To comply with the GDPR, businesses need to work out what personal data they actually hold. But are you clear on what information counts as personal data, and where to look for it?
Here is some guidance for small businesses on where employee personal data might be found, and on the kinds of information they might hold that would count as personal data in employee or other HR-related categories.
What constitutes ‘personal data’ under the GDPR?
The definition of ‘personal data’ for the purposes of the GDPR is any information relating to an identified or identifiable person. As long as an individual can be identified from the data, it is likely to count as personal data.
And don’t forget that someone can be identified by information other than his/her name. If there is enough information to work out who the data is about, that is personal data about that individual.
What constitutes ‘sensitive personal data’ under the GDPR?
Sensitive personal data – or, more accurately, ‘special categories of personal data’ as it is referred to under the GDPR – is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data, data concerning health, and data concerning a natural person’s sex life or sexual orientation.
Where might personal data be held?
Employee filing systems
You probably have paper-based personal files for each employee, and the contents of these would be personal data or sensitive personal data.
You will also hold information about employees online. If you have an HR information system, its contents would likewise be personal data or sensitive personal data.
The more obvious types of personal data you probably hold in specific employee filing systems include:
- Salary information
- Personal contact details
- Any personal health information
- Information relating to employee benefits the individual has, e.g. company car, gym membership, private health insurance
- Information about what hours the individual works
- Annual leave records
But anything about that individual held in a paper-based or online employee filing system will be personal data.
Elsewhere in the organisation
As well as the formal filing systems you may have for employee information, you are likely to hold data elsewhere too. It is generally the pieces of data which aren’t held in an employee’s personal file or in a specific online HR system that get forgotten, and where legal compliance is most likely to slip. Examples include:
- Letters you have written to the employee and saved in a folder
- Performance appraisal notes you have made and saved in a folder
- Emails where the employee was the subject of the email, or emails to and from the employee
- Sickness absence records including fit notes
- Recruitment notes including selection for interview/interview notes/any other selection test or process used
- Minutes of meetings where the individual was the subject of discussion, or portions of minutes where part of the meeting was discussing a clearly-identifiable individual
- The fact that the individual attended (or failed to attend) a meeting where the minutes record this
- Performance records where it is possible to identify the work performance or productivity of a specific individual
- Any CCTV or other monitoring where an employee’s activities are recorded
If you are unsure whether some information you are holding comes under the GDPR, or are concerned there may be locations you have missed in an audit of HR data, do seek advice. And remember that the above relates only to HR personal data – your organisation may well hold and process personal data in other categories as well, such as marketing activity or customer information.
If you would like more guidance on identifying employee personal data within your business, do get in touch.