Staff records: your data protection obligations
The Data Protection Act is concerned with personal data - information about living, identifiable individuals held on computer or in certain structured manual filing systems.
Six principles for processing of personal data
The GDPR sets out six data protection principles that you must comply with when processing personal data. These are that data should be:
- Lawfulness, fairness and transparency - make sure workers understand why you are collecting the data and how you will use it.
- Purpose limitation - you must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary.
- Data minimisation - you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
- Accuracy - you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you rectify incorrect data that relates to them.
- Storage limitation - you must delete personal data when you no longer need it. Individuals have the right to request that you delete data that relates to them, you must do this within one month of receiving the request.
- Integrity and confidentiality - you must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
You must keep these principles in mind when deciding what information to collect, when establishing procedures for processing this information and when dealing with requests from workers.
Personal information should be kept secure. You should use appropriate security to prevent the personal data being compromised.
This will involve having the right physical and technical security, backed up by robust policies and procedures and well trained staff.
Read Information Commissioner's Office (ICO) guidance on information security.
Penalties for a breach of personal data
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should keep a record of any personal data breaches regardless of whether you are required to notify the ICO.
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
Failing to notify a breach when required to do so can result in a significant fine up to 10 million euros or 2 per cent of your global turnover.