1. Data Protection webinar: Data Protection & Human Resources
Welcome. We’re just making the last few preparations for the webinar to start at Keep your speakers turned on and you will shortly hear a voice!
18th March 2014

2. Please note:
If you want to make the links and animations in this presentation work, you need to Show it as a slideshow (press F5)
If you can see this slide, you are not in Show mode and the links and animations won’t work

3. This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

4. What Data Protection is about: 1
Protecting data
Protecting people 
Prevent harm to the individuals whose data we hold, or other people
Keep information in the right hands
Hold good quality data
Employees Volunteers
Donors Service users
Members Professional contacts 4

5. What Data Protection is about: 2
Give us more money!
Support our campaign!
We sold your details to someone else
Reassure people that we use their information responsibly, so that they trust us
Be transparent – open and honest, don’t hide things or go behind people’s back
Offer people a reasonable choice over how you use their data, and what for 5

6. What Data Protection is about: 3
Comply with specific legal requirements, such as: 
Right to opt out of direct marketing
Right of Subject Access
Notification
(And others) 6

7. The main topics for this webinar:
Best practice with HR records
External suppliers (e.g. payroll)
The wider role of HR
Contracts and staff handbooks
But first:
The Data Protection Principles
The definition of Personal data
Confidentiality 7

8. The Data Protection Principles
Data ‘processing’ must be ‘fair’ and legal
You must limit your use of data to the purpose(s) you obtained it for
Data must be adequate, relevant & not excessive
Data must be accurate & up to date
Data must not be held longer than necessary
Data Subjects’ rights must be respected
You must have appropriate security
Special rules apply to transfers abroad 8

9. Personal data
Data
Not data
Personal
Not personal

10. Personal data
The Act applies to information that is ‘personal’ and ‘data’
The personal part means that it is about:
identifiable, living individuals
The data part means that it is recorded:
on a computer or automated system
in a ‘relevant filing system’
with the intention of going into one of these systems 10

11. Data Protection and Confidentiality overlap a lot, but they are not the same
Clear boundaries 11

12. How confidential is confidential?
Reasons for absence
Sickness records
Pregnancy
Disability
Disciplinaries
Supervision notes
Welfare/home circumstances

13. Taking confidentiality seriously
Gossip
Scams
Passwords

14. You could be breaking the law if you don’t respect confidentiality
It is a Criminal offence ‘knowingly or recklessly’ to:
access data you are not authorised to access
allow another person unauthorised access
Examples:
Criminal record and fine for operator who looked to see if her friends were on the police database
Criminal record and fine (and no job) for bank clerk who looked up finances of partner’s ex-wife 14

15. HR records: Principle 1 Transparency & Choice
You must always ensure that Data Subjects are not in the dark about:
who is collecting their information
what purposes you hold their data for
who you might pass the data on to
how to contact you if they want to stop you from using their data or check what you are doing
You must give people a reasonable choice over how their data is used – and in any case you must meet at least one of the ‘Schedule 2’ Conditions
Fair Processing 15

16. ‘Fair Processing’ conditions
With consent of the Data Subject (“specific, informed and freely given”)
For a contract involving the Data Subject
To meet a legal obligation
To protect the Subject’s ‘vital interests’
Government & judicial functions
In your ‘legitimate interests’ provided the Data Subject’s interests are respected 16

17. HR records: Principle 2 Limited purposes
When you obtain information your purpose(s) must be clear
‘Staff administration’ is likely to cover almost all HR functions
You must use information only in ways that are ‘compatible’ with the original purpose(s)

18. HR records: Principles 3 & 4 Data quality
The Data Protection Act says that data must be:
Adequate
Relevant
Not excessive
Accurate
Up to date (where necessary)

19. HR records: Principle 5 Retention
Not longer than ‘necessary’
Refer to employment law book
Take account of any regulations specific to your organisation’s area of work
Broad brush approach:
Short term (up to 6 months? current year?)
Medium term (often 6 to 7 years)
Long term (effectively indefinite)

20. HR records: Principle 6 Data Subject rights (access)
Subject Access is important
Can run alongside open files/self service
The right is to access all their personal data, this includes s about them
There are exemptions: negotiations, planning …
You may have to ‘redact’ third party information
Where someone else is the source
Where the information is about someone else

21. HR records: Principle 6 Data Subject rights (references)
References you have given are exempt from subject access
References you have received should be shown unless they are confidential
When giving a reference:
Is the information you have still accurate and up to date?
Make it clear whether the reference is confidential or not

22. HR records: Principle 7 Security
The Data Protection Act says you must prevent:
unauthorised access to personal data
accidental loss or damage of personal data
The security measures must be appropriate.
They must also be technical and organisational.
£500,000
The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security. 22

23. Key security measures Protect ‘data in transit’
Passwords & encryption on USB devices and laptops
extreme care when faxing, ing & posting
think about encryption on s if appropriate
BYOD policy
Access controls, clear desks, locked filing cabinets
HR information held by line managers
External contractors (‘Data Processors’)
Secure destruction – shredding, etc.

24. Data Controller
The ‘person’ legally responsible for complying with the Data Protection Act
A trading company is a separate Data Controller
Organisations can be joint Data Controllers
Good practice to have a Data Protection Officer   24

25. Data Processor
An organisation that work is outsourced to, which involves accessing Personal Data
The Data Controller remains responsible for what happens to the data
There must be a written contract with the Data Processor, setting out:
what they are to do
what the relationship is
security
others worth looking at (checklist) 25

26. The role of HR in promoting good Data Protection practice I
Job descriptions
Employment contracts
Staff handbook
Behaviour/Code of conduct
HR Policies and procedures
Induction
Training
Monitoring
Discipline
(Don’t forget temps, interns, placements, etc.)

27. The role of HR in promoting good Data Protection practice II
Policies & procedures in operational areas:
Service users
Fundraising, membership & supporters
Volunteers
Safeguarding
Complaints procedure
Repository of good practice
Written in full collaboration with relevant managers

28. Data Protection: the absolute basics
We are trying to:
Prevent harm by
Keeping data only in the right hands (and being clear what ‘the right hands’ are)
Holding good quality data (accurate, up to date and adequate)
Reassure people so that they trust us
Making sure people know enough about what we are doing
Giving people a choice where possible 28

29. Many thanks Follow-up questions: paul@paulticher.com
To come by
Link to evaluation questionnaire
Link to download the presentation, after you have completed the questionnaire