What should employers do to protect employee data?
As employers, you will hold a lot of personal information about your employees, from whether or not they have a medical condition to their salary and bank account details. That’s why in the workplace it’s important to develop a culture of respect for private life, data protection, security and confidentiality.
A few years ago I wrote about the modernisation of our Privacy laws just prior to the implementation of the Privacy Act 2020 (PA20) and intended impact that these changes would have on the workplace. Now, two years on, it is good practise to revisit the changes you may have made in your business to meet the requirements of ensure that they are effective and that all of the obligations you may have towards your team are being met.
PA20 has 13 information privacy principles that govern how businesses and organisations should collect, handle, and use personal information.
The first four principles govern how you can collect personal information. This includes when you can collect it, where you can collect it from, and how you can collect it.
Principles five, six, and seven govern how you store personal information. People have a right to access and seek correction to their personal information.
The remaining principles govern how you use and share personal information. Make sure information is accurate, and you use and share it appropriately.
Your priority is, of course, to make sure you’re meeting the prescriptive requirements of the PA20, through the implementation of good data protection policies and practices in your workplace, which in turn results in;
Increased trust in your organisation as a result of a more transparent environment
Increased efficiency by deleting out-of-date information and freeing up filing systems so that important information is easy to find
Avoidance of legal action through protecting yourself and yourr employees by making them aware of the importance of data protection.
Beyond that, here are some best practices to protect your employees and safeguard your organisation from the risk of a data breach.
Know what you’re collecting and why
Employers today are able to collect more data on their employees than ever before. However, you do need to let your team know what data you’re gathering and how you’re using that information.
Throughout your employment relationship, you will need to collect different kinds of personal information about your employees. As long as it is for a legitimate and necessary business purpose, then you can do so without too much hassle. Certain pieces of employee data may be necessary to capture for administrative and HR purposes. For example, an employee’s family details might be important for your employee benefits scheme or emergency contact requirements, or keeping employee discipline records might help you to monitor workplace behavior. However, when you start gathering data about team members, you should always ask yourself why you need the information and avoid collecting data that doesn’t have a specific purpose.
You are not allowed to collect employees’ personal information just because you can - you have to be able to justify why you need to collect the information in order for the business to function. If you cannot provide a legitimate purpose for collecting an employee’s personal information, you should not gather that information. For example, you may collect some personal information with consent directly related to an employee’s fitness for employment. This includes:
criminal conviction information;
information relating to anti-money laundering or a credit check;
information from referees; and
health information where appropriate.
Additionally, you cannot collect information in ways that are unfair or unreasonably intrusive. For example, asking a remote employee to have a camera in their home at all times raises considerable privacy concerns and is likely to be considered unfair and unreasonable as it places the employee under constant surveillance.
And remember, you must not use the employees’ personal information that was obtained in connection with one purpose for any other purpose unless there are reasonable grounds to do so.
Choose the right software and systems
Principle 5 of the Privacy Act says all agencies are required to protect personal information by security safeguards that are reasonable in the circumstances, including protecting the information against loss, access, use, or other misuse.
Most of us now use digital tools to process and store data. Many, especially those with remote or hybrid working environments, use cloud-based solutions, like CloudmyStaff (a solution we recommend for our clients here at Yellow). This is wise, as paper records are vulnerable to destruction by fire or flood or can be physically removed from a safe space.
Online document and data storage systems let you keep everything securely in the cloud. Secure cloud-based solutions enable you to restrict access to documents through user access controls, encrypt data, set passwords, and even see who has accessed records.
To reduce the risk of a data breach, work with apps and software that have strong privacy policies, like CloudmyStaff. Use strong passwords and update them regularly. Get to know your software and apps so you can enable security features that let you keep employees’ information private.
Be transparent with your employees
Being transparent can help you create a culture of trust. When asking employees (or prospective employees) to provide personal data, explain why you need that information. This can help calm any worries and helps employees to understand how their data is being used.
You need to ensure your employees know when you collect and use their personal information, so it is a good idea to include a privacy clause detailing this in their employment agreement. For example, many businesses use CCTV for security purposes. You need to ensure your employees know that you are filming them and only do so when you need to.
