Staff are people too!

Published: 28 February 2025


Deputy Commissioner Rachel Masterton discusses the often-forgotten category of personal data that all employers will process, information about their staff, and how to make sure this isn’t a weak spot in compliance activities.

In June last year, we launched our accountability survey with the aim of understanding how organisations embrace compliance and demonstrate accountability.

This has produced an interesting stat: while 83% of organisations have policies covering the handling of the personal data of customers or service users, only 67% have policies relating to the handling of employee data.

And whilst the title of this piece may be a little ‘on the nose’, it bears repeating. Data protection legislation applies to all information identifying a person, and therefore, as staff are people, it applies to their information too.

Think about that stalwart of data protection compliance, the data processing or privacy notice. The forward-facing one that was drafted to cover the use of your clients’ personal data is unlikely to do the job when it comes to recruitment, selection and employment of staff. The types of data processed, as well as the purpose of that processing and the lawful processing condition relied upon, are likely to be different to those applicable to your clients.

You may hold data on significantly fewer staff than you have clients, but the breadth of information you process could be significantly wider and of greater sensitivity.

Recruitment and selection will mean the processing of information about their talents, their qualifications, possibly aptitude or psychometric tests as well as an understanding of their performance in previous roles.

Health and safety legislation and the still relatively new prevention of discrimination ordinance will mean you could end up processing special category data about your staff, something you may never go near for your clients.

This could include health information in the form of sickness history, disabilities recorded in order to provide reasonable workplace adjustments or race or ethnic origin for the purposes of diversity monitoring.

Much of the information you use to make recruitment decisions will be provided by the candidate themselves, but some will come from elsewhere.

Pre-employment checks such as references from previous employers and disclosures obtained through the Guernsey Vetting Bureau are two such examples.

It should be made clear to the candidate that such checks will be carried out and the content of them discussed with them prior to the confirmation, or otherwise, of any offer of employment.

The data protection principles apply to recruitment data as much as they do to the personal data that fuels your business activities, and this can be where organisations come unstuck. Start with lawfulness, fairness and transparency and work from there.

Of course, your responsibilities don’t end with employment.

On top of the myriad of data you collected in the recruitment and selection phase, you will be adding more during the staff member’s time with you. Again, this will be a variety of types of data for a variety of purposes: payroll, performance and promotion being only a few of the ways that data will be used.

The people that will need access to this data will likely be a fraction of those that use your client data. Some will be at the same level as the staff member, some above them and some below them, which will lead to different access controls, very much on a role-based, ‘need to know’ basis.

For example, if you have a sensitive HR discussion with an employee, ensure that the “meeting details” are protected so that other staff can’t stumble upon information not intended for their eyes.

At the end of the day, all data protection principles continue to apply, so think lawfulness, fairness, transparency, accuracy and retention as a starting point.

Build in purpose limitation (using information only for stated reasons) and minimisation (using only that which is necessary) with organisational and technical measures to ensure appropriate security. And above all else, embrace accountability and remember, staff are people too.