Clarkslegal Law Bites

Data Protection Unlocked for HR: Introduction to Data protection

Clarkslegal


In the first episode of the 'Data Protection Unlocked for HR' podcast series, Lucy Densham Brown and Sana Nahas from the data protection team at Clarkslegal discuss the data protection issues that HR professionals often encounter. They provide advice and guidance on dealing with these issues, addressing common data protection questions from employers. This introduction to data protection covers the following topics:

  • Overview of key data protection regulations and other laws impacting HR
  • The importance of data protection in HR and the significance of protecting personal data
  • Lawful processing of employee data
  • Consent
  • Data minimisation
  • Security measures
  • Best practices 

The episode aims to give listeners a fundamental understanding of the importance of data protection in HR and equip them with practical steps to implement best practices in their organisations.

If you have any questions or want to discuss data protection law and how it applies to you in more depth, please contact our data protection team, who would be happy to help.

Lucy Densham Brown 00:05

Hello and welcome to the first podcast in our new series for HR professionals ‘Data protection unlocked’. My name is Lucy, and I am a solicitor in the Employment team and a member of the Data Protection team here at Clarkslegal.

Sana Nahas 00:18

And my name is Sana, and I’m a trainee solicitor and member of the Data Protection team too.

This series will deal with data protection issues faced by HR professionals. It will provide advice and knowledge on dealing with those issues, as well as address common data protection questions we receive from employers.

Lucy Densham Brown 00:37

In this episode, we will provide an overview of the key data protection regulations and other relevant laws that impact HR practices. We’ll discuss the importance of data protection in HR and the significance of protecting personal data. Additionally, we will explore the key data protection principles of lawful processing, consent, data minimisation, and security measures.

Listeners will gain a base understanding of why data protection is crucial for HR and how they can begin implementing best practices within their organisations.

Sana Nahas 01:10

We’ll start by providing an overview of data protection laws. 

In the UK, the key data protection regulations are in the UK’s General Data Protection Regulation, or GDPR for short. The UK GDPR is very comprehensive, and covers the collection, processing, storage, and transfer of personal data. We also have the Data Protection Act 2018, which serves to implement GDPR principles.

The key data protection principles are as follows:

  • Personal data must be used fairly, lawfully, and transparently;
  • Personal data should be collected and processed only for specified, explicit and legitimate purposes;
  • Data should be adequate, relevant, and limited to what is necessary;
  • Data must be accurate and kept up to date;
  • Data should not be retained longer than necessary; and
  • Appropriate security measures must be in place to protect against unauthorised access or processing.

Because there’s a lot of mention of the term “personal data”, I think it’s important to talk a bit about what this means. Lucy, please can you tell us what Personal Data is?

Lucy Densham Brown 02:17

Yes, of course. Personal data is any information which can be used to identify a living person, whether directly or indirectly. It could be the person’s name, an identification number, or the mental, genetic, economic, cultural or other identity of the person. It’s the cornerstone of data protection law, and individuals have key rights under the UK GDPR when it comes to their personal data. These are:

  • The right to be informed about how their data is used
  • The right to access their personal data
  • The right to have their personal data corrected
  • The right to erasure of their personal data
  • The right to restriction of data processing
  • The right to data portability
  • The right to object to data processing in specific circumstances

Because individuals have these rights, good data protection practices are crucial in organisations, because they gather a lot of sensitive data on a daily basis. This data can relate to an organisation’s employees, customers and any third parties it deals with, but for this podcast series, the focus is on employees, and the data gathered on them.

For data protection purposes, the term ‘Employee’ includes current employees, but also job applicants, former employees, and contract and agency staff.

So Sana can you tell us something that employers should keep in mind when processing personal data?

Sana Nahas 03:47

Certainly Lucy. So employers have six lawful reasons for processing employees’ personal data, and these are the following:

  1. The employee consents for a specific purpose; or
  2. The processing is necessary in connection with a contract; or
  3. The processing is necessary to comply with a legal obligation; or
  4. The processing is to protect the vital interests of the data subject or another person; or
  5. The processing is done in the public interest; or
  6. The processing is necessary for the purposes of the legitimate interests of the employer or a third party – unless these interests are overridden by the employee’s legitimate interests.

