complain to the ICO
  • The source of any data not provided by the employee
  • The existence of any automated decision-making (including profiling), the logic involved, and the envisaged consequences of such decision-making for the employee
  • The safeguards provided for the transfer of data outside the EEA (if relevant)

If a SAR is manifestly unfounded, excessive or repetitive, you can charge a reasonable fee for administrative costs or refuse to act on the request. But you must tell the employee, without undue delay and within one month of receipt, why you are not responding to the SAR and of their right to complain to the ICO and/or a court. If you are challenged, you will need to demonstrate your reasons.

Policies and Procedures

You should already have policies in place to guide both employees and managers on dealing with SARs; use the following to update them.

  1. On receipt of a SAR, assess whether the request is complex. Given the volume and sensitivity of employee data typically held, requests may be complex and need the extended three-month time limit. If so, notify the employee with the reasons why within one month of receipt of the request. Keep the employee informed throughout – regular communication helps reduce the risk of employees complaining to the ICO.
  2. Identify where the data is being stored, both electronically and manually. This may include the HR team, the line manager and the IT department. Your policy should specify the timescale for them to provide the data for review, including by legal advisers if necessary, before the SAR response is due.
  3. Employees responsible for dealing with SARs will need training.

Identifying SARs

Your data protection policy can specify how employees should submit SARs, which will help to identify them. However, an employee can still submit a SAR in some other way, including verbally or even via social media, which you should then confirm in writing; it’s important to regularly monitor all channels of communication.

Legally, there is no prescribed format for a valid SAR under GDPR. It simply needs to ask for copies of their personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid SAR.

You are not required to comply with a SAR if you cannot verify the identity of the individual making the request. It could be a previous job applicant, and you may need to check the individual’s identity before disclosing personal data – a copy of a utility bill should suffice.

Clarifying and Searching

Most SARs ask for “all information that you hold about me”. The ICO regards an individual’s right to access their personal data as fundamental. However, in some circumstances it may be possible to show that the employee’s request would require taking unreasonable steps.

Initially, discuss the scope of the request with your employee; you cannot ask them to limit the scope, but you can ask for further information to help locate the personal data. For example, if the employee is seeking personal information contained in emails, you could ask them to identify which email accounts should be searched, or parameter dates. Engaging with the employee about their request, even if they refuse to cooperate, may help your case should they later complain to the ICO.

The ICO’s Subject access code of practice may be of help.

Carrying out regular data audits to record where data is stored is beneficial, especially if third parties are involved, such as cloud based databases.

Searching email systems for personal data can be onerous. Ideally, set up your systems to simplify locating information. You may need to search local computer drives (such as those of the employee’s line manager) for personal data – your policy should set clear rules on the storage of employee data on personal devices.

Paper archives should also be searched. To save time, liaise with the employee to agree the search parameters.

Data Exemptions

If the employee’s personal data is mixed with that of other people, assess whether to disclose such third-party data. The Data Protection Act 2018 contains exemptions for some types of data, including:

  • Confidential employment references
  • Personal data processed for management forecasting or planning if disclosure would prejudice the business (e.g. reorganisation plans)
  • Records of your intentions in relation to negotiations with the data subject if this would prejudice the negotiations
  • Information subject to legal professional privilege

Providing the Data to the Employee

The GDPR recommends that personal data should be provided via remote access to a secure system. Alternatively, provide the response electronically (unless otherwise requested) with password-protected documents, portable hard drive or USB device. This is a significant change from previous practice, as employers used to provide hard copy data.

Explain what searches you carried out and why searches may have been limited, either because they would require disproportionate effort or because the data is too intermingled with third-party data. Explanations reduce the risk of complaints to the ICO.

For further advice on SARs or any other staff issues, do call me on 0118 940 3032 or click here to email me.

Six Common Summer Employment Issues

With high temperatures possible during the summer months, in this blog we’ll look at some employment law scenarios that you may have to deal with, as an employer.

Maximum office temperatures – The Workplace (Health, Safety and Welfare) Regulations 1992 state that the temperature in the workplace needs to be “reasonable”. However, there is no maximum temperature. What is reasonable will depend on the nature of your workplace and the work being carried out by your employees. Factors such as whether or not the work is strenuous or physical will need to be taken into account.

