The GDPR will cover how practices handle data they hold on their employees as well as patients. NHS Employers has produced a useful guide, in conjunction with law firm Capsticks, to help employers understand their responsibilities. This article summarises some of the key points from that guidance and highlights relevant information from the Information Commissioner's Office (ICO).
From an HR perspective, practices need to consider the following points.
Identify and meet your data protection officer
GP practices are public authorities under the Freedom of Information Act, so you will need a data protection officer. This can be done within the practice, or your federation or CCG may have a data protection officer who will be responsible for you. Contact your CCG and federation to find out if this is being arranged locally at scale.
If the data protection officer will be appointed at practice level, then the practice manager will be involved with drawing up the job description and responsibilities associated with this role. The data protection officer role can be taken on by someone already employed in the practice. NHS Digital's Information Governance Alliance guidance says: 'A practice manager, or one of their colleagues, can be appointed as data protection officer in addition to their existing roles as long as they have some data protection experience and are not the final decision taker about data use in the organisation (which would be seen as a conflict of interest).'
You will need to carry out a data audit of current HR and other data-related processes to identify what data is held about staff and job applicants, the reasons for which it is processed and to whom it is disclosed. The ICO has provided a sample template for this audit.
Understand the legal grounds for processing personal data
Practices need to make sure they understand the legal grounds for processing personal data about employees. NHS Employers says that where consent is currently relied on, you should check that it continues to meet the GDPR requirements.
It says the legal bases for processing employees' personal data include:
- to comply with legal requirements
- for the discharge of an organisation's tasks and functions
- because the processing is necessary for the purposes of a contract with the data subject (for example, an employment contract).
The ICO has said that because of the imbalance of power in the employer/employee relationship, consent should not be relied on for employee records. Relying on consent also entitles the data subject to certain additional rights under the GDPR.
There is a legal basis for employers to hold information on their employees, such as the information needed to check that the employee has the right to work in the UK, but you must inform employees what information you hold on them and give them the right to rectify and/or erase incorrect information.
Review any self-declarations of consent that you currently use to ensure that the reasons you are collecting the data and what you will do with the data are explicit, and that the rights of the individual are made expressly clear.
What are employees' rights?
The ICO explains that the GDPR gives data subjects the following rights, and these will also apply to employees:
- the right to be informed: employers need to explain how employees' personal data will be used
- the right of access: this is similar to the rights under the Data Protection Act (DPA) and includes subject access requests
- the right to rectification of data that is inaccurate or incomplete
- the right to erasure under certain circumstances
- the right to restrict processing of personal data
- the new right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.
Draft a privacy notice for employees
This will demonstrate that you have informed your employees about how their personal data may be used and who it is shared with.
Under current data protection laws, employers are required to make available to employees and job applicants a privacy notice setting out certain information.
NHS Employers explains that in future, under GDPR, employers will need to ensure they provide more detailed information within their privacy notices such as:
- the identity and contact details of the employer
- contact details for the data protection officer
- who data will be shared with, including any information that may need to be shared with other professional bodies
- how long data will be stored for
- the individual’s right to have personal information deleted (the right to be forgotten) or rectified in certain circumstances
- the individual’s right to make a subject access request
Any information provided to individuals including employees in this regard must be clear, concise, transparent and easily accessible.
NHS Employers recommends that employers review all documents that require a self-declaration from job applicants and employees to ensure they clearly explain the rights of individuals.
Update your policies
Ensure that all the data that you hold can be justified under the data protection principles: it is lawfully processed, it is processed for limited purposes, it is not excessive, it is accurate and kept up to date, it is not retained longer than necessary, and it is kept secure and not transferred without adequate protection.
Check that your policies conform to these principles and the requirements of GDPR. The priority needs to be the data protection and IG policies and your HR policies. Check that you are actually following your policies. Do you conform to your records retention schedule for example? Do you still hold any employee files of employees who left decades ago? What information is held on your email or your shared drive?
The spirit of the GDPR is that organisations 'meet the principles of data protection by design and data protection by default.' This implies a systematic review of your systems and processes and looking at measures that can strengthen the way you look at data protection at all levels of the practice.
The NHS Employers guidance suggests that measures that could be considered to strengthen data protection include:
- data minimisation or reducing the amount of personal data you hold
- pseudonymisation or replacing identifiable fields within a data record
- allowing individuals to monitor processing to review systems and suggest improvements
- creating and improving security features on an ongoing basis.
Depending on the size of your practice, pseudonymising your HR records may feel excessive; however, an overall review of how you hold and protect your employee data is a good idea. It is likely that there are ways to strengthen security or tighten adherence to policies that will result in better data protection. Keeping records of this review will help you evidence the steps that you have taken to meet GDPR.
Check any third party suppliers
Where outsourced data processing providers are used, ensure that you carry out due diligence on them and that contracts with them are updated to reflect the further requirements of GDPR. This would apply where you outsource your HR functions. Many practices outsource their payroll, so it is worth checking with the provider that it is aware of and prepared for GDPR.
Communication and training
The introduction of GDPR is the biggest change to data protection since the introduction of the Data Protection Act in 1998. It is really important that all staff understand how their data is used and any staff involved with HR functions have training to ensure that they follow policies correctly.
- Fionnuala O'Donnell is a practice manager in Ealing, West London, and a CCG board member