The Human Resources (HR) function manages a vast amount of personal data throughout the employee life cycle, including; the hiring, firing, disciplinary or grievance procedures, payroll, and the like.
HR collects and processes personal data not only from their actual employees but also from candidates, consultants, contractors, and former employees. The type of personal data processed also includes special category data such as medical records, and for that reason it is of utmost importance that HR professionals understand their privacy related responsibilities and the General Data Protection Regulation (GDPR), to process personal data securely and accordingly. HR has a role to protect employee data from negligence and security threats.
In the article we look to raise awareness of when data privacy should be considered as part of the common challenges HR professionals face on a daily basis.
Jump to:
Responsibility for data protection is not just at a department level, every individual HR professional needs to be aware of their own privacy responsibilities.
In larger organisations, the HR department usually work very closely with their allocated privacy point of contact from the compliance or privacy team. However, in smaller companies the compliance function may not be so clearly defined. This is where support from an external expert may be crucial to ensure the business, and those within its HR function, have the right processes and training to maintain compliance.
HR can play a major role to manage and train employees in having a basic knowledge of standards of privacy and in keeping the organisations’ data secure. Employees would be best placed in learning their responsibilities at the onboarding stage, but, in order for this to be achieved, HR professionals themselves, need to fully understand the importance of GDPR.
If you need help developing and implementing the right compliance strategy our team of experienced data protection solicitors can help. We often work directly with HR professionals, helping to improve employee relationships and champion data privacy best practice across a business.
Integrating data privacy into policies and contracts
Employee privacy notice
Data privacy plays a massive part in each function. For HR, the Employee Privacy Notice is the most important notice as this provides information about how an organisation is processing personal data. It is a mandatory requirement under the GDPR for employers to provide certain information as well as a core obligation for employers to process HR related data in a fair and transparent way. Harper James can provide high level data privacy training to HR professionals to ensure these obligations are understood.
At the end of the day, employees need to know what data their employer is processing, why they are processing it, with whom they share and how long they need it for. An Employee Privacy Notice is the best way to give this information to an employee. Our data protection specialists can assist in data mapping what personal data you process, who you share it with and why, and help draft Employee Privacy Notices that provide information to employees in a clear and concise way.
Sensitive personal data
Special category data will inevitably need to be processed by HR so that employers can perform their obligations under employment laws. The likely conditions under which special category data can be processed for HR purposes is for; performing or exercising obligations or rights of the employer or employee under employment law; or exercising or defending legal claims. This should be clearly stated within the Employee Privacy Notice.
Employment contracts
HR professionals have been battling with the main question, which is - whether employment contracts need amending. This really depends on what they contain; to assess whether an amendment may be necessary, or a Notice may be sufficient enough to supersede any invalid and outdated clauses in the contract. It’s obviously easier to issue amended new contracts to new employees. Many employee handbooks will contain references to data protection rules and legislation which will also need updating, either by amendments or new policies. Unfortunately, some organisations still rely on employee consent to data processing in employment contracts, however, as consent can be withdrawn, this is clearly not the correct lawful basis to rely on, meaning - employees cannot really object due to the imbalance of power between an employer and employee. Essentially, employers should stay away from consent to data processing clauses!
Collecting and retaining employee personal data
It’s quite obvious why HR needs to collect data, it’s to manage the lifecycle of an employee; to make sure they get paid and obtain their benefits etc. But - why is it necessary to keep this information once an employee leaves? Well, the consensus usually is to retain information for at least 6 years, the reason being, to cover the time limits for bringing any legal action and for that reason, an employer may feel keeping the whole personnel file is justified. Many organisations make different decisions on how long to retain information, this could sometimes depend on the actual record and information it contains. For example, CCTV may be required to be kept longer than the ICOs recommendation; which is 6 months following the outcome of any formal decision or appeal, if it’s required and justified then there may be a reason to retain it longer. Retention and record keeping is a risk hot spot and will continue to be, it’s hard for an organisation to; a) establish how long information or records should be kept, b) review at the end of that said period whether it still needs to be kept, and c) whether that information is kept secure. This is probably one of the hardest documents to draft and essentially comes down to how long you require this information and at what point the organisation thinks it no longer needs it. As to the question whether the information is necessary, one would think that you would only collect what you need, if you don’t need it, don’t collect it, any extra information is pointless and against the GDPR regime and principles.
