Data Protection

Are you up to date with the Data Protection Act?

In 2018 the new Data Protection Act came in, which replaced earlier legislation. When did you last check whether your business was compliant? Are you up to date with the latest Data Protection Act? Over the past few years, there’s a risk that some businesses may have become complacent about compliance.

Ignoring some aspects of the data protection rules could result in a business committing a criminal offence. All businesses holding personal data need to be registered with the ICO (Information Commissioner’s Office). You can find a wealth of information on the ICO website, but we have summarised the key points below in this blog.

Purpose of the Data Protection Act

The Data Protection Act 2018 relates to any living person and their privacy, which includes their personal or family life, as well as their business or profession. The aim of the act is to protect someone’s identity by regulating how information is “collected, handled and used”. This applies to any personal information stored on computerised systems and paper records.

Personal data can be held in many different forms, such as employees’ salaries, personnel records and application forms. Such information may be stored in a way that cannot easily be accessed, for example in a non-alphabetical filing system. Information about employees could also be found in an HR database, in emails relating to an incident or in a supervisor’s notebook.

Sensitive data is a particular class of personal information, and the act has clear definitions around what is permissible in this area. This covers information on people’s racial or ethnic origin, religious beliefs, political opinions, sexual preferences, and physical or mental health conditions. Sensitive data also includes trade union membership.

There are separate safeguards for personal data relating to criminal convictions and offences.

Put simply, the Data Protection Act 2018 is designed to ensure you don’t collect more sensitive data or personal information than you actually need. Collecting irrelevant or excessive information would be considered a breach of data protection rules. It’s therefore vital that companies design job application and employee forms with this in mind.

The act places a responsibility on organisations “to process personal information that it holds in a fair and proper way.” Failure to comply with the act can incur significant fines and may be considered a criminal offence, so it’s important to make sure your company stays compliant.

Who’s included in the data protection rules?

When it comes to holding personal data in your business, the Data Protection Act applies to information relating to any living person. It has a much broader remit, however, than purely HR and employment-related data. It could also include clients, as well as current or former workers. The code of practice needs to be followed by anyone in the business with access to personal data.

The following people are also covered under the rules:

  • All job applicants - whether they were successful or unsuccessful.

  • All employees - whether they are existing or have left the business.

  • All agency, casual or contracted staff - whether past or present.

People often forget that candidate data is included in the Data Protection Act. From the moment someone emails a CV to you or completes an application form, you are collecting personal information. What you then decide to do with that data matters.

Employer code of practice for data protection

The Employment Practices Data Protection code is a helpful way for employers to manage data protection laws. This code of practice covers how you obtain and retain information about workers, including record access and disclosures.

Depending on the size and nature of your business, only some aspects of this code might be relevant. But it’s worthwhile understanding the code, as it can be a useful reference document if an issue arises.

By following the code, your business will benefit from the following:

  • Prevent misuse – following the code of practice gives your business assurance that employees cannot illicitly use personal data.

  • Improved protection – by adhering to the code, your business will stay compliant and protected from any data challenges that may arise.

  • Consistent policies – as the data protection rules were designed to align with other legislation, such as the Human Rights Act 1998, they can be aligned with your other policies.

  • Workplace trust – if you are transparent about how you hold information, this will reassure your employees and create a more open atmosphere.

  • Better housekeeping – following the code of practice encourages processes to dispose of old data, creating more storage space for valuable information.

Data Protection Policy

If you haven’t reviewed these recently, it’s worth carrying out an audit of your current policies and practices to check whether you are compliant. Most businesses should have some sort of data protection policy in place. If you haven’t got one, make sure this is a top priority. We advise that you create a team covering the different functions within the business that have access to personal data, so that data protection is looked at from a holistic perspective. Finance, Payroll, HR, IT, Marketing and Client Services might all have access to personal data.

At Invictus HR we can advise you on how the Data Protection Act applies to the HR functions within your business. We will help you develop and improve your current policies and procedures. We offer a retained HR service and support with more complex HR projects.

If you would like to stay compliant with the Data Protection Act, or you need advice on another HR matter, please get in touch.

Sources:

https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

https://ico.org.uk/media/for-organisations/documents/1128/quick_guide_to_the_employment_practices_code.pdf

https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf
