How to comply with Data Protection requirements for HR-related Data

Last updated: 25 September 2023 at 16:47:51 UTC by JAMS Assistant

It is important to be transparent about how the council collects and processes personal data. Councillors are responsible for a compliance culture where individuals know what their responsibilities are and what to do if an issue arises.

Understand

• It is important to have an understanding of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (which supplements the GDPR in the UK) and to help build a compliance culture in the council.

• Undertake an audit of your data; refer to the ICO guidance.

• Train employees in the regulations to help them understand how they apply to them in their day jobs and what their responsibilities are. Ensure that employees know what personal data is, how it should be dealt with, the importance of data security and the repercussions of data breaches.

Document

• Develop a thorough plan to ensure that all policies, procedures and practices in the council are compliant.

• Ensure that Privacy Notices and Data Protection Policies are reviewed to consider any changes and tested periodically to check ongoing compliance. These documents should explain how the council processes and stores personal data and on what basis.

• Document your record retention processes.

Respond

• Respond to subject access requests. Employees have the right to make a subject access request and can make a complaint to the Information Commissioner if they believe that the council has failed to comply with their data protection rights.

• Respond to data breaches immediately. Evidence of the breach should be kept and notes taken. A breach must be reported to the Information Commissioner's Office within 72 hours, where it is likely to result in a risk to the rights and freedoms of individuals. Employees must be notified if there is a breach.

 

Individual rights under GDPR

Employees have the right to:

• Make a subject access request

• Rectify inaccurate personal data

• Erase personal data where it is no longer necessary and where the employee withdraws their consent and where there is no other legal ground for processing

• Restrict processing in certain circumstances

• Object to processing that is based on the employer’s legitimate interests.

Concerns about data protection

It is important to ensure that employees who raise concerns about data protection issues are adequately protected against dismissal or detrimental treatment because they have raised concerns. The protection available should be clear in the council’s whistleblowing and data protection policies as well as in practice.



This document was commissioned by the National Association of Local Councils (NALC) in 2019 for the purpose of its member councils and county associations.

Every effort has been made to ensure that the contents of this document are correct at time of publication. NALC cannot accept responsibility for errors, omissions and changes to information subsequent to publication.

This document has been written by the HR Services Partnership – a company that provides HR advice and guidance to local (town and parish) councils. For more information about their services, contact them on 01403 240 205.

© NALC 2019