Create privacy and employee data protection policies
It is important that you engender a positive culture around privacy protection in the workplace and that your employees are receptive to this culture. If an employee breaches the privacy of another employee, client or a customer, your business will usually be the one responsible. This is unless you can prove you have taken all reasonable steps to prevent employees from breaching another person’s privacy.
There are two policies that I recommend that can help you keep worker data safe.
First, is a privacy policy for your workplace. This can help outline how you handle customer, client and employee data. For example, you might state that you don’t share personal information unless it’s necessary. You can also explain what you need for payroll, benefits, and other important parts of doing business. A privacy policy can also help employees understand their own obligations. For example, if you require team members to BYOD (bring & use their own devices), tell them whether they can access personal email or social media during working hours.
The second is an employee data protection policy. This is an internal document for your team. It tells people at your company what they can do to keep worker data safe. It’s different from a privacy policy as these are typically external and explain how you protect data. You can use an employee data protection policy to explain exactly which employee data is protected. You can also create company rules for keeping this sensitive information private. For example, you can request that any files with employee data be labeled as “private.”
Update employee records regularly
It pays to always ensure that employees’ data it has is accurate, up-to-date, complete, relevant and not misleading. Remove unnecessary and outdated information from your employee files and database. If your systems are hacked, having outdated information could boost any claims that you didn’t care for your employee records. Storing unneeded documentation also puts more of your team at risk.
While you’re at it, conduct regular audits on your employee records and data storage systems. Make sure the data is still secure and that previous employees or other unauthorised people don’t have access to it. Ensuring that you have security systems, such as malware protection, in place is important. As is using the latest versions of software to avoid security vulnerabilities.
Consider who you do business with
Chances are, you need to share employee information as part of your business operations. For example, you may need to send payroll information to a bookkeeper or an accountant or share financial data with a benefits provider or the IRD.
Be sure to look over other organisations’ data protection policies before sharing your employee’s data with it. You can minimise risk by sharing only the minimum amount of data needed to operate.
Evaluate how employee data is shared internally
Take another look at sharing employee information internally, too. Casually forwarding an email with an employee’s personal information could make you liable if that information is misused.
A simple solution is to use a platform like Teams from Microsoft Office. It allows your team to stay in touch via a secure chat setting without needing to share contact information.
Train employees and managers on data protection
Employee data protection is only as strong as your team’s understanding of privacy and relevant laws. Managers who don’t understand the rules can easily put workers’ personal data at risk. Workers can also pass on information that another employee personally shared with them.
Train employees on how to recognise and handle personal data. The Office of the Privacy Commissioner offers free online privacy education. Their e-learning modules can be accessed at elearning.privacy.org.nz
Appoint & Train a Privacy Officer
As well as being required under PA20, having a privacy officer is useful for your organisation. Good privacy builds trust and enhances a business’ reputation. An internal privacy adviser who is familiar with the business and privacy law adds value to your organisation. Privacy officers can prevent or fix privacy issues before they become serious problems. This can save you money, or lost business. If someone complains that your organisation has breached their privacy, your privacy officer can help resolve things quickly and effectively.
The person responsible for privacy matters depends on the size of your organisation, the work it does, and what personal information it handles.
In smaller organisations, the manager is normally responsible for all legal compliance, including privacy. Often an in-house complaints, human resources, or legal team will do privacy work as part of their duties. Large organisations, or organisations that handle a lot of personal information, may need one or more employees focusing exclusively on privacy matters. Whoever takes on the duties of a privacy officer, it’s important for managers in the organisation to take their advice seriously.
Have a plan in place in case of a data breach
Even if you do everything right, the wrong people may gain access to employee information. In case sensitive employee information falls into the wrong hands or is compromised, you’ll want to have a clear plan in place for how you will handle the situation, keeping in mind that any serious privacy breach MUST be reported to the Privacy Commissioner.
Summary: Five golden rules to follow
Only collect personal data for specific purposes, don’t use it for any other purpose than specified to the employee (and only keep personal data for as long as necessary)
Ensure that data gathering is relevant rather than excessive
Store and transfer any data securely
Develop policies to meet your legal and operational obligations
Educate your team about privacy policies and appoint a Privacy Officer
Disclaimer This article, and any information contained on our website is necessarily brief and general in nature, and should not be substituted for professional advice. You should always seek professional advice before taking any action in relation to the matters addressed.