The HR Guide to Employee Data Protection

Employee data protection is becoming increasingly important for organizations that are aiming to comply with global privacy laws. This puts pressure on the HR department of all organizations to be responsible custodians of their employees' data.

Back in 2016, an employee data breach occurred at Snapchat. Payrolls for 700 current and former employees were breached by an attacker pretending to be the social media company's CEO Evan Spiegel. This was catastrophic for the company’s reputation.

This article talks about common misconceptions held by employers in relation to the protection of employees’ personal data. It then discusses modern privacy regulations, followed by an overview of an employer’s obligations during the entire employee’s lifecycle.

What is Employee Data Protection?

Employee data protection is the act of ensuring the protection of an employee's personal data while working in a company. Personal data includes information like name, address, social security numbers, bank account details, etc. The company should ensure that no one has access to this information without the employee's consent.

Employee Data Misconceptions

When an employer hires an employee, they have a number of rights on the use of their personal data. More often than not, employers have certain misconceptions about what they can and can’t do with employees’ personal data under the law. Here are the top common misconceptions that an employer may have with regard to protecting their employees’ data.

1. Employers believe that they do not need to notify employees before processing data. However, most global privacy laws require employers to notify their employees on every instance of data collection and data processing.
2. Employers believe that they have an unrestricted right to monitor their employees for security and productivity reasons. However, most global privacy laws allow monitoring of employees only under certain conditions and as long as such monitoring is not unreasonably intrusive to employees.
3. For an employer sitting in the US, they believe that laws from other countries do not apply to them. This is incorrect, as laws such as the GDPR may also apply in the US if, for example, they are processing data belonging to EU residents. Most global privacy laws have extra territorial application. Therefore, it is important for an organization to identify which privacy laws apply to them depending on their employees’ residencies, citizenships, place of work, or any other appropriate factors.
4. Employers believe that a data breach will result in fines. This can be the case, but it depends on the severity of the breach and its impact. Apart from fines, employers might also be asked to provide further mitigation services to employees affected by the breach as well as overhaul or upgrade their security frameworks to ensure that the breach does not take place again.

Global Data Privacy Laws on Employees Data Protection

If we look at any organization, the HR department always has large volumes of personal data and sensitive personal data stored about their former, current, and potential employees.

The range of the personal data stored by an organization’s HR department can be from their name, social security number, address, date of birth, previous addresses to their medical, financial, and other sensitive personal information. In the wrong hands, this data can be dangerous and run the risk of identity theft, among other threats.

In order to curb this issue, data privacy regulations from all around the world have laws set in place which obligate employers to protect the employees’ personal data and prevent an incident of a breach occurring. These laws also provide rights to employees over their data. Let’s look at the obligations that employers have under major global privacy laws.

European Union

1. Law regulating applicant and employee personal data?
General Data Protection Regulation (GDPR)

2. Do I need to have a privacy statement or agreement?
The principle of transparency requires employers to inform their employees about their rights in relation to their personal data and their data-collecting practices. Therefore, it is important to have a privacy statement or agreement.

3. How long must I retain employee data? What is best practice?
The GDPR requires employers to keep the data in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which it is processed.

4. Can I transfer employee data overseas?
Personal data transferred to a third country outside the EU can take place only where an adequate level of protection is ensured or there are safeguards in place in cases of transfers to non-adequate countries. Data shared outside the EU and subsequent access by other entities within the group must remain limited to the minimum necessary for the intended purposes.

5. Can I transfer employee data to a third party?
While sharing employees’ personal data with third parties, an employer is responsible for assessing that the data processor is compliant with the GDPR’s requirements.

6. What are the consequences of a breach?
The GDPR caps punishments at 4% of global annual turnover or 20M euros—whichever is higher, based on the kind and severity of the breach. Data subjects have the right to complain with a supervisory authority and receive compensation.

United States of America (California)

1. Law regulating applicant and employee personal data?
California Consumer Privacy Act (CCPA)

2. Do I need to have a privacy statement or agreement for employee data practices?
It is recommended but not required under the law.

3. How long must I retain employee data? What is best practice?
The CCPA does not require information to be held for any fixed period, but it is advised to not hold information longer than necessary.

4. Can I transfer employee data overseas?
There are no specific restrictions on overseas transfers of personal data.

5. Can I transfer employee data to a third party?
Businesses must enter into contracts with service providers with whom they disclose their employees PI for business purposes. The transfer or sale of employee PI to a third party is unrestricted - employers only need to inform their employees on what is being sold and to whom in the notice provided at the time of collection of PI.

6. What are the consequences of breach?

• Investigation by the California Attorney General;
• Filing of a civil action by the Californian Attorney General if it is discovered that the cause of the breach was lack of implementation of reasonable and appropriate security measures to protect the PI of employees.
• Maximum civil penalties of $7,500 for intentional violations and minimum civil penalties of $2,500 for unintentional violations of the CCPA can be granted by the court;
• Employees can file private lawsuits for between $100 to $750 damages or for actual damages (whichever are higher) for each incident of breach if it is discovered that the cause of the breach was a lack of implementation of reasonable and appropriate security measures to protect the PI of the employees.

