
10 steps towards compliance

by Personnel Today 24 May 2005

Almost all the major markets of the world, with the notable exception of the US, have now implemented privacy legislation to regulate the collection, storage and use of information held about employees by organisations.

Additionally, recent regulatory activity in Europe, new laws in Japan, and high-profile breaches of consumer data security in the US have ensured that data security and privacy laws have become a corporate priority.

At first glance, achieving compliance with these laws can seem a complex, onerous and expensive project. And for HR professionals working as part of a global team, managing employee data stored on centralised employee databases, such as SAP and PeopleSoft, can seem daunting.

However, most data protection laws share common privacy principles, and create similar obligations for private sector employers with respect to the collection, use, storage and disclosure of employee data.

Here are 10 steps that HR professionals can take to comply with these key privacy principles in respect of employee data.

Step 1: Analyse the data

Understanding the flow of employee data in your business will help you to establish the steps you must take to comply with privacy laws. It may not be possible to identify every piece of information coming into the business, but knowing the main sources is an invaluable first step in any compliance programme.

Top tip: Review the forms used by your HR department to find out what employee data is collected, what it is used for, and by whom.


Step 2: Review the data collected

It can be tempting for organisations to collect any information that might potentially be useful. However, privacy legislation typically prohibits organisations from collecting any personal information unless the collection is necessary (and not excessive) in relation to one or more legitimate purposes specified by the organisation.

Top tip: Review data collection forms to ensure that each piece of data requested is the minimum necessary for employment purposes. Any additional information requested should be clearly identified as optional.

Step 3: Ensure lawful use of data

Most privacy legislation prohibits employers from collecting data about employees unless it is collected in a manner that is fair and in circumstances that are lawful.

Collection is usually fair if the employer has informed the employee of the purposes for which the data is being collected, and has provided the details set out in Step 4.

Collection will usually be lawful if the employee has consented, or if it is necessary for the employer to comply with legal obligations or obligations arising out of the employment contract.

‘Consent’ can sometimes be implied. For example, an employer may inform an employee of a proposal to transfer their employment file, unless they object. If the employee doesn’t, they can be said to have given ‘implied consent’ (also called ‘opt-out consent’). Whether this is sufficient will depend on the circumstances.

However, many privacy laws deem certain categories of personal data to be sensitive. The circumstances under which such data can be collected are limited.

Top tip: Ensure employee consent is obtained where possible.

Step 4: Provide relevant information

Data protection laws usually require organisations to provide certain information to employees at the time the personal data is collected, or as soon as is possible thereafter. This usually includes telling the employee: the purpose for which the information is being collected; contact details for privacy complaints or queries; the identities of any third parties who may access the data; whether the information will be exported overseas; and whether it is mandatory to supply the information.

Top tip: Draft a standard clause containing this information for insertion into employment contracts, policies and forms used to collect employee data.

Step 5: Manage the storage of data

Data protection laws discourage organisations from retaining personal data for longer than is required for the original purpose for which it was collected, or any other legal requirement. Storing information indefinitely increases the risk of unauthorised access and also means the accuracy of the data erodes. Excess data storage also represents an unnecessary cost to your organisation. Most laws also require the accuracy of the information to be maintained, where relevant.

Top tip: Implement document retention and destruction procedures, specifying how long different types of employee data may be retained. Resist the temptation to specify retention periods that are longer than legally required ‘just to be safe’. Periodically purge employee data to ensure that it is accurate and up to date, taking into account any ‘hold’ orders that may exist due to litigation. Ask employees to inform you if their personal data changes, and clearly mark data as inaccurate where an employee has informed you that this is the case.
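As an added example that is not part of the original article or its authors' advice, the following Python model shows how the Step 5 retention review can be made mechanical: each record is checked against a retention schedule, records subject to a litigation hold are kept regardless of expiry, and only the remainder is scheduled for destruction. The retention periods, data categories and sample records are constructed assumptions, not figures from the article or any law.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule in years after the end of employment;
# illustrative placeholders, not the article's or any law's figures.
RETENTION_YEARS = {"payroll": 6, "appraisal": 2, "recruitment_notes": 1}

@dataclass
class Record:
    employee_id: str
    category: str
    employment_ended: date

def add_years(d, years):
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_expiry(record):
    """Date from which the record has outlived its retention period."""
    return add_years(record.employment_ended, RETENTION_YEARS[record.category])

def review_records(records, holds, today):
    """Return (to_destroy, kept); kept pairs each record with the reason.
    Records of employees in 'holds' (litigation hold) are never destroyed."""
    to_destroy, kept = [], []
    for rec in records:
        if rec.employee_id in holds:
            kept.append((rec, "litigation hold"))
        elif retention_expiry(rec) <= today:
            to_destroy.append(rec)
        else:
            kept.append((rec, "within retention period"))
    return to_destroy, kept

# Constructed sample data, not real employee records; E002 is under a hold.
SAMPLE_RECORDS = [
    Record("E001", "payroll", date(1998, 1, 1)),
    Record("E002", "appraisal", date(2002, 3, 1)),
    Record("E003", "recruitment_notes", date(2005, 1, 1)),
]
SAMPLE_HOLDS = {"E002"}

def sample_review(today=date(2005, 5, 24)):
    to_destroy, kept = review_records(SAMPLE_RECORDS, SAMPLE_HOLDS, today)
    return ([r.employee_id for r in to_destroy],
            {r.employee_id: reason for r, reason in kept})
```

Running `sample_review()` schedules only E001 for destruction: E002's period has also expired but the hold overrides it, and E003 is still within its period.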

Step 6: Implement security measures

Data protection laws require that technical and organisational security measures are used to protect personal data held by organisations. What constitutes technical security depends on currently available technologies, and the amount of cost and effort put into security and maintaining accuracy should reflect the sensitivity of the information and the likely effects of unauthorised disclosure. For most databases, effective password protection and firewall protection are sufficient, and, for most manual files, swipe-card entry or other area restrictions will suffice.

Organisational security measures include restricted access to databases and guidance for those with access to employee data.

Top tip: Review existing technical security measures and adopt new measures to ensure the security of employee data, if appropriate. Provide procedural guidance and training to those who handle employee data.

Step 7: Review further use of data

As a general rule, once employee data has been collected by an organisation, privacy laws only permit its use or disclosure for reasons that are compatible with the purpose for which it was originally obtained.

Top tip: Review the uses that are made of employee data once it has been collected by your organisation. Be aware that you may be required to notify and obtain the consent of employees to use their personal data for a purpose unrelated to that for which it was originally collected.

Step 8: Review third-party contracts

Data protection laws usually require employers to ensure that third-party providers of services, such as employee benefit providers, contractually guarantee that they will safeguard employee data.

European data protection laws state that transfers of employee data from the EU to any entity in the US or other non-approved countries may only be made in limited circumstances. These include: where the transfer is necessary in relation to the performance of an employment contract; where the data is protected by a contractual arrangement between the sender and recipient; and where the recipient company has binding corporate rules that ensure the protection of the data.

In the US, organisations can choose to participate in the Safe Harbor scheme run by the Department of Commerce. To participate in the scheme, firms must certify that they will protect personal data in accordance with a list of principles published by the Department of Commerce.

Any personal data transferred to a US Safe Harbor company will be deemed to be adequately protected.

Top tip: Review third-party contracts and amend them if necessary to ensure they include appropriate data protection language, including indemnities from third parties for any damages incurred as a result of a breach of data security. Review the situations in which employee data is transferred from the EU to countries such as the US – for example, information stored on an employee database with a server located in the US – and ensure that the legality of each transfer has been considered and addressed.

Step 9: Review employee access to data

Data protection laws provide employees with rights, including a right to access and rectify any inaccurate data held on behalf of their employer.

Top tip: Implement access procedures establishing the scope of accessible data, as well as appropriate formats and timeframes to respond to employee requests.


Step 10: Be aware of local laws

The previous steps outline practical measures that HR professionals can take when handling employee data to assist in achieving compliance with the key principles common to many data protection laws. However, it is important to ensure that legal advice specific to countries and regions is also sought.

Top tip: Seek the advice of legal counsel on the vagaries of applicable local laws, such as national notification requirements, and adjust your business practices accordingly.

Gaela Bailey and Jonathan Fitzgibbons are data protection and privacy lawyers at Crowell and Moring
