#BTColumn Dear HR . . . Does data protection law affect my role in HR?

Barbados Today Traffic, 09/02/2022

Disclaimer: The views and opinions expressed by the author(s) do not represent the official position of Barbados TODAY.

by Carol-Ann Jordan and Jacqueline Belgrave

The short answer to this question is Yes, it does. The legislation provides guidance on what can and cannot be done with employee information or personal data (i.e. any data in the company’s possession that can identify the individual). The legislation gives the individual control over his/her personal data i.e. control over how the data is used and what happens to it after it is used. It also gives greater accountability by stipulating what companies can and cannot do with the personal data that they have.

Why is it important?

Employers collect data on employees for various reasons. These include: to comply with the law (e.g. income tax), to assist in recruitment and selection for employment, to assist in decisions regarding promotions, to satisfy training needs, to manage employee performance, to maintain health and safety standards and personal security.

Barbados’ data protection legislation, The Barbados Data Protection Act, 2019-29, now legislates how personal data and, by extension, employee data is to be handled. It provides a framework for the protection of personal data in the light of present technological advancements.

The ILO advises that with the wide range of data collected, employers must safeguard the dignity of workers, protect their privacy and guarantee their fundamental right to determine who may use which data for what purposes and under what conditions. The Barbados Data Protection Act satisfies these conditions. By calling for companies to justify what is actually done with the data that they collect, to some degree they are now forced to determine what information is essential.

What are some examples of the personal data which HR holds?
A company is an information warehouse and, in today’s world, information is one of the most valuable resources. HR is the one department which is often held responsible for employee personal data and for sharing this information with internal departments and external agencies. The data held in HR includes: names, addresses, telephone numbers, national registration numbers, next of kin and their contact information, banking and payment details, mortgage details, drivers’ licenses, personal insurance details, passport details in some cases, copies of identification cards, passports, birth and marriage certificates, copies of academic qualifications, medical information, employee photographs, biometric data (e.g. fingerprints) and the list goes on.

What are key aspects of data protection?

Companies now must ensure that:

1. Personal data is processed in a manner that is lawful, fair and transparent.
   a. Lawful: this means that there must be a legal basis for the processing of the information, e.g. for the payment of NIS or income tax, or to facilitate the payment of salaries or wages.
   b. Fair: though fairness is a subjective criterion, it is measured by what a reasonable person would expect. Fair processing means that the data should be processed (captured, collected, stored and destroyed) in a way that is neither detrimental nor misleading to the employee concerned.
   c. Transparent: this means that individuals must be given all the information about what is being collected, why it is being collected and what it will be used for. The data must then be used only for the purpose(s) given to the employee when it was collected.

Additionally:

2. The personal data collected must be enough for the stated purpose and not more than is necessary. Less employee data held suggests that there will be less data to be exposed in the event of a breach.
3. Data collected must be accurate and must be kept up to date.
4. Personal data should be kept only for as long as necessary and for the purposes for which it is being processed. Data should not be kept for longer than necessary for specified purposes.
5. Data should be processed in a manner that ensures that its integrity and confidentiality are maintained. Personal data should be protected against inappropriate processing and accidental loss. (To do this, the appropriate technical and organisational measures need to be implemented across the company.)
6. Companies must be accountable – they must be able to demonstrate that the appropriate data management policies and procedures are in place to ensure compliance with privacy requirements.

How can HR’s efficiency be impacted?

The examples below are shared to highlight the changing environment within which business is now being conducted and to illustrate the challenges which can be posed to HR in this new environment.

1. On a job application, an employee has provided references from two former workplaces. Is this implied consent? What information, and how much of it, can the former workplaces share? While the recruiting workplace may have the employee’s permission to ask for the information, does the former workplace have the necessary permission from the employee to share the data?
2. A company’s policy may be that, during periods of illness, the employee will be paid in full (during what would normally be a period of no-pay). This may be done on the condition that the company is reimbursed by the employee signing over the NIS benefit to the company when it is received. The employee returns to work and refuses to indicate whether the National Insurance benefits were received. Without the employee’s stated consent, can the company request information from the National Insurance Department? Can the National Insurance Department divulge this information so that follow-up conversations and further action can be taken to ensure the company is refunded?
3. A company has advertised for persons interested in a vacant position to submit their applications. The recruitment process is complete, and the successful candidate has accepted the offer. What is usually done with the applications of the unsuccessful candidates? Are they kept in a filing cabinet, in a folder on the computer system or both? Who has access to these systems? What about the data packages the panel of interviewers receive – or the Board of Directors if it goes that far?

If you are in a public sector entity, how will information sharing be modified to ensure compliance with the legislation? How will information shared with the parent ministry be protected? What safeguards must be insisted on or formally established to ensure compliance? What needs to be done to fulfil legal obligations, minimise the risk of inappropriate processing and ensure the required level of confidentiality?

HR must be able to guide the organisation on the most appropriate policies to be put in place to ensure compliance with the Act. Although reference is being made to the role and impact of HR, it must be noted that these requirements obtain whether a company has an HR Department or not. Every business has control of its employees’ personal data and must comply with the legislation. Every business has a duty to safeguard its stakeholders and the personal data it holds.

About Lifeline Labour Solutions: Lifeline Labour Solutions is a boutique partnership providing people management solutions to workplace challenges. Partners Carol-Ann Jordan and Jacqueline Belgrave are established practitioners with a wealth of knowledge and experience in Employment Relations, Labour Relations and Human Resource Management between them. Email: info@lifelinelabour.com; Tel: 1(246)247-5213