Working with Data Protection - Part 2
Any business – regardless as to its size, must follow the rules on data protection if that business stores or uses personal information.
This applies equally to information kept on staff, customers, and account holders, e.g. when you might.
• Recruit staff
• Manage staff records
• Market your products or services
• Use CCTV
This could include.
• Keeping customers’ addresses on file
• Recording staff working hours
• Giving customer information to a delivery company
Data Protection Rules
A quick recap to remind you that you must keep all the information you hold securely, and make sure it is accurate and kept up to date.
When you collect the information in the first place, you must tell them who you are, how you will use the information, and especially let them know if the information is going to be shared with any other businesses (e.g. delivery businesses/printers etc).
You must also tell them that they have the right to.
• See any of their information you hold, and correct any errors
• Request you delete their data
• Request their data is not used for certain purposes
Always remember the ‘kept secure, accurate and up to date’ rule. It will never go away!
You must keep any data you collect on staff secure - lock paper records in filing cabinets or set passwords for computer records, for example. Only keep the information for as long as you have a clear business need for it, and dispose of it securely afterwards - by shredding, for example.
You must give the name of your business and contact details (or those of the agency) on job adverts.
Only collect the personal information you need on application forms, and do not ask for irrelevant information, like banking details, or motoring offences (unless relevant to the job).
Keeping Staff Records
You must ensure that only appropriate staff, with the right training, can see staff records, and store sensitive information (such as health or criminal records) separately. Only those with a need to know should be able to access sickness records.
Your staff have the right to ask for a copy of any information you might hold about them, including grievance and disciplinary issues. You must respond to their request within 30 days.
You may only be able to withhold some information when responding to a request if the information concerns someone else. An example of this might be to protect the identity of a whistle blower or someone who has made a valid complaint. In each case their identity needs to be erased.
If it is proven that a business is not complying with these obligations, it can be ordered to pay a fine or compensation.
Monitoring Staff at Work
It is imperative to be able to justify monitoring staff at work, which could include:
• Using CCTV
• Recording phone calls
• Tracking employee’s email and internet use
• Physical searches of individuals or their workplace.
We all understand that individuals, whether staff or not, have rights. Some of these rights are enhanced at work and if you do not treat them fairly, they could take to you to an employment tribunal or complain to the Information Commissioner.
If staff are going to be monitored – simply tell them. You can make it clear in the employment contract, employer handbook, or by an email. It really does make sense to include all this in an appropriate set of policies.
You can only monitor staff without their knowledge if you reasonably suspect that they are breaking the law and that if you told them about your concerns, it would be harder or impossible to detect the crime.
Any monitoring like this should cease immediately when the investigation is complete.
Using CCTV generally
If your business uses CCTV, you must register your details with the Information Commissioner’s Office (ICO) and pay a data protection fee, unless you are exempt.
The cost of your data protection fee depends on your size and turnover. There are three tiers of fee ranging from £40 and £2,900, but for most organisations it will be £40 or £60.
Charities and small occupational pension schemes only pay £40 regardless of their size and turnover.
Importantly, you are required to:
• tell people they may be recorded, usually by displaying signs, which must be clearly visible and readable
• control who can see the recordings
• make sure the system is only used for the purpose it was intended for - for example, if it was set up to detect crime, you must not use it to monitor how much work your staff do.
Who can see the Recordings?
Anyone who is recorded can ask to see images that you have recorded of them. Usually, you must usually provide the footage free of charge within 1 calendar month. Police or other regulators may have statutory powers to examine footage depending on the circumstances.
Data protection rules do not apply if you install a camera on your own home for household purposes - for example, to protect it from burglary.
Customers must always positively consent to you handling their data and must express so before you collect it. A ‘fair processing notice’ is a short statement advising them what data will be kept, for what reason, how it will be stored and who may see it. Implied consent and pre-ticked boxes are no longer good enough!
What do I do to get Compliant?
Someone within your organisation needs to have a working understanding of the Data Protection regime. Larger organisations may have an appropriate department. Smaller companies may need to appoint someone with overall responsibility.
We suggest the Following Steps
- Consider paying for someone to be trained appropriately who in turn can deliver in-house instructions and check policy and process. Remember that breaches need to be reported to the ICO within 72 hours of the breach.
- Check your employment contracts have clauses relating to how you treat data/monitoring/CCTV etc.
- Check your supplier contracts to double check that you are both catering for any data passing between you.
- Check your supply chain to satisfy yourself that of data is being passed over or received, it is being handled properly. If data is being passed over – make sure that any individual has consented to this happening.
By proving to stakeholders, employees, potential and existing customers that your organisation is compliant with new laws that protect the rights of citizens just like you (and your customers), you could bring in more business. Compliance can and does invariably add value to your business!
27th May 2020
How GDPR compliant are you?