Brazil

1. Law regulating applicant and employee personal data?
Lei Geral de Protecao de Dados (LGPD)

2. Do I need to have a privacy statement or agreement for employee data practices?
Businesses must inform employees of their data practices in the privacy notice.

3. How long must I retain employee data? What is the best practice?
Employers are expected to terminate employee personal data when:

• The purpose of the processing has been achieved, or that the data are no longer necessary or pertinent to achieve the specific purpose intended;
• The processing period has ended;

However, employers may retain personal data in storage for certain exceptional reasons, such as compliance with a legal or regulatory obligation.

4. Can I transfer employee data overseas?
The LGPD has strict restrictions on the transfer of personal information overseas. The destination country should have an “adequate level of protection,” or a safeguard must be employed to protect the transferred data or there must be some other justification for the transfer.

5. Can I transfer employee data to a third party or processor?
The LGPD requires data subjects’ consent be obtained by the data controller before sharing the data subject’s personal data to a third party (unless a waiver applies).

6. What are the consequences of breach?
Following an investigation by the ANPD, fines of up to 2% of an entity’s revenues in Brazil for a financial year (capped at up to a total maximum of fifty million reais), as well as daily fines, blocking and deletion of the vulnerable personal data, including partial or full suspension of processing activity for 6 months and partial and total prohibition of data processing activities in Brazil is a possibility. It is also important to remember that the Brazilian constitution and consumer law allows data subjects or their representatives to institute private actions against data controllers for harm caused by LGDP non-compliance.

New Zealand

1. Law regulating applicant and employee personal data?
New Zealand Privacy Act 2020 ("Privacy Act").

2. Do I need to have a privacy statement or agreement for employee data practices?
The Privacy Act requires employers to make its employees aware of the facts that the information is collected, the purposes for which the information is collected for, the intended recipients of the information, the consequences for not providing the information, and their rights of access to and correction of their personal information. Therefore, it is recommended to have a privacy statement.

3. How long must I retain employee data? What is best practice?
An employee's data must not be kept longer than is required for the purposes for which it may lawfully be used.

4. Can I transfer employee data overseas?
The employer can transfer employees’ personal information outside New Zealand only if the destination country provides comparable safeguards to those in New Zealand’s Privacy Act, the destination country is part of a prescribed binding scheme issued by the government of New Zealand, or if the employee expressly authorizes the disclosure of personal information after having been informed of the inadequate data protection standards of the foreign country.

5. Can I transfer employee data to a third party?
The employer must not disclose the employees’ personal information to another organization or any person unless there are reasonable grounds to do so under the Privacy Act.

6. What are the consequences of breach?

• Criminal prosecution (may be liable on conviction to a fine not exceeding $10,000.
• Civil penalty via action taken by the Director of the Human Rights Review Tribunal.
• Private right of action by aggrieved individual or a representative on behalf of the individual or a class of individuals.

Singapore

1. Is there a law regulating applicant/employee personal data?
Personal Data Protection Act 2012.

2. Do I need to have a privacy statement or agreement for employee data practices?
Yes. Under the PDPA, organizations should formulate and implement policies and practices to notify employees of the purposes for which their personal data (including CCTV footage of them) is collected, used, or disclosed and obtain their consent unless any exception applies.

3. How long must I retain employee data? What is the best practice?
The PDPA does not prescribe the retention period of personal data. However, an organization should cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with a particular employee as soon as it is reasonable to assume that the purpose of collection is no longer served by the retention; and retention is no longer necessary for business or legal purposes.

4. Can I transfer employee data overseas?
Yes. The PDPA requires that measures are taken by the organization transferring personal data overseas to ensure a comparable standard of protection of the personal data overseas.

5. Can I transfer employee data to a third party?
If employee data is transferred to a third party for the purpose of managing or terminating employment relationships, no consent is required for such transfer, but the employer must notify the employees concerned of the purposes of such transfer.

6. What are the consequences of the breach?
If an organization is found to be in violation of any provision of the PDPA, Personal Data Protection Commission may commence an investigation into the conduct of an organization. The organization may also be directed to take any remedial measures to ensure compliance with the PDPA, including paying a financial penalty of up to SGD 1 million. The PDPA also prescribes that any person who suffers loss or damage directly as a result of a breach by an organization may commence a private civil action in respect of such loss or damage suffered.

HR Employee Obligation Lifecycle

The HR department of any organization needs to be mindful of their obligations throughout the entire tenure of the employees’ lifecycle, from the moment of recruitment to the end of the employment period. Let’s look at the obligations that HR needs to be mindful of during the lifecycle of an employee.

