The GDPR or General Data Protection Regulation came into effect in May 2018 and replaced the 1998 Data Protection Act (DPA). Much of the focus in primary care thus far has been on the changes applying to patient records, but practice managers must remember that the regulation also applies to the information you hold about your employees.
The GDPR applies to "personal data", meaning information that relates to an identifiable living person. The definition is broad and, in the employment context, will include personnel records including sickness absence, performance appraisals, recruitment notes and any other information held about your staff.
The regulation is concerned with the "processing of data". For example, this could be running the monthly payroll or using an employee’s data to refer them to occupational health. This applies whether the practice is private or NHS.
Be aware that job applicants are also covered by the same legislation. Even though they are not employees, you are still processing their personal data.
So what are the practical implications for employers? As a starting point to compliance with the GDPR it is useful to think about the following:
- What categories of personal data do I process as an employer of staff?
- What do I do with that personal data?
- Why do I do this – what is the legal basis for processing it?
- Is it necessary for me to be processing all the personal data that I have and/or storing it (the more personal data you have the greater the risk of a breach)?
- Who am I sharing that personal data with? This information would form the basis for your “privacy notice” (see the checklist below).
To be able to process your employees’ data legally, you have to be able to show that there is a legitimate basis for doing so. An example of this could be that it is necessary to process the data for “compliance with a legal obligation”. An illustration of that would be sending information to the HMRC after each pay run.
The processing principles of the GDPR all existed under the DPA, but some have been refined. The Information Commissioner’s Office (ICO) said that if organisations have been complying with best practice under the DPA then they probably won’t have too much work to do. However, as an employer, you are responsible for showing compliance with the principles and are therefore accountable in the eyes of the ICO.
The overriding principle in dealing with any personal data is that you are fair and transparent in what you do with it. The GDPR has increased this transparency by making it obligatory for practices to inform employees about what they do with their data, including any relevant data retention policy. This takes the form of a privacy notice. It is a requirement that the privacy notice is concise, intelligible and easily accessible.
Among other practical implications for consideration is how you monitor staff activities. Do you have CCTV in staff areas? Do you allow staff to make personal phone calls from the practice system or send personal emails from their business account? Do you have a fair use policy which outlines when staff can access the internet for personal use (e.g. at lunchtime) and are staff aware that you can monitor their usage and the sites they access through their computer’s IP address? Can they access personal email accounts and online banking from their work PC?
If you have call recording, do staff know that you might use this for training and assessing their performance? Why would you want to monitor these things? You could argue that you have a legitimate interest in protecting your business: for example you have the right to try to prevent viruses from coming into your IT system.
However, you also need to respect the personal privacy of your staff. It’s a balancing act between a legitimate interest in monitoring and the right to privacy for staff.
Data subject access rights is another area that has small but significant changes to it. The DPA enabled employees and ex-employees to ask to see the information that you hold about them. You were obliged to comply within 40 days. But under the GDPR, you must comply “without undue delay” but definitely within one month. You can also no longer charge a £10 fee.
This article offers an overview of the points practices must consider when managing employee data. Stay up-to-date on the latest GDPR developments on ico.org.uk. Note that the penalties for breach of the regulation are high – up to 4 per cent of turnover or £17.8m (€20m), whichever is higher. So make sure you have all measures in place to ensure compliance.
- Examine your existing data systems and the personal data you process.
- Review your current documentation relating to data protection and ensure you meet the requirements for privacy notices.
- Consider any practical ways that you monitor employees to assess proportionality.
Liz Symon is an employment law adviser at MDDUS