To celebrate International Data Privacy Day 2021 (28 January 2021), the Birketts Data Protection Team has produced a series of data protection top tips articles. This bite-sized advice series is designed to provide you with some easily digestible compliance tips, focusing on some of the key issues we see clients dealing with on a daily basis. Today we are focusing on Employment. Jennifer Leeder and Sam Greenhalgh share their data protection top tips...
Ensure employment policies and procedures relating to data protection issues are fit for purpose: It is essential that your policies and procedures are reviewed and updated on a regular basis to reflect changes in both legislation and practice. Policies within staff handbooks covering data protection and the use of social media, IT systems and devices (such as mobile phones and laptops) should be non-contractual to allow you to make changes without consulting with your entire workforce. Your policies should set out the standards employees must meet when processing personal data as part of their job role and the implications if these standards are not met.
Provide regular and tailored training: Comprehensive training on data-related issues, including refresher sessions, should be provided at regular intervals and records maintained to evidence this. Whilst the frequency will depend upon the employee's role, it is crucial that training is updated and refreshed, particularly if a breach may result in disciplinary action being taken, as an employee may allege that they have not received adequate training.
Check that employees know how and when to report any suspected data breaches: All employees should understand to whom a breach should be disclosed within your organisation and the consequences of non-compliance with your procedure. Creating a 'no blame' culture that recognises that breaches happen in all organisations will encourage employees to speak to you promptly. This will, in turn, allow you to comply with the requirement to inform the Information Commissioner's Office within 72 hours of a data breach. If your employees feel supported, the level of non-compliance and potential liability for your organisation will be reduced.
Have a 'clear desk' policy: Desks should be kept free of papers and employees asked to lock their screens when away from their desks. Personnel files should be securely locked away and access limited to members of your HR team. Against the backdrop of the Covid-19 pandemic and wide-scale adoption of home working, these practices should be extended; documents should be stored appropriately at home and confidential calls taken in private to prevent potential personal data breaches.
Keep employee personal data protected before - and after - employment: Data protection issues arise throughout the life cycle of an employment relationship and beyond. You should be equally mindful of issues regarding the use of data whether dealing with candidates or leavers. Ensure you have appropriate privacy notices in place to let current, former and potential employees know how and why their personal data is used. Limit access to employee data to members of your HR team. Ensure you have identified an appropriate lawful basis for processing employee data, particularly sensitive data such as health data. Have a clear employee data retention policy and ensure you adhere to it to prevent information from being kept for longer than is necessary.
Originally published 27 January 2021