Protecting employee data

What is GDPR and why do you need to know about it? Risk adviser Lindsey Falconer offers some answers on new data protection regulations

 

GDPR may sound more like a name for the new high-speed rail link but be assured it will be arriving at organisations across the country on 25 May 2018 and everybody will have to get on board.

The GDPR or General Data Protection Regulation is an overhaul of data protection law, which hasn’t been updated since the Data Protection Act came into being in 1998. Practices are being advised to start taking preparatory steps now as it will require time and effort to ensure compliance. Perhaps the first and most important step is to make sure that your partners and all levels of management in the practice are aware that the law is changing and what likely impact this is going to have.

Much of the focus in primary care thus far has been on the changes applying to patient records, but practice managers must remember that the new regulation also applies to the information you hold about your employees. So what is GDPR going to mean for you and the way you handle your employee data?

PRACTICAL IMPLICATIONS

The GDPR will apply to "personal data", meaning information that relates to an identifiable living person. The definition is broad and, in the employment context, will include personnel records including sickness absence, performance appraisals, recruitment notes and any other information held about your staff.

The regulation is concerned with the "processing of data". For example, this could be running the monthly payroll or using an employee’s data to refer them to occupational health. This applies whether the practice is private or NHS. Be aware that job applicants will also be covered by the same legislation. Even though they are not employees, you are still processing their personal data.

So what are the practical implications for employers? As a starting point to compliance with the GDPR it would be useful to start thinking about the following:

  • What categories of personal data do I process as an employer of staff?
  • What do I do with that personal data?
  • Why do I do this – what is the legal basis for processing it?
  • Is it necessary for me to be processing all the personal data that I have and/or storing it (the more personal data you have the greater the risk of a breach)?
  • Who am I sharing that personal data with? This information would form the basis for your “privacy notice” (see the checklist below).

LEGITIMATE PROCESSING

To be able to process your employees’ data legally, you have to be able to show that there is a legitimate basis for doing so. An example of this could be that it is necessary to process the data for “compliance with a legal obligation”. An illustration of that would be sending information to the HMRC after each pay run.

The processing principles of the GDPR all existed under the Data Protection Act (DPA) 1998 but some have been refined. The Information Commissioner’s Office (ICO) has said that if organisations have been complying with best practice under the DPA then they probably won’t have too much work to do. However, as an employer, you are responsible for showing compliance with the principles and are therefore accountable in the eyes of the ICO.

The overriding principle in dealing with any personal data is that you are fair and transparent in what you do with it. The GDPR increases this transparency by making it obligatory for practices to inform employees about what they do with their data, including any relevant data retention policy.

This would take the form of a privacy notice. It is a requirement that the privacy notice is concise, intelligible and easily accessible (see checklist below for help on how to create a privacy notice).

OTHER IMPLICATIONS

Among other practical implications for consideration is how you monitor staff activities. Do you have CCTV in staff areas? Do you allow staff to make personal phone calls from the practice system or send personal emails from their business account? Do you have a fair use policy which outlines when staff can access the internet for personal use (e.g. at lunchtime) and are staff aware that you can monitor their usage and the sites they access through their computer’s IP address? Can they access personal email accounts and online banking from their work PC? If you have call recording, do staff know that you might use this for training and assessing their performance?

Why would you want to monitor these things? You could argue that you have a legitimate interest in protecting your business: for example you have the right to try to prevent viruses from coming into your IT system. However, you also need to respect the personal privacy of your staff. It’s a balancing act between a legitimate interest in monitoring and the right to privacy for staff.

Data subject access rights is another area that has small but significant changes to it. Currently, the Data Protection Act 1998 enables employees and ex-employees to ask to see the information that you hold about them. You would currently have to comply within 40 days. Once the GDPR is in place you will have to comply “without undue delay” but definitely within one month. You will also no longer be able to charge a £10 fee.

The points above give a flavour of the things that practices need to start thinking about. Check the ICO website as it is continually being updated with information about the GDPR as it becomes available.

Note that the penalties for breach of the regulation are high – up to 4 per cent of turnover or £17.8m (€20m), whichever is higher. So thinking and planning now about GDPR is certainly an investment worth making.

ACTION POINTS

  • Examine your existing data systems and the personal data you process.
  • Review your current documentation relating to data protection and familiarise yourself with the requirements for privacy notices.
  • Consider any practical ways that you monitor employees to assess proportionality.

 

Lindsey Falconer is a risk adviser at MDDUS

 


PRIVACY NOTICE CHECKLIST

The GDPR places emphasis on the documentation that data controllers must keep in order to demonstrate accountability. You should document what personal data you hold, where it came from and who you share it with. When you collect personal data you have to give people certain information, and in the context of personnel records you would have to provide that information to all of your employees. The following general checklist will provide a template for doing so. More information could be added if required.

What should be included?

  • Who is collecting the information (i.e. the name of the data controller and the data protection officer)? Normally the data controller will be the legal entity, which would be the practice name. The data protection officer would be the named person who is the contact for queries; probably the practice manager or an identified GP.
  • What personal information do you hold?
  • How is the information collected?
  • Why is it collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?
  • What are you doing to ensure the security of personal data?
  • Information about employee’s right of access to their data.
  • What is the retention period for the data?

How should the checklist be presented?

  • Use clear, straightforward language.
  • Adopt a style that your employees will all understand.
  • Don’t assume that everybody has the same level of understanding as you.
  • Avoid confusing terminology.
  • Be truthful.

Once you have your privacy notice

  • Test your draft privacy notice with users.
  • Amend it if necessary.
  • Roll it out to everyone.
  • Review and update as necessary.

The privacy notice doesn’t have to be one big document. If it becomes too unwieldy, you might consider using a layered approach where key privacy information is provided immediately and more detailed information could be provided elsewhere, such as on your shared drive. The important thing is to make sure you have been transparent and provided accessible information to your employees, as this is a key element of the GDPR.