How GDPR Compliant Is Your Organisation’s HR Data?

The main principle behind the new General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, is to protect people from having unnecessary data stored about them, and for too long. In fact, there are seven main principles that you will need to keep in mind when processing personal data, namely:

  1. Lawfulness, fairness and transparency – you will no longer be able to charge a fee when you receive a request for data held, and it must be provided within a month
  2. Purpose limitation – data must only be collected for specified, explicit and legitimate purposes
  3. Data minimisation – it must be adequate, relevant and limited to the purposes required
  4. Accuracy – every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified, without delay
  5. Storage limitation – personal data should not be kept for anything other than the purposes for which it is being processed, or for longer than necessary
  6. Integrity and confidentiality – data must be processed using appropriate technical or organisational measures to ensure its security
  7. Accountability – you will need an officer or someone in your organisation to be responsible for, and able to demonstrate, compliance with these principles

Conduct an audit now!

It’s important that an audit is carried out as soon as possible prior to 25 May 2018. When preparing for GDPR, it may be necessary for various departments – IT, Legal, HR and Compliance – to collaborate, ensuring that data security is robust.

  • The audit needs to assess current HR data and related processing activities to identify any gaps with the GDPR.
  • Assess the legal ramifications on processing personal data. Although consent is currently necessary, it may not meet the more stringent GDPR requirements. Keep in mind that consent may be revoked at any time. You may need to rely on other legal grounds to continue to process employee personal data, but if it can’t be justified you must cease those processing activities.
  • If your business is in an industry that’s highly regulated, you may be able to rely on compliance with a legal obligation as a basis for processing certain employee data. For example, some financial services employers need to provide and update regulatory references for staff for up to six years after the end of employment. Or, if you operate in a safety-critical environment, you could rely on health and safety risks to justify more intrusive processing of employee data, for example to establish fitness to work.
  • Review or implement documentation. This information must be written in a way that is easy for employees and job applicants to understand, and should include three key documents:
    • Data Protection Policy
    • Privacy notices for employees and job applicants
    • Data Processing Consent documents as signed by your employees
  • To maintain the GDPR principle of data minimisation, you will need to delete data once it is no longer necessary. For this reason, as well as the rights of ex-employees and other data subjects requiring erasure or the restricting of data processing, consider the retention periods of your HR personal data. If you already have a data retention policy, check whether the existing retention periods for HR data can still be justified. You must pay particular attention to matters such as disciplinary warnings, and data retained after the end of employment.
  • Data breaches will need to be reported to the data authority within 72 hours of the breach occurring, so ensure a strict procedure is put in place. Allocate responsibility to certain people to investigate and contain a breach, and to make a report. Train employees to recognise and address data breaches, and put appropriate policies and procedures in place.
  • You may need to appoint a data protection officer, either through recruitment or by training an existing staff member. They will be the accountable person and will liaise with the data protection authority.

The Information Commissioner’s Office (ICO) recommends 12 steps that you should take now, which you can access here. Or speak to me – I will be delighted to help you make sense of the new GDPR and how its principles should be applied to your organisation.

Helping You

If you need help becoming GDPR compliant, I can provide your business with the documents that you need, which are:

  1. Job applicant privacy notice
  2. GDPR compliant data protection policy
  3. Employee privacy notice
  4. Form to make a subject access request

I can also offer an audit to assess compliance and the actions required and deliver training for your employees, either face to face or by webinar. Get in touch if you need any of these documents or some training. Call me on 0118 940 3032 or click here to email me.

8 Things Every Employer Should Know about References

It is common practice for employers to provide references for employees and ex-employees, but there are risks involved. Here are eight things you need to know before you give anyone a reference.

  1. No legal duty to provide a reference. There is no obligation on you to provide a reference for an employee or ex-employee, unless there is a term in the contract which provides for this. This is irrespective of whether the request for the reference comes from the employee, a prospective employer or any other third party such as a bank or landlord.
  2. References must be true, accurate and fair. You have duties towards the subject and the recipient of the reference. You must take reasonable care to ensure that the information in the reference is true, accurate and fair, and does not give a misleading impression. If you fail to take such care, you could be sued for negligent misstatement and ordered to pay compensation. As an employer you must ensure that any reference you give, or any reason for refusing to give a reference, is not discriminatory and does not amount to victimisation. Employers can be liable for discrimination against a former employee even if it occurs after the employment has ended.
  3. Policy on giving references. It is good practice for employers to have a written policy on providing references. The policy should set out when a reference will be provided, who within the organisation may provide references and what information the reference should include. Many employers have a policy of providing a standard reference including only limited information, for example dates of employment and positions held. This limits exposure to claims.
  4. Settlement agreements. When you receive a reference request, you should check if there is a settlement agreement in place relating to the particular individual. Settlement agreements often contain the wording of an agreed reference, which the employer agrees to provide in respect of any reference requests made regarding the individual. There is more here on Settlement Agreements in one of our previous blogs.
  5. Employee consent to reference. In writing a reference, you are likely to have to process the employee’s or ex-employee’s personal data, as regulated by the Data Protection Act 1998. You need to check that the individual has consented to a reference being provided.
  6. Sickness absence. You must get explicit consent from the individual if you are providing sensitive personal data, such as physical or mental health information. Revealing the number of days an employee has been absent, but not the reasons for the absences, will not require explicit consent. However, this does run the risk of disability discrimination.
  7. Disclaimer of liability. Employers often include a disclaimer of liability arising from errors, omissions or inaccuracies in the information provided in a reference. The circumstances in which a disclaimer will be effective are limited. However, it is still worth you including one.
  8. Sending the reference. A written reference should be addressed to the named individual who has requested it and marked “Strictly private and confidential” and “To be opened by the addressee only”.