Is Your HR Department Protecting You from Litigation?

Your company could be liable if your HR department isn’t complying with data protection laws. Leaking personal or private information about employees, or even about job applicants, could spell disaster if your HR team isn’t taking appropriate measures to protect sensitive data.


The law requires companies to keep and protect any personal information they hold about their staff. Because the HR department sits on a mine of information about employees, its priority must be to know the data protection laws that apply and, beyond that, to have processes in place that keep the company safe.

Who Must Comply With Data Protection Laws?

Any kind of organization in Europe and the US has to comply with local data protection laws. That includes charities, NGOs, and any other group of any size which holds other people’s personal information, whether that is email addresses and phone numbers, physical addresses, or other details such as surnames and next of kin.


The Data Protection Act 2018 binds organizations in the United Kingdom. It is a national law which complements the European Union’s General Data Protection Regulation (GDPR), and it replaced the Data Protection Act 1998.


For organizations in the United States, following data protection laws is a lot more complex because there isn’t a single act like those that regulate organizations in the UK and Europe. Instead, legislation is defined at state and federal level, so the laws you follow depend on which state your business is located in.

However, you also have to recognize the data protection laws of the state where any employees or candidates are based, particularly regarding biometric data, driver’s license details, Social Security numbers and other private data.


At federal level, much data protection enforcement relies on the Federal Trade Commission Act, which the FTC uses against unfair or deceptive data practices. If you employ drivers or keep information related to employee driving licences, you also need to be aware of the Driver’s Privacy Protection Act of 1994.


Before the General Data Protection Regulation was introduced, obtaining an individual’s consent to process personal information was generally sufficient. Under the new regulation, valid consent is a lot harder to obtain: it must be freely given, specific, informed and unambiguous, and in an employment relationship the imbalance of power means consent is rarely the right basis to rely on. Organizations must instead identify and document the lawful basis for collecting and processing personal data.


Under GDPR there are six lawful reasons for processing personal data, depending on the circumstances:

6 Lawful Reasons for Processing Personal Data

  1. Consent – The individual has given clear, freely given agreement to you processing their personal data for a specific purpose.
  2. A contract with the individual – Processing is necessary for a contract between an employer and employee, or a contract to supply goods or services, or for steps taken at the individual’s request before entering such a contract (for example, processing a job application).
  3. Legal obligation – Processing is necessary for you to comply with a legal obligation, such as reporting payroll information to the tax authority.
  4. Vital interests – Processing is necessary to protect someone’s physical integrity or even their life.
  5. Public task – Processing is necessary for an official function or a task carried out in the public interest, such as the work of government departments, educational institutions, healthcare providers and the police.
  6. Legitimate interests – A private-sector organization has a genuine and legitimate reason to process personal data without consent, as long as that interest is not overridden by the individual’s interests, rights and freedoms. Legitimate interests can include commercial benefits, but you must document the balancing test you carried out.

Treat Employees as Data Subjects

Colleagues can often become close friends. However, there are boundaries as to what personal information should be shared with each other. Some employment contracts stipulate that employees shouldn’t discuss or disclose their salaries, as this is confidential information between the employer and employee.

Problems can arise if employees doing similar jobs are on different pay scales. If one of them shares this information, it can lead to animosity among staff, and it could even result in a discrimination case.


Employees have rights when it comes to the storage and use of their personal data. The HR department should be well aware of these rights and should ensure that employees are aware of their right to:

  • be informed
  • access
  • rectification
  • erasure
  • restrict processing
  • data portability
  • object
  • not be subject to decisions based solely on automated processing, including profiling

Your organization’s data protection policy must be clear and available to job candidates and employees. You must inform them how they can request access to their data through a data subject access request (DSAR).


The right of access is frequently used by individuals who are in dispute with their employer or wish to lodge a complaint. An employee needs only to ask, verbally or in writing; they don’t have to submit any forms or letters. If they want access to their personal information you must provide a copy of the personal data you hold about them, along with details such as why you hold it and who it has been shared with, subject only to the limited exemptions the law allows (for example, information that would identify another individual).


The HR department should be able to recognize such requests and must respond to them without undue delay and within one month, which can be extended by up to two further months only where requests are complex or numerous.


The same DSAR rules apply to job applicants. The HR department must therefore have a documented lawful basis for storing applicants’ personal data (usually legitimate interests or steps taken prior to a contract, rather than consent), and must make sure applicants are aware of their data protection rights.


Employers in the UK are generally advised to keep unsuccessful job applications for around six months, in case a candidate brings a discrimination claim. Beyond that, personal data should be kept on file only for as long as necessary for the purpose it was collected.

How Strong are Your Acceptable Use Policies?

In most jobs where employees are connected online, there should be an acceptable use policy (AUP). This stipulates the constraints and practices which employees must agree to before they can access the corporate network or the Internet.


Having an AUP in place is a layer of protection that gives your organization grounds for discipline or dismissal if an employee spends too much office time not doing their job, visits websites unrelated to work, or endangers company security by introducing malware.


However, while an AUP allows you to monitor and block online activity that could be dangerous to the network and jeopardise company security, such as employees inadvertently visiting a website that could infect the system with malware, it doesn’t give employers the right to spy on their staff. Any monitoring must be proportionate and clearly explained to employees in advance.


Your organization’s network and email systems should have spam filtering, anti-virus and malware protection in place, and employees should be instructed not to download files from untrustworthy sources or from their personal email accounts, to reduce the risk of phishing and malware infections.

Implementing these policies still comes down to a matter of trust and responsibility. While employers can and should set out guidelines very clearly, there is a limit to the extent to which you can monitor employees.


In summary, the entire HR department should be well aware of the data protection laws regarding employees and any job applicants or candidates they come into contact with. They also need the support of a knowledgeable IT team, which can provide the organization with a secure network that reduces the risk of leaking personal data.

To learn more about the data protection solutions available to your organization tell us more about your company and we’ll be happy to give you our professional advice.

***Disclaimer***
Intelimasters is a background screening agency, not a law firm. This article is for informational purposes only. Nothing in it should be considered as legal advice. We encourage you to consult with legal counsel regarding your specific business and/or individual needs.


