Data Protection webinar: Data Protection & Human Resources 18th March 2014 Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers turned on and you will shortly hear a voice!

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

What Data Protection is about: 1

* Prevent harm to the individuals whose data we hold, or other people
* Keep information in the right hands
* Hold good quality data

Protecting people

Protecting data

* Employees
* Volunteers
* Donors
* Service users
* Members
* Professional contacts

What Data Protection is about: 2

* Reassure people that we use their information responsibly, so that they trust us
* Be transparent – open and honest, don’t hide things or go behind people’s back
* Offer people a reasonable choice over how you use their data, and what for

Give us more money!

Support our campaign!

We sold your details to someone else

What Data Protection is about: 3

Comply with specific legal requirements, such as:
* Right to opt out of direct marketing
* Right of Subject Access
* Notification
* (And others)

The main topics for this webinar:
* Best practice with HR records
* External suppliers (e.g. payroll)
* The wider role of HR
* Contracts and staff handbooks

But first:
* The Data Protection Principles
* The definition of Personal data
* Confidentiality

The Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Personal data

[Diagram labels: Data, Not data, Personal, Not personal]

Personal data

The Act applies to information that is ‘personal’ and ‘data’

The personal part means that it is about:
* identifiable, living individuals

The data part means that it is recorded:
* on a computer or automated system
* in a ‘relevant filing system’
* with the intention of going into one of these systems

Confidentiality

Clear boundaries

Data Protection and Confidentiality overlap a lot, but they are not the same

Data Protection

How confidential is confidential?

* Reasons for absence
* Sickness records
* Pregnancy
* Disability
* Disciplinaries
* Supervision notes
* Welfare/home circumstances

Taking confidentiality seriously

Passwords

Gossip

Scams

You could be breaking the law if you don’t respect confidentiality

It is a Criminal offence ‘knowingly or recklessly’ to:
* access data you are not authorised to access
* allow another person unauthorised access

Examples:
* Criminal record and fine for operator who looked to see if her friends were on the police database
* Criminal record and fine (and no job) for bank clerk who looked up finances of partner’s ex-wife

HR records: Principle 1 Transparency & Choice

You must always ensure that Data Subjects are not in the dark about:
* who is collecting their information
* what purposes you hold their data for
* who you might pass the data on to
* how to contact you if they want to stop you from using their data or check what you are doing

You must give people a reasonable choice over how their data is used – and in any case you must meet at least one of the ‘Schedule 2’ Conditions

Fair Processing

‘Fair Processing’ conditions

* With consent of the Data Subject (“specific, informed and freely given”)
* For a contract involving the Data Subject
* To meet a legal obligation
* To protect the Subject’s ‘vital interests’
* Government & judicial functions
* In your ‘legitimate interests’ provided the Data Subject’s interests are respected

HR records: Principle 2 Limited purposes

When you obtain information your purpose(s) must be clear

‘Staff administration’ is likely to cover almost all HR functions

You must use information only in ways that are ‘compatible’ with the original purpose(s)

HR records: Principles 3 & 4 Data quality

The Data Protection Act says that data must be:
* Adequate
* Relevant
* Not excessive
* Accurate
* Up to date (where necessary)

HR records: Principle 5 Retention

* Not longer than ‘necessary’
* Refer to employment law book
* Take account of any regulations specific to your organisation’s area of work
* Broad brush approach:
  * Short term (up to 6 months? current year?)
  * Medium term (often 6 to 7 years)
  * Long term (effectively indefinite)

HR records: Principle 6 Data Subject rights (access)

* Subject Access is important
* Can run alongside open files/self service
* The right is to access all their personal data; this includes e-mails about them
* There are exemptions: negotiations, planning …
* You may have to ‘redact’ third party information
  * Where someone else is the source
  * Where the information is about someone else

HR records: Principle 6 Data Subject rights (references)

* References you have given are exempt from subject access
* References you have received should be shown unless they are confidential
* When giving a reference:
  * Is the information you have still accurate and up to date?
  * Make it clear whether the reference is confidential or not

HR records: Principle 7 Security

The Data Protection Act says you must prevent:
* unauthorised access to personal data
* accidental loss or damage of personal data

The security measures must be appropriate. They must also be technical and organisational.

The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security.

£500,000

Key security measures

* Protect ‘data in transit’
  * Passwords & encryption on USB devices and laptops
  * extreme care when faxing, e-mailing & posting
  * think about encryption on e-mails if appropriate
  * BYOD policy
* Access controls, clear desks, locked filing cabinets
* HR information held by line managers
* External contractors (‘Data Processors’)
* Secure destruction – shredding, etc.

Data Controller

The ‘person’ legally responsible for complying with the Data Protection Act

* A trading company is a separate Data Controller
* Organisations can be joint Data Controllers
* Good practice to have a Data Protection Officer

Data Processor

An organisation that work is outsourced to, which involves accessing Personal Data

The Data Controller remains responsible for what happens to the data

There must be a written contract with the Data Processor, setting out:
* what they are to do
* what the relationship is
* security
* others worth looking at (checklist)

The role of HR in promoting good Data Protection practice I

* Job descriptions
* Employment contracts
* Staff handbook
* Behaviour/Code of conduct
* HR Policies and procedures
* Induction
* Training
* Monitoring
* Discipline

(Don’t forget temps, interns, placements, etc.)

The role of HR in promoting good Data Protection practice II

* Policies & procedures in operational areas:
  * Service users
  * Fundraising, membership & supporters
  * Volunteers
  * Safeguarding
  * Complaints procedure
* Repository of good practice
* Written in full collaboration with relevant managers

Data Protection: the absolute basics

We are trying to:
* Prevent harm by
  * Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  * Holding good quality data (accurate, up to date and adequate)
* Reassure people so that they trust us
  * Making sure people know enough about what we are doing
  * Giving people a choice where possible

Many thanks

Follow-up questions: [email protected]

To come by e-mail:
* Link to evaluation questionnaire
* Link to download the presentation, after you have completed the questionnaire