Unauthorised time off – If a holiday request is refused but your employee goes ahead and takes the time off anyway, it’s important not to jump to conclusions. You should carry out an investigation to establish whether or not the absence was for genuine reasons. If, however, there is no credible explanation from the employee, it may become a disciplinary issue and your disciplinary process will need to be followed.

Summer dress codes – It may be reasonable for you to adopt a more relaxed dress code during the summer months. However, the extent to which your employees may be allowed to dress down when the temperature rises will in part depend on the role he or she performs.

In the case of customer-facing roles, certain standards of presentation may need to be maintained. For health and safety reasons, it may be necessary for employees to continue to wear protective clothing, irrespective of summer heat.

One way or the other, you should ensure that the dress code is reasonable, appropriate to the needs of your particular business and does not discriminate between groups of employees.

Competing summer holiday requests – Under the Working Time Regulations 1998, you are not obliged to agree to an employee’s request to take holiday at a particular time, unless the employment contract provides otherwise.

If competing requests for holiday are received from different members of staff, your managers may prioritise requests, provided that they do this in a way which is fair and consistent, for example on a first-come, first-served basis.

To avoid the short periods of notice for requests and refusals, it makes sense for your business to have its own holiday policy in which you can set out your own notice provisions and other arrangements relating to holiday.

Late return from summer holiday – Issues may also arise in the case of an employee who returns late from his or her summer holiday. In the first instance, you should allow the employee the opportunity to provide an explanation. Supporting evidence, for example a medical certificate in the case of ill health, should be requested.

However, if the explanation does not appear genuine, you will need to consider following your disciplinary policy.

Summer work experience – The school summer holidays are typically a time when employers offer school-age children the opportunity to carry out work experience. You do not have to pay a child of compulsory school age while on work experience. However, all other rules and restrictions on employing young people will apply, and relevant approvals from the local authority or school governing body will need to be obtained.

Is your business ready for more heat this summer? If you need any advice regarding working conditions for your employees over the summer, just get in touch. You can call 0118 940 3032 or email me at sueferguson@optionshr.co.uk.

Source: XpertHR

It’s Time to Bring Your Staff Handbook Up to Date

Many businesses experience a quiet time in July and August, when staff and customers are on holiday. If this happens in your business, you can use the extra time you have to make sure that you’re up to date with all things HR.

When did you last check that your Staff Handbook was in line with current Employment Law? Every time changes are made to Employment law – which is usually at least twice every year, in the Spring and again in the Autumn – your handbook will become a bit more out of date. So far this year we’ve seen a number of changes to maternity and paternity laws, including shared parental leave. Flexible working laws have changed, along with those relating to attending antenatal appointments.

So how do you keep up to date?

The Acas website at www.acas.org.uk is a good source of information. It lists all the recent Employment Law changes. You’ll need to look at all the changes that have been made and work out which apply to your business. Then you’ll need to find the relevant sections within your Staff Handbook and bring them up to date. You should do the same with any staff forms and processes that you use, to make sure that you’re fully legal.

Once you’ve updated your HR processes and policies, you need to think about how to introduce the changes to your existing members of staff. If you publish your Handbook in hard copy, you can reissue it – but don’t just print it out and leave it on a shelf next to the old one! Let your employees know which policies have been changed and that they should read the Handbook, so they can see how the changes could affect them.

If you have an Intranet within your business, put your new Handbook onto it and tell your staff about the sections and laws that have changed, so that they can read the relevant sections.

However you share your Handbook, you need to encourage your staff to read it. You could ask each employee to sign a form showing that they’ve read the new Handbook and have understood how the changes affect them. This also gives them the opportunity to ask you about anything they don’t understand.

If your handbook is more than three years old, it will be out of date and will need a bit of work; if it’s more than five years old it will be more of an antique and you might even need a brand new one!

Does updating your own Staff Handbook sound like a rather daunting task? If so, do get in touch to talk to us about how we can do it for you. Call us on 0118 940 3032 or email sueferguson@optionshr.co.uk.

Holiday Commission Payments – The Verdict

Finally we have the decision about the calculation of commission payments.

This well publicised case was brought by Mr Lock, an employee of British Gas. He was paid a basic salary and commission based on the sales he made which represented, on average, over 60% of his take home pay.

British Gas paid holiday pay to Mr Lock based on his basic salary only, plus commission on sales he had earned prior to the holiday period. This resulted, in the weeks and months after the period of leave, in times when Mr Lock only received basic salary and not commission. This was because Mr Lock was not at work during the period of leave, did not make sales and did not generate any commission.

