Becoming an employer (4) - protecting employee data
The moment you receive a CV from a prospective employee, you're processing personal data, and that means you need processes in place to protect that data. Hopefully you wouldn't carelessly leave that CV on the bus... but there are many other ways that personal data could become lost and misused.
Lots of people think data protection is just a bunch of annoying rules trying to stop us doing anything, but those same people would be angry if their own identity was stolen. We all have a responsibility to respect the privacy of individuals, and once you become an employer there are some specific things you need to do. The Information Commissioner's Office (ICO) has some really useful information, focused on smaller businesses, to help you get started: https://ico.org.uk/for-organisations/sme-web-hub/
You also need to register with the ICO, which you may have done already if you store and process client data. It's often only £40pa, but you can be fined if you're processing personal data without being registered. I registered as soon as I started my business and will be renewing shortly.
My employee data protection compliance started with me thinking about what data I actually NEEDED in order to employ someone, and it wasn't actually very much - most of it is the information I need about someone to set them up for payroll.
- full name (ideally matching exactly what's on their passport and what HMRC has on record)
- date of birth
- full home address
- National Insurance number
From their P45 (if they have one) I will also collect their
- leaving date from their last job (if relevant)
- existing tax code
- total pay and tax paid to date for the current tax year (if relevant)
- student loan deduction status
There is a starter checklist from HMRC that I can get them to fill out if they don't have a P45 from their last employer.
In order to pay someone, I will also need their bank details. To communicate with them, I probably want their mobile number and email address.
So, at this point, I am already starting to amass quite a bit of personal data. I'm sure the same is true of all new employers. To check they have the right to work in the UK, I need to take a copy of their passport.
As you add to this list, it's important to keep a record of what you are collecting, holding and using. Keeping records is vital to all your other data protection activities - as is the idea of "data minimisation", which means only collecting what you actually NEED for a specific purpose. I've approached this by creating a spreadsheet that's my Employee Data Schedule. It lists all the items of personal information I may hold about someone, why I need it, where I store it, how I use it and when I destroy it. Writing it all down helps me focus on whether I really do need that piece of information or not.
For each piece of personal data, you have to have a lawful basis for holding and using it. For almost all the information types I list above, the lawful basis I am relying on is "the processing is necessary for a contract you have with the individual". I cannot employ someone without paying them and I need all that information to pay them. I hold the copy of their passport based on "the processing is necessary for you to comply with the law" - without it I could not evidence their right to work in the UK. I hold their contact details to help me run my business so "the processing is necessary for your legitimate interests".
You will notice that the lawful basis for holding the data I have is NOT consent. Consent can be withdrawn, so don't ask your employees to consent to you holding their data unless it really is optional for them - perhaps emergency contact details might be an example.
Although you're not asking for consent, you do have to make sure that the people whose data you have know what you have and what you'll be doing with it. This includes applicants for jobs and any employees, workers or freelancers that you hold data about. This communication normally comes in the form of a Privacy Notice. You can download templates from the internet that vary from 1 page to 30 pages. The important thing is to make sure the content of your Privacy Notice is true and accurate (not just aspirational), easy for people to understand, and properly tailored to your business. The aim is to ensure transparency, not confuse everyone even more!
My Privacy Notice for employees ended up being 5 pages long and was based on the ICO template for small businesses.
When you hold personal data, you need to make sure it's secure. This may mean putting paper documents in a locked drawer where only you can access them. If you're holding information online then it can be a bit more challenging to check what security is in place. So I recommend talking to someone who can advise you on this. Things to consider include making sure your network is secure, that you only use secure applications, that your devices and software are kept up to date, and that you have the right access controls set up.
I got a cyber security expert (who also happens to be my husband?!) to help me think about all the systems I use that hold employee (or client) personal data and how I can reassure myself that it is all protected to a reasonable level for a business my size. One example of the actions I took is that I chose the paid option of Google Workspace, which means any data held in my Google applications is stored within the UK/EU (you have to declare any transfers of data outside the UK/EU, as the privacy laws elsewhere may not be up to scratch!). I also have strong passwords on systems and don't reuse them between different systems.
There is a lot more to the UK data protection legislation than I can cover here, but the first step is to realise that when you become an employer you have a whole new set of data protection responsibilities and there are actions you need to take. The ICO website takes you through everything in a pretty straightforward way, but you can always get help and advice from data protection specialists (I can recommend some if you get in touch).
What's important to remember is the "accountability principle" within the legislation, which means it's not enough to just comply with the law, you also have to be able to evidence that you have complied. This means you need to go through the requirements carefully, make records of the decisions you take, and keep everything under review as things will no doubt change over time.
I'm comfortable with data protection requirements, and have trained plenty of managers on this topic in the past, but if you're feeling in the dark about what you need to do then get in touch and I'll hopefully at least provide a torch for you to see the way ahead. It doesn't have to be scary or hard work.
Look out for my next topic in this series: paying people and dealing with HMRC