Maintenance of Privacy
Advice
Processing of Data
Employers must ensure that they have a valid lawful basis for processing data. As an employer, Data Protection might seem like a giant legal complication, however, it is simply adding an extra step to the already established process. The requirement of a lawful basis for processing means that it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing fewer data.
The six lawful bases are;
- Consent: the employee has given clear consent for you to process their data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the employee, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the employee’s data which overrides those legitimate interests.
At least one of these bases need to apply for an employer to lawfully process the data. Your right to be informed requires employers to provide staff with information about the way data is handled, this should be included in your employer’s privacy notice. You may request erasure if the data is not processed on a valid lawful basis. Employers must be able to show compliance to GDPR by having appropriate privacy processes and policies.
Employers must be transparent about how they are using and safeguarding their employee’s data, inside, and outside the company, and must be accountable for their data processing activities. They should ensure that they have the required consent and legal basis to process the data.
Employers must consider the purpose of holding the data?
- How was it obtained?
- Why was it originally gathered?
- How long will it be retained?
- Will it be shared with third parties, if yes, have the necessary processes been followed to ensure privacy?
Information provided should follow the same manner that it was collected.
- Short notices containing key privacy information that have additional layers of more detailed information;
- Dashboards that inform people how you use their data and allow them to manage what happens with it;
- Just-in-time notices which give relevant and focused privacy information delivered at the time you collect individual pieces of information about people; and
- Icons (symbols) that indicate the existence of a particular type of data processing.
Responding to Subject Area Requests (SARs)
Employers must have procedures in place to respond to personal data access requests. They must do this within 2 months. If refused a SAR the employer must provide the reasons for refusing it; details on how to make a complaint to the Information Commissioners Office (ICO) and their ability to seek to enforce this right through the courts. A request is manifestly unfounded if you had no intention to exercise their right to rectification or erasure, but instead offers to withdraw it in return for some form of benefit, or used to harass company management just to cause disruption.
Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unapproved disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. You should report any concerns regarding any potential data breach to the Information Commissioner’s Office (ICO).