Data Protection – Key points for employers

Guest Article Author - Tabytha Cunningham, Coffin Mew LLP

Perhaps understandably, compliance with data protection often slips down employers’ lists of priorities; however, this is a risk area for all employers. Changes coming into force in May 2018 mean that now is a good time for all employers to review their compliance with the data protection rules.

The legal requirements

The rules under the Data Protection Act 1998 are designed to protect individuals’ personal information from being misused. Put simply, they say that personal information should be:

  • Processed lawfully and fairly and only for specific purposes
  • Accurate, and kept up to date
  • Relevant and not excessive
  • Kept for no longer than necessary
  • Kept securely
  • Only transferred outside the European Economic Area in specific circumstances

Employers that fail to comply with these rules can not only face enforcement action from the Information Commissioner, but also risk employment claims, for example for breach of contract or discrimination.

Key areas for employers

Employers should specifically consider the following issues:

  • Recruitment: Employers inevitably gather personal information as part of their recruitment process, for example checking an applicant’s Facebook or LinkedIn account or requesting references. It’s important that employers are open with applicants about the data they’re collecting and why, only collect the information that they need, and keep it no longer than necessary.
  • Employment Records: Employers constantly process their employees’ personal data, ranging from personnel files to information regarding performance, appraisals and benefits. Employers should ensure that this information is kept securely, that their records are not excessive, and that the minimum retention periods specified for different employment records are followed. Employees should also be given the chance to check and update their data regularly.
  • Employee health information: The strictest rules cover the processing of ‘sensitive personal data’, which includes health information. Employers should have employees’ specific consent to this being processed and ensure that access to it is limited to those with a real need. For example, the payroll officer processing sick pay only needs to know the dates of the absence, rather than the cause.
  • Monitoring employees: Most employers will monitor their employees in some way, from monitoring emails to workplace CCTV. Monitoring can usually be justified; however, employers must show that there is a good reason for the monitoring, it’s targeted and done in the least intrusive way possible, and that employees are made aware of it.

Changes from May 2018

The rules will be changing from May 2018 when the General Data Protection Regulation (GDPR), which is designed to update and align the data protection laws across the EU, will be introduced.

The key changes for employers will be:

  • Stricter requirements regarding consent: Under the new rules employees’ consent must be a freely given, specific, informed and unambiguous indication of their wishes, given by a statement or clear action. A general overall consent to processing data will no longer be enough. There will also be increased rights for employees to withdraw their consent.
  • Requirements for employers to provide more detailed information about how employees’ data is processed.
  • Obligations to appoint a Data Protection Officer.
  • A new mandatory duty to report breaches of data protection within 72 hours.
  • Reduced time frame to respond to data protection requests: This will become 1 month as opposed to 40 days, and there will no longer be a right to charge a fee.

The aim of the GDPR is to ensure that businesses make data protection a fundamental part of the running of their business, rather than simply relying on written policies. Employers should start looking at their current practices now to prepare for these changes.