
Leeanne has extensive experience advising a range of regional, national and international employer clients on various contentious and non-contentious employment law issues. She is dual qualified and practises in both Northern Ireland and England & Wales. Leeanne also regularly provides content and training to external organisations and education providers such as Legal Island and Ulster University.
Leeanne assists HR, management and in-house legal teams with a range of day-to-day employee relations issues, such as poor performance, ill health, disciplinaries and grievances. She also provides advice and guidance to clients on redundancy exercises, contract and policy reviews, senior employee exits and the transfer of employees under TUPE.
With particular experience in representing clients at all stages of employment tribunal litigation, Leeanne covers various complaints such as unfair dismissal, discrimination, whistleblowing and equal pay, advising clients across a broad range of sectors, but with particular experience of those in the retail, telecommunications and manufacturing sectors.
Data protection is the process of ensuring that the personal data of individuals is suitably protected from compromise or loss. The introduction of the General Data Protection Regulation (GDPR), effective from 25 May 2018, requires employers to notify data subjects about their personal data handling practices through a privacy notice. It should inform data subjects about how the organisation collects, stores, uses, transfers and secures their personal data.
The financial and reputational consequences of a data breach are made evident in the media on a regular basis. Infringements of the GDPR carry penalties of up to EUR 20 million or 4% of global turnover for the most serious breaches of the data protection principles and of individual rights.
Since the introduction of the GDPR, we have seen the Supreme Court consider whether an employer could be held vicariously liable for the actions of a rogue employee, which resulted in one of the most noteworthy data breaches to have occurred. The case of WM Morrisons Supermarket PLC v Various Claimants [2018] EWCA Civ 2339 concerned a former employee of Morrisons Supermarket, Andrew Skelton, who was a senior IT auditor at the time. Having been subject to disciplinary proceedings (and seemingly holding a grudge as a result), he uploaded the payroll data of 100,000 Morrisons employees onto a public website in January 2014. Thousands of the affected employees subsequently initiated legal proceedings seeking compensation for the data breach. The case went to the Supreme Court, which ruled that Morrisons was not vicariously liable for the actions of Mr Skelton. Mr Skelton was convicted and sent to prison for 8 years.
However, whilst this case was quite distinct in that the actions of the employee were clearly malicious, it is a timely reminder to employers of the risks associated with failing to take reasonable care of personal data.
It is therefore essential that employers carry out thorough data protection audits to ensure legal compliance in terms of how their company uses and processes employee data. Regular training should be provided to staff members who handle personal data so they understand their obligations under the GDPR.
Key components of a Privacy Notice
A Privacy Notice will be just one of a number of policies your organisation will have in respect of data protection, and should not be confused with a general Data Protection Policy which sets out how the organisation protects personal data. A Privacy Notice or Privacy Policy is intended to be read by individuals and provide them with information on how their data is used.
In considering the new data protection principles, and specifically the need for transparency and for the individual to be informed, organisations need to communicate their processing activities to their data subjects. For the purposes of this article, we are focusing on employees as data subjects.
In accordance with Article 12 of the GDPR, the information given to data subjects must be concise, transparent, easily accessible and given in plain language. The information provided also has to be comprehensive. Therefore, from a practical perspective, employers may wish to have a short-form policy on their intranet with links to the more detailed sections.
It should cover a number of aspects, including, but not limited to:
- contact details for the data protection officer, or member of staff who is the point of contact for data protection issues;
- what types of data the company will process;
- the purpose of requiring personal data;
- the lawful basis for processing the data;
- who the data will be shared with, including reasons why it is shared;
- how long it will store the data for (retention periods);
- the rights of data subjects;
- how the rights of data subjects are protected (taking account of the data protection principles);
- where processing is based on an individual’s consent, that this consent can be withdrawn at any time; and
- the right to lodge a complaint with the Information Commissioner’s office.
As with all policies in your organisation, the Privacy Notice should be regularly reviewed and updated if the organisation starts to use personal data in a different way.
What Is Personal Data?
The ICO describes personal data as ‘information that relates to an individual’. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.
In the context of employee information, the personal information likely to be collected will include: personal contact details, date of birth, marital status and dependants, bank account details, salary, pension and benefits information, a copy of the individual's driving licence or passport, disciplinary and grievance information, and any medical conditions or disabilities.
