Data security is not often something that is considered in the role of HR, and it is sometimes considered to be someone else’s responsibility. However, as an employer, there is a lot of data that you will hold and handle on a daily basis about your employees, so it is important to understand what data you can collect, what authorisation you need for this, and how to store this data safely. The cost of getting employee data wrong can be very substantial, and in some cases, fines can reach millions. However, it doesn’t have to come to that, and we can help you ensure that your employees’ data is collected and stored in the appropriate way.
Essentially, employee data is no different to any other data that you may have: you should only hold data on your employees that is needed, this should be held securely and confidentially, and it shouldn’t be held for any longer than necessary.
As an employer there are two main types of data that you may want on your employees. The main type is the employee’s basic information, such as name, address, date of birth and employment details. This type is considered necessary data to ensure the ongoing employment relationship, and as such you can collect and store this without the need for specific permission from your employee. For example, you will need basic information on your employees such as name, address, salary details etc. in order to be able to set them up on your payroll and fulfil your part of the employment contract by paying them for the work they do.
The other type of data that you may wish to have on your employees is considered ‘sensitive’ data, and can include information relating to the employee’s race and ethnicity, religion, trade union membership etc. As this information is considered more sensitive you do need the employee’s permission if you want to collect and hold this.
Gaining authorisation or permission for employee data doesn’t need to be a complicated process and can just be added to your recruitment or induction process. A simple form that outlines the data you will gather from employees and explains what this will be used for, which employees are then able to sign to show they agree, would be sufficient.
Storing & Accessing
Whilst employees may be happy for you to hold information on them, particularly if it allows them to be paid, they will still want to know that it is being held securely. To do this, you should ensure that the data can only be accessed by designated individuals that need to have access to it, which may vary depending on the specific type of information. For example, a manager may need to know what training an employee has received previously, but they wouldn’t need to know their home address.
Keeping data secure is particularly relevant in the current pandemic, with some people accessing information from places outside the workplace and on different devices. It is therefore important to ensure that all devices are up to date with security software to help prevent viruses etc. which could compromise security, that they are password protected so that only relevant people can access the information, and that you have policies in place to remind staff about the procedures.
Retaining the data
You should only keep hold of employee data for as long as it is needed, and any data that is no longer needed should be deleted. There are certain retention periods (both statutory and recommended) that employee information needs to be kept for, so this should give a good timeframe for the retention of your data. For example, once an employee has left, it is recommended that their files are kept for 6 years after they leave in case any of the information is needed. Once you hit the end of these periods, the data should then be deleted/destroyed. Whilst it is easy to forget to do this, especially after long periods of time, it is important to have systems in place to ensure that it is carried out.
Staying on top of record management is also particularly important if the situation arises where an employee asks for a copy of the data you hold on them under GDPR. Ensuring that you have deleted any information that you are no longer required to keep means that there will be less data to go through, and so any request would be easier to complete.
We appreciate that collecting and storing data can be a complicated matter, so we have our own data protection service, with a data protection officer. If you are already signed up to this or just want to find out more information on it, then please do get in touch on firstname.lastname@example.org. Alternatively, if you have any general queries on employee data, then please do contact us either by emailing email@example.com or phoning 0117 970 2755 and we would be happy to help.