Alongside mandatory information, good-quality workforce data is a valuable asset that drives organisations forward and maintains HR’s role as a critical business partner. This has led to evolving regulations that protect individual privacy – such as the UK GDPR – and mitigate risks posed by hacking and cyber incidents. Breaches at major high street brands targeting employer data highlight this issue.
This can present challenges for HR professionals who have a responsibility to capture, securely store and appropriately use employee data while respecting individual privacy.
Most organisations use third parties to store, host and manage employee data through procured IT platforms. These are often Software-as-a-Service (SaaS) platforms where third parties host data in the cloud. Examples include recruitment, payroll and employee engagement platforms. However, HR teams are data controllers, so they cannot ‘contract out’ of their data protection obligations. Ultimately, they remain responsible for safeguarding employee data: for what is collected, how it is sourced and who has access to it.
Data minimisation and data retention
Data minimisation means organisations are legally required to collect only the data that is necessary to perform their function. ‘Insight’ cannot come at the expense of breaching data protection laws and, as such, organisations face a balancing act in establishing which data is necessary to collect.
Data retention determines how long collected personal data needs to be held for. The UK GDPR requires that data is not kept ‘longer than necessary’ and it is for employers to justify their chosen retention period.
This is not always a blanket approach, as certain types of data have different legal retention periods. ‘Special category’ data, such as EDI information covering ethnicity, health and sexual orientation, faces tougher data protection requirements. Organisations must make sure processing this sort of data is lawful, fair and transparent. This is important for supporting EDI strategies, so employers should consider whether they can anonymise and aggregate this data, which brings it out of the scope of the UK GDPR.
Some employers gather and hold excessive amounts of data, accumulated since ‘day one’ of an employee’s contract. Conversely, some retain very little employee information. Retaining too little not only deprives HR teams of valuable data insights but also hampers the ability to defend post-termination employment claims.
Optimising data minimisation and retention can be a significant challenge, and this is where external, pragmatic guidance from data privacy experts can be useful.
Using third parties: privacy assessments and ongoing monitoring
As ‘data controllers’, employers should exercise due diligence and assess and document privacy risks through a data protection impact assessment before allowing third parties to process employee data.
A preliminary measure is to consider whether employee data needs to be hosted externally at all, or whether the same benefits can be achieved by hosting it locally.
During contract negotiations, employers should ensure that responsibility for data protection compliance, and liability – including the ability to back up and restore data should things go wrong – is documented.
Once a third party has been onboarded, and throughout the contract lifecycle, data privacy laws require employers to check that the provider’s security and privacy offering continues to be satisfactory.
It is important to remember that working with a market-leading third party does not necessarily mean the data will be 100 per cent secure or that the provider will cover client losses following a breach. In fact, some SaaS providers heavily limit their liability under their standard terms and conditions, which acts as a barrier to recovering losses.
Staying ahead of employee data challenges
Employee data insights will be in the HR professional’s toolkit for years to come as they continue to shape the future of the workplace and in increasingly strategic areas such as EDI. However, it is essential for teams to be proactive and thorough when deciding both what data to collect, and who is entitled to process it, given heavy regulation around the use of this type of data.
Lauren Wills-Dixon is a solicitor and data privacy expert at Gordons