Data Protection webinar: Data Protection & Human Resources

Presentation transcript:

Data Protection webinar: Data Protection & Human Resources Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers turned on and you will shortly hear a voice! 18th March 2014


This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

What Data Protection is about: 1
Protecting data
Protecting people
- Prevent harm to the individuals whose data we hold, or other people
- Keep information in the right hands
- Hold good quality data
Employees, Volunteers, Donors, Service users, Members, Professional contacts

What Data Protection is about: 2
Give us more money! Support our campaign! We sold your details to someone else
- Reassure people that we use their information responsibly, so that they trust us
- Be transparent – open and honest, don’t hide things or go behind people’s back
- Offer people a reasonable choice over how you use their data, and what for

What Data Protection is about: 3
Comply with specific legal requirements, such as:
- Right to opt out of direct marketing
- Right of Subject Access
- Notification
- (And others)

The main topics for this webinar:
- Best practice with HR records
- External suppliers (e.g. payroll)
- The wider role of HR
- Contracts and staff handbooks
But first:
- The Data Protection Principles
- The definition of Personal data
- Confidentiality

The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Personal data
[Diagram: grid of Data / Not data against Personal / Not personal]

Personal data
The Act applies to information that is ‘personal’ and ‘data’
The personal part means that it is about:
- identifiable, living individuals
The data part means that it is recorded:
- on a computer or automated system
- in a ‘relevant filing system’
- with the intention of going into one of these systems

Data Protection and Confidentiality overlap a lot, but they are not the same
Clear boundaries

How confidential is confidential?
- Reasons for absence
- Sickness records
- Pregnancy
- Disability
- Disciplinaries
- Supervision notes
- Welfare/home circumstances

Taking confidentiality seriously
- Gossip
- Scams
- Passwords

You could be breaking the law if you don’t respect confidentiality
It is a criminal offence ‘knowingly or recklessly’ to:
- access data you are not authorised to access
- allow another person unauthorised access
Examples:
- Criminal record and fine for operator who looked to see if her friends were on the police database
- Criminal record and fine (and no job) for bank clerk who looked up finances of partner’s ex-wife

HR records: Principle 1
Transparency & Choice
You must always ensure that Data Subjects are not in the dark about:
- who is collecting their information
- what purposes you hold their data for
- who you might pass the data on to
- how to contact you if they want to stop you from using their data or check what you are doing
You must give people a reasonable choice over how their data is used – and in any case you must meet at least one of the ‘Schedule 2’ Conditions
Fair Processing

‘Fair Processing’ conditions
- With consent of the Data Subject (“specific, informed and freely given”)
- For a contract involving the Data Subject
- To meet a legal obligation
- To protect the Subject’s ‘vital interests’
- Government & judicial functions
- In your ‘legitimate interests’ provided the Data Subject’s interests are respected

HR records: Principle 2
Limited purposes
- When you obtain information your purpose(s) must be clear
- ‘Staff administration’ is likely to cover almost all HR functions
- You must use information only in ways that are ‘compatible’ with the original purpose(s)

HR records: Principles 3 & 4
Data quality
The Data Protection Act says that data must be:
- Adequate
- Relevant
- Not excessive
- Accurate
- Up to date (where necessary)

HR records: Principle 5
Retention
- Not longer than ‘necessary’
- Refer to employment law book
- Take account of any regulations specific to your organisation’s area of work
- Broad brush approach:
  - Short term (up to 6 months? current year?)
  - Medium term (often 6 to 7 years)
  - Long term (effectively indefinite)

HR records: Principle 6
Data Subject rights (access)
- Subject Access is important
- Can run alongside open files/self service
- The right is to access all their personal data; this includes e-mails about them
- There are exemptions: negotiations, planning …
- You may have to ‘redact’ third party information:
  - Where someone else is the source
  - Where the information is about someone else

HR records: Principle 6
Data Subject rights (references)
- References you have given are exempt from subject access
- References you have received should be shown unless they are confidential
- When giving a reference:
  - Is the information you have still accurate and up to date?
  - Make it clear whether the reference is confidential or not

HR records: Principle 7
Security
The Data Protection Act says you must prevent:
- unauthorised access to personal data
- accidental loss or damage of personal data
The security measures must be appropriate. They must also be technical and organisational.
The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.

Key security measures
- Protect ‘data in transit’
- Passwords & encryption on USB devices and laptops
- extreme care when faxing, e-mailing & posting
- think about encryption on e-mails if appropriate
- BYOD policy
- Access controls, clear desks, locked filing cabinets
- HR information held by line managers
- External contractors (‘Data Processors’)
- Secure destruction – shredding, etc.

Data Controller
- The ‘person’ legally responsible for complying with the Data Protection Act
- A trading company is a separate Data Controller
- Organisations can be joint Data Controllers
- Good practice to have a Data Protection Officer

Data Processor
- An organisation that work is outsourced to, which involves accessing Personal Data
- The Data Controller remains responsible for what happens to the data
- There must be a written contract with the Data Processor, setting out:
  - what they are to do
  - what the relationship is
  - security
  - others worth looking at (checklist)

The role of HR in promoting good Data Protection practice I
- Job descriptions
- Employment contracts
- Staff handbook
- Behaviour/Code of conduct
- HR Policies and procedures
- Induction
- Training
- Monitoring
- Discipline
(Don’t forget temps, interns, placements, etc.)

The role of HR in promoting good Data Protection practice II
Policies & procedures in operational areas:
- Service users
- Fundraising, membership & supporters
- Volunteers
- Safeguarding
- Complaints procedure
Repository of good practice
Written in full collaboration with relevant managers

Data Protection: the absolute basics
We are trying to:
- Prevent harm by
  - Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  - Holding good quality data (accurate, up to date and adequate)
- Reassure people so that they trust us
  - Making sure people know enough about what we are doing
  - Giving people a choice where possible

Many thanks
Follow-up questions: paul@paulticher.com
To come by e-mail:
- Link to evaluation questionnaire
- Link to download the presentation, after you have completed the questionnaire