Written and recorded by Kathy Daniels, Associate Dean, Aston Business School
Hello and welcome to this session, in which we're going to have a look at the topic of data protection. Maybe it would have been tempting to call it a session on the GDPR, but of course data protection is bigger than just the GDPR. So let's start at the very beginning and understand the legislation as it currently is, which is the Data Protection Act 2018, and then what we're going to do is explore a number of different areas in a little bit more detail. So let's start at the beginning. We have the Data Protection Act 2018. Amongst other things, this introduces the General Data Protection Regulation, the GDPR; it also implements the European Union Law Enforcement Directive, and it addresses the Freedom of Information Act and the Environmental Information Regulations. And, I should also have said, it replaces the Data Protection Act 1998. So what we've now got is one place where all data protection legislation is contained, and that includes the GDPR. So when we're referring to the UK legislation, what we should be referring to is the Data Protection Act 2018 rather than, specifically, the GDPR. There is some key terminology that is important to understand. First of all, data, and we're going to come to that in a moment and look at it in a little bit more detail. There is also the data controller, and this is the person in the organization who is responsible for data. Now, when the GDPR was first being introduced, one of the things that was a particular concern to employers was the penalties that can be imposed as a result of breaches of the GDPR. One of the things that is really important, therefore, is that organizations are thinking about data protection and are making sure that they've got policies and procedures and processes in place, first of all to make sure that problems don't occur, but also to think about issues that might arise and preempt them. So there should be somebody in the organization who is responsible for data protection.
It should be a named person, and that person should be thinking about potential problems, advising, and completing the response of the employer to the requirements of the data protection legislation. So that's a really important message for employers: take it seriously and get somebody responsible for it. The data processor that is referred to in the legislation is whoever is actually processing the data. Now, that might be the same as the data controller, of course, but the legislation is really noting and accepting that in an organization, particularly a large organization, there are likely to be several people actually processing data and therefore several data processors. And then we also have the terminology of the data subject, and this is the person that the data is about. The Data Protection Act 1998 had eight principles. The Data Protection Act 2018 is focused on six principles, and these really are the key messages that employers need to understand. And it's probably fair to say that, as the GDPR was being introduced, there was a fair amount of scaremongering about what employers had got to do. Now, of course, there is detail that employers need to be aware of, but these six principles, if employers have just got these embedded into what they're doing in the organization, then they're going a very long way to having done all that is required of them. So let's look at these principles. First of all, the data must be processed lawfully and fairly. So it's about thinking of the processing of the data and some of the things that we're going to look at in a moment in a little bit more detail, things like: is there consent to process the data? Is the data being held securely? The processing must be specified, explicit and legitimate. So what we mustn't do is collect data about employees and be vague about what is going to be done with it. The processing must be specific, and employees must know exactly what is happening to the data about them.
And it must be legitimate as well, and as we'll see when we come to consent, if there is a legitimate reason that the employer has got to do something, then they can do it. The personal data must be adequate, relevant and not excessive. One of the things that I've seen time and time again, as I've done a number of sessions with employers about data protection over recent months, is the number of employers who were saying they've got records filling basement rooms, filling filing cabinets, filing going back years upon years upon years. Why are they holding that information? It may be out of date; it probably is. Lots of it refers to employees that no longer work in the organization, but it is excessive, and it's not relevant for them to be holding it. Therefore, it shouldn't be there. So what personal data is being held? Is it accurate? Is it adequate? Is it relevant? Is it needed? And the next principle: is it accurate, and is it kept up to date? Of course, to a certain extent, the employer is in the hands of the employees here, because if the employee moves house and doesn't tell the employer, the records are inaccurate, and there's not exactly a lot that the employer can do about it if they don't know. But the employer can't just hide behind that excuse. The employer has got to have processes in place for making sure they're doing all they can to keep that information up to date and accurate, and that might be that the human resource information system allows employees access to update their own details. It might be sending out details to employees and saying, come back to me if anything held here is wrong. It might be, each year, having some sort of promotion of "go and check your data, make sure it's accurate". But the employer has got to be able to show that they are trying to do something to keep the data accurate. It shouldn't be kept for longer than necessary. Than necessary, interesting: how long is necessary?
Well, some information, of course, has to be kept for a specified period of time. For example, a certain amount of payroll data has to be kept, and there are rules about that. If an employee leaves the organisation, my recommendation is always to keep the information about employees for only six months, just in case there's some grievance they've got and they're planning on going to an employment tribunal. Most cases have to come to an employment tribunal within three months of the event occurring. You've also got the early conciliation service that's got to be engaged with, and up to a month can be added for that. So we're now at four months, and there is a possibility that the employee can argue it was not just and equitable for them to bring a claim to the employment tribunal in that period of time, so it could potentially be extended. It's not often extended, but it could be. So six months feels like a sort of safe approach to me. And then personal data must be processed in a secure manner. So challenge the employer: who can access the data that they hold about employees? Does everybody that has password access need it? Should they have it? Where are those passwords being held? Do we have the situation that occurs from time to time, where employees have got their password on a Post-it on their laptops, stuck on their screen? If hard copies are held, if they're in a filing cabinet, does somebody open the filing cabinet in the morning and then it's open all day, and people coming in and out of the office could access things? Challenge employers to think: if somebody wanted to access data, how difficult would it be to actually do that? So let's look at data. Data is information that is processed either electronically, or manual information that is a set of information that is structured and readily accessible. So what do we mean by structured?
Well, we're not really thinking about scruffy pieces of paper stuffed in a desk, although of course that shouldn't be there anyway if it's personal data. But we are thinking of things that are held in an ordered, systematic way such that the data can be accessed by others. Personal data is any information by which individuals can be identified, and here the GDPR does have a wider definition, and therefore we have a wider definition in the Data Protection Act 2018 than we had in the Data Protection Act 1998. It includes anything from which an individual could be identified, so that could include an IP address; it could include DNA. And then we also have a subset of personal data, which is sensitive data, which covers areas such as political and religious beliefs, health, criminal offenses, racial origins, trade union membership and sexual orientation. The limitation on how sensitive data can be used is stricter than the limitation on how personal data can be used. Now, when talking to employers, an important starting point is to encourage them to carry out an information audit. What I've been particularly startled by, I think I would say, as I've been talking to employers in training sessions over recent months and even years, is the ignorance some employers have. When you say, can you tell me all the personal data that you're holding in the organization, so many employers say, well, I'm not really sure. So really, there does need to be some sort of audit of the personal information that the organization is holding. Now, the particular focus of this session is based on employment, looking at employment issues, but it is worth just being aware that many organizations hold personal information about customers, clients, patients if it's a medical organization, and of course all of those sorts of pieces of information are also covered by the Data Protection Act 2018.
So it's worth encouraging organizations just to think really broadly about the data that they hold, and this might be getting together a number of managers from a number of different departments in the organization, because it is quite possible that one individual person won't have the knowledge to be able to fully answer the question. And then, having identified what data the organization does hold, what does the organization process? And then the important question: does the organization have the necessary consent to store and process the data? And of course, at the start of this session we referred to the data controller, and the data controller should be the person in the organization that is able to answer these questions and should have that good overview of all the data that is being held and processed in the organization, and the data controller needs to think about how that whole picture is being kept up to date and accurate. Then we get to consent. Now, when we go back to the GDPR and a lot of the publicity that there was around the time that the GDPR was being introduced, consent was probably the biggest topic, and this was because it was a bit of a change. In the past, it's been acceptable to say to someone, we're presuming that you consent to us storing or processing data unless you tell us otherwise. That is no longer the case. Consent must firstly be unambiguous. So there must be no question, in the way that the organization asks for the consent, that the individual has actually given consent. This means that the individual has got to be clear about how the employer is intending to use the information, and this might mean that the consent form needs quite a bit of detail on it, depending on exactly what the employer is asking for. And the consent has to be given by an affirmative action. So you can't say, we've pre-ticked the box, and if you want to withdraw consent, you've got to remove that tick from the box. No, you can't do that either.
You will have the box as: if you give consent, then tick it. It's got to be an affirmative action. And, if it's relevant, then there has to be a need for the consent to be granular. So that could be: I consent to you storing my information; I consent to you processing my information for this purpose; I consent to you processing my data for a different reason; and the option of, I consent to you storing and processing my details for all the reasons listed above. But if there are a number of different things that could potentially be done with the data, the individual has got to give specific action for each, and so that is going to require something granular to happen. And consent must be separate from other terms and conditions. So, for example, you couldn't put in an employment contract a clause that says, by signing this contract, you give consent for us to hold your personal details and process them for whatever reasons we want to process them. Because then, if the employee doesn't want to give that consent, they can't sign the contract for employment and therefore they can't have the job. And so that's actually not giving them freedom to decide whether they are consenting or not; it's just forcing them into a corner. So there has got to be the opportunity to really give consent, not be forced into giving consent. And it's worth thinking about the employee's journey here, before they're an employee. When the individual first applies for a job, as part of the application process they are inevitably giving personal data, because they're giving information to you so that you can decide whether you want to engage with them in the first step of the selection process. So at that stage, what are you doing with the data? Do you have consent to do it? You then might have a situation where the individual doesn't get the job, but you would like to keep their information on file because they were great.
But just somebody was better, and if another job comes up, you would like to go back and reconsider their application. But if you're going to keep it on file for those purposes, you've got to have the consent of the individual to do that. It might be that an individual applies for a job in your organization and you read the application and you think, you know, they're not right for this job, but there is a job elsewhere in the organization, and I happen to know that my colleague is recruiting for that, and I think they would be ideal for that other job. What you can't do is just send the application on without the employee's consent, because they've given you that personal information for a specific purpose, and that is to be considered for job A. You're now saying, well, OK, you're not ideal for job A, but you could be ideal for job B, but you haven't got their consent to forward their details. You'd have to go back to the individual and say, sorry, but you're not suitable for this job, but we do have this other job; do I have your consent to forward your details for consideration for job B? Another thing that is in the GDPR, and therefore in the Data Protection Act 2018, is the issue of automated decision making, which is quite common in the application process. So, for example, you might have a situation where you've got some psychometric assessment where there's an automated process which excludes a certain number of people from going any further in the application process. In itself, that is not a problem, but an individual has to have the right to ask for a human intervention in the decision making if they want to. So you've got the whole consent issue around the recruitment process, and then, when you take an employee into the organization, you need to have consent for the storage and processing of the data that you're going to carry out because the individual is now an employee.
And really, as we've already said, and as it says on the slide here, it's got to be separate from other terms and conditions. So really, as you're inducting the employee into the organization, it would be ideal if employees are given a separate form at that stage for them to give consent to whatever they want to consent for. And then you've got the issue of the employee resigning from the organization. When the employee leaves, it might be that the employer wants to keep certain information about them, and unless they have the right to do so (we'll look at the right to do so in just one moment), unless they have that right, then they would have to get the employee to sign a consent form for them to keep information once the employee has left the organization. But there are situations where consent is not needed. Firstly, if there's a legal requirement to process the data. So, for example, there is information that has to go to HMRC about the tax an individual has paid. There is a legal requirement for the employer to provide HMRC with that information, and the employer therefore does not have to go to the employee and seek their permission. If there's a contractual right to process the data: maybe the most straightforward of these is pay. Say the employment contract says that the employer will pay the individual for doing their work; so there is not a requirement to then seek a different, additional permission to have the bank details of the employee and to process them on a monthly or weekly or however often basis to pay the employee. If it's necessary to protect somebody's life: there's not going to be a lot of situations in an organization where this is going to be essential unless we're working in the medical sector, but it could be that there is medical information about an employee, maybe about allergies, for example, and it's necessary to keep that information in certain places.
So that it is to hand if anything happens that would trigger an allergic reaction. If it is necessary to carry out an official role or task in the public interest: so this could be some sort of monitoring process. Or if there's a genuine, legitimate reason that outweighs the individual's rights and interests, and really here we're back to the data controller. To rely on that, the data controller would have to be satisfied that there really was a genuine and legitimate reason. Now, an interesting area to look at as well is subject access requests. Under the Data Protection Act 1998, employees were entitled to ask to see information held about them, and that right continues. But in the past, employers could charge employees for this access. The Information Commissioner's Office used to recommend a charge of around £10, but no longer can there be a charge, and the requirement is to provide the information within one month unless there is a good reason that that is not possible. And a good reason is going to be something like: the requirement to get all the data together is particularly onerous, or a lot of employees have all asked at the same time and it's just not possible to get it done within the time constraints. But employers should work on the basis that most subject access requests are relatively straightforward, because most data about one employee is held in maybe two places, maybe in HR and payroll, but in a limited number of places at least, and it's not too much effort to gather it all together. Employees can ask for any information to be amended or corrected if it's incorrect. And indeed, as an employer, the employer wants employees to be telling them if information is incorrect, partly because that meets one of the six principles of ensuring that the data is accurate, but also because, of course, what's the point of holding the data if it's wrong? And just finally, a few other issues to consider. First of all, data breaches.
The penalty for a breach of data is severe under the GDPR: it is up to 20 million euros, or 4% of the annual global turnover of the organization, whichever is greater. That's big. Data breaches do sometimes occur, and if they do occur, the requirement is to report them to the Information Commissioner. But there's not a requirement to report minor things; the requirement is to report something if it potentially poses a risk to people. And again, back to the data controller, who would be responsible for making the report, but also for considering if it's got an impact on people. If it's personal data that has gone out into the public domain, and particularly if it's sensitive data, then yes, it should be reported. If the breach has caused employees harm, such that maybe their bank accounts have been accessed because bank details have gone out into the public domain, then that should be reported to the Information Commissioner. Really, the best advice is, if in doubt, contact the Information Commissioner's Office and ask for specific advice relating to whatever has happened. Another thing is that the GDPR requires there to be data protection by design. And really, this is a very useful requirement, because what it's saying is, let's not think about data protection after we've put a process in place, but let's be mindful that if we're putting a new process in place and it involves the manipulation of personal data or the storage of personal data, we've got to think of it up front. And therefore it's important to design it in.
There's also a requirement to write a data protection impact statement if new technology is being deployed, if a profiling operation is likely to significantly affect individuals, or if there is processing on a large scale of special categories of data. And then really, what it's saying is that the employer has got to think about data protection at the start of the process and then make a statement about what they thought of and the impact that the processing of the data is going to have. And finally, it's just worth remembering the issues relating to international use of data, particularly given the very large number of organizations that operate on an international basis. Any organization that operates in more than one European Union member state and carries out cross-border processing has to identify their lead data protection supervisory authority, and that's usually going to be the country where the head office is based, and therefore must ensure that they are adhering to the data protection legislation there as well as in their own country where the data is being held. I hope you found that this session has been useful.
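The rules from the session (a lawful basis for every processing purpose, consent that is affirmative and purpose-specific rather than pre-ticked or buried in the contract, the six-month rule of thumb for leavers' records, and the one-month response time for a subject access request) can be turned into a small audit over an employer's HR records. The Python below is an added example, not part of the recorded session; the record fields, purpose names such as `retain_after_leaving`, and the sample employees are all constructed for illustration.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Lawful bases named in the session under which consent is not needed.
EXEMPT_BASES = {"legal_obligation", "contract", "vital_interests",
                "public_task", "legitimate_interests"}
LEAVER_RETENTION_DAYS = 182  # the session's six-month rule of thumb for leavers

@dataclass
class Consent:
    purpose: str
    given: bool                        # did the person actively tick or sign?
    pre_ticked: bool = False           # a default-on box is not an affirmative action
    bundled_in_contract: bool = False  # consent buried in T&Cs is not freely given

    def valid(self) -> bool:
        return self.given and not self.pre_ticked and not self.bundled_in_contract

@dataclass
class EmployeeRecord:
    name: str
    purposes: Dict[str, str]  # purpose -> lawful basis relied on (assumed field names)
    consents: List[Consent] = field(default_factory=list)
    left_on: Optional[date] = None

def purpose_issues(rec: EmployeeRecord) -> List[str]:
    """One finding per purpose with neither an exemption nor granular, valid consent."""
    consented = {c.purpose for c in rec.consents if c.valid()}
    findings = []
    for purpose, basis in rec.purposes.items():
        if basis in EXEMPT_BASES:                        # e.g. tax reporting, paying wages
            continue
        if basis == "consent" and purpose in consented:  # affirmative, purpose-specific
            continue
        findings.append(f"{rec.name}: no valid lawful basis for '{purpose}'")
    return findings

def retention_issues(rec: EmployeeRecord, today: date) -> List[str]:
    """Flag leaver records held past the window with no stated purpose for keeping them."""
    if rec.left_on is None:
        return []
    held = (today - rec.left_on).days
    if held > LEAVER_RETENTION_DAYS and "retain_after_leaving" not in rec.purposes:
        return [f"{rec.name}: leaver record held {held} days, longer than necessary"]
    return []

def sar_deadline(received: date) -> date:
    """Subject access request: respond within one month (clamped to shorter months)."""
    extra_year, month0 = divmod(received.month, 12)  # December rolls into the next year
    year, month = received.year + extra_year, month0 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def audit(records: List[EmployeeRecord], today: date) -> List[str]:
    return [f for rec in records for f in purpose_issues(rec) + retention_issues(rec, today)]

# Constructed sample records (not from any real employer).
TODAY = date(2019, 9, 1)
SAMPLE_SAR_RECEIVED = date(2019, 1, 31)
SAMPLE_RECORDS = [
    EmployeeRecord("A. Current", {"payroll": "contract", "tax_reporting": "legal_obligation",
                                  "staff_newsletter": "consent"},
                   [Consent("staff_newsletter", given=True, pre_ticked=True)]),
    EmployeeRecord("B. Leaver", {"payroll": "contract"}, left_on=date(2018, 12, 1)),
    EmployeeRecord("C. Applicant", {"consider_for_job_a": "legitimate_interests",
                                    "consider_for_job_b": "consent"},
                   [Consent("consider_for_job_b", given=True)]),
]
```

Running `audit(SAMPLE_RECORDS, TODAY)` flags the pre-ticked newsletter consent and the leaver held for 274 days, while the applicant whose details are forwarded for job B only with specific consent passes; a leaver record with a valid `retain_after_leaving` consent would also pass.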