In the fourth instalment of our Data Protection Month posts, we explore how the Data Protection Act affects employees and what rights employees have under the Act.
The Data Protection Act 2018 sits alongside the UK GDPR, the UK's retained version of the EU General Data Protection Regulation, and together they apply to every organisation handling personal data. That includes employee data, such as medical records, payroll information and contact details.
Employers must ensure that they comply with the Data Protection Act’s requirements when collecting, storing, managing or using employee data. They must also take responsibility for making sure that data is kept secure and confidential.
But before we dive into that, we must first ask:
What is Data Protection?
Data protection is the process of protecting the personal data of individuals from being misused or exploited.
It involves setting and adhering to rules about how data should be collected, stored, shared and used. These rules are generally set out in legislation such as the General Data Protection Regulation (GDPR) and enforced by a supervisory authority, such as the Information Commissioner's Office (ICO) in the UK; in the EU, the European Data Protection Board (EDPB) coordinates the national supervisory authorities.
To learn about important data protection concepts and vital terminology, read our Data Protection and GDPR Glossary of Terms.
The Data Protection Act 2018 came into force in May 2018 alongside the GDPR. Following the UK's departure from the European Union, the GDPR was retained in domestic law as the UK GDPR, which the Act supplements. The UK regime is therefore largely the same as the EU GDPR, with some additional provisions specific to the UK.
Under this Act, employers must ensure that they have appropriate measures in place to protect employee personal data from unauthorised access or misuse. This could include:
- Implementing data protection policies which clearly outline how employee personal data should be handled, processed and stored.
- Carrying out regular security reviews and audits to confirm that the data remains secure.
- Implementing strict, role-based access controls so that only staff who need employee data for their job can reach it.
- Deploying technical measures such as encryption or firewalls to safeguard employee data.
To find out more about the difference between UK GDPR and EU GDPR, read our last blog post.
What is Personal and Sensitive Data?
Personal data is any information that can identify an individual, on its own or combined with other information, such as their name, contact details or personnel records.
Sensitive personal data, known under the UK GDPR as special category data, is information which can reveal things about a person's health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or sex life or sexual orientation. Criminal offence data is subject to similar restrictions. This data must be handled with extra care and may only be processed where a specific condition in the legislation applies.
It's important to remember that employee records almost always contain personal data and frequently contain special category data (sickness absence records, for example), so employers must take extra care when handling them.
Data Protection in the Office
It is important for employers to ensure that they are protecting their employees’ data by taking the necessary steps, such as putting in place robust security measures, conducting regular data audits and implementing policies and procedures that protect the data.
Employers must also be aware of their obligations under the Data Protection Act when it comes to data breaches. A personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Where the breach is likely to result in a risk to individuals' rights and freedoms, it must be reported to the ICO within 72 hours of the employer becoming aware of it; where the risk is high, the affected individuals must also be told without undue delay. All breaches, reported or not, should be logged.
What Are My Rights as an Employee?
The Data Protection Act 2018 (DPA) also sets out the rights of individuals – including employees – in regard to their personal data.
All employers should follow the ICO guide on the DPA and GDPR, which provides detailed information about how employers should comply with the law.
As an employee, you have the right to access your data, to have inaccurate data rectified, to have it erased or its processing restricted in certain circumstances, to object to its use, and not to be subject to solely automated decisions that have legal or similarly significant effects on you. You can also complain to the ICO if you think your employer is not adhering to the law.
Under the Data Protection Act, employers must:
- Identify a lawful basis before collecting any personal data. Consent is only one of six lawful bases and is rarely appropriate in an employment relationship, because the imbalance of power means an employee may not feel free to refuse; contract, legal obligation or legitimate interests are usually the correct basis.
- Inform employees of how their data will be used and stored.
- Provide appropriate security measures to prevent unauthorised access or misuse.
- Allow employees to access and rectify any errors in their personal data.
- Document the lawful basis relied on for each processing activity in their privacy notice and processing records.