Employers can process limited data without an employee’s consent, such as their name, address, gender, education and emergency contact details. This is because employers can rely on the lawful processing ground of ‘legitimate business purposes’.

Other personal data, such as that relating to an employee’s health and wellbeing, is sensitive data, known as ‘special category data’, and should only be collected if it is really needed for a specific purpose. The employee must provide explicit consent both for the collection of this data, and for who it will be shared with.

Due to the importance of data protection in an employer-employee relationship, many employers choose to have data protection policies on their intranet, which employees can access to find out how their employer satisfies its obligations, under data protection law, for obtaining, handling, processing and transporting or storing personal data in the course of its operations and activities.

Lucy Densham Brown 05:28

Thanks Sana. Now, let’s go over some key principles of data protection for employees.

Personal data must be processed lawfully, fairly and in a transparent manner. The processing is only lawful to the extent that one of the grounds set out in Article 6 of the UK GDPR applies. Employers should consider which of these grounds will be used and recorded to process employee data. The grounds are:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • The processing is necessary either for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • Thirdly, that the processing is necessary to comply with a legal obligation;
  • The processing is necessary to protect the vital interests of the data subject or another person;
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • And finally, that the processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests and fundamental rights and freedoms of the data subject which require protection of personal data, especially where the data subject is a child.

Sana Nahas 06:58

We have seen that processing personal data is lawful if the data subject has consented to this for one or more specific purposes.

Now, in an employment context, it may be difficult to rely on consent, because there is a power imbalance between the employer and employee. The Information Commissioner’s Office – the ICO for short – states that, if for any reason it is not possible to offer an employee a genuine choice over how their data is to be used, then consent will not be an appropriate basis for processing. This will cover a scenario where an employee is worried about facing negative consequences if they do not provide this consent. This is why it’s generally better for an employer to find an alternative basis to consent when it comes to processing.

Where the employer does ask for consent, it must be clear what the employee is being asked to consent to, and the consent provided should also be a clear, affirmative act. This could be by ticking a box, for example.

Lucy Densham Brown 07:56

Thanks Sana. The next key data protection principle is Data Minimisation. This is a fundamental principle in data protection law. Organisations should collect and process only the minimum necessary personal data required to achieve a specific purpose. This works to discourage organisations from collecting excessive or irrelevant data.

In an HR context, data minimisation is crucial for safeguarding employee privacy and complying with data protection regulations. We have some tips for those in HR when it comes to collecting data:

  1. Only collect necessary personal data during the recruitment process. So things like qualifications and work history will be relevant, but information about an applicant’s personal life is not. That brings us to point 2.
  2. Avoid requesting irrelevant or sensitive information, such as marital status and health conditions. 
  3. Maintain minimal employee records, and only store essential details, such as contact information, job role, and performance evaluations.
  4. Limit the data collected during performance assessments, so focus on job-related metrics rather than personal details.
  5. When an employee leaves, promptly delete unnecessary data and retain only legally required information, such as the employee’s tax records.

Sana Nahas 09:27

Always remember, less data means less risk for privacy breaches.

Moving on to security measures, personal data must be secured against unauthorised or unlawful processing, accidental loss, destruction or damage.

This is done through risk analysis, policies, and technical measures that are appropriate to each organisation’s size, scope and business. Organisations should regularly evaluate and test the effectiveness of the safeguards they have in place. 

Access to employee records should be strictly limited based on roles and responsibilities. Only authorised personnel should have access to sensitive information. Employee personal data can be encrypted during transmission and storage to prevent unauthorised access. Physical files should also be secure, for example safely locked in cabinets.

Organisations should have protocols in place to handle any data breaches promptly and transparently. 

Lucy Densham Brown 10:27

Thanks Sana. This draws our first episode in this series to an end. It is crucial for HR staff to be trained on data protection principles and best practices, as they handle sensitive data like payroll, performance reviews, and health records. If you require legal advice on anything we spoke about today, please contact our data protection team on our website.

Sana Nahas 10:51

Thank you for listening to this podcast.