18th March 2014
Data Protection webinar: Data Protection & Human Resources
Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers turned on and you will shortly hear a voice!
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
What Data Protection is about: 1
• Prevent harm to the individuals whose data we hold, or other people
• Keep information in the right hands
• Hold good quality data
Protecting data, protecting people: employees, volunteers, donors, service users, members, professional contacts
What Data Protection is about: 2
• Reassure people that we use their information responsibly, so that they trust us
• Be transparent – open and honest, don’t hide things or go behind people’s backs
• Offer people a reasonable choice over how you use their data, and what for
(Illustration: “Give us more money!”, “Support our campaign!”, “We sold your details to someone else”)
What Data Protection is about: 3
Comply with specific legal requirements, such as:
• Right to opt out of direct marketing
• Right of Subject Access
• Notification
• (And others)
The main topics for this webinar:
• Best practice with HR records
• External suppliers (e.g. payroll)
• The wider role of HR
• Contracts and staff handbooks
But first:
• The Data Protection Principles
• The definition of Personal data
• Confidentiality
The Data Protection Principles
• Data ‘processing’ must be ‘fair’ and legal
• You must limit your use of data to the purpose(s) you obtained it for
• Data must be adequate, relevant & not excessive
• Data must be accurate & up to date
• Data must not be held longer than necessary
• Data Subjects’ rights must be respected
• You must have appropriate security
• Special rules apply to transfers abroad
Personal data
The Act applies to information that is ‘personal’ and ‘data’.
The ‘personal’ part means that it is about identifiable, living individuals.
The ‘data’ part means that it is recorded:
• on a computer or automated system
• in a ‘relevant filing system’
• with the intention of going into one of these systems
Data Protection and Confidentiality overlap a lot, but they are not the same.
(Diagram: Data Protection / Confidentiality / Clear boundaries)
How confidential is confidential?
• Reasons for absence
• Sickness records
• Pregnancy
• Disability
• Disciplinaries
• Supervision notes
• Welfare/home circumstances
Taking confidentiality seriously
• Gossip
• Scams
• Passwords
You could be breaking the law if you don’t respect confidentiality
It is a criminal offence ‘knowingly or recklessly’ to:
• access data you are not authorised to access
• allow another person unauthorised access
Examples:
• Criminal record and fine for an operator who looked to see if her friends were on the police database
• Criminal record and fine (and no job) for a bank clerk who looked up the finances of a partner’s ex-wife
HR records: Principle 1 (Transparency & Choice)
You must always ensure that Data Subjects are not in the dark about:
• who is collecting their information
• what purposes you hold their data for
• who you might pass the data on to
• how to contact you if they want to stop you from using their data or check what you are doing
You must give people a reasonable choice over how their data is used – and in any case you must meet at least one of the ‘Schedule 2’ Conditions (‘Fair Processing’).
‘Fair Processing’ conditions
• With consent of the Data Subject (“specific, informed and freely given”)
• For a contract involving the Data Subject
• To meet a legal obligation
• To protect the Subject’s ‘vital interests’
• Government & judicial functions
• In your ‘legitimate interests’, provided the Data Subject’s interests are respected
HR records: Principle 2 (Limited purposes)
• When you obtain information your purpose(s) must be clear
• ‘Staff administration’ is likely to cover almost all HR functions
• You must use information only in ways that are ‘compatible’ with the original purpose(s)
HR records: Principles 3 & 4 (Data quality)
The Data Protection Act says that data must be:
• Adequate
• Relevant
• Not excessive
• Accurate
• Up to date (where necessary)
HR records: Principle 5 (Retention)
• Not longer than ‘necessary’
• Refer to an employment law book
• Take account of any regulations specific to your organisation’s area of work
• Broad brush approach:
  • Short term (up to 6 months? current year?)
  • Medium term (often 6 to 7 years)
  • Long term (effectively indefinite)
HR records: Principle 6 (Data Subject rights: access)
• Subject Access is important
• Can run alongside open files/self service
• The right is to access all their personal data; this includes e-mails about them
• There are exemptions: negotiations, planning …
• You may have to ‘redact’ third party information:
  • Where someone else is the source
  • Where the information is about someone else
HR records: Principle 6 (Data Subject rights: references)
• References you have given are exempt from subject access
• References you have received should be shown unless they are confidential
• When giving a reference:
  • Is the information you have still accurate and up to date?
  • Make it clear whether the reference is confidential or not
HR records: Principle 7 (Security)
The Data Protection Act says you must prevent:
• unauthorised access to personal data
• accidental loss or damage of personal data
The security measures must be appropriate. They must also be technical and organisational.
The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.
Key security measures
• Protect ‘data in transit’:
  • Passwords & encryption on USB devices and laptops
  • Extreme care when faxing, e-mailing & posting
  • Think about encryption on e-mails if appropriate
• BYOD policy
• Access controls, clear desks, locked filing cabinets
• HR information held by line managers
• External contractors (‘Data Processors’)
• Secure destruction: shredding, etc.
Data Controller
• The ‘person’ legally responsible for complying with the Data Protection Act
• A trading company is a separate Data Controller
• Organisations can be joint Data Controllers
• Good practice to have a Data Protection Officer
Data Processor
• An organisation to which work is outsourced, where that work involves accessing Personal Data
• The Data Controller remains responsible for what happens to the data
• There must be a written contract with the Data Processor, setting out:
  • what they are to do
  • what the relationship is
  • security
  • other points worth looking at (see checklist)
The role of HR in promoting good Data Protection practice I
• Job descriptions
• Employment contracts
• Staff handbook
• Behaviour/Code of conduct
• HR policies and procedures
• Induction
• Training
• Monitoring
• Discipline
(Don’t forget temps, interns, placements, etc.)
The role of HR in promoting good Data Protection practice II
• Policies & procedures in operational areas:
  • Service users
  • Fundraising, membership & supporters
  • Volunteers
  • Safeguarding
  • Complaints procedure
• Repository of good practice
• Written in full collaboration with relevant managers
Data Protection: the absolute basics
We are trying to:
• Prevent harm by:
  • Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  • Holding good quality data (accurate, up to date and adequate)
• Reassure people so that they trust us by:
  • Making sure people know enough about what we are doing
  • Giving people a choice where possible
Many thanks
Follow-up questions: paul@paulticher.com
To come by e-mail:
• Link to evaluation questionnaire
• Link to download the presentation, after you have completed the questionnaire