Obligations during recruitment and selection process:

During the recruitment process, an employer must keep in mind the following data protection obligations:

1. Employers must inform job applicants about the types of personal data they would require them to submit and the purpose for which it will be used for.
2. The collection of data during the recruitment process should be limited and relevant to the performance of the job which is being applied for.
3. Application forms should contain authorizations from job applicants if their personal data is collected from third parties such as previous employers or referrals.
4. Background checks must not be overly intrusive, and authorization of the job seeker should be sought before they begin - the results of these checks are highly sensitive information and should thus be protected carefully.
5. Retention of unsuccessful job applicants’ personal data should be limited - only retain their data to consider them for future job openings if they consent to it - or delete the personal data.
6. Evaluation of candidates using publicly available data is allowed under some global privacy laws such as the CCPA. However, the requirements may differ from one law to another. For example, the GDPR allows employers to run background checks from publicly available information only if a legal ground is available to process that data. This requires employers to take into account whether the publicly available information, such as the social media profile of the applicant is related to business or private purposes, as this can be an important indication for the legal admissibility of the data inspection.

Obligations During the Employment Tenure

During the employment period, an employer must keep in mind the following data protection obligations:

1. Most privacy regulations such as GDPR and CCPA/CPRA require employers to provide notice to their employees before the collection and processing of their personal data.
2. The collection, processing and retention of employees’ personal data should be limited to what is necessary, relevant, and proportionate to any function the employer has in the context of the employment relationship.
3. An employer should generally avoid relying on employees’ consent for most data processing at work due to the imbalance of power between an employer and employee. Exceptional circumstances where consent can be relied upon may include taking consent from employees for voluntary employee benefit programs as there are no adverse consequences on the employment relationship for refusal. Such consent must be freely given and well documented.
4. Employers may be able to monitor their employees for productivity, security and enforcement of the company’s policies. However, they are required to inform employees of such monitoring prior to undertaking it and employ adequate safeguards to protect the data collected from the monitoring activity.
5. Employers must conduct risk-based assessments and adopt measures to mitigate the privacy risks to their employees before they conduct profiling or any other high-risk data processing activity with their employees’ data. High-risk data processing activities may include the collection of medical data for medical insurance, profiling for performance evaluation, or other employment-related decision-making processes.
6. Employers are required to fulfill employees’ DSR rights within stipulated deadlines. These rights include the right to request access to their personal data, to delete their personal data, or opt-out of certain forms of processing. Generally, access to and amendment of data that would be prejudicial to managing and functioning of the employer or contains third-party information is exempt from employees’ DSR requests.
7. Employers must ensure that they have appropriate and reasonable security measures to protect their employees’ data. If employees’ data is accessed, acquired or compromised in a security incident, employers must notify the impacted employees and/or regulatory authorities within stipulated time frames as per the applicable privacy law.
8. Employers must assess the privacy practices of external third parties and vendors they contract with for processing their employees’ data for any reason e.g. HR services, security contracts or medical insurance services, etc. It is best practice to have contractual agreements containing safeguards for the protection of the transferred data.
9. Employers must regularly update their HR records to reflect accurate and necessary personal information about their employees. Inaccurate, obsolete, or unwanted information should be modified or removed.

Obligations During End of Employment

Once an employee leaves the organization, employers must keep in consideration the following data protection obligations:

1. Employers must have a clear data retention policy and procedure in place. Personal data of employees and former employees that is no longer needed should be deleted, and anything that is required for legitimate purposes (legal, accounting, tax purposes, or future job roles) must be kept in separate secure databases with limited access.
2. Employers must obtain consent from exiting employees if they wish to retain their data for future job roles.
3. Former employees have rights to access their personal data held by an employer. However, employers are not obliged to keep the personal data of former employees updated and corrected.

How Securiti can Help?

Data is growing at an exponential rate, and employers are collecting more and more of their employees’ personal data. In order to stay compliant with privacy laws, organizations need to have a streamlined and automated process through which they can manage their employee data.

• Securiti offers a 360 solution for employers to cover all the bases of any privacy regulation and enable compliance. Here are some of the modules that Securiti uses to help organizations stay compliant.
• Securiti’s Data Mapping Solution helps employers conduct effective data mapping that can help them identify the correct legal basis and ensure lawful data processing.
• Securiti helps employers create privacy notices and incorporate sensitive data intelligence to achieve privacy compliance across all data processing activities and projects.
• Securiti’s Data Privacy Impact Assessment solution incorporates AI to enable Assessment Automation to trigger and conduct risk-based assessments.
• Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilises built-in privacy research to help organizations deliver breach notifications within hours of a security incident.
• Securiti’s Vendor Management Solution allows employers to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with applicable privacy regulations.
• Securiti offers the DSR Automation Solution to help employers honor all rights of their employees and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises efficiently process data subject requests and enable coordination between stakeholders for reviews and approvals.

Conclusion

Manual methods are becoming obsolete and a future without automation looks like a dark one. If employers hope to comply with increasing demands of global privacy regulations, they need to operationalise their processes and move towards automation.

Securiti is the pioneer in robotic automation and has built an entire solution revolving around this very concept. See how