New year data protection resolutions for HR professionals
8 January 2024
New Year’s resolutions are an opportunity not only for individuals but for employers to resolve to improve their practices. So, while some may be resolving to overcome the effects of Christmas excess, with the clarity of mind that January brings, why not take this opportunity to resolve to tackle data protection in the workplace?
Here are some steps you could take as part of your data protection workout… positive results (almost) guaranteed.
- Ensure employment policies and procedures relating to data protection issues are fit for purpose: it is essential that your policies and procedures are reviewed and updated on a regular basis to reflect changes in both legislation and practice. Policies within staff handbooks covering data protection and the use of social media, IT systems and devices (such as mobile phones and laptops) should be non-contractual to allow you to make changes without consulting your entire workforce. Your policies should set out the standards employees must meet when processing personal data as part of their job role and the implications if these standards are not met.
- Provide regular and tailored training: comprehensive training on data-related issues, including refresher sessions, should be provided at regular intervals and records maintained to evidence this. Whilst the frequency will depend upon the employee’s role, it is crucial that training is updated and refreshed, particularly if a breach may result in disciplinary action being taken, as an employee may allege that they have not received adequate training.
- Check that employees know how and when to report any suspected data breaches: all employees should understand to whom a breach should be disclosed within your organisation and the consequences of non-compliance with your procedure. Creating a ‘no blame’ culture that recognises that breaches happen in all organisations will encourage employees to speak to you promptly. This will, in turn, allow you to comply with the requirement to inform the Information Commissioner’s Office within 72 hours of a data breach. If your employees feel supported, the level of non-compliance and potential liability for your organisation will be reduced.
- Ensure that you have a process in place to respond to Data Subject Access Requests: they can be a challenge, as the complexity and volume of data can be overwhelming. Within your organisation, agree who will be responsible for co-ordinating the response so you are able to act quickly; who will locate personal data (some sources are less obvious: Slack channels, video call recordings and WhatsApp messages on work devices, to name but a few); how to approach filtering the personal data; how to apply the principles for redaction; and how to record key decisions in the event you have to respond to the Information Commissioner.
- Have a ‘clear desk’ policy: desks should be kept free of papers and employees asked to lock their screens when away from their desks. Personnel files should be securely locked away and access limited to members of your HR team. Against the backdrop of the COVID-19 pandemic and wide-scale adoption of home working, these practices should be extended; documents should be stored appropriately at home and confidential calls taken in private to prevent potential personal data breaches.
- Keep employee personal data protected before – and after – employment: data protection issues arise throughout the life cycle of an employment relationship and beyond. You should be equally mindful of issues regarding the use of data whether dealing with candidates or leavers. Ensure you have appropriate privacy notices in place to let current, former and potential employees know how and why their personal data is used. Limit access to employee data to members of your HR team. Ensure you have identified an appropriate lawful basis for processing employee data, particularly sensitive data such as health data. Have a clear employee data retention policy and ensure you adhere to it to prevent information from being kept for longer than is necessary.
If you have any queries regarding data protection and best practice, do get in touch.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at January 2024.