Evaluating employee data stored in HR systems
The Human Resources Information System (HRIS) holds employee records. Think of this as one big digital filing cabinet for your employee files. At times we often become idle In ensuring that the data that’s no longer required is deleted. It quite often becomes that filing cabinet that just never runs out of space, and the only time you probably would take a good hard look at assessing destroying any files you don’t need would be once you buy yourself a new filing cabinet – right? Unfortunately, such is the case here, data migration from one HRIS system to another system can often assist in clearing up and destroying information you don’t need, but not everyone wants to be that person that makes the call in what to delete, hence, it’s important to have a proper retention schedule with a destruction procedure and a team or person that deals. Our data protection specialists can assist in drafting retention schedules and assist in providing advice on what information you may need to keep in line with laws and your own organisation’s strategy and appetite.
It’s necessary to identify information you have from the outset and go back to the core principles of GDPR; which is to check what you have, why you have it and why you need to keep it.
Mapping the movement of data
It's not usual for HR functions to offshore certain functions like payroll, simply because it’s easier and more cost effective. Mapping your data is an important step in GDPR, for example, how are you able to respond to a data subject if you don’t know where their data is?
It’s therefore necessary to inform employees that their personal data is being offshored and perhaps even to a country where there are no adequate privacy laws in place. It would then be up to the organisation to ensure there are adequate measures in place and all the necessary transfer risk assessments have been conducted to satisfy such a transfer would be secure. At times, companies instruct other companies and so the data could be continuously moving from company to company, from country to country. It’s necessary to keep up with this movement to ensure, as the ultimate controller of that data, that the flow of data is secure and that adequate measures flow down the chain. As a controller of personal data of employees, organisations need to understand what is being transferred or processed, to where and why. There are many software/cloud based application providers that can assist in managing the movement, at times whilst this may be the easiest option – it can be hard to track the flow of information within the providers infrastructure, organisations may find this to be costly, and choose to rely on good old fashioned excel spreadsheets which can work just as well, so long you know what information to record.
You may also find this guide to how GDPR affects payroll useful, and if you require assistance with a data mapping exercise at your organisation, our team are on-hand to help.
Data sharing and contracts with third party providers
The relationship between a controller and processor is typically set out in a written contract between the parties processing personal data. HR would need the third party to confirm the role they play in GDPR, whether they consider themselves a controller or a processor, and also whether the HR function accepts the role the third party purports to be. Usually, it’s quite obvious what role a service provider plays, for example; payroll is and always will be a processor, but at other times it’s not so clear. Once the role has been established, it’s necessary to assess whether the processor provides adequate, technical, and organisational measures to keep data secure. Once this can be satisfied, the next step is the contract, better known as a data processing agreement, as per Article 28(1) of the UK GDPR. Further guidance on the concepts of controller and processor in the GDPR can be found on the Information Commissioners Office (ICO) website. What needs to be included, is;
- the subject matter of processing
- duration
- nature and purpose of processing
- type of personal data
- categories of data subject
Pension trustees are usually considered data controllers, however, scheme administrators; that process data on their behalf, are considered data processors.
There are many arguments to be had whether scheme actuaries are usually considered to be joint controllers or independent controllers, in any event, it’s necessary to identify all service providers and check exactly what they do for your organisation; and for your employees. So, whether the service provider is a controller or processor, the exporter of data would set out everyone’s responsibilities and the importer would provide assurances on security of data. Whilst controller to controller agreements are not alluded to in the GDPR, good practice suggests a transparent arrangement that sets out your agreed roles and responsibilities for complying with the UK GDPR, which is likely to take form in the format of an agreement.
Notwithstanding the above, regardless of whether there is a joint controller agreement in place, a controller to controller, or a controller to processor agreement, it’s still prudent to understand where the data is going and why. As an independent first controller has the means for deciding what to do with the data which will eventually sit with the data importer (new controller), its often lost as to where the data continues to be shared and why, as, quite frankly, there is not a contractual need for the data exporter to know. For a data subject enhancing their rights, it’s necessary to know where the data is going as a starting point, so data subjects can be referred to these other independent controllers, if need be.
