HR Data Protection: 4 Key Things Employers Need to Know

March 11, 2014


Cloud-based software applications have transformed HR from a laborious, paper-based manual process into a dynamic, highly automated, web-based one.

HR teams are now managing more and more personal data, and storing and sharing it across networks and the internet on an unprecedented scale. Of course, all this is happening at a time when cyber-crime is on the rise and organized gangs have turned stealing personal data into a global industry.

This means that HR professionals have a duty of care to look after personal data in a way which keeps it safe from theft and misuse. But there is nothing to be alarmed about: HR professionals should simply comply with data protection requirements under the Data Protection Act. To help with this, we have set out below 4 key things that HR professionals need to know about data protection.

  1. You can’t just store any personal data about employees. You need to ensure that the data that you hold about employees is ‘adequate, relevant and not excessive in relation to the purpose that you are storing it for’. For example, if you paid your staff in cash, you would not have a legitimate requirement to store bank details and should not store them.
  2. You are also required by law to take steps to ensure the data is protected from ‘theft and/or unlawful use and accidental loss and destruction’. Talk to your technical team or HR software vendor and make sure there are industry-standard security and backup systems protecting all your data.
  3. You can send personal data to other offices in the UK or EU, but you can only send personal data to offices in countries outside of the EU if you can be sure the country has an adequate level of protection, meaning they have signed up to the ‘Safe Harbour Scheme’ or have a Commission ‘positive finding of adequacy’. So, if you have workers in countries outside the EU, or you plan to use cloud-based HR software with servers based outside the EU, you need to consider this third point closely.
  4. An employee can request to see personal information that you are holding about them and ask you to provide them with a copy of that information. This is known as a subject access request, and you are required to respond within 40 days of receiving the request. Our tip is to try to choose an HR system which has ‘self service’ enabled so the employee can view their personal data when they wish. This should reduce or eliminate the need for subject access requests.

For more information on this subject, visit the Information Commissioner’s Office.
