Keeping Personnel Files Personal - What to Keep in an Employee File

When it comes to data protection, personal employee data must be handled with as much care and sensitivity as client data. Data protection issues have a huge impact on the work that HR carries out – from recruitment to onboarding, record keeping, monitoring performance, and providing references. The Data Protection Act of 2018 (DPA) reflects the General Data Protection Regulation (GDPR) in the UK. These regulations affect how businesses gather and store data and outline the rights of individuals to access that information.

These regulations can look like a minefield and indeed, a failure to follow them will see your organisation stepping into a world of trouble. To avoid such a scenario, companies must have a strong understanding of their obligations and implement the appropriate level of security and privacy on employee data.

So, first things first: what are the obligations you have to your employees to ensure compliance?

The Rights of your Employees

According to the DPA 2018, employees have certain rights that must be respected. These are:

1. The right to be informed – this means there’s a need for transparency and openness about what data you’re collecting and how you will use it.
2. The right of access – your employees have a right to request access to any data and other information you hold on them.
3. The right to rectification – if the data you hold on employees is inaccurate or incomplete, they have a right to have this amended. If this data is passed on to third parties for whatever reason, those third parties must also be notified of any amendments.
4. The right to be forgotten – employees have the right to request that you delete or otherwise remove any personal data you hold on them if it is no longer necessary for the company to continue processing this data.
5. The right to restrict processing – in certain situations, employees can prevent the processing of their data; in this scenario, employers are still able to store this data but are prohibited from using it.
6. The right to portability – employees are entitled to ask for their data to be provided to another data controller in a accessible file-format.
7. The right to object – staff can request that you do not process their personal data and you must comply.

What does this mean for your Business?

Now that we have covered the rules and rights that employers must comply with, we can explore what this really means and how it impacts employee record management.

Employee data, or HR data, generally covers an employee’s personal file, payroll information, their medical information, and anything else that your business gathers that relates to an employee’s pay, benefits, etc. In short, its all the employee information that you have.

Under the DPA and GDPR, the definition of personal information is broad, and also includes any special category data on employee ethnicity, political opinions, religious affiliation, union membership, health, or sexual orientation.

The definition of ‘processing’ is equally broad, and includes the collection, storage, usage, or disclosure of employee data. In simple terms, any collection of data can count as processing.

So, you can understand the sensitivity around this information and how it is used. A breach of this data can lead to heavy sanctions and could be a breach of an employee contract. It would certainly represent a failure of an employer’s duty to maintain confidence and trust and would be damaging to a business’s reputation. A breach could also lead other legal issues not specifically related to data protection. So, HR has a profound duty towards security in the way that they maintain employee records and other employee information.

With that in mind, what are the processes, steps and best practices for businesses and HR departments to follow when it comes to protecting employee data?

How to Ensure Data Security and Compliance

In terms of data protection, openness and transparency are key. Effective communication on what data you will gather and store and how you will use it is critical. The best way for HR to do so is to provide an easily accessible Privacy Statement to employees outlining in clear and plain language how data will be used and the length of the retention period for that data.

HR departments must also be aware of the strict prohibitions and limitations on processing any sensitive employee information unless they have the express consent of the individual to do so. GDPR requires that the employee must give this consent, and that this consent must also be fully informed – this is again why it is so crucial to communicate effectively with your employees.

We have previously provided guidance on GDPR for HR, but the issue of consent becomes a lot murkier for employees than it is with clients or partners. There is an imbalance of power between employers and employees which does impact the ways in which consent can voluntarily be given.

However, even without consent, there are certain legitimate reasons for employers to process certain data, as in the case of preparing employment contracts. In terms of legal protection, the cover of ‘legitimate interest’ will only apply if a business has completed a Data Protection Impact Assessment (DPIA).

It may also be necessary for your business to designate the role of Data Protection Officer (DPO) who’s role involves the monitoring of the HR data that is being stored and processed. Whether or not you need a DPO will depend on the nature and quantity of data your organisation needs to process. There may be legitimate reasons for your business to monitor employees or store information on their health – especially in the aftermath of the COVID-19 pandemic. In which case, a DPO may be required.

How HR Software can Help

Its not uncommon for HR to be left out of discussions on data security, but it is fully necessary that they be included, especially when it comes to the management of employee information.

Not only is it critical for HR to be involved, but it is also necessary to ensure that its not just the processes in place that are robust in terms of data security. Software that can record and store employee data safely and securely is very important to ensuring compliance.

XCD is built on the Salesforce, the world’s most popular business cloud platform and benefits from the heavy investment Salesforce makes every year to maintain security. Housing your data on a secure platform is integral to maintaining GDPR and DPA compliance.

It also means that employees can easily access what data is being held on them, as well as any policies around privacy and protection on a self-service basis. This makes communication of what is required and the gathering of consent much easier, as employees can do so with a few clicks.

To understand more about how XCD’s HR software can help with data security and compliance, book a demo with one of our team.