The GDPR is causing many employers to re-think how they manage employee information.
How should I store information about employees?
It is essential that all information you have about employees is kept secure. This includes information that you use or access electronically or keep in some form of filing system. For example, if a line manager carries out a performance review, a disciplinary hearing, or a return to work interview, and keeps his own records or notes of this, he must ensure that they are kept secure and allow the employee to access them on request (see below).
You need to think about where and how information about employees is kept, who has access to it and why. Electronic information about employees should be password protected and the password changed regularly. Paper documents and records need to be kept in secure drawers or cabinets and not left lying around or shared with other managers or colleagues.
You also need a simple means of accessing all of the information you hold about an individual employee quickly and so it maybe that all records and information are kept in a central location and/or by a nominated person within your business or that certain records and information is kept in specific places so make it easily accessible on demand.
What information am I allowed to have?
You are only allowed to gather, use and keep information that has been obtained for a specific and lawful purpose. For example, if an employee applies for a specific job and sends you his CV, you can use that CV to assess him for that job. If there is another job, perhaps in another department, you think he might be interested in you must obtain his specific consent before you forward his CV to another manager.
Most of the information you have about an employee is directly related to his employment – either to comply with your contractual obligations or your legal obligations. This would include the employee’s address, perhaps a personal 'phone number, a photo of him for his ID card, or his driving licence and/or passport details. You may have information about his performance (probationary and annual reviews); training he has received; about his health (medical certificates etc); and personal information such as the fact that she is pregnant or his childcare arrangements.
It is extremely important to ensure that the information is only used for the specific and legitimate purpose for which it was gathered. For example, obtaining a photo of the employee for ID purposes but then using it for marketing or on a website would be a breach of the regulations unless you had their specific written consent to use it for these purposes.
Sensitive personal information
Some information you have about an employee is regarded as particularly sensitive – this includes information about an employee’s health, their ethnic origin, their religion or beliefs, or their sexual orientation. You are allowed to keep and use this information but only for employment law purposes, such as not to discriminate against an employee or dismiss him unfairly; to establish, exercise or defend a legal claim; to monitor equal opportunities or equal pay; to assess the employee's working capacity/capability; or to ensure that they are treated lawfully, for example if they are pregnant or make a flexible working request.
Where sensitive personal information is concerned you must have an appropriate policy document in place explaining your procedures for complying with the data protection principles, and your policies for retention and erasure of this ‘special category’ information. You must also maintain a record of your processing activities and you may be required to make these documents available to the ICO upon request.
What if the employee tells me other personal things about himself?
Generally this should not be written down, kept or used for any reason. The exception would be if the employee told you it as part of an internal procedure – for example, during a return to work meeting an employee might tell you that he is stressed because he is getting divorced, or during a grievance about a colleague an employee might reveal that he is gay. If he needs emergency time off for a dependant he might tell you that this is because his son has been excluded from school or that his mother has died. You should keep a record of the request (and your response) but it should be kept securely (perhaps in a sealed envelope in his personnel file marked strictly private and confidential).
These are extremely private matters and, whilst they can be kept as part of the records of the procedures you are following, this information should be kept very secure and not communicated to anyone unless absolutely necessary (your HR or legal adviser for instance). Managers need to be very clear about this and about the need to avoid ‘gossiping’ about them.
Can I still monitor my employees?
If you monitor your employees for a legitimate purpose, perhaps by using CCTV, accessing their email or telephone calls or a clocking in device, you can continue to do so but you must make them aware of the nature and reason for the monitoring. This should be done in your privacy notice with more information provided in your policy document(s).
So what should I do right NOW?
1) Issue all employees, workers, contractors and consultants with a privacy notice
2) Update your employment documents (particularly your contracts, Handbook and your Data Protection Policy)
3) Review how you gather, use and store employee information and how you retain it
4) Review and update security measures
5) Train your staff to raise awareness of information security issues
6) Appoint a ‘responsible person’ to manage this process
The GDPR is the biggest shakeup of how companies gather, use, share, store and use information ever. And the potential fines are huge. We can help you manage the information you have about your employees safely and in a way that is least likely to bring you to the attention of the ICO. We can offer training, advice, help and guidance on all aspects of the GDPR so please ask a manager or your HR consultant to contact us for further information.
