Yes, absolutely. The law is built around seven principles (listed below) of data governance which must be followed by anyone using information about, or relating to, identified or identifiable living people, such as your employees. All living people also have 10 rights over how information about them is handled.
The only HR data that would not be 'captured' by data protection law is information that cannot identify individual people (e.g. genuinely anonymised statistics), or information relating to an employee who has died. Note that data which has merely been pseudonymised (for example, records keyed by a staff number that you can still link back to a name) remains personal data.
Special category data is any information (facts, speculation, or opinion) you may have that relates to an employee’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation, or any criminal matters.
'Special category data' is a sub-set of 'personal data' which is considered more sensitive, and therefore needs greater protection around its use.
This principle (lawfulness, fairness and transparency) covers the fact that you must have a valid legal reason (or 'lawful processing condition') for processing your employees' personal data. You must obtain that data without deceiving them, and you must make it clear exactly how you are going to use it.
A lawful processing condition is the reason (or reasons) you can point to in data protection law that legally justifies why you are using your employees' personal information to do something. It is important to note that seeking to rely on 'consent' as your valid legal reason for using your employees' data is rarely appropriate. This is because consent must be "freely given", which is not possible given the power an employer holds over its employees: often an employee does not have a genuine choice over something their employer is asking them to consent to, and consent can be withdrawn at any time, which would leave you without a lawful basis.
It is important that employers understand the crucial difference between asking an employee:
- “Do you understand what we’re doing with your data?”
(asking this question is good as it’s seeking to clarify that the employee is clear about what is happening and as such it is covering the transparency principle to a certain extent)
- “Do you agree to what we’re doing with your data?”
(this question should be avoided as it is seeking an employee’s consent to process their data, which is rarely appropriate in an employment setting)
There are 17 other lawful processing conditions in the Law. As an employer it is your job to identify, understand and document which specific lawful processing condition you are relying upon to process employees' personal data, and to ensure it is appropriate. Also bear in mind that it can be perfectly acceptable to rely on different conditions in different contexts for different types of personal data, as long as each one is recorded.
This principle (purpose limitation) means that you must only use personal data for the reason (or reasons) you have told your employee you are using it for.
For example, you shouldn't use their responses to a standard employee wellbeing survey to inform whether they are considered for a promotion.
This principle (data minimisation) means you can only collect the minimum amount of personal data necessary from your employee. Note: this does not mean you cannot ask them to provide information; it just means you must limit it to what is necessary for the purpose you have identified.
This principle (accuracy) means you must ensure that any personal data about your employees is accurate and, where necessary, kept up to date.
This could be for simple requests such as a change of home address where you should ensure your records are updated accordingly. Or it could relate to more complex issues, such as your employee disputing the accuracy of an opinion about them that you are using to make decisions about them (for example in disciplinary matters).
This principle (storage limitation) means you must not keep your employees' personal data for longer than you need it.
So you need to think about retention periods that are appropriate for your organisation, as well as considering any other laws' requirements that may apply (e.g. you have to keep tax records for X number of years to adhere to local tax law), and having appropriate policies in place that set out when records are deleted or anonymised.
This principle (integrity and confidentiality, often called the 'security' principle) means you must keep personal data safe so that it is not accidentally or unlawfully deleted, lost or changed, and is not seen by anyone who is not authorised to see it.
So in an employment context you need to think about setting your system access rights appropriately, so that HR files are only available to the individuals whose role requires them, and reviewing those rights when people change role or leave. It may also be appropriate to apply higher levels of security (for example, stricter access controls or encryption) to files that are particularly sensitive, such as anything containing special category data.
This principle (accountability) is the foundation on which the other six principles rest.
Accountability is about taking responsibility for how you treat people's data, and being able to demonstrate how you are complying with data protection law. In employment terms this means implementing appropriate technical and organisational measures that ensure, and demonstrate, compliance. This may include internal data protection policies, internal audits of processing activities, reviews of internal HR policies, and use of data protection impact assessments (DPIAs) where appropriate, among other measures.
There's further general guidance on the accountability principle here.
All individuals (including your employees) have these 10 rights under local data protection law.
As an employer you need to think about what procedures you have in place to ensure that employees (current and former) can exercise these rights with you. Regardless of the relationship between the parties, employers who receive a rights request should focus on the human being who is making the request, and appreciate that they have a legal right to know what is being done with information about them. The processes you use to respond to individuals seeking to exercise their legal rights should be fair, impartial and handled within the statutory time limits.