- Keep clear, accessible records of their processing activities. Organisations with fewer than 250 employees are exempt from the full requirement, but must still record processing that is not occasional, is likely to result in a risk to individuals, or involves special category or criminal offence data; since routine HR and payroll processing is not occasional, most employers need these records in practice.
- Ensure data is only kept for as long as needed to fulfil the purpose.
- Erase employee data on request where no exemption applies. The right is not absolute: an employer may refuse where it is legally required to retain the data (payroll and tax records, for example) or needs it to establish, exercise or defend legal claims.
- Demonstrate accountability and compliance with data protection by training staff, auditing processing and documenting processing activities, including regular risk assessments to identify where a breach could occur.
- Appoint a Data Protection Officer (DPO) if they are a public authority, if their core activities involve large-scale, regular and systematic monitoring of individuals, or if they process special category data or criminal offence data on a large scale. The DPO may be an employee or an external provider.
- Notify the Information Commissioner's Office of personal data breaches that are likely to result in a risk to individuals, within 72 hours of becoming aware of them. Employers must respond quickly and be transparent with the affected individuals, informing them what happened and how they intend to resolve the issue.
- Identify who is responsible for responding to subject access requests (SARs), provide adequate training, and respond within one month (extendable by up to two further months where requests are complex or numerous).
- Ensure any third party that processes employee data on their behalf (a payroll provider, for example) is bound by a written contract containing the terms the UK GDPR requires and is itself compliant with the DPA.
It is important for employers to be aware of these obligations and make sure they are meeting them.
When it comes to employees, data protection affects all aspects of their employment. Employers must ensure they are taking the necessary steps to protect employee data and comply with data protection laws in order to avoid hefty fines or legal action.
By understanding their obligations and rights, both employers and employees can benefit from data protection laws.
Employer's Data Protection Action Plan
Employers should have an ongoing action plan in place to ensure they are complying with data protection laws.
For most employers, this plan should start by identifying who is accountable for data protection: a statutory Data Protection Officer where one is required, or otherwise a named data protection lead. This role, which an external provider like Trust Hogen can fill, oversees all aspects of information management, including compliance with the Data Protection Act and, for public authorities, the Freedom of Information Act.
Systems should be audited regularly to determine who holds what data, and why. During these reviews, employers should consider how data is used, issue guidelines for managers on handling data appropriately, and check the company's use of automated decision-making, since the UK GDPR restricts solely automated decisions that have legal or similarly significant effects on employees.
Employers must also make sure that all data collected is accurate, securely stored and processed in line with the DPA and UK GDPR. International transfers of data should be reviewed regularly to ensure an appropriate safeguard is in place, such as an adequacy regulation or the ICO's International Data Transfer Agreement.
Policies and practices, such as those on the private use of telephones or email and on monitoring staff, should also be reviewed frequently to ensure they meet data protection guidelines, and updated where needed.
Finally, employers must be aware of their obligations to notify the ICO in case of a data breach and respond appropriately if an employee makes a subject access request (SAR).
By following these steps, employers can ensure they are compliant with data protection laws and protect employee data.
To find out more about how your company must abide by data protection laws, read our post on the key principles of data protection.
Data Protection as a Service with Trust Hogen
Thank you for reading our post on how the Data Protection Act affects employees and employers.
At Trust Hogen, we are dedicating an entire month to data protection to celebrate Data Protection Day on 28th January.
Trust Hogen is a leading independent managed security service provider (MSSP) with a team of experienced professionals who can provide tailored advice and guidance on data protection and GDPR compliance.
Our team includes experienced Data Protection Officers who can provide you with an effective action plan tailored to your business needs.
We are experts in legal, cyber, risk and operational security services and can help you create effective strategies to protect your business from data privacy risks.
If you would like to learn more about our services or find out how Trust Hogen can help your business adhere to data protection laws, do not hesitate to get in touch with us today. We look forward to hearing from you!