In HR we pride ourselves on being alive to issues like confidentiality around staff information. We probably have at least a passing understanding of data protection and an individual’s right to make a subject access request, and have probably seen examples of this being used as a tactic as part of, e.g., a grievance or dispute. However, data protection is becoming more of a serious issue and HR needs to brush up its behaviours in this area or find itself in trouble in the future, especially as the price-tag for non-compliance gets higher and higher.
The European General Data Protection Regulation, which replaces the EC Directive behind our laws, has been revamped and, although it will take a while to come into force (2018), we need to start getting ready, training staff and embedding changes to practices well in advance of that.
Whilst there are lots of similarities with the law as it stands, a more stringent position is being adopted on obtaining consent to personal data being processed. The current Directive states that consent must be “freely given, specific and informed”, and we have all tended to think that if we give people the ability to opt out of something, or if we bury information about data protection in amongst other stuff, that’s OK. The new Regulation stipulates that it must be ‘freely given, informed, specific and explicit’. It goes on to state that, where consent is given “in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”. This is a new requirement and will have implications for employers seeking consent to data processing at the same time as, e.g., a job application form, a contract of employment or a staff handbook is signed.
It will make it even more important that we make it clear to people what we are using their data for. So, for example (giving an example of something I saw today that would breach the current data protection rules), an employee disclosing emails to an employer as part of raising a grievance, with their own annotations on, is giving that employer the data concerned for the purposes of the grievance process. It is not automatically acceptable for the employer to use that data for other purposes, such as a disciplinary process, and doing so is likely to be unlawful processing of that data.
Now is the time to brush up on data protection principles and issues. We conduct data protection for HR training, so make an enquiry: firstname.lastname@example.org
The Information Commissioner’s Office has published guidance for data controllers on ‘12 steps to take now’ in preparation for the coming into force of the Regulation: https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12-steps.pdf