The HR Guide to Employee Data Protection

Employee Data Misconceptions

  1. Employers believe that they do not need to notify employees before processing data. However, most global privacy laws require employers to notify their employees of every instance of data collection and data processing.
  2. Employers believe that they have an unrestricted right to monitor their employees for security and productivity reasons. However, most global privacy laws allow monitoring of employees only under certain conditions and as long as such monitoring is not unreasonably intrusive to employees.
  3. Employers based in the US believe that laws from other countries do not apply to them. This is incorrect, as laws such as the GDPR may also apply in the US if, for example, the employer is processing data belonging to EU residents. Most global privacy laws have extraterritorial application. Therefore, it is important for an organization to identify which privacy laws apply to it depending on its employees’ residencies, citizenships, place of work, or any other appropriate factors.
  4. Employers believe that a data breach will result in fines. This can be the case, but it depends on the severity of the breach and its impact. Apart from fines, employers might also be asked to provide further mitigation services to employees affected by the breach, as well as to overhaul or upgrade their security frameworks to ensure that the breach does not take place again.

Global Data Privacy Laws on Employee Data Protection

European Union

United States of America (California)

  • Investigation by the California Attorney General;
  • Filing of a civil action by the California Attorney General if it is discovered that the cause of the breach was a lack of implementation of reasonable and appropriate security measures to protect the PI of employees;
  • Maximum civil penalties of $7,500 for intentional violations and minimum civil penalties of $2,500 for unintentional violations of the CCPA can be granted by the court;
  • Employees can file private lawsuits for damages of between $100 and $750 or for actual damages (whichever is higher) for each incident of breach if it is discovered that the cause of the breach was a lack of implementation of reasonable and appropriate security measures to protect the PI of the employees.

Brazil

  • The purpose of the processing has been achieved, or the data are no longer necessary or pertinent to achieve the specific purpose intended;
  • The processing period has ended.

New Zealand

  • Criminal prosecution (may be liable on conviction to a fine not exceeding $10,000).
  • Civil penalty via action taken by the Director of the Human Rights Review Tribunal.
  • Private right of action by an aggrieved individual, or by a representative on behalf of the individual or a class of individuals.

Singapore

HR Employee Obligation Lifecycle

  1. Employers must inform job applicants about the types of personal data they will be required to submit and the purpose for which it will be used.
  2. The collection of data during the recruitment process should be limited to what is relevant to the performance of the job being applied for.
  3. Application forms should contain authorizations from job applicants if their personal data is collected from third parties such as previous employers or referees.
  4. Background checks must not be overly intrusive and authorization of the job seeker should be sought before they begin — the results of these checks are highly sensitive information and should thus be protected carefully.
  5. Retention of unsuccessful job applicants’ personal data should be limited — only retain their data to consider them for future job openings if they consent to it — or delete the personal data.
  6. Evaluation of candidates using publicly available data is allowed under some global privacy laws such as the CCPA. However, the requirements may differ from one law to another. For example, the GDPR allows employers to run background checks on publicly available information only if a legal ground is available to process that data. This requires employers to take into account whether the publicly available information, such as the applicant’s social media profile, relates to business or private purposes, as this can be an important indication of the legal admissibility of inspecting the data.
  1. Most privacy regulations such as GDPR and CCPA/CPRA require employers to provide notice to their employees before the collection and processing of their personal data.
  2. The collection, processing and retention of employees’ personal data should be limited to what is necessary, relevant, and proportionate to any function the employer has in the context of the employment relationship.
  3. An employer should generally avoid relying on employees’ consent for most data processing at work due to the imbalance of power between an employer and an employee. Exceptional circumstances where consent can be relied upon may include taking consent from employees for voluntary employee benefit programs, as there are no adverse consequences on the employment relationship for refusal. Such consent must be freely given and well documented.
  4. Employers may be able to monitor their employees for productivity, security and enforcement of the company’s policies. However, they are required to inform employees of such monitoring prior to undertaking it and employ adequate safeguards to protect the data collected from the monitoring activity.
  5. Employers must conduct risk-based assessments and adopt measures to mitigate the privacy risks to their employees before they conduct profiling or any other high-risk data processing activity with their employees’ data. High-risk data processing activities may include the collection of medical data for medical insurance, profiling for performance evaluation, or other employment-related decision-making processes.
  6. Employers are required to fulfill employees’ DSR (data subject request) rights within stipulated deadlines. These rights include the right to request access to their personal data, to delete their personal data, or to opt out of certain forms of processing. Generally, access to and amendment of data that would be prejudicial to the management and functioning of the employer, or that contains third-party information, is exempt from employees’ DSR requests.
  7. Employers must ensure that they have appropriate and reasonable security measures in place to protect their employees’ data. If employees’ data is accessed, acquired, or compromised in a security incident, employers must notify the impacted employees and/or regulatory authorities within the time frames stipulated by the applicable privacy law.
  8. Employers must assess the privacy practices of external third parties and vendors they contract with for processing their employees’ data for any reason (e.g. HR services, security contracts, or medical insurance services). It is best practice to have contractual agreements containing safeguards for the protection of the transferred data.
  9. Employers must regularly update their HR records to reflect accurate and necessary personal information about their employees. Inaccurate, obsolete, or unwanted information should be modified or removed.
  1. Employers must have a clear data retention policy and procedure in place. Personal data of employees and former employees that is no longer needed should be deleted, and anything that is required for legitimate purposes (legal, accounting, tax purposes, or future job roles) must be kept in separate secure databases with limited access.
  2. Employers must obtain consent from exiting employees if they wish to retain their data for future job roles.
  3. Former employees have rights to access their personal data held by an employer. However, employers are not obliged to keep the personal data of former employees updated and corrected.

How Securiti Can Help

  • Securiti offers a 360-degree solution for employers to cover all the bases of any privacy regulation and enable compliance. Here are some of the modules that Securiti uses to help organizations stay compliant.
  • Securiti’s Data Mapping Solution helps employers conduct effective data mapping that can help them identify the correct legal basis and ensure lawful data processing.
  • Securiti helps employers create privacy notices and incorporate sensitive data intelligence to achieve privacy compliance across all data processing activities and projects.
  • Securiti’s Data Privacy Impact Assessment solution incorporates AI to enable Assessment Automation to trigger and conduct risk-based assessments.
  • Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notifications within hours of a security incident.
  • Securiti’s Vendor Management Solution allows employers to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with applicable privacy regulations.
  • Securiti offers the DSR Automation Solution to help employers honor all rights of their employees and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises efficiently process data subject requests and enable coordination between stakeholders for reviews and approvals.

Conclusion

All Thing Data Privacy & Security

Privacy Research Team, Securiti