Data protection for HR

Data protection for HR

Data protection permeates on every people issue likely to be faced by the HR team - from employee recruitment to the storage of their exit interviews when they leave.

We know that many HR teams also have responsibility for employee data protection within their organisations, but the law on data protection is complex and commonly misunderstood.

Getting it wrong can not only land your business in hot water with the Information Commissioner's Office (ICO), it can also be a public relations disaster.

Ignorance is not bliss! The first step for many employers is often, simply, to begin to understand the extent of their legal responsibilities. This is where our business training can be invaluable in educating staff about what the law requires so they can become more aware of data protection issues in the workplace.

We can then carry out a data protection audit looking at the whole of your organisation's processes to help ensure appropriate structures for compliance are in place.

Data protection and privacy issues around employees and their data crop up every day. If you don't know the answer to any of the following, our team of specialists can help:

  • Is your data protection registration up to date and does it cover all the processing you carry out?
  • Does your staff handbook include data protection policies?
  • How do you recognise a 'subject access request' from an employee and what should you do if you get one?
  • Can you monitor employees' email use?
  • What pre-employment checks can you carry out on candidates?
  • How long can you keep personnel records?
  • Can you retain unsuccessful applicant's CVs? If so, for how long?
  • Do you need an employee's consent before sending them for a medical?
  • Do you have to physically remove spent disciplinary warnings from employees' files?

Our commercial colleagues can also help with data protection issues arising outside HR's remit, for example, in relation to customer information.

Work highlights

  • Drafting model clause agreements for the transfer of employees' personal data where the IT function was moving to the parent company in the USA.
  • Advising on detailed subject access requests issued prior to / during employment litigation by way of a fishing expedition, including assisting an employer with the processing and response to the request and liaising with a third party IT organisation regarding the retrieval of data.
  • Advising on the transfer of data outside of the EEA.
  • Delivering data protection training for HR teams and in-house lawyers (including 'train the trainer' sessions).
  • Advising on CCTV policy and monitoring of employees including advising on the installation of in-vehicle monitoring systems.
  • Advising on the employment implications of a 'mystery shopping' exercise at a retail outlet.
  • Advising on third party requests for disclosure of employees' personal data.
  • Advising on pre-employment vetting procedures for regulated and non regulated businesses.
  • Assisting employers to obtain relevant consents relating to occupational health and other medical referrals.
  • Drafting and advising on electronic communications policies and procedures for staff handbooks, including social media policies.
  • Drafting employment contracts to ensure compliance and protection for employers including capturing employees' consent to processing.
  • Advising on the data protection law aspects relating to employee's personal data in the context of mergers and acquisitions.
  • Amending and updating ICO notifications for clients in respect of employee data processing.
  • Advising on employee drug and alcohol testing.
  • Conducting impact assessments and data protection audits.