Understanding Data Protection


Page 1: Understanding Data Protection

Version: v1.0

HRIS Programme

Page 2: Data Protection Act 1998

• The Data Protection Act has two aspects:
– Giving people the ‘right to know’ what information organisations hold about them.
– Providing a framework for organisations handling personal data.

The primary purpose of data protection legislation is to protect individuals against possible misuse of personal information about them that is held by others.

The Act is underpinned by eight straightforward, common-sense principles.

Page 3: Data Protection Principles

The eight principles require that personal data is:

1. Fairly and lawfully processed.

2. Processed for limited purposes.

3. Adequate, relevant and not excessive.

4. Accurate and up to date.

5. Not kept for longer than necessary.

6. Processed in line with the rights of individuals.

7. Secure.

8. Not transferred to other countries without adequate protection.

Page 4: Personal data

• HRIS stores personal and sensitive personal data on employees (current and former) and job applicants (successful and unsuccessful).

• Personal data is any information which identifies an individual, e.g. name, photograph, applicant or employee number.

• Sensitive personal data is personal data relating to the individual’s race or ethnic origin, political opinion, religious beliefs, physical or mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of sensitive personal data, including an obligation to obtain the explicit consent of the individual.

Page 5: Handling personal data

• The Data Protection Act covers personal data where specific information about a named employee may be readily found within:
– Computer systems, such as HRIS.
– Manual filing systems, where data is stored under topic headings, or folders where data is stored within file dividers.
– Documents which contain personal data but are not filed or referenced to a particular individual.

• Particular care should be taken in handling sensitive personal data.

• Other information which should be handled with care includes next of kin details, bank details or other financial information, and information collected for the purposes of staff recruitment.

Page 6: Subject Access Requests

• A Subject Access Request (SAR) is where an individual asks for the data the University holds on them.
– Requests must be processed within 40 calendar days.

• The University can be asked to disclose all information held in electronic or paper form that identifies the individual making the SAR.

• E.g. emails and letters; handwritten notes; comments made in HRIS; shortlisting forms; interview notes; references.

• If you receive a request for information under either the Data Protection Act or the Freedom of Information Act you must inform HRIS Support immediately ([email protected]) and follow their instructions.

Page 7: Subject Access Requests

• Everything you write or email about an individual is potentially disclosable to them...

From: Peter Headley ([email protected])
To: Colleagues
Subject: This stupid data protection request (again!!!!)

Hi there….

The Data Protection Officer has demanded George Lambert’s personal file again……!!

Can you all have a flick through the file and remove anything you don’t want him to see, before I send it on to the DPO….

Ta. Pete

Page 8: Subject Access Requests

• Everything you write or email about an individual is potentially disclosable to them... even if it is marked confidential or draft.

[The same email as on Page 7 is shown again, stamped CONFIDENTIAL.]

Page 9: Risks of non-compliance

• Breaching the Data Protection Act represents a reputational and financial risk to the University.

• The Information Commissioner’s Office has the power to fine organisations up to £500,000 for breaches of the Data Protection Act.

• Ealing Council and Hounslow Council were fined £70,000 and £80,000 for losing password-protected but unencrypted laptops.

• Hertfordshire County Council was fined £100,000 for accidentally faxing sensitive personal information to the wrong recipient.

• The company A4e was fined £60,000 for losing an unencrypted laptop containing sensitive personal details about salaries, criminal activity and employment status.

Page 10: Security Rules for Accessing HRIS

• Keep your HRIS password and log-in private; they should not be shared.

• If you are leaving your desk, either log out of HRIS or lock your computer.

• HRIS may be accessed within the ox.ac.uk domain or via secured network access such as VPN. Other than via secured network access, HRIS must not be accessed in a public place, and data from the system must not be sent to personal email accounts. HRIS must not be used on personal off-site computers or portable devices without the express consent of HR Systems Support.

• Where it is necessary to download sensitive personal data from the system to be held in electronic form, the data shall be held on an encrypted USB stick or in a secure ZIP file. The user shall keep the encryption details confidential in the interests of maintaining security.

• Where it is necessary to download data other than sensitive personal data to be held in electronic form, it shall, at a minimum, be password protected.

• If data is downloaded from the system to be held in paper form, the data shall be stored in locked filing cabinets.

Page 11: Further information

• Further guidance at:
www.admin.ox.ac.uk/councilsec/dp
www.ico.gov.uk

• The Data Protection Team can provide specific advice on the Data Protection Act at an individual, section or department level.
[email protected]

• HR Systems Support
[email protected]

Page 12: Individual User Agreement for HRIS

All information in HRIS is treated as highly confidential and should not be divulged, shared or given to any other person, including after your employment with the University terminates.

In order for you to be granted access to HRIS you must:

1. Take the Assessment (and score at least 8/10). Go to WebLearn > Tests > Understanding Data Protection Assessment

2. Read and accept the Terms and Conditions set out in the Individual User Agreement. Go to WebLearn > Tests > Individual User Agreement