GDPR for HR | Pay gaps, data access and IT security

Welcome to this month's edition of our GDPR for HR newsletter, bringing you a snapshot of developments, cases and insights relating to privacy in the workplace.

New DSAR guidance

On 24 May 2023, the Information Commissioner's Office (ICO) issued new guidance for employers on how to respond to a data subject access request (DSAR) from a current or former employee. This was designed to assist employers in handling DSARs and ensuring they fulfil their data protection obligations.

Key updates:

• If the business utilises social media platforms or chat channels for business purposes, they are considered the controller for the information processed on those platforms. When companies receive a DSAR, it is essential to search these social media platforms for any relevant personal information that falls within the scope of the request.
• DSARs can also be received through these social media channels as there is no requirement for requests to be in a certain format in order to be valid.
• The guidance specifically deals with disclosure of witness statements and whistleblowing reports including some factors to consider when determining whether it is appropriate (or not) to disclose these.   
• The guidance stresses the importance of having policies and procedures in place so that workers are aware of what they can and can’t do on the company's IT system; that is, a reasonable use or a personal use policy. 
• CCTV footage is potentially in scope of a request so it's important to check, when installing a CCTV system, that data can be extracted in response to a request and third-party data redacted where necessary. 
• A settlement or non-disclosure agreement cannot override an individual's right to obtain a copy of their personal information.  Any provisions in a settlement agreement purporting to fetter or restrict the right of access will be unenforceable. 
• Equally, employers cannot refuse to comply with a DSAR because of ongoing grievance or tribunal processes, even if the information requested has already been disclosed as part of those proceedings. 
• In respect of emails, all information in an email relating to the requester should be disclosed – even if the contents of the email are about a business matter. The individual's name and email address alone are their personal data so this should be disclosed – even where this is the only information relating to them.  

The ICO recently reprimanded Plymouth City Council and Norfolk County Council for non-compliance with information access requests. In 2022, the ICO also took action against seven organisations for failing to respond to DSARs. 

What are 11 practical ways to keep your IT systems safe?

On 19 April 2023, the ICO updated their 11 practical ways to keep your IT systems safe and secure. This provides practical steps that businesses and their staff can take to safeguard personal information and ensure data is kept safe and secure. 

1.    Back up your data
Regularly back up your data to an external storage device kept separate from your main workplace to minimise the risk of losing data in the event of a break-in, flood or disaster. Encrypt and lock away the backup.

2.    Use strong passwords and multi-factor authentication
Create strong passwords for devices and accounts storing personal information. Consider using multi-factor authentication, requiring two or more forms of identification for access. The National Cyber Security Centre (NCSC) recommends using three random words to ensure data security.  

3.    Be aware of your surroundings
Be cautious about your environment, especially in shared spaces, to prevent others from seeing sensitive information on your screen. 

4.    Be wary of suspicious emails
Train staff to spot suspicious emails, such as those with poor grammar, urgent demands and payment requests. NCSC provide training materials to help you and your staff spot suspicious emails.

5.    Install anti-virus and malware protection
Use up-to-date anti-virus software to protect your devices from malware, particularly when employees are working away from the office.

6.    Protect your device when it's unattended
Lock your screen when temporarily away from your desk and securely store your device when leaving it unattended for an extended period. 

7.    Make sure your Wi-Fi connection is secure
Always use a secure internet connection, especially when using public Wi-Fi. When using a public network, consider using a secure virtual private network, or VPN.

8.    Limit access to those who need it
Implement access controls to ensure that employees can only access the information relevant to their roles. Suspend access to systems for former employees or long term absentees. 

9.    Take care when sharing your screen
Before sharing your screen in virtual meetings, close unnecessary tabs and documentations and disable notifications and pop-up alerts to ensure sensitive information is not exposed.  

10.    Don't keep data longer than you need it
Delete data when no longer needed to save storage space and reduce the risk of cyber attacks or data breaches.

11.    Dispose of old IT equipment and records securely
Before disposing of devices, ensure that no personal data is kept on them. Use deletion software or hire a specialist to wipe the data.

New UK ethnicity pay gap reporting guidance – why should you bother?

On 17 April 2023, the UK government issued its first official guidance on ethnicity pay gap reporting. The guidance aims to enable employers to take meaningful action on pay gaps while minimising burdens on businesses. The focus is not only on pay but also on understanding the underlying reasons for disparities, such as limited progression opportunities. The guidance encourages a holistic approach to addressing internal and external factors affecting diversity and inclusion.

Determining which ethnicity groups to include is a challenge due to various factors including parentage, heritage and self-identification. The guidance advises against aggregating all ethnic minority groups into one category, as it can hide specific disparities. Allowing employees to self-identify is recommended, following the categories used in the latest Census, with an option for individuals to select "prefer not to disclose" to ensure compliance with the UK GDPR.

To compare pay data, the guidance suggests aggregating individual ethnicity information into five groups: Asian, black, mixed, white and "other". Although ethnicity pay reporting is currently not mandatory, businesses that adopt the practice early and ensure accuracy may benefit from valuable insights, including from a public relations perspective.

Read more about the government's new ethnicity pay gap report in our recent Employment Law Coffee Break.

Annual Data Forum: June 2023

Last month, we hosted our annual Data Forum, where Osborne Clarke's international data team provided a UK and EU perspective on the world of data law and regulation, covering a host of topics including UK data protection law reform, upcoming non-privacy data regulation including the EU's draft Data Governance Act and Data Act, data aspects of broader digital regulation such as the Digital Services Act, data developments in direct marketing and digital advertising, whistleblowing, data and artificial intelligence and data litigation. 

If you would like to know more about how we can help you with strategic thinking about your overall data strategy, please take a look at our Data Unlocked offering. Do also keep an eye out for our Dipping into Data series which will return in the autumn.