Processing of personal information by employers
The Data Protection Act 1998 (DPA) incorporates the main bulk of existing legislation on the issue of privacy at work and the processing of personal information by employers. The latest addition to the Data Protection related legislation arrived in December of last year when the EU Commission, European Parliament and European Council of Ministers reached an agreement on the “General Data Protection Regulation”.
This regulation will inevitably mean new responsibilities being placed upon employers relating to how they deal with personal data. It’s likely these revisions will be finalised during the latter part of 2016, although the law may not come into force until a further twelve months or so have passed. Nevertheless, employers would be well advised to take note of the likely changes this regulation will bring and prepare accordingly, even at this early stage. The most significant future aspects of this proposed new regulation will involve the employee (Data Subject) and can be summarised as follows:
- The need for clear consent of the Data Subject to the processing of their personal data.
- Easier access by the Data Subject to his or her personal data.
- The right to be forgotten which would require a data controller to erase all personal data promptly if there are no legitimate grounds for retaining it.
- The right to object to the use of personal data for certain purposes, including direct marketing.
- The right to data portability from one service provider to another.
- The right to lodge a complaint with the supervisory authority, as well as their right to normal court claims for compensation and liability.
- Data controllers must also provide transparent information to data subjects on the processing of their data.
The huge advances in technology, internet use and the globalisation of business over recent years have placed an increased emphasis on the security of employees’ electronic data. The proposed new regulation contains a number of compliance measures on nominated responsible employees within an organisation (Data Controllers), including:
- Data Controllers (and those processing the personal data on their behalf) must implement appropriate security measures.
- Data controllers will also be required to provide notification (potentially within 72 hours) of any personal data breaches to both the regulator and, if such a breach puts the individual’s personal data at risk, to the data subject.
- Data controllers and data processors should keep internal records to include their names and contact details.
- Although organisations that employ fewer than 250 people will generally be exempt from this burden, the exemption will not apply if the organisation engages in “risky processing, processing of sensitive personal data, or data about criminal convictions, or the data processing is deemed to be 'not occasional'”.
A Data Protection Officer (DPO) will also need to be appointed in any organisation whose core activities consist of data processing which requires regular and systematic monitoring of data subjects on a large scale. So, if your business processes personal data, you should begin to think about planning for the changes.
- Employers should check if they fall into the relevant categories requiring a DPO.
- Employers should develop and implement written policies to enable them to respond to any data breach promptly and effectively.
- Employers should monitor and review their data processing procedures to minimise data processing and retention of personal data.
- The procedures and documents relating to consent by the individual to use and store their data should ensure that it is clearly freely given for a specified use.
- Staff should be trained to understand their obligations.
Is your business likely to be affected by this Regulatory change in the future? Contact QuestHR now for a review of your policies and procedures.
Contact our HR and health & safety experts at for guidance on any issue that may be affecting your organisation – we are here to help.