Data privacy issues have an impact on most HR activities, including data processing, recruitment, performance monitoring, and the handling of references. This is especially true in this modern age of digital and technological advances. As a human resources manager it is vital that you implement systems and processes in your company to safeguard sensitive employee data, ensuring they comply with state, local and international data protection laws.
In this post we will take a look at GDPR data regulations and how the Data Protection Act affects employers in the United States. We will also discuss best practices for protecting employee personal data and tips for ensuring privacy compliance at all levels of your company.
- Data privacy overview [Data Privacy Day]
- HR’s responsibility when it comes to data protection
- US Data protection & Privacy
- Protecting Employee Data
- Employee data protection best practices
- The type of data a company can legally hold and which they can’t
- What happens to an employee’s data once they leave a company?
Let’s start with a curious event that happens each year in the world of GDPR and employee data.
Data Privacy Day is a global, annual event that aims to raise awareness on the importance of privacy and safeguarding data. The campaign promotes privacy and data protection best practices and it targets both individuals and businesses alike.
The event was first celebrated in North America on January 28th, 2008, as an extension of the existing Data Protection Day in Europe. The date corresponds with the signing of the Council of Europe’s 1981 data protection treaty, known as “Convention 108”, which follows a technologically-neutral, principle-based approach to protecting an individual’s right to privacy.
Each year on this date, governments and national data protection bodies launch campaigns, conferences and open-door events to inform the public of their rights to personal data protection and privacy. Aside from the general public, campaigns are also often targeted at those working in the education sector and those industries that rely heavily on data processing. The event is an opportunity for businesses to re-evaluate how they have been collecting, sharing, and using data, and to improve internal processes to stop valuable data from being exploited, misused, or lost.In the US and Canada, the event is led by the National Cyber Crime Alliance (NCSA), a non-profit organisation dedicated to promoting a safer and more trusted internet. NCSA’s privacy awareness campaign is an integral component of the global online safety, security and privacy campaign “STOP. THINK. CONNECT.™”.
Data privacy protection is a branch of data security concerned with the proper handling of data, including consent, notice, and regulatory obligations. Every individual is entitled to access and control all personal information collected and stored by a company and they may revoke their consent at any time.
Although there are no federal USA data privacy laws and no centralized data protection agency in the US, companies that work with clients, customers and employees in the European Union must be aware of the principles that govern the General Data Protection Regulation (GDPR). The European GDPR, which came into effect in 2018, replaced the previous UK Data Privacy Act and introduced a new set of guidelines for processing, handling and storing personal data. It requires companies working with or within the European Union to implement data protection policies and procedures that ensure transparency and accountability. Record-keeping requirements vary depending on whether a company handling data is a controller (responsible for determining purpose and means of processing personal data) or a processor (those processing data on behalf of the controller).
- Who the controller of their data is
- The purpose of processing their personal data (why information is collected)
- Any changes to their contract, company handbook or data processing
- Any third parties who receive their data, such as payroll providers
- Their data protection rights under GDPR, including their right to revoke consent at any time.
GDPR and companies with less than 250 employees: although GDPR record-keeping requirements are not enforced for most companies with less than 250 employees (with the exception of companies handling data relating to criminal convictions), all other aspects of the data security and privacy act must be complied with.
Personal data is defined in the GDPR as being “any information relating to an identified or identifiable person who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. This includes data that is processed electronically, kept in a filing system, included in an accessible record, or held by a public authority.
In terms of employee data, this can include:
- CV, references, and application files
- Personal files
- Payroll information, including tax and insurance data
- Medical files
- Employment contracts, compensation and benefits
- Performance reviews and appraisals
Any company that collects, stores, gathers, organizes, retrieves, discloses, transfers, or otherwise makes available personal data for an employee located in the EU must ensure they are implementing the correct GDPR measures for employee data collection privacy protection.
When it comes to employees, it is the responsibility of the Human Resources department to protect and safeguard personal data. In the US, failure to comply with standards set by the Fair and Accurate Credit Transactions Act (FACT Act) and the Fair Credit Reporting Act (FCRA) can result in major penalties. And for employees based in the EU, HR managers must also ensure all data handling processes comply with the GDPR.
Employers must create clear policies and procedures that take into account these regulations and ensure they are accessible to all employees. These policies must govern all personal data processed and handled by the company and they must be reviewed and updated on a regular basis. Employers must provide thorough and continuous training to all staff to ensure employees are aware of data protection usa and security laws, their GDPR employee rights, and the importance of adhering to GDPR procedures at all times. Measures should also be put in place to guarantee the security of stored data, including encryption and designated servers.
There are many issues that can arise as a consequence of retaining employee data. The following should be taken into account at all times:
Sensitive personal data: there are extra measures that need to be considered when handling sensitive data such as medical records and employee benefits. These measures aim to safeguard health and safety and reduce discrimination. Explicit consent must be provided before a company can handle and/or process this data.
Recruitment: as a recruiter, it can be tempting to gather as much information as possible about a potential candidate. Do not collect more data than you need and don’t retain information for longer than necessary.
Social media: by using social media as a basis for employment decisions you run the risk of encountering issues with protecting employee data and discrimination. A clear social media policy should be included with a company’s general data protection procedures.
Monitoring: If you monitor employee emails or have a workplace CCTV system in place, you must be able to prove you have a legal basis for doing so. Staff must be informed and provide consent before their computers can be accessed remotely. If consent is not provided, online monitoring could be classed as hacking, a criminal offence subject to penalties.