Mr Lock brought a claim against British Gas contending that his holiday pay should be based on basic salary and average commission.

The employment tribunal asked the European Court of Justice (ECJ) whether employers should include commission when calculating holiday pay and both decided that Mr Lock should be paid holiday pay including overtime. Since the ECJ ruling, we have been waiting to see how the employment tribunal would give effect to the ECJ decision.

At the hearing Leicester employment tribunal made it clear that the case was not about whether the commission received by Mr Lock should be included because the ECJ had already decided that it should. The case was about whether the Working Time Regulations could be interpreted to give effect to the ECJ decision.

The employment tribunal concluded that it could by adding wording to the Working Time Regulations which requires employers with workers who have normal working hours but who receive commission or similar payments to calculate holiday pay as if their pay varied with the amount of work done. The effect is to require employers to calculate holiday pay based on an average of the previous 12 weeks’ pay.

The Next Steps

Not all commission payments will qualify and have to be taken into account. You should reconsider how you calculate holiday pay if you operate a similar commission scheme, as you may face a claim for back pay. Legislation was introduced to limit the impact of such claims by restricting back pay for two years for cases on or after 1 July 2015.

This decision relates only to the calculation of four weeks’ holiday and not the entire current statutory minimum of 5.6 weeks or any enhanced holiday. You should also check any contractual provisions. If you need any help calculating holiday pay for your employees, call us on 0118 940 3032 or click here to email us.

Family Matters in Your Business

Many of the recent Employment Law changes have focused on family matters. There are more to come in 2015, so it’s important that you are prepared and know how they might affect your business. Many changes relate to the families of your members of staff. While you might not think you’re directly involved, you could be and you need to know how to handle each situation.

Here are some examples: 

2015 Childcare Scheme. From this autumn, almost 2 million families will be able to make use of the tax-free childcare scheme announced in the last Budget. Eligible families will be able to claim a 20% rebate on their childcare costs up to £2,000 per child. How could this affect your business? Research shows that nearly a quarter of employed mothers would increase their working hours if they could arrange good quality childcare. This could be a good thing for your business, but not every family is eligible and some could end up worse off. Some might need to reduce their working hours, which might not suit your business.

Flexible Working. In the past, only parents with children under the age of 17 and carers could apply for flexible working. Now employees who are not caring for others have the right to make a request and as the employer, you must deal with these requests in a reasonable manner. This means you can no longer only expect your employees with children to request flexible working. Now you need to be prepared in case any of your employees makes the request. Do you know how you would deal with these matters?

Time Off for Dependants. All employees have the right to time off during working hours, to deal with unforeseen matters and emergencies relating to dependants. This is unpaid leave, unless you’re willing to give paid time off. Employees have a right to a reasonable amount of time off – usually 1-2 hours rather than days – to deal with emergencies involving a spouse, partner, child, parent or an elderly neighbour. Leave can be taken to deal with a breakdown in childcare, to put longer term care in place for children or elderly relatives, if a dependant falls ill or is taken into hospital, or to arrange or attend a funeral. Do you have a plan in place to deal with employees needing to take time off at short notice?

Shared Parental Leave. In the past, mothers could take 52 weeks of maternity leave and receive 39 weeks of statutory maternity pay. Now they can decide to share the leave with their partner. This means that if you are the employer of the partner, you could still find yourself having to give them parental leave, if the mother decides to go back to work early. To make sure your business is prepared for this, know how many of your key members of staff this could affect. Have a contingency plan for what it could cost you.

Antenatal Rights. Pregnant mothers are entitled to time off for antenatal appointments. In addition, partners of mothers-to-be can now take unpaid time off work to go with her to two of these appointments. While you might not have any expectant members of staff, think about the impact on your business of losing a key member of staff for a day – the partner. Can you still hold a Board Meeting with one of your Directors absent?

There have been a number of recent Employment Law changes affecting family matters. However, there are many other legal requirements that you need to be aware of, relating to your employees and their families. For more information the Acas website is always a good place to start.

Employment Law Update Workshop

On 21 May 2015 we’ll be spending the morning at Hennerton Golf Club in Wargrave, Berkshire, going through the latest changes to Employment Law. For individual help with your business and your employees, book your place on the workshop. We’ll talk about how the changes will specifically impact on your business. Click here to book your place for just £15 +VAT.

