In this article our Employment Law Consultant Director, Andrew Wilson, considers the questions regarding Data Protection laws, obtaining employee data and sharing it.
We get asked a lot about GDPR (General Data Protection Regulations 2015), so just to be clear. Our laws for obtaining, keeping and sharing personal data, like employment records, are all government by the Data Protection Act of 2018. GDPR was absorbed into this Act and has been superseded.
Here are a few pointers from Andrew regarding common questions that get asked of our employment law team:
- When installing monitoring equipment into a workplace other than for a very specific surveillance reason then anyone who is affected by the captured data must be informed about it. They must be told that surveillance, such as call monitoring, CCTV, dashcams or software usage, is happening, why it happens and how the data may be used and then stored.
- Personnel data relating to an individual, say an employee, must be held only for specific reasons and for a period of time that is deemed legitimate and proportionate. This might be for employment reasons, tax records, occupational health, safety, worker eligibility or ongoing litigation, to name but a few. Such information should only be disclosed to others with the persons consent, or for legal reasons. Sharing such information must be done in a secure manner, with an understanding as to how that data will be received, held, used and then destroyed.
- Sharing COVID vaccine records with other organisations, except in connection with work in care and nursing establishments, should be avoided. Some businesses are being asked to provide names, dates of birth, home addresses and NI numbers to validate their COVID vaccine status. The employer can verify all of this and keep the personnel data secure. The only information to be shared outside of the business is the workers status – double vaccinated, or not, in this case.