Data protection law applies to every organisation and individual in the UK that processes personal data, including employers who process employee or candidate personal data. It is essential to comply with the legislation, both to avoid regulatory or legal action and to maintain the trust of the individuals whose data you handle.

There are many situations in which an employer processes individuals' personal data, including recruitment, health information and workplace monitoring.

The GDPR (General Data Protection Regulation) came into effect in May 2018. The regulation is designed to protect individuals' privacy, giving them control over how their personal data is processed (collected, stored and used). Since the UK left the EU, the regulation applies in the UK as the UK GDPR, read alongside the Data Protection Act 2018 (DPA 2018); any processing of personal data is governed by these two pieces of legislation.


Key Principles

The UK GDPR sets out seven key principles, which should be central to any data protection policies and procedures within your organisation.

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability


Subject Access Requests / Right to Data

Under the UK GDPR, employees (and candidates, former employees and any other individuals whose data you hold) have the right to access the personal data you hold about them. There is a process you must follow if you receive a request for that personal data to be disclosed.

If you receive a Subject Access Request (SAR) you must respond within a legal timescale of one month from receipt of the request. This can be extended by a further two months only if the request is complex or if you have received a number of requests from the same individual; you must tell the individual about the extension within the first month. A SAR can be made in writing or verbally, and "in writing" does not have to mean a letter: a request made by email, text message or social media is still valid. The request does not need to use the words "subject access request" or refer to the UK GDPR.

All personal data you hold about the individual must be disclosed under a SAR, including personal data contained in emails, text messages and other written correspondence, together with supporting information such as the purposes of the processing, the recipients of the data and the retention period. You can refuse a request (or charge a reasonable fee) only if it is "manifestly unfounded or excessive". Note that some information may be withheld under specific exemptions in the DPA 2018, for example information that would identify another individual who has not consented to its disclosure, or material covered by legal professional privilege; any such exemption must be considered and applied on a case-by-case basis rather than used as a blanket refusal.

Communicating with Staff

Your organisation (not an individual) is the data controller for the employee and candidate data it processes, and it should clearly assign responsibility for data protection to a named person or role. Some organisations must also formally appoint a Data Protection Officer, notably public authorities and organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special category data. When staff are employed or engaged, it is a mandatory requirement that you tell them how their data will be used and stored. This is done in the form of a Privacy Notice, which is usually sent along with the Contract of Employment.

If you have any questions about data protection or the UK GDPR within your own organisation, or require any training or refresher sessions, please contact us (team@hrprime.co.uk) to discuss.