May 4, 2023
According to data protection laws in the UK, a business must be transparent about the personal data they collect and process about any data subject.
Slow down, what do these words mean?
Personal data is any information that can identify an individual person, whether directly or indirectly. Examples include first and/or last name, date of birth, email addresses, home addresses, job titles and financial details such as bank account numbers.
A data subject is an individual person about whom you collect personal data. They have rights under data protection laws that they can enforce against your business to make sure their information is accurate and protected.
Being transparent in the world of data privacy means having the right policies and procedures in place and publishing these to the relevant data subjects. There is a principle under data protection law that requires businesses to provide this information in a way that is easily accessible and easy to understand.
We should mention that the employer is also referred to as the data controller in the context of a privacy notice – this means that they make decisions about what happens to the data, and are responsible for keeping it secure.
Ok, please continue.
A privacy notice is a document that sets out all this information, including where data is stored, how it is kept secure, who it is shared with etc, in a clear and concise way. You’ll usually find this on a company’s website in the footer of every page, and in some cases, in the email signature of their employees. Now, this kind of notice applies to the company’s external contacts, such as website visitors, clients and suppliers.
In contrast, an employee privacy policy is directed at the company’s staff and explains how the business processes their personal data whilst they are in employment. The information processed may vary depending on specific roles and personal circumstances, for example, if your role dictates that you work with third parties to the business, such as clients or suppliers, your data is more likely to be shared with those externals so that you can do business with them.
This, as you may have guessed, is an internal-facing document that is usually published on the intranet or in a Handbook for employees to access. It is usually recommended that this document is read alongside the company’s other data protection policies, so that each team member has a fuller understanding of the business’ approach to privacy.
It does not form part of an employee’s contract of employment, but the employer is obligated to comply with data protection laws, so this protects the employee’s personal data from a different angle.
If the employer relies on “consent” as the “legal reason” for collecting and processing an employee’s personal data, then they must seek the employee’s signature to evidence this. Usually, an employer will rely on “legitimate interests” (i.e. justifiable business aims) to record information about their staff, to avoid this admin headache.
Your staff have the same rights as other data subjects, such as your website visitors, in relation to their personal information. You must follow the same rules and provide the same information and level of transparency to your team as you do to external clients. Therefore, your other data protection policies, such asData Breach, Data Subject Access Requests, and others, apply to your employees by virtue of this Employee Privacy Notice.
It is also a good way to make sure the information you hold about your staff stays up to date, as the notice gives personnel the right to request that their data is amended and updated, which is useful for your records.
We hope it never comes to this, but in the event that an employee who resigned, or who you dismissed or made redundant wanted to bring a claim against you, for example, because they believe they were unfairly or wrongfully dismissed, or were discriminated against during their employment with you, then they may contact you asking for access to the personal data you hold about them. This is known as a “data subject access request” (DSAR). This might be to gather evidence from emails that could cause detriment to your defence to such a claim.
Data protection and employment cases are often interlinked on this basis, so it’s important to seek legal counsel when you receive a DSAR from a former employee, even if it seems to be on an amicable basis. It’s often likely that they have taken advice from a lawyer to ask you for this information, in order to support their claim.
We can help you navigate the rules on what you can and cannot withhold from the data subject in this instance, how to redact documents and communications to protect yourself and your business information – because confidentiality (of both your business and your clients) can come into play as well – and what communications and acknowledgements are needed in response to the DSAR.
If you’re in need of advice or support in drafting an employee privacy notice, our team can help you with that! You can get in touch with the team here.