- Policy brief & purpose
- The identity and contact details of the employer
- A description of the personal data that is collected
- The purposes for processing the data
- The legal basis on which the processing will take place
- Who the personal data is shared with
- Whether personal data is transferred to/from the EEA and if so, details of the safeguards that are in place to protect the security of data
- How long the personal data will be stored
- Details about the rights that employees have in relation to that personal data, including the right to request that the employer rectify any incorrect information. Employee consent can be revoked at any time.
As a member of the HR team, you can implement a series of best practices to continuously monitor and improve your methods for safeguarding employee data protection:
- Develop effective administrative, technical, and physical data security controls for all business areas. Ensure all areas are aware of compliance requirements.
- Work with your IT department and senior managers to design and implement a series of policies for handling, storing, and accessing employee personal data. Review and update policies on a regular basis to ensure they address the most current security best practices.
- Restrict access to a “need-to-know” basis. Periodically review who is accessing sensitive information and ascertain if all access is authorized and necessary.
- Work with your security team to build and understand your company’s incident response. With that said, this should be done for each area impacted by privacy concerns (ie. internet usage, social media, confidentiality, information security, and document retention/destruction).
- Ensure all employees are aware of data protection procedures. Make sure they have access to all policies, and provide consent for the handling of their data.
- Train employees and managers on the importance of adhering to record-keeping guidelines. Also, they should know the risk of phishing emails, data mining and privacy, and security breaches.
- Always encrypt your data.
- Make sure you are only storing data that is necessary for your business.
- Train senior management so that they can help promote a security-first culture so that employee data protection is at the forefront of every process and procedure.
An often-overlooked factor when it comes to data protection is storage. According to the GDPR, personal data must be stored for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data. In addition, any legal obligations to keep the data for a fixed period of time (for example national labor, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period).
Data needs to be stored on a secure server and, although encryption is not mandatory, it is highly recommended. By using a safe and secure document management system you can easily and securely manage all your company and employee documents and effectively protect your data. Data can be readily accessed and audited which helps the company achieve its overall goal of compliance.
An employer can legally hold the following data:
- Personal details (name, address, marital status, etc.)
- Race, ethnicity, political membership and religion
- Trade union membership
- Biometrics, if your fingerprints are used for identification
- Health and medical conditions
- Tax code and other payroll information
- Emergency contact details
- Employment history with the organisation
- Employment terms and conditions (including pay, hours of work, holidays, benefits, absences)
- Any workplace accidents or incidents
- Documentation of raining undertaken
- Any disciplinary action
- Performance reviews
An employer can only legally hold the following data with an employee’s express consent:
- Camera images or video surveillance records
- Information of software that maintains and analyses the use of Internet and e-mail traffic
- Recordings of phone calls or instant messaging
- Remote management of all mobile devices, such as phones and laptops
- Tracking or location data of company cars or equipment.
A data breach is defined as the unauthorised access to, or loss, transfer or destruction of, personal data as a result of a security breach. Depending on location, there are various implications for encountering a data breach. In the UK, for example, data breaches must be reported to the Data Protection Commission (DPC) within 72 hours. Breaches involving personal data must also be notified to the data subject within the same timeframe.
Repercussions can include:
- Prosecution: The Data Protection Act 2018 contains provisions making certain disclosure of personal data a criminal offence. Penalties include warnings, reprimands and fines.
- A temporary or permanent ban can be imposed on data processing.
- Significant loss of revenue. Companies that face a data breach often end up losing revenue in the short and/or long-term.
- A data breach can negatively impact a company’s reputation and brand, also affecting the bottom line.
As we have seen, GDPR regulates personal data in Europe. In the US, it is also regulated by the following organisations:
- The Health Insurance Portability and Accountability Act (HIPAA), which seeks to protect the privacy of employee health information.
- The Americans with Disabilities Act, which also requires employers to maintain employee health information securely and confidentially.
- The Fair Credit Reporting Act (FCRA), which seeks to protect the privacy of consumer and employee financial data.
- The Fair and Accurate Credit Transactions Act (FACT Act)
Generally, personal data cannot be disclosed without the express consent of the employee in question. However, there are certain circumstances where employee data can be disclosed without consent:
- The performance of a contract.
- Compliance with a legal obligation (including tax and anti-fraud obligations).
- The legitimate interests of the employer.
- The performance of a task carried out in the public interest.
- Criminal record checks.
- Medical reports (in the current climate, this could include whether or not an employee has tested positive for COVID-19).
So far we have clarified what constitutes personal data, what laws govern the handling and processing of employee data, and how companies can safeguard these regulations and ensure compliance. But what about when an employee leaves the company? What requirements does an employer have and what data needs to be disposed of or stored?
First and foremost, although there are no minimum or maximum time limits for keeping employee data, the law does state that data should not be kept for longer than necessary. The length of time you keep data depends on many factors, including data type and reasons for storage and handling. Any data not required must be securely destroyed. This applies to both digital and paper records.
There are also other legal requirements which need to be taken into account:
- Working time records: must be maintained for two years.
- Payroll records: must be maintained for 3 years from the end of the last employment tax year.
- Maternity, Paternity and Shared Parental Pay records: must be maintained for 3 years after the end of the tax year that the payment stopped.
- An employment record: Generally speaking, employment records should be maintained for at least 6 years in case a former employee files a claim with the employment tribunals or a security breach claim.
Aside from deciding what data should be stored and what data should be destroyed, the IT department must ensure all company electronic devices, including phones, laptops and tablets, are retrieved and all access to internal systems, processes and documents are immediately restricted.
We hope the tips and advice in this post help you design and implement an efficient data protection policy that safeguards the data of all your clients, customers and employees. Following a proactive, hand-on approach to data privacy will help your company ensure compliance, avoid potentially catastrophic data breaches, and promote a brand based on trust, transparency and accountability.
Written by Cat Symonds; Edited by Tanya Lesiuk