All employers hold data about their employees, but most managers are fully aware that, particularly since the implementation of the General Data Protection Regulation in 2018, there are fairly stringent obligations in terms of how data is handled, and there is a sense that the whole issue of personal data is complex and fraught with difficulty.
There are a number of requirements and obligations placed on organisations when it comes to the data they hold, and ensuring compliance with these starts right at the beginning, when you make a decision about what information you are going to request. This might be on an application form or a new employee details form or similar, but it will be a decision-making process you continue to use as you implement new benefits, say, or make changes to procedures or systems.
When it comes to deciding what information you need, there is one key question you should ask yourself –
“Why do I need it?”
It sounds very basic, but it is surprisingly often overlooked completely. Often forms are designed without that question having been asked, and data requested without having considered it either. Information is sometimes requested out of habit, or because it’s always been kept, or because there is some perception that employees ‘should’ provide it to employers.
But asking yourself exactly why you need each piece of information you’re asking for is vital for the following reasons:
1. It will help you identify the legal basis for retaining that data
For every piece of information you are processing, you must have (and be able to state) at least one of a number of permitted specific legal bases for doing so. The most commonly-used legal bases in an employment context are: compliance with a legal obligation, performance of a contract and legitimate interest. If you have asked yourself the question “why do I need this information”, that will help you identify which legal basis is applicable.
2. Access rights
Having asked yourself why you need the data will also help you identify who needs access to it. If you’re processing data without a clear reason, you will also not be in a position to accurately restrict access to the right people, something you are required to do as part of data protection legislation. If you know exactly what it will be used for, you will also be able to pinpoint exactly who will need to see it.
3. Retention periods
As part of your data protection obligations, it’s essential you don’t keep any data for any longer than absolutely necessary, and that you are able to explain the retention periods used and how you decided how long to keep the data.
If you’ve asked yourself for what reason you are requesting the information, you’ll then be able to identify a suitable retention period based on that, rather than guessing roughly how long it should be kept, or keeping it too long, which is a common mistake.
4. Avoiding excessive data
If you are considering requesting a piece of information and are unable to come up with a satisfactory explanation why you need it, you shouldn’t be keeping it. Asking yourself this question right at the beginning will therefore ensure that you strip your data processing to the minimum needed, which is exactly what you should be doing.
Reducing data to the minimum needed also has the side benefit of making your data processing compliance more straightforward, particularly when it comes to responding to a data subject access request.
Asking that one simple question when designing application forms, information forms, HR system requirements, equal opportunities monitoring, and any other format in which you are requesting data will set you on the right path to easily complying with several of your data protection obligations and avoiding some of the most common pitfalls.
If you’d like some guidance on deciding what data you need about employees, do get in touch.