Introduction
Data protection is the right of an individual to prevent misuse of information about them. Updated legislation gives employees greater control over their sensitive personal data. Employees need to understand their privacy rights, and employers need to ensure that their employees are aware of those rights. Employers should develop policies that take a compliant but balanced approach. Organisations that ignore their legal obligations risk reputational damage, potential prosecution in the courts and heavy penalties.
Definitions you may come across:
- Applicable laws: The Data Protection Act 2018, the General Data Protection Regulation (GDPR) 2018 and the Human Rights Act 1998.
- Personal data: Data that relates to, or can be used to identify, a living person, either by itself or together with other available information.
- Data subject: The person to whom the personal data relates.
- Sensitive data: Data relating to a data subject’s racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, and genetic or biometric data. Generally, sensitive data cannot be processed without the data subject’s explicit consent. Employers can process sensitive data where this is necessary to keep the records required for their equality reporting obligations.
- Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Together, data controllers and data processors are the organisations that collect or use personal data.
- Data processing: Any operation or set of operations performed on personal data, for example collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, restricting, erasing or destroying it.
Employees have several rights under GDPR as individuals; these are covered in the section “Right to privacy”.
Processing of Data
Employers must ensure that they have a valid lawful basis for processing data. This section is aimed at employers and their obligations. As an employer, data protection might seem like a giant legal complication. In practice, however, it simply adds an extra step to processes that are already established. Processing must be targeted, proportionate and for a specific purpose.
The six lawful situations in which an employer can process data are:
- Consent: the employee has given clear consent for you to process their data for a specific purpose;
- Contract: the processing is necessary for a contract you have with the employee, or because they need you to take specific steps before entering into a contract;
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations);
- Vital interests: the processing is necessary to protect someone’s life;
- Public task: the processing is needed for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; and
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the employee’s data which overrides those legitimate interests.
At least one of these bases needs to apply for an employer to process the data lawfully.
Transparency Requirements
Employers must be transparent about why and how they use the data held on their staff; they must be accountable for their data processing activities and follow the data protection principles. Employers must list all the personal data that they hold and ensure that they have the required consent or other legal basis to process it.
Employers should respond to Subject Access Requests (SARs) within 1 month. This can be extended by a further 2 months if requests are complex or numerous. A SAR requires the employer to provide the data subject with all the personal data it holds about them; however, an employer can refuse a request that is manifestly unfounded or manifestly excessive.