Ensuring GDPR Compliance Regarding Your Employee Data in the SME Sector.
By Louisa Meehan, Woodview HRM
The new General Data Protection Regulation (GDPR) comes into effect in Ireland on May 25th 2018. There has been much discussion in the business community about preparation and compliance for customer data, but what about your employee data? We often hold far more sensitive and personal data about our employees than we ever would about a customer, so are we giving that information the same consideration?
The Basics
Let’s take the opportunity to refresh on some of the basics first:
- Personal data is any information related to an identified or identifiable natural person (‘data subject’). This definition not only includes names and other factors specific to the identity of the individual but also online identifiers such as an IP address and location data.
- Sensitive personal data are specific categories of personal data related to a person’s: race or ethnicity; political, religious or philosophical beliefs; sexual life or sexual orientation; health; genetic or biometric data; criminal record; or trade union membership. There are additional requirements for the protection of sensitive personal data.
- Processing of personal data covers the many different uses of that data, including: collecting, recording, storing, adapting, using, disclosing, destroying and deleting data.
- The General Data Protection Regulation (GDPR) applies to both ‘data controllers’ and ‘data processors’:
  - A data controller is a person, company or other body who, either alone or with others, controls the contents and use of personal data.
  - A data processor is a person, company or other body who processes personal data on behalf of a data controller. This does not include an employee of the data controller who processes such data in the course of his/her employment.
- The rights cover data related to identified or identifiable persons (e.g. customers or employees) held either electronically or physically – this includes physical files, emails, Customer Relationship Management (CRM) systems, images or recordings of individuals. (Source: IBEC, 2018)
That’s a lot to take in, so let’s make it simple! Organisations need to have a plan in place covering why and how they obtain any personal data (especially sensitive personal data) about anyone, who can access it, how it is stored, and when and how it is destroyed. In addition, should someone, an employee for example, make a data request (also known as a Subject Access Request or SAR), then the organisation must be in a position to provide all personal data held about that individual within 30 days of the request.
As a business, you get to decide on your HR data retention policy; however, it must be realistic and justifiable. The industry sector, the relevant legislation and the type of data all need to be taken into account when making this determination.
Typical HR Data
During the employee lifecycle, quite a lot of personal and potentially sensitive data is requested and created. A key action for any organisation is to identify what data it holds and create guidelines for its retention. Creating a template, such as the recruitment example below, would be beneficial:
Stage in Lifecycle | Data | Storage Location | Access | Retention Period
--- | --- | --- | --- | ---
Recruitment | Applications | Recruitment and HR File | HR | Employment period for employees; 1 year post recruitment date for applicants
 | CV | Recruitment and HR File | HR | Employment period for employees; 1 year post recruitment date for applicants
 | Medical Forms | HR File | HR | Employment period
 | Pension Details | HR File | HR | In line with pension and / or death
 | P45 | Payroll File | Payroll | In line with Revenue requirements
 | Selection Grid | HR File | HR | Employment period for employees; 1 year post recruitment date for applicants
 | Interview Notes | HR File | HR | Employment period for employees; 1 year post recruitment date for applicants
 | Passport or other proof of identity | HR File | HR | Employment period
 | Other | | |
Each organisation will be unique in terms of the employee data it gathers, but what they all need is clarity on this process and on why the data is being kept. They need to be able to identify why it has been requested, how it is used, who has access to it, where it is stored (this should be very secure: a locked area for hard copies; a secured IT drive with appropriate backup, encryption and access controls for soft copies) and how long it will be retained for. The sample above is just that, an example. In practice it would require more input and organisational specifics.
This is an excellent opportunity for an organisation to review the type of data being held about its employees and gain clarity on the necessity of retaining a copy of it.
Other typical areas that organisations will need to consider are performance management, grievance and disciplinary handling, leave requests (forms / letters / emails), next of kin records, pension records, payroll / tax / PRSI records, life insurance policies, health insurance policies and medical information. There may well be other areas in your company. A good way to review is to carry out a sample HR audit on files and documents to ascertain what data is stored in them, whilst also reviewing the ‘other’ information held by HR, line managers, payroll, occupational health and pensions.
When setting retention periods organisations should consider statutory requirements, company needs, limitation periods and data protection requirements. Some employee data has minimum statutory retention periods, for example:
Data | Minimum statutory retention period
--- | ---
Wage information | 3 years
Working hours and related information | 3 years
Collective redundancy information | 3 years
Parental leave records | 8 years
Carer’s leave | 3 years
Employment permit records | 5 years or a period equal to the duration of employment (whichever is longer)
Accident records | 10 years
Other data needs to be retained taking claim periods into account, e.g. breach of contract is 6 years, unfair dismissal 1 year, personal injuries 2 years.
Employees
When it comes to employees, you could be forgiven for thinking only of the current pool of staff you work with on a daily basis; however, you would be mistaken. Employees include anyone who has applied for a position in the company, as well as past employees.
For applicants, it is recommended to retain the recruitment file for a period of up to 12 months following the completion of the recruitment campaign, in case an unsuccessful applicant takes a case against the company in the WRC, e.g. under the Equality Legislation.
For past employees, it is recommended that the full HR file is retained for a period of 12 months, in case an employee takes a case of unfair dismissal following termination of employment. After this, a record of the period of employment will need to be retained along with the necessary tax and pension information, once that information has been identified.
First Steps
Understanding what data you have and limiting it to what you need is the most important first step. As with all things HR, the most important thing is to set your policy, be clear, and follow your policy. For GDPR that means asking the following questions:
- What data do you hold?
- Why do you hold the data?
- Where is the data stored (hard / soft copy), and have you ensured its security?
- When do you need this data? Set retention periods for each type of data stored.
- Who in the organisation (HR / Finance / MD / Line Manager / Payroll etc.) has access to each piece of data, bearing in mind that an employee can request all data held on them at any time?
- How have you reached your conclusions? Ensure your policy is both realistic and justifiable.
And as with all data, whether created online or offline (i.e. printed in hard copy), it’s important to have a destruction policy for the data once the retention periods listed above have expired. Investing in a cross-cut shredder is imperative, and it must be at security level P-5, due to the sensitive nature of the data that is and will be destroyed in your organisation.