Is Your HR Department Protecting You from Litigation?

Your company could be liable if your Human Resources department isn’t complying with data protection laws. If your HR team isn’t taking appropriate measures to protect sensitive data, a leak of personal information about employees, or even job applicants, could spell disaster.
Companies are legally required to keep personal information about staff secure. Because the HR department sits on a mine of information about current and prospective employees, its priority is to know the data protection laws that apply and to have processes in place that keep the company safe.

Who Must Comply With Data Protection Laws?

Almost every organization in Europe and the US has to comply with local data protection laws. That includes charities, NGOs and any other group, of any size, that holds other people’s personal information: email addresses, phone numbers, physical addresses, names, next-of-kin details and so on.
Organizations in the United Kingdom are bound by the Data Protection Act 2018, a national law that replaced the Data Protection Act 1998 and supplements the European Union’s General Data Protection Regulation (GDPR), which the UK retained as the UK GDPR after leaving the EU.
For organizations in the United States, following data protection laws is more complex because there is no single act comparable to those in the UK and Europe. Instead, legislation exists at both state and federal level, so the laws you follow depend on the state in which your business is located. You also have to recognize the laws of the states where your employees or candidates are based, which may impose specific obligations regarding biometric data, driver’s licence details, social security numbers and other private data.
At the federal level, much general privacy enforcement rests on Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices, including failing to honour your own published privacy commitments. If you obtain driving records from state motor vehicle departments, for example when vetting employees who drive for you, you also need to be aware of the Driver’s Privacy Protection Act of 1994.
Before the GDPR, obtaining an individual’s consent was usually enough to satisfy generic privacy laws. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and regulators regard consent from employees with suspicion because of the imbalance of power between employer and employee, so it is rarely the right basis for HR processing. Instead, organizations must identify, and document, the lawful basis for each way in which they collect and process personal data.
Under the GDPR there are six lawful bases for processing personal data, depending on the circumstances:

6 Lawful Bases for Processing Personal Data

1. Consent
The individual has freely agreed to you processing their personal data for a specific purpose, and can withdraw that consent at any time.

2. Contract
Processing is necessary to perform a contract with the individual, such as the employment contract or a contract to supply goods or services, or to take steps at their request before entering into one.

3. Legal obligation
Processing is necessary to comply with a legal obligation under local or national law.

4. Vital interests
Processing is necessary to protect someone’s life or physical safety, typically in an emergency.

5. Public task
Processing is necessary to perform a task in the public interest or to exercise official authority, for example by government departments, public educational institutions, healthcare bodies and the police.

6. Legitimate interests
A private-sector organization has a genuine and legitimate reason to process personal data, the processing is necessary for that purpose, and the individual’s rights and freedoms do not override it. Legitimate interests can include commercial benefits, but you must be able to show that you weighed them against the impact on the individual.

Treat Employees as Data Subjects

Colleagues often become close friends, but there are boundaries to the personal information that should be shared between them. Some employment contracts stipulate that employees must not discuss or disclose their salaries, because this is confidential information between employer and employee. Problems soon arise if employees doing similar jobs are on different pay scales and that information is shared: it can lead to animosity among staff and could even result in a discrimination claim.
Employees have rights over the storage and use of their personal data. HR staff should know these rights well and should make sure employees are aware of them. Under the GDPR they are:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision-making and profiling

Your organization’s data protection policy must be clear and available to job candidates and employees, and must tell them how to request the data you hold about them through a data subject access request (DSAR).
The right of access is the one individuals use most often, frequently as the first step before lodging a complaint or bringing a claim. A verbal request from an employee is enough; they do not have to use a form, a letter or any particular wording, and they can make the request to anyone in the organization, not just to HR.
HR staff must therefore recognize such requests and respond without undue delay, and in any event within one month of receipt. That period can be extended by up to two further months for complex or numerous requests, but the individual must be told of the extension within the first month.
The same DSAR rules apply to job applicants. HR must identify and record a lawful basis for holding applicants’ data (usually steps taken at the applicant’s request before entering into a contract, or legitimate interests, rather than consent) and must make applicants aware of their data protection rights in a privacy notice.
Employers in the UK usually keep unsuccessful applications for around six months, because an Employment Tribunal discrimination claim must normally be brought within three months of the alleged act and the employer needs the records to defend it; this is accepted practice rather than a statutory minimum. Beyond that, personal data can only be kept as long as necessary, and only for the purpose for which it was collected.

How Strong are Your Acceptable Use Policies?

In most jobs where employees work online there should be an acceptable use policy (AUP) setting out the constraints and practices employees must agree to before they can access the corporate network or the Internet.
An AUP is a layer of protection: it gives your organization grounds for discipline or dismissal if an employee spends too much working time not doing their job, visits websites unrelated to work, or endangers company security, for example by introducing malware.
However, while an AUP allows you to monitor and block online activity that could endanger the network and jeopardise company security, such as an employee inadvertently visiting a website that could infect systems with malware, it does not give employers the right to spy on their staff.
Your organization’s email and network infrastructure should have spam filtering and anti-virus and anti-malware protection in place, and employees should be instructed not to download files from untrustworthy sources or from their personal email accounts, which reduces the risk of phishing and malware reaching company systems.
Implementing these policies still comes down to trust and responsibility. Employers can and should set out guidelines very clearly, but there is a limit to how far you can monitor employees. An employee’s browser history, for example, is personal data under the GDPR, so you need a lawful basis to process it, and any monitoring must be proportionate and disclosed to staff, even when the history is stored on company computers.
In summary, the entire HR team should be well aware of data protection law as it applies to employees and to any job applicants or candidates they come into contact with. They also need the support of a knowledgeable IT team that can provide the organization with a secure network and reduce the risk of personal data being leaked, whether inadvertently or deliberately.
To learn more about the data protection solutions available to your organization tell us more about your company and we’ll be happy to give you our professional advice.

