Sony, Talk Talk and the NHS are big organisations that have been caught by hackers. But small businesses are vulnerable too, perhaps more vulnerable, since few realise the risks they are running. With the General Data Protection Regulation (GDPR) coming into force in May 2018 and covering all employers, even microbusinesses, now is a good time to address the issue.
There is preparatory work to be done for the GDPR, not least in relation to your employees.
Is your data secure?
Lax password control is arguably the greatest threat to security. For a hacker, gaining an employee’s email password is invariably a route to all their other passwords, because password resets for other services are sent to that mailbox. Employees can be tricked by plausible emails, by plausible calls from people masquerading as IT support staff, or by connecting to a rogue WiFi hotspot in a hotel lobby.
Passwords are an enigma. Too memorable and they are insecure, because they may be guessed, or at the least they are not accepted by certain applications. Too strong, too many or changed too frequently and employees either forget them or write them down. We’ve all seen post-it notes attached to computer screens. There are some hints on passwords here.
Employees need to be made aware of these vulnerabilities through induction, training or, as a last resort, discipline.
Locate the data that you hold
The first task is to establish what personal data you hold. It is only lawful to hold such data if either you have the person’s consent or a legitimate reason for holding it. Any information that identifies or can be related to a living person is personal data. Thus email@example.com is personal data.
You will need to record that you have identified and located the data, perhaps providing an audit trail that you have done so. Employee data is held in multiple locations: paper personnel records, computer records, CCTV, payroll and perhaps others that you may need to identify. It may also be held by external agencies such as recruitment agencies. These can be different physical locations, for example the HR department, the IT department or employees’ homes. In addition, data may be accessible from different locations: an employee’s home or a hotel lobby as well as business premises.
Much data, including personal data, is held in cloud services. Do you know where those cloud servers are located?
Record that you have a legitimate reason (or consent) for holding the data
As a broad guide, “employment purposes” is a legitimate reason for holding personal data, and that includes sensitive personal data such as health information. Data held for one reason cannot be used for another. For example, it is common for payroll to deduct Trade Union dues from an employee’s pay. For payroll purposes it is legitimate to know that an employee is a Trade Union member. However, such data must not be shared with managers considering a promotion decision, for example. That would mean using the data for a different purpose. Such use would contravene the Data Protection Act and hence the GDPR. It might also provide prima facie evidence of unlawful discrimination.
Who has access to the data?
This may be wider than you think. We have assisted in the dismissal of an IT Manager who had access to, and misused, personal data that was held on a server by the employer. We hear stories of managers accessing and removing HR files without any signs of control over their reasons for access or even a record that they have removed them.
You might share data with external agencies, perhaps an HR Consultancy such as ours. Do you know that the data is safe?
Where cloud services are used there may be a question of who has access to data held on them. The possibility that the Trump administration might overturn privacy laws may cause some to have doubts over applications that use cloud services located in the U.S.
How long to keep personal data?
Some years ago I was involved in an exercise to remove out-dated personnel data, some of which went back to the First World War! Given that these paper wallets were filed in alphabetical (not chronological) order, it was quite a task. Being able to access data by means of a readily accessible date is clearly important.
Different personal data needs to be retained for different periods of time: job applications for a few months, pension details for 60 years or more.
The CIPD offer some more specific guidance on keeping records here.
Educate your staff
“We cannot protect organisations only through technology. An awful lot of it is human behaviour and action,” says Peter Cheese, Chief Executive of the CIPD.
Employer Solutions are expert trainers in employment matters; we can assist.
Malcolm Martin FCIPD is an experienced HR specialist offering general guidance. The information here is not intended as a substitute for specific legal advice.