It’s important for those responsible for HR in a business to understand how data protection rules affect the employer–employee relationship. Here, we answer the questions we’re most frequently asked, covering employee emails, recruitment, keeping CVs on file, whistleblowing, and working from home.
- How does data protection apply to employees’ emails?
- How does data protection affect recruiting and interviewing potential job candidates?
- What are the data protection implications of keeping CVs on file for later use?
- Data protection and whistleblowing/whistleblowers
- Are there any data protection implications from allowing employees to work from home?
How does data protection apply to employees’ emails?
Employee email addresses (personal or corporate) constitute personal data. Because you store the email address, you are processing personal data and take on the obligations that come with it.
To avoid breaching those obligations, you should ensure the data is stored securely and is not at risk of being lost or stolen. To uphold the 6 principles of data protection, you should also ensure you only store the email address for as long as necessary and that it is kept up-to-date. It is also important to inform your employees of the reason you need to store their email address.
You should also ensure employees are aware of their own duties under data protection law. In particular, it is important that employee emails containing personal data about customers are protected. One way to achieve this is to establish a business policy which requires employees to include the minimum of personal data in any email.
How does data protection affect recruiting and interviewing potential job candidates?
Recruiting and interviewing potential job candidates will require you to collate and process personal data, both sensitive and non-sensitive. It is therefore very important to take measures to ensure you do not breach your data protection obligations.
Discharging your obligations begins when you advertise a job role. It is important the potential job candidate is aware you will be processing the personal data provided. Such clarity is essential if you recruit through an agency, as the potential job candidate will need to know that the information provided to the agency will be processed by you.
When requesting details about criminal convictions, you should consider whether you can limit the amount of details you request. For example, you may only seek information about any criminal convictions which relate directly to the job.
If your application procedure is online, it is also recommended that you use software that encrypts the data submitted. This means any personal data transmitted by the potential job candidate is protected and not vulnerable to theft.
You should also tell interviewers how to store any information and personal data recorded during the interview. Once a reasonable time has passed, this information should be securely destroyed.
For more detail on how to comply with the DPA during recruitment and interviewing, read the ICO’s Employment Practices Code.
What are the data protection implications of keeping CVs on file for later use?
An employer can keep CVs and other details of unsuccessful candidates on file if it complies with its duties under the GDPR. An employer may find it useful to adhere to a data retention policy, which can define how long they may keep CVs on file for unsuccessful candidates.
Candidates must be provided with a privacy notice, so they are fully aware of how long their data will be kept and how their personal data will be used, including an explicit statement if you are holding CVs for the purpose of filling future vacancies. The employer should have a process in place so that this actually happens and so that personal details are not kept for longer than necessary for the business purposes for which they were collected.
There must be a legal basis for holding the personal data, such as that the employer has a legitimate interest. The employer must either inform the candidates that they have the right to object to the processing or ask candidates for written consent to hold their data.
Data protection and whistleblowing/whistleblowers
Any worker who makes a protected disclosure in the correct manner will be protected from dismissal or other disadvantage because of the disclosure.
A disclosure must be made to an appropriate recipient and must be in respect of one of the following:
- the commission (or likely future commission) of a criminal offence; or
- a breach (or likely future breach) of a legal obligation, where this has been (or is likely to be) deliberately concealed.
A disclosure will not qualify if a worker commits an offence by making it, or if the information is subject to legal professional privilege. For the whistleblowing provisions to apply, whistleblowers must reasonably believe that the information they are giving is true and they must act in good faith. Disclosures should first be made under the employer’s whistleblowing policy, if there is one, so as a business you have an extra layer of protection if the matter can be dealt with internally first. If you would like help in drafting a whistleblowing policy for your business, our specialist employment solicitors can assist.
Provided that the whistleblowing has been done correctly, the information collected will remain confidential and will be disclosed only so far as is required to investigate the complaint. Organisations such as the ICO, which may receive reports of wrongdoing, have a duty of confidence to protect the data of the organisations they regulate and are legally prevented from sharing much of the information they hold about them. Whilst the ICO publishes information about the action it takes as a result of disclosures made by whistleblowers in a yearly report, this will not contain information that would identify individual whistleblowers or their employers (including ex-employers).
Under the GDPR, where a Data Protection Officer is appointed, the central advisory body on EU data protection regulations has made clear that the DPO role is invested in preventing breaches, not just reporting them. There was concern that the creation of the DPO role would simply create a data protection whistleblower within each organisation. Communication with the DPO must be confidential for the role to function, so it is highly unlikely that the officer would act as a whistleblower. The DPO is far more likely to want to build trust with employees and to fix a potential data breach before it happens than to report it afterwards by means of whistleblowing. The DPO is responsible for carrying out data protection impact assessments and data protection-related audits, and is the point of contact for individuals regarding the processing of their personal data or the exercise of their rights under the GDPR. This means that the role is not simply that of an independent whistleblower. The position should not be seen negatively; the introduction of the GDPR will promote accountability, enhancing the trustworthiness of data processing within organisations.
Are there any data protection implications from allowing employees to work from home?
There are a few added challenges in terms of data protection for employees who work remotely. For example, personal data is likely to be stored on mobile devices, which can be mislaid or stolen more easily. An employer cannot prevent this entirely but can limit the damage by setting strict access rights and by encrypting and/or pseudonymising data, so that anyone who should not be viewing the data can see as little of the company’s personal data as possible. Since the pandemic, working from home has become the norm, so businesses must ensure that they have conducted risk assessments looking at how to minimise risk when they move their business away from office working.
To protect work laptops and devices from misuse, organisations may be tempted to implement software to track how employees (or criminals) use the device. There is plenty of software that can log keystrokes or track mouse movements, but this raises GDPR compliance problems: remote employees may well keep irregular hours and use their devices for both personal and work purposes, making it hard to separate monitoring of an employee’s work from monitoring of their private life. We discuss the difficulties in finding a lawful basis to process such data, and the key action points for employers to stay compliant, in our guide to data protection and monitoring staff.