Monitoring staff in the workplace
Employers often wish to monitor workplace activities, including remote work, to enhance productivity, bolster security, and ensure compliance with regulations. However, this monitoring comes with data protection challenges. Privacy concerns arise as monitoring activities may infringe on employees' privacy rights, leading to potential legal and ethical issues. Striking a balance between monitoring for legitimate reasons and respecting employees' privacy rights is essential. Please read our guide to monitoring staff for a list of key action points to consider.
Employee Subject Access Requests (SARs)
Subject access requests can be made by any employee at any time. You can only imagine how much employee data can be gathered during an employees work life cycle. A vast amount.
A response to a subject access request must be provided without undue delay and within one month, this period may be extended by up to three months if the request is particularly complex. This response must free of charge unless it’s manifestly unfounded or excessive. Many have the misconception, where HR receives such a request, that answering a SAR could mean a lot of investigating and digging deep and burdensome, but, in the grand scheme of things, this task is easy, although could use a lot of manpower or incur cost if the data is held by external suppliers, for instance in the cloud. There is a lot of to-ing and fro-ing in terms of guidance out there as to whether information that can be technically held to be beyond access falls within the scope of disclosure. This is the hard bit – assessing and checking what’s in scope for disclosure. The Irish Data Protection Commission have added their own thoughts to the mix, on one hand they state “…if the data subject expressly requests access to personal data that has been permanently deleted… and your organisation has not, in the normal course of business, access to the technology which can recover permanently deleted files.... and will need to employ an IT services company…. that request may be considered a complex one. However, on the other hand, if you normally have access to those technologies or have the resources to easily employ third parties that could recover the data, the request may not be considered a complex one…”. Your organisation will need to assess where your appetite lies and at what point you consider such data is considered beyond access. HR subject access requests can, therefore, be hard to deal with for those reasons as well as time consuming and costly.
Another issue HR has, is the use of applications that have not been vetted by the organisation, for example, WhatsApp; many colleagues often make internal WhatsApp groups to discuss aspects of their social life but also their work and other work colleagues (unfortunately), this begs the question; whether these applications are within scope of a subject access request. Our data protection specialists can assess each situation and advise whether certain data is within the scope of disclosure or not.
Employees right to be forgotten
This is another conundrum that HR functions deal with. Employees think, that once they have left employment at an organisation, that such a request can be made and all data relating to them can be deleted. Unfortunately, this is not the case as not all rights are absolute and can be enforced. Whilst there may be some data that can be deleted, it is likely due to retention schedules and statutory limitation periods for bringing a claim (6 years in the UK), employee personnel files will be retained for as long as necessary, and or at least as per the organisation’s retention schedule.
Risk assessments to implement a new system
As HR functions have and are becoming more and more digitalised, such as HRIS systems for storing personnel files or recruiting portals for job applicants, they are becoming more riskier to use. Most of these are external suppliers that house these systems, so it’s always necessary, especially where a lot of employee personal data is being processed and or housed, that the technology goes through a data protection impact assessment (DPIA). The ICO states that a DPIA is a process to help identify and minimise the data protection risks of a project, in this case, the technology or asset being used to process personal data. It would be required here, as processing here is likely to result in a high risk to the employees. To assess the level of risk, organisations must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. Organisations must assess whether personal data will be safe and secure and whether it will be transferred to any further sub processors and or outside the jurisdiction, including whether any of those are to non-adequate countries. If this is the case, then it would be necessary to get your legal and privacy functions involved to ensure any transfer risk assessments are being done and the correct contracts are being signed.
Training line managers
Anyone in the HR function requires high level data privacy training and this to be conducted as and when needed, in line with their job role and at least annually. This department processes lot of personal data, including special categories of data. Training in how personal data is handled, with whom it is shared and where it is kept are all important things a HR professional would need to know. One example would be ensuring personnel files are kept under lock and key, with no easy access to the private documents. This would ensure that there are minimal breaches as information is only shared on a role based and need to know basis. Here the GDPR training for HR can be highly beneficial. Employers should consider the training needs of different functions based on the nature, complexity and risks associated with job role, and deliver tailored training to address their needs. Annual training can also be rolled out; however, this is usually out of HR’s hands, and is usually an automated process for tick box compliance. Employees should also feel free to be able to ask for more training should they need it.