Data protection, or rather the lack of it, is often in the news. Earlier this year data held by the HR department of the US Federal government's Office of Personnel Management (OPM) was hacked, affecting almost four million past and current government employees. The attack was thought to have been carried out by Chinese cyber-hackers.
The UK has also seen some serious breaches of personal data. Brighton and Sussex Hospitals NHS Trust was fined £325,000 in 2010 after sensitive records were found on hard drives sold on eBay. Sussex Police was fined £160,000 earlier this year after a data breach allowed the disclosure of an interview with a victim of sexual abuse via a DVD.
Data protection runs through almost every aspect of business. For example, if an employer monitors its employees' use of email and collects personal data about them, it must say how it intends to use the information and use it only for that purpose. Sales will have lists of confidential clients. Marketing and PR may have confidential data on potential customers' buying preferences. HR will have data on every employee, worker and self-employed consultant with whom the company deals.
Individuals can easily stumble into having a great deal of responsibility over personal data, and may not realise the extent of their legal obligations. How often have you done the following?
- Reviewed the length of time you keep personal data?
- Considered the purposes you hold the information for in deciding whether (and for how long) to retain it?
- Securely deleted information that is no longer needed?
- Archived or deleted information that has gone out of date?
Ignorance of the law is no excuse, but if the company wants to avoid data breaches and the embarrassment that goes with them, it must make sure that employees understand the rules. That means training them, updating them on legal changes, and keeping a clear record of the training that has been delivered. If you hold a position of trust, particularly in relation to children or vulnerable people, the risk of fall-out from such a breach increases. The company must be able to prove it has done all it reasonably can to ensure employees know and follow the law.
Professional services firm PwC has surveyed a cross-section of employers and found that more and more are falling behind in data security and, in particular, in defending against cyber-attacks. Frighteningly, the CIPD has reported that a cyber security incident now costs an organisation £1.7 million on average.
A third of the companies surveyed by PwC reported their employee records being compromised by such a breach. That not only puts your own employees at risk, and may therefore make retaining good staff difficult, but it also damages your reputation in recruitment. Employers will benefit from reviewing and strengthening their systems and from training their staff both in data protection law and in good security and confidentiality practice.
Cloud-based systems are becoming popular, but they put firms (particularly small businesses with fewer resources to defend themselves) at greater risk from hackers as the cyber world becomes more interconnected. Only 36% of firms in the survey said they had a security strategy to protect their data.
Companies demand a lot of personal data from employees, with good and legal reason. Copies of eligibility-to-work documents are often scanned and saved instead of being printed off and slotted into a locked filing cabinet. National Insurance numbers, bank account details and diversity surveys may also be in the cloud somewhere.
In the UK, fines issued by the Information Commissioner are currently capped at £500,000, but this may change. New EU proposals for more stringent data protection could mean the introduction of far higher fines of up to €100,000 or 5% of a company's annual turnover. If the regulation becomes law, any business with European customers will have to comply with the new requirements, which include taking reasonable steps to implement procedures and policies to protect data from attack.
There will always be someone out there with the brains and the mindset to hack a firm's data. Some data protection law is not clear cut: what is a reasonable length of time to hold certain data? But that doesn't excuse employers and employees who don't make the effort to follow the law and fulfil their obligations.