Your workplace deals with a lot of sensitive information about you. Our guide looks at GDPR in the workplace. It’s important to understand what your rights to data protection are in the workplace. From HR records to private conversations about medical information, all are covered by the legislation.
What is GDPR?
The General Data Protection Regulation (“GDPR”) is essentially a new piece of legislation which tells everyone how they have to deal with and look after data.
GDPR came into force on 25 May 2018 and replaces the Data Protection Act.
GDPR applies to any organisation that handles personal data, and it is mandatory to comply with the new rules.
What is Personal Data?
Personal data is any information that can identify an individual. This might be an employee, volunteer, customer, trade partner etc – literally anyone!
Personal data will include:
- Payroll details
- Staff number
- Personnel file including disciplinary records
- Occupational health records or any medical details
- Staff photos
- Customer address, phone number or email
The Right to Confidentiality at Work Under GDPR
All employees have the right to confidential data at work being kept private. This means that a breach of privacy at work could leave the employer open to a complaint being made to the ICO.
Using the examples above, that means an employer should never hand out personal contact details of a staff member. Even to another employee.
Medical information should also not be shared without consent. The most obvious example of this is if an employee discloses a pregnancy. This information should be kept private, and not disclosed to other staff members. Our guide on health confidentiality in the workplace has more information.
GDPR Data Example
Sounds obvious , but what about information that organisations may hold without ever having direct contact with a person?
For example – Mrs X contacts her local florist and tells them that Mrs W has recently fallen and broken her leg. She wants to send Mrs W flowers, but asks that they are left in the porch as Mrs W isn’t very mobile and so will struggle to answer the door. The florist writes it all down.
Does the florist hold personal data?
Yes! The florist will have Mrs W’s personal data, as they know her name and address. They also hold “sensitive personal data” (a category of personal data that holders must take extra care with) as they have details of her current medical condition. The florist must therefore follow the new GDPR rules.
What are the new GDPR rules?
GDPR sets out 6 principles which must be followed. Data must be:-
- Processed fairly, lawfully and in a transparent manner.
- Obtained for a specific lawful reason and only processed for that reason.
- Adequate, relevant and not excessive.
- Accurate and kept up to date.
- Not be kept longer than necessary.
- Kept securely.
Examples of GDPR breaches:-
A – ABC Company Ltd has an HR file for all their employees. They are kept just in a pile on the floor in the corner of a meeting room.
“This is a breach of principle 6, to keep data securely. HR records should normally be kept in a locked filing cabinet, or even better, paperless on a secure server requiring password access.”
B – Bob’s Building Company Ltd gets all employees to fill in their address and next of kin details upon joining the company. Bob knows that one of his employee’s wife sadly died last year, and that two recently moved house. The records have not been updated.
“This is a breach of principle 4, to ensure data is accurate and kept up to date.”
Rights of Employees Under GDPR
GDPR has given, or clarified, a person’s rights to data held about them. Focusing specifically on employees, these rights include:
1. The right to view
Employees have the right to see a copy of all personal data held by an employer about them. You simply need to make a request to your employer (see below re how to request).
2. The right to be informed
An employer must confirm to employees how they intend to process personal data. This must be in a concise, easily accessible format, and be written in plain English.
3. The right to rectification
An employee has the right to demand that any information held about them is corrected if it is incomplete or inaccurate. For example, your address is incorrect. Any information must be rectified within 1 month of a request to rectify being made, though this can be extended to 2 months from the date of request if the process of updating all the required data is particularly complex.
If the employer has needed to pass on that information to a third party (for example to a separate payroll company), they must update the third party company with the correct information.
4. The right to be forgotten
An employer must securely destroy or delete data if:
- It is no longer required for the purpose it was collected.
- The employee withdraws consent to process their data and there are no other legal grounds to do so.
- The employee objects to their data being processed and there is no other legitimate business reason to override that objection.
The employer does not however have to erase any data that they require in order to comply with legal obligations, or to pursue or defend claims.
In reality, this is likely to mean that companies will refuse to delete any data about employees that is under 3 years old (being the general time limit for injury claims to be brought, and the HMRC minimum required time to keep payroll records).
How to Request to See the GDPR Data Held About You by Your Employer
1. Simply speak to your employer. They will usually be able to quickly and easily provide you with a copy of what you require.
2. If your employer is unable or unwilling to provide you with a copy on an informal basis, make a subject access request. Essentially you just need to write to your employer including your name, address, contact information and any identifying payroll or work ID number, and set out what information you want to see with any relevant dates (e.g. any disciplinary records from 2014 to date).
3. Your employer must then deal with the request within 1 month of receipt. There should be no charge for dealing with your request unless the request is ‘manifestly unfounded or excessive, in particular because of its repetitive character’.
In order to get information quickly, and maintain a good relationship with your employer, be as specific as you can about what information you require (or don’t require).
For example you may only want a copy of your pay slips from the last 3 months (for example to show a rental agent), and not require all payslips since you started at the company 5 years ago!
If your employer is refusing to comply with a GDPR request or you have any concerns, you can seek help from one of the following: