Data protection privacy notices: who needs one and what should it say?
The General Data Protection Regulation (GDPR), which takes effect from 25 May 2018, requires organisations to give individuals certain information about how their personal data is collected and used. This can be done via a privacy notice.
Read on for some key points on privacy notices in an employment / HR context.
Who should get a privacy notice?
Under GDPR, privacy notices should be issued to:
- Employees, workers and contractors
- Job applicants
- Volunteers and interns
- Individuals who provide references for job applicants
Organisations will usually have separate privacy notices for workers, job applicants, and referees. Strictly speaking, a privacy notice for individuals who are named by staff as emergency contacts may also be required. This is likely to be difficult from an administrative perspective, however, so employers may want to wait on guidance from the Information Commissioner before going down this route.
When should a privacy notice be issued?
A privacy notice should be issued at the time data is collected. This means that:
- A ‘recruitment privacy notice’ should be issued at the start of the recruitment exercise; and
- A ‘worker privacy notice’ should be given to employees, workers and contractors at the start of the engagement.
What should a privacy notice say?
A privacy notice explains how individuals’ personal data is collected and used and sets out their rights in relation to that data. It must be:
- Tailored to the business, reflecting the data processed, and the reasons and legal bases for processing each type of data;
- Concise, transparent, easily accessible and in plain language.
To comply with GDPR, privacy notices must include certain information:
- The identity of the organisation and contact details
- Details of the data protection officer (if there is one)
- The types of information processed
- The source of the data (if it doesn’t come from the worker)
- The legal basis and reasoning for processing each type of data
- The recipients, or categories of recipients, of the data
- Any ‘legitimate interests’ relied on as a basis for processing
- If personal data may be transferred outside the EU or to an international organisation, certain information about that transfer
- The retention period for the data
- The rights of the individual whose data is being processed: access; rectification; erasure; restriction of, or objection to, processing; data portability; withdrawal of consent (if relevant); and complaining to the Information Commissioner
- Whether information is required by statute or contract
- Information around automated decision-making (if used)
Need more help?
More detailed information on worker privacy notices and other HR GDPR materials are available to Brodies Workbox subscribers, including template privacy notices with drafting notes; a data protection policy; contracts of employment with updated data protection clauses; and FAQs. If you’re not a Workbox subscriber and would like help with updating HR policies and procedures in preparation for GDPR, please speak to your usual Brodies contact.