GDPR may sound more like a name for the new high-speed rail link but be assured it will be arriving at organisations across the country on 25 May 2018 and everybody will have to get on board.
The GDPR or General Data Protection Regulation is an overhaul of data protection law, which hasn’t been updated since the Data Protection Act came into being in 1998. Practices are being advised to start taking preparatory steps now as it will require time and effort to ensure compliance. Perhaps the first and most important step is to make sure that your partners and all levels of management in the practice are aware that the law is changing and what likely impact this is going to have.
Much of the focus in primary care thus far has been on the changes applying to patient records, but practice managers must remember that the new regulation also applies to the information you hold about your employees. So what is GDPR going to mean for you and the way you handle your employee data?
The GDPR will apply to "personal data", meaning information that relates to an identifiable living person. The definition is broad and, in the employment context, will include personnel records including sickness absence, performance appraisals, recruitment notes and any other information held about your staff.
The regulation is concerned with the "processing of data". For example, this could be running the monthly payroll or using an employee’s data to refer them to occupational health. This applies whether the practice is private or NHS. Be aware that job applicants will also be covered by the same legislation. Even though they are not employees, you are still processing their personal data.
So what are the practical implications for employers? As a starting point to compliance with the GDPR it would be useful to start thinking about the following:
- What categories of personal data do I process as an employer of staff?
- What do I do with that personal data?
- Why do I do this – what is the legal basis for processing it?
- Is it necessary for me to be processing all the personal data that I have and/or storing it (the more personal data you have the greater the risk of a breach)?
- Who am I sharing that personal data with? This information would form the basis for your “privacy notice” (see the checklist below).
To be able to process your employees’ data lawfully, you have to be able to show that there is a legitimate basis for doing so. An example of this could be that it is necessary to process the data for “compliance with a legal obligation”. An illustration of that would be sending payroll information to HMRC after each pay run.
The processing principles of the GDPR all existed under the Data Protection Act (DPA) 1998 but some have been refined. The Information Commissioner’s Office (ICO) has said that if organisations have been complying with best practice under the DPA then they probably won’t have too much work to do. However, as an employer, you are responsible for showing compliance with the principles and are therefore accountable in the eyes of the ICO.
The overriding principle in dealing with any personal data is that you are fair and transparent in what you do with it. The GDPR increases this transparency by making it obligatory for practices to inform employees about what they do with their data, including any relevant data retention policy.
This would take the form of a privacy notice. It is a requirement that the privacy notice is concise, intelligible and easily accessible (see checklist below for help on how to create a privacy notice).
Among other practical implications for consideration is how you monitor staff activities. Do you have CCTV in staff areas? Do you allow staff to make personal phone calls from the practice system or send personal emails from their business account? Do you have a fair use policy which outlines when staff can access the internet for personal use (e.g. at lunchtime), and are staff aware that you can monitor their usage and the sites they access from their work computer? Can they access personal email accounts and online banking from their work PC? If you have call recording, do staff know that you might use this for training and assessing their performance?
Why would you want to monitor these things? You could argue that you have a legitimate interest in protecting your business: for example, you have the right to try to prevent malware from getting into your IT system. However, you also need to respect the personal privacy of your staff. It is a balancing act between a legitimate interest in monitoring and the right to privacy for staff, and the monitoring you do should be proportionate to the risk you are addressing and disclosed to staff in advance.
Data subject access rights are another area with small but significant changes. Currently, the Data Protection Act 1998 enables employees and ex-employees to ask to see the information that you hold about them, and you have to comply within 40 days. Once the GDPR is in place you will have to comply “without undue delay” and at the latest within one month (extendable by up to two further months only where a request is particularly complex or numerous, and the individual must be told of the extension within the first month). You will also no longer be able to charge the standard £10 fee; a reasonable fee can only be charged where a request is manifestly unfounded or excessive, or for further copies.
The points above give a flavour of the things that practices need to start thinking about. Check the ICO website as it is continually being updated with information about the GDPR as it becomes available.
Note that the penalties for breach of the regulation are high – up to 4 per cent of annual worldwide turnover or €20m (around £17.8m), whichever is higher. So thinking and planning now about GDPR is certainly an investment worth making.
- Examine your existing data systems and the personal data you process.
- Review your current documentation relating to data protection and familiarise yourself with the requirements for privacy notices.
- Consider any practical ways that you monitor employees to assess proportionality.
Lindsey Falconer is a risk adviser at MDDUS
PRIVACY NOTICE CHECKLIST
The GDPR places emphasis on the documentation that data controllers must keep in order to demonstrate accountability. You should document what personal data you hold, where it came from and who you share it with. When you collect personal data you have to give people certain information, and in the context of personnel records you would have to provide that information to all of your employees. The following general checklist will provide a template for doing so. More information could be added if required.
What should be included?
How should the checklist be presented?
Once you have your privacy notice
The privacy notice doesn’t have to be one big document. If it becomes too unwieldy, you might consider using a layered approach where key privacy information is provided immediately and more detailed information could be provided elsewhere, such as on your shared drive. The important thing is to make sure you have been transparent and provided accessible information to your employees, as this is a key element of the GDPR.