Category Archives: data protection

HR trends for 2018

Now that the excitement of the Christmas and New Year festivities has faded, it’s time to get down to business and look ahead to identify the HR trends for 2018.

One major trend is the increasing need to focus on data protection. In May 2018 there will be a major shake-up of the data protection laws which have existed in the UK since 1984 and are designed to protect employees and consumers in how their personal information is held and managed by organisations. Organisations will need to undertake an audit of data protection procedures across departments to ensure personal information is handled in accordance with the new laws. An audit should methodically identify what data is held and why, who manages the data, what procedures are followed, and what needs to be altered to ensure compliance with the law. Subject access requests must now be handled within one month and without charging a fee. Employees and potential new employees must be informed as to the exact reasons why their personal data will be processed. Organisations need to draw up a privacy notice that should indicate what personal information will be managed and how. To be honest, data protection isn’t the most exciting area of HR, but unfortunately if companies don’t comply the consequences could be huge fines. To find out more, there is a wealth of information on the Information Commission website https://ico.org.uk/

Following the success of Unison in the Supreme Court in July 2017, employment tribunal fees have been abolished. The fees were introduced in July 2013 and meant that if an employee wanted to take their employer to an employment tribunal for unfair dismissal they had to find £1200, which is a hefty sum if you have just lost your job. The Supreme Court decided that the fees were unfair and were a barrier to justice. Anyone who paid employment tribunal fees since 2013 is entitled to apply for a refund.

The statistics from 2013 – https://www.gov.uk/government/collections/tribunals-statistics – showed a dramatic reduction in the number of employment tribunal claims being lodged, which was the main intention of the Conservative government. Since the abolition of the fees there has been a noticeable increase in the number of claims being lodged, although at the moment they have not reached anywhere near the level in 2013 before the fee introduction. However, give it time. There remain a lot of unscrupulous employers out there who fail to treat their employees well. It now costs nothing to lodge a claim, so during 2018 we could well see the trend in the number of claims rising.

The latest unemployment figures show the rate is 4.6%, which means there is very little wriggle room for employers to find new staff. The skills shortage, and therefore this trend, will continue in the UK and may get worse. This is a phenomenon that has been around for quite a while in the UK, with many industry sectors suffering and competing for staff. The skills shortage may get worse in some industry sectors, with Brexit prompting skilled staff to return to their homes elsewhere in Europe.

ECHR Ruling: Employers Can Read Employees’ Private Messages


In a landmark case the ECHR (European Court of Human Rights) has deemed that employers can read employees’ private messages whilst they are at work. This has implications for UK employees who use Facebook, Twitter and other social media platforms to communicate with family and friends during their working day, and highlights the increasingly blurred boundaries of workplace privacy as working hours become longer.

The case was taken by a Romanian engineer who messaged his partner on a private messaging platform. His employment was terminated by his employer, which had a policy in place that banned its employees from making use of company resources for personal use. The employer had accessed his private messages on Yahoo as he also used this medium for work-related messages.

The ECHR decision goes to the heart of the employment contract with the implied term that in exchange for wages an employee commits the whole of their time to the employment for which they are being paid.

Some legal experts have warned that even after work hours have ended an employee should not use private messaging platforms for personal use with company smartphones, tablets or laptops.

Many employees may now assume that their employer could monitor their online activities whilst in work and should seriously consider what they do in this regard. However, it is important to note that in order to undertake monitoring of online activities, a policy should be in place that clearly states that this may or will take place. If there is no policy, in an employee handbook for example, employers should now consider the need to establish this. An existing policy should be reviewed in accordance with this development.

A statement referring to online activity monitoring should ideally be included in an IT and/or internet use policy.  An employment practices code linked to the Data Protection Act 1998 published by the Information Commission gives useful guidance on this matter.  In the light of this ruling, the Information Commission may need to review its own guidance now.

In a policy the employer should be clear about the purpose of monitoring, including its nature and extent and who will be doing the monitoring. With larger companies it would be expected that it would be done by the IT department, but small businesses would need to identify who would undertake the activity. The benefits of online monitoring should be included in the policy and ideally an impact assessment done to establish the risks. Monitoring should not be excessive and should only be done to meet a clearly defined purpose, otherwise employees will develop mistrust of their employers’ intentions, which is not conducive to a harmonious working environment.

Individuals who are undertaking the monitoring should be provided with training that includes maintaining privacy and confidentiality if accessing personal information.  These individuals should have clear written guidelines in this regard.

If monitoring is to enforce company rules, a link to the disciplinary policy should be stated, with the procedure clearly explained along with sanctions for non-compliance.

Employees should be made clearly aware that the policy is being implemented or exists and has been reviewed. New employees should be informed as part of an induction procedure. Ideally an employer should get explicit written consent to monitoring by implementing a consent form.

 

 

Data Protection Reform Delayed

The European Council has announced that EU data protection reforms will not be implemented until 2015.  The General Data Protection Regulation, which was originally expected to be finalised by May 2014, will introduce a single data protection framework throughout the EU.  It was previously anticipated that the data protection reforms would be finalised before the European Parliamentary elections in May next year.

The Data Protection Act was first introduced into the UK in 1984 and covered the use of paper records.  In 1998 it was updated to include records held on computer.  There are eight legal principles which organisations have to abide by when processing personal information which can include names, addresses, date of birth, bank details, etc.

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Information Commission website http://www.ico.org.uk/ provides independent advice and guidance about data protection and freedom of information.

The plan is to modernise the data protection legislation across the EU.  David Cameron has sought to avoid a deadline being brought in as the government fears the implementation of the new legislation will damage business due to increased costs, but has now agreed to the date of 2015 as a compromise. Data protection law will be implemented consistently across all member states.

 

 

Data Protection Rules to Change

The EU has decided that the UK is being too lax in implementing data protection law; therefore, later this year some key changes are going to take place. Companies with 250+ employees must employ a data protection officer whose role will be to ensure they deal with personal information of staff and customers correctly.

The Information Commission has also stated it will ensure that:

People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.

Users will have the right to demand that data about them be deleted if there are no “legitimate grounds” for it to be kept.

Organisations must notify the authorities about data breaches as early as possible, “if feasible within 24 hours”.

In cases where consent is required organisations must explicitly ask for permission to process data, rather than assume it.

From May 2012 organisations that break the rules will face severe penalties – up to £500,000 for companies that are guilty of breaches.

Individuals who fail to notify the Information Commission that they are processing personal information may be fined up to £1,000.