We reported recently that the Government is pressing ahead with its overhaul of the data protection laws. We also emphasised in our recent blog why businesses should prepare for the changes. Below is a snapshot of the new data protections which employees will acquire when the General Data Protection Regulation (GDPR) becomes law in May 2018.
Right for files to be deleted (also known as the right to be forgotten) - Individuals will now have the right to ask businesses to delete their personal data. What will this mean for HR files? Will employees be able to delete their disciplinary records or personnel files? Not necessarily: the right to erasure is not absolute. Fortunately, it will be subject to exemptions, so employers do not need to worry that poorly behaved employees will have an automatic right to demand the erasure of their disciplinary warnings.
However, once an employee has left your business and a reasonable period of time has passed, they will have the right to request the erasure of their warnings and personnel files. When faced with such a request, employers can refuse to comply if doing so would mean erasing the very files that your business would need in order to defend against a legal claim. Erasure can also be refused if it is considered to be in the public interest to keep the data, perhaps because the employee was in breach of a safeguarding or public health requirement.
A rejection may also be permissible on the basis that you need to retain the data in order to comply with a legal obligation or for the performance of a public interest task or exercise of official authority. There are other circumstances to reject requests for erasure but these are not necessarily relevant to an employee relationship.
Transfer of data (also known as data portability) – Individuals will be able to move their automated data between different data controllers with ease. In HR terms, the implication is that an employee may request that automated data relating to their payroll or pension be sent to another data controller. If such a request is made, the information needs to be sent as requested, usually within one month of the request being made (at the latest two months if the request is complex).
Machine profiling or processing - If an algorithm has profiled an individual or made some other form of automated decision about them, the individual will have the right to request that the assessment be performed by a human. Using automated systems to sift through applications in order to streamline HR processes is still permissible, but businesses should ensure that, as and when requested, a human is on hand to review the application or any other automated decision.
Privacy - An extension to the current laws will require employers to provide detailed privacy notices to employees and new applicants. The notices will inform them of how long their data will be stored for and whether it will be transferred to other countries. Additionally, the notice should explain to individuals their right to have their personal data deleted or rectified and also their right to request to see their data by making a data subject access request.
Personal data – The definition of personal data will be widened and will now include IP addresses, internet cookies and DNA.
Removal of fee - Previously a charge could be made for providing data; this will be removed in most cases.
Requirement to notify of breaches - Mistakes can happen and there is always a risk that a data protection breach may arise. If your employees do happen to breach the data protection laws under GDPR, you may be required to report the breach to the Information Commissioner's Office and, in some cases, to the affected individuals. You must report a breach where it is likely to result in a risk to the rights and freedoms of individuals. These breaches must be reported within 72 hours of the business becoming aware of the incident. Failure to comply is likely to result in significant fines.