One of the attendees at a recent workshop said “I thought the workshop would be full of other HR people who knew more than me – but it wasn’t like that at all. I learnt a great deal from the Employment Law update and it was really useful talking to other people to hear how they dealt with similar issues to me.”

How Do You Investigate Staff Issues?

If one of your employees raises a grievance at work, against one of their colleagues, you need to carry out an investigation into the situation, before you make any decisions. How do you go about doing this?

The first thing to consider is that the person against whom the grievance has been raised cannot carry out the investigation. Look for an impartial party to do it, who should decide what information they need in order to fully understand the situation. They should then interview the person who has raised the grievance, before speaking to the other party and anyone else involved. They should produce written evidence and be prepared to look for evidence both supporting the employee and against them.

All people involved should be asked not to discuss the allegation, or look for corroborating evidence or verification of what the employee and other staff are saying. They should also keep an open mind, as what they uncover may not be what anyone expects. For example, someone may be unhappy at work because of a family bereavement they haven’t told anyone about.

The next stage is to respond to the person who raised the grievance, with your decision based on the evidence. It may be appropriate to bring the two people together to discuss the evidence and plan how to resolve the situation. You must always respond to a formal grievance in writing, with your decision based on your investigation, and offer the right of appeal.

The point of carrying out an investigation is so that you do not blunder into a grievance situation, without first finding out what is really going on. If you don’t have your own policy to follow, then use the guidelines published by Acas. As with most employment matters, following a clear process will keep you safe, if an aggrieved member of staff doesn’t like the way in which their grievance has been handled!

Are Your Employees Fit for Work?

The Department for Work & Pensions has finally launched its service for employers, employees and GPs, to help employees who have been sick for four weeks or more to return to work.

It has been designed to reduce sick pay costs for employers by facilitating a quicker return to work and by providing an occupational health service to small businesses with limited access to this type of resource.

As an employer you can access web and telephone advice about any work related health matters affecting you and your employees by visiting www.FitForWork.org or by calling 0800 032 6235.

It is not mandatory to use the service but you should now consider updating your sickness absence policies to reflect the availability of Fit for Work. You should make sure your managers know about the resources offered and that they may be contacted by the service concerning an employee referred to them. They also need to understand how to deal with a Return to Work Plan from Fit for Work and the fact that this plan removes the need for a fit note while it remains current.

You can refer an employee to Fit for Work if:

  • They are still employed by you
  • They have been absent for four weeks or more
  • They have not been referred for an assessment within the last 12 months
  • They have provided consent to be referred and
  • They have not already been referred to the service by their GP.

Fit for Work offers:

  • Advice by telephone and online, including information on adjustments at work or general work related health advice
  • Referral for an occupational health assessment. Employees referred will be contacted within two days of the referral and a telephone assessment completed. In some cases a face to face assessment may be deemed necessary
  • A Return to Work Plan. This will be provided to the employer by email and the employer should then consider whether it can act on the recommendations.

Fit for Work may contact you to gain an understanding of your specific workplace, when recommendations in the Return to Work Plan have not been actioned, or in cases where the relationship between you and your employee is identified as one of the obstacles to a return to work.

Employees will be discharged from Fit for Work when they have returned to work (including on a phased return basis) or when the Fit for Work service can no longer provide assistance or if a return to work has not been possible after three months.

Find out more at www.FitForWork.org or call 0800 032 6235.

The Next Round of Employment Law Updates

Just when you thought you knew everything you needed to know about employing staff, they changed the law! Here is a summary of some of the recent changes that you need to know about.

  • Tribunal penalties for employers – from 6 April penalties can be imposed on employers who lose tribunals. This could be 50% of the award between £100 and £5000 where the employer breaches the employee’s rights and where there are aggravating factors; or where the employer has not made a genuine mistake but has made a deliberate breach of the ACAS code. If you run a small business there is some leniency, but larger employers are expected to follow the new rules.
  • ACAS Early Conciliation – from 6 May, early conciliation is compulsory before a claim can be submitted. The claimant must contact ACAS, who will issue an early conciliation certificate when the process is complete. As an employer, this now gives you opportunity to get early warning of a case or to settle.
  • Statutory pay rates – from 6 April, maternity, paternity and adoption pay is raised to £138.18. Sick pay rises to £87.55 and gross pay for redundancy is £464.
  • Abolition of the percentage threshold – before 6 April employers could claim back sick pay if it exceeded 13% of the employee’s Class 1 National Insurance in the month. That threshold has now been abolished.
  • Abolition of SSP record keeping obligations – from 6 April there will be no requirement to keep specified records of dates of sickness and SSP payments. Before this there was a requirement to keep records for three years.