Northern Ireland employers with 11 or more employees (working 16 hours or more per week) have a legal obligation to report to the Equality Commission yearly with details of male and female employees, applicants and appointees by community background. This information will usually be collected in monitoring forms which may also request additional information on the individual’s race, ethnicity and sexual orientation.
The Data Protection Principles
The Data Protection Act 2018, which implements the GDPR in the UK, sets out the key principles which a data controller will need to consider in respect of personal information:
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes;
(c) adequate, relevant and limited to what is necessary;
(d) accurate and, where necessary, kept up to date. Every reasonable step must be taken to erase or rectify any inaccurate personal data without delay;
(e) kept in a form which permits identification for no longer than is necessary; and
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
How Personal Information Will Be Used
There is no one-size-fits-all template policy that organisations should roll out, and the types of data and purposes for processing should be identified through the completion of an internal audit.
Common purposes for which information is collected from employees include:
- determining the terms on which the individual works for the company and to administer the relevant contract;
- to check an individual has a legal right to work in the UK;
- to process pay and other benefits;
- fitness for work or management of sickness absence;
- gathering evidence for a disciplinary or grievance process;
- determining continued employment or the termination of employment; and
- dealing with threatened and actual legal proceedings.
Individuals’ Rights
The Information Commissioner’s Office outlines the rights individuals have under the GDPR:
- The right to be informed (the data must be easily accessible and understandable)
- The right of access (the ability to review the information held and this links in to subject access requests)
- The right to rectification (data should be rectified if inaccurate)
- The right to erasure
- The right to restrict processing (individuals can block the processing of their personal data in certain circumstances)
- The right to data portability (this provides the individuals with the ability to transfer their personal data where necessary, safely and securely)
- The right to object (this could include rejecting direct marketing communications)
- Rights in relation to automated decision making and profiling (individuals have the right to request that decisions are not made solely via automated processing and can object and ask for reconsideration where this has been done).
In the context of employment, it is commonplace for employees to make data subject access requests (DSAR) to obtain specific personal information held about them. The Privacy Notice should signpost employees to the appropriate person to contact should they wish to have access to their personal information.
Under the GDPR, employers can no longer charge a fee for responding to a DSAR. However, if the request for access is unfounded or excessive, a reasonable fee may be charged.
Data Protection Officers
Under the GDPR, public authorities and organisations carrying out specific core activities are required to appoint a data protection officer (DPO). However, regardless of whether there is a requirement, it can be beneficial to appoint a designated DPO who will take responsibility for implementing the practices, processes, training and controls required to ensure compliance.
If there is a designated DPO, their details should be included in the data protection policy.
Data Retention
Under the GDPR, organisations are only permitted to retain personal data for as long as necessary to fulfil the purpose it was collected for. In order to comply, organisations should identify retention periods for personal data and ensure that this data is either anonymised, securely destroyed or erased at the end of applicable retention periods. Businesses should consider having a separate data retention policy which sets out the retention period for the records they hold, including the personnel records of individual staff members.
In Northern Ireland specifically, registered employers should be aware of the particular retention periods that apply to employee and applicant records under the Fair Employment (Monitoring) Regulations (NI) 1999.
Data Protection and A Remote Working World
The pandemic has resulted in widespread changes to how organisations operate, and in line with Government guidance, people are again being encouraged to work from home where they are able to do so. In a remote working environment, how do employers ensure compliance with data protection laws?
First and foremost, organisations should be regularly reviewing and updating their data protection policies and procedures to ensure that personal data continues to be protected whilst people work from home. Relevant changes should be communicated to employees so they understand what is expected of them. This may include one or a number of the following:
- Requiring employees to use only company approved or provided hardware and software when handling personal data;
- Encouraging employees to limit the number of physical documents they keep at home (where documents are taken home, a register of what is being kept at home may be useful) and, where it is necessary to print documents, to ensure they are stored securely until they can be disposed of safely at work;
- Reminding employees of the need to lock away documents and equipment in a safe place when not working; and
- Reminding employees of the need to lock computer screens when away from their workspace, and to be mindful of confidentiality when on work calls (including video calls).
Conclusion
Having a suite of data protection related policies and procedures in your organisation is important for ensuring compliance with the GDPR. The risks associated with a data breach, both reputational and financial, can be significant. Spending the time to ensure that the right practices, procedures, training and people are in place to deal with compliance is essential.
The pandemic has thrown up further data protection challenges for organisations so it is important to ensure a risk assessment of related issues is carried out, and changes are implemented where necessary to ensure personal data remains protected.