The World of Data Protection and Security for Human Resource
Today in the era of Digital Transformation, security is considered to be the top most aspect for any organization irrespective of industry, service line or even any business. And when we start thinking about security we all get focused on hacking, threats, vulnerabilities, attacks etc. Which are off course is the key area in cyber security today, but we should also give equal importance and respect to data security. Well it is not at all a small area and neither it is simple to understand. Data security changes with law, rules, and other criteria continuously over a period of time.
Human Resources play a critical role in helping manage and train this fast changing workforce especially when it comes to data security. Whether employees, professionals or part-time workers, are in their first jobs or change in jobs, it is important that everyone has a basic knowledge of standards of privacy and security and be also responsible for keeping organization’s data secure. And training and education are not only the scope here for HR, doing proper risk assessment; communicate with people on regular basis and encouraging on each and everyone’s responsibility on data security does so. Data security is not only providing training about the best practices. It’s also important to understand why employees make the decisions they do. And it’s the HR who oversees employee training, onboarding, cultivating a positive corporate culture, and redressing employee conduct — which are the heart of good data security according to The Law Insider.
Now let’s start exploring the world of Data Protection and Security for Human Resource.
Data protection means that those who decide how and why personal data are processed must comply with data protection principles. Those about whom data is stored and handled also have with rights. According to CIPD, data protection is a topical and extremely complex issue which all employers need to pay careful attention to. All organizations must take steps to handle process and store data responsibly and keep up to date with legal developments in this area. Data protection issues can have implications for most HR activities such as the handling of recruitment, employer references, record-keeping and performance monitoring.
In legal terms, what does Data Protection means for us?
It’s important for employers to understand that data protection is a global issue which makes the legal position even more complicated. International developments can affect data protection matters, for example: A major overhaul of EU data protection law is underway, with new legislation called the General Data Protection Regulation expected by June 2018. This will create one set of data protection rules for the whole of the EU. The focus will be on internet consumer data protection, but employers are likely to be affected. Employers must ensure they are data protection compliant and may need to designate a data protection officer by training and developing existing staff.
According to the Data Protection Act 1998 (DPA), which implements an EU Directive (the Data Protection Directive 95/46/EC) and both the Act and the Directive aim to give individuals rights concerning the processing of personal data. The DPA applies to personal data in a computerized format, as part of an accessible record or held manually as part of a relevant filing system. For public authorities, the DPA is extended to all personal recorded information.
The law means that those who decide how and why personal data are processed (data controllers), must comply with certain data protection principles. Those about whom data are processed have a number of rights, for example in relation to accessing that data. In an employment context, employers will generally be data controllers and employees, workers and applicants will be data subjects.
Personal data means data which relate to an identifiable living individual and includes any expression of opinion about that individual. So personnel records, including sickness absence, performance appraisals, recruitment notes etc. will clearly be personal data. The DPA also gives extra protection to certain types of personal data called sensitive personal data which includes information about the subject’s race, ethnicity, politics, religion, trade union status, health, sex life or criminal record. Such data should be treated with particular care. In addition, the ICO considers that financial data, although not technically defined as ‘sensitive personal data’ under the DPA should be treated in the same way.
Processing information or data, means obtaining, recording or holding it or carrying out any operation on it, including its retrieval, consultation or use.
The DPA has eight principles which specify that data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept for longer than is necessary
- Processed in line with an individual’s rights
- Not transferred to countries outside the European Economic Area (EEA) without adequate protection.
It’s against the law if a data controller, for example an employer, doesn’t follow these principles, and substantial penalties may be imposed. The Information Commissioner can issue undertakings, enforcement notices, and for serious breaches, high civil monetary penalties expected for a breach of one or more of the principles.
So what is expected by an organization?
- Appoint a data protection officer to be in charge of all aspects of information including the DPA and Freedom of Information Act (for public authorities).
- Audit information systems to find out who holds what data, and why.
- Consider why information is collected and how it is used. Issue guidelines for managers about how to gather, store and retrieve data.
- Ensure that all information collected now complies with the Data Protection Act 1998.
- Check the security of information stored.
- Check the transfer of data outside the EEA.
- Check the organization’s use of automated decision making.
- Review policy and practice in respect of references.
- Review or introduce a policy for the private use of telephones, email and post.
It’s important that employers understand their responsibilities and potential liabilities under data protection law. Employers that ignore their legal obligations risk reputational damage and potential prosecution in the courts. However, our research shows that, where employees feel they are under excessive monitoring or surveillance, they have more negative attitudes to their employer and are more likely to suffer from stress. Employers should therefore develop policies in this area that take a compliant, but balanced, approach and ensure that employees are aware of, and understand their rights and obligations under data protection law.
HR records include a wide range of data relating to individuals working in an organization, for example, pay or absence levels, hours worked and trade union agreements. This information may be stored in a variety of media such as paper files and, increasingly, on computer databases. It is important for all organizations to maintain effective systems for storing HR data, both to ensure compliance with all relevant legislation (for example in respect of the minimum wage or working time regulations) as well to support sound personnel administration and broader HR strategy.