There are more changes proposed for later in the year, which I’ll tell you about in future blogs. If you need to know how any of the changes specifically affect your business and your employees, do get in touch and I’ll talk you through what you need to know.

Are You Ready for Pension Auto Enrolment? Part Two

All businesses will soon have to provide a pension for their staff. The start date depends on the size of your business. But there’s a lot more to think about than just the date. Last month we brought you five tips to consider (click here to read that blog) and here are five more:

Existing joining methods may be fit for purpose. Many employers believe they will need to change the way they currently join employees to their pension scheme. However, your existing method and processes for joining may already be suitable. For example, if your employees already join the pension scheme via their contract of employment, then there may be no need to introduce a different method. This can also allow all staff to be treated the same way, regardless of their age or income. But it’s likely to mean changing processes and potentially employment contracts, to meet the new legal requirements.

Use waiting periods to fit your business. The majority of employers have used waiting periods aligned with payroll so employees join on the first day of the pay reference period. This avoids having to calculate, explain and manage part payments. But it is also possible to build in a waiting period to avoid one off events such as bonus payments or seasonal increases. Or to allow time to organise contract joining before the auto-enrolment duty kicks-in. But remember while employers can delay assessment and auto-enrolment, they cannot delay the statutory communications to their employees.

Communicate with employees early. Engaging with your employees and clearly communicating the changes in advance of auto-enrolment will make sure that when it happens, they understand why money is being deducted from their pay. This will also ensure they appreciate the value your contribution is adding while reducing employee questions.

Review existing default investment funds. You have a regulatory responsibility to make sure the auto-enrolment default investment option is suitable for your employees that will be enrolled to the scheme. Existing investment solutions may not be appropriate. Advice is crucial to getting this right. You also have a responsibility to have an on-going investment governance framework in place.

Remember to register with the Pensions Regulator. You must register your scheme with the Pensions Regulator within four months of your staging date. Details must be given of your qualifying workplace pension scheme and how you have gone about enrolling employees to the scheme.

There is a lot to think about and do when it comes to setting up your company pension. These five tips, combined with the five we gave you last month, give you a good starting point. In the meantime, if you have any questions about pensions, do get in touch.

Are You Ready for Pension Auto Enrolment? Part One

All businesses will soon have to provide a pension for their staff. The start date depends on the size of your business. But there’s a lot more to think about than just the date. Here are five tips to consider:

Don’t leave it too late. The auto-enrolment ‘to-do’ list for employers will take some time to complete; don’t leave it to the last minute. Collating data can mean sourcing information from various systems. In addition, enrolling employees to the pension scheme could involve changes to their contracts of employment, which requires a three month consultation period. An early start, 6 to 12 months ahead of your staging date, is ideal.

Understand your key dates. It’s crucial that you not only understand when your staging date is, but also any key company dates such as the pay reference period and payroll cut off. Documenting these dates and then overlaying the new dates when actions need to be completed as a result of pension reform legislation will help gauge the impact on the business. It will also help decision making, such as the need for a waiting period and if so, how long it should be.

Quality of data is key. It’s easy to underestimate the complexity of the data you require. You’ll need data for employee eligibility assessment, joining, contributions and opt outs. Inevitably this will come from different sources and systems. It takes a significant amount of time to do this within payroll cycles and the frequency that this data is needed also adds a layer of complexity. The quality of the data and the processes for sourcing the data for each payment cycle will be crucial to how smoothly that works each pay period.

Choice of contribution basis. Your chosen scheme must meet a quality standard, based around a minimum level of benefit or contribution, so you need to start budgeting for any extra costs. There is more than one acceptable contribution basis and they can be mixed and matched across the workforce to suit different reward mechanisms or pay patterns. What will work best for you? The key point is that the contribution basis and definition of earnings can be chosen to suit your business.

Method of contribution. Salary Exchange should also be considered as this can offer you significant cost saving benefits. However, where salary exchange is being used, this decision should be made prior to the scheme staging, otherwise it can cause additional administration for employers.

There is a lot to think about and do when it comes to setting up your company pension. These five tips give you a good starting point and in a future blog we’ll share with you another five tips. In the meantime, if you have any questions about pensions, do get in touch.