End of 2015 , the EU institutions agreed on the text of the EU’s successor privacy legislation: the General Data Protection Regulation (GDPR). The General Data Protection Regulation (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.
The new GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It address many of the shortcomings in the DPD: adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, as well as strengthening rules for data minimization.
It’s important to note that the EU GDPR covers personal data. It’s what we in the US would call personally identifiable information (PII). Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses.
One way to describe the GDPR is that it simply legislates a lot of common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.
For these reasons, it is fair to say that the GDPR is the most important change in data privacy law in the last twenty years. Moreover, it will affect all businesses, all over the world — as every organization has employees and contacts, even if they don’t have individual customers.
The GDPR significantly enhances the rights of data subjects.
Firstly, with regard to the right to information, employers will need to provide more detailed information as to the how and why of the processing of HR-related personal data. This long list of information to be provided aims at giving more transparency to the processing of data and by doing so enhancing security.
Secondly, employees have a right of access to their data and a right to have inaccurate data rectified. These existing rights have been modified in order to bring more clarity but they are not extended that much.
Finally, under the new so-called right to be forgotten, employees will be entitled to require the employer to erase personal data about them in certain circumstances. This may be the case where the data are no longer necessary for the purpose for which they were originally collected, or where the employee has withdrawn his/her consent.
The GDPR introduces a number of new obligations for companies, which should trigger a shift from paper-based compliance to actual and demonstrated compliance in the field. As a result, the obligations to notify processing activities to the data protection authorities will be abolished.
Instead, the GDPR expects companies to implement a number of measures such as: appointment of a (mandatory) data protection officer, carrying out (mandatory) privacy impact assessments and (mandatory) consultation with the data protection authorities before new data processing activities are commenced, as well as keeping records of all their processing activities.
These new obligations will have a significant impact on how companies approach projects that involve the processing of personal data.
On top of the accountability package, the GDPR introduces a general obligation to notify data breaches. While most US-based companies are already familiar with the concept, this will be an important change for many EU businesses and one that they do not particularly look forward to.
Where a company suffers a data breach, as a rule it must notify the data protection regulator within 72 hours. If the notification is not done within 72 hours, there has to be a justification for this delay.
If the data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to his/her rights and freedoms. To avoid notification fatigue, the GDPR contains a few exceptions to this rule, e.g. if the data was encrypted.
For HR professionals, it will therefore remain important to continue to follow national law developments in the field of privacy in the workplace, in addition to the more generic GDPR.
The GDPR will not only apply to employers processing the personal data of their employees, but also to HR service providers that process such data on behalf of the employer (“data processors”). This is an important change compared to the current legal framework, where HR service providers only have a contractual obligation vis-à-vis the employer but are not directly accountable for complying with the data protection regulations.
But how companies are taking GDPR so far?
According to Help Net Security, 97 percent of companies don’t have a GDPR plan. Explanation of this survey can found on the provided link.
Please also go through the best practices to address GDPR requirement from Help Net Security. According to them the main practices are:
- Hire a data protection officer (DPO).
- Deploy an access governance solution.
- Control access management.
- Protect the Network.
- Facilitate secure mobile access.
- Ensure email security.
And these are definitely adding value for any organization for their data security strategy. As there are lots of data protection challenges and issues for the organization and one must need to take it very seriously to avoid any legal consequences and high penalties.
Another interesting aspects are the data protection issues and it is always a wise choice to look after over the data protection issues from the beginning and plan accordingly. What are the Top Data Protection issues for HR Professionals? According to SQUIRE SANDERS, an international law firm here are the top ones.
Data Breach Response
EU Data Protection Rules impose specific requirements for storing, processing and transferring personal data about EU employees — employer’s liability exposure is increased by failure to prepare for data breach incidents.
Bring Your Own Device (BYOD)
EU Data Protection Rules impose obligations on data controllers (employers) to ensure the security of personal data they hold about their employees.
User devices can easily pass malware and viruses onto company platforms and impact security levels. Combining personal data of employees with company data may complicate compliance with EU data protection rules.
Employers must abide by EU data protection rules when rolling out a global HR information system involving the processing of EU employee data outside of Europe.
Employee Monitoring and Cross-Border Investigations
EU rules limit the ability of EU legal entities to process personal data within Europe, and to transfer it to foreign affiliates and third parties, including non-EU governmental authorities.
Data Subject Access Requests
EU data protection rules give employees the right to access personal data about them that is held by their employer, and also to correct inaccurate information or request its deletion.
Proposed EU Data Protection Regulation
A new and highly controversial Regulation on data protection is currently being debated by the EU institutions and, if adopted, will become directly enforceable law in all EU Member States.
There are many more and companies definitely need to take them seriously. It’s important that employers understand their responsibilities and potential liabilities under data protection law. Employers that ignore their legal obligations risk reputational damage and potential prosecution in the courts. However, our research shows that, where employees feel they are under excessive monitoring or surveillance, they have more negative attitudes to their employer and are more likely to suffer from stress. Employers should therefore develop policies in this area that take a compliant, but balanced, approach and ensure that employees are aware of, and understand their rights and obligations under data protection law.
For more info please follow EU Data Protection.
Originally published at peopleconscience.com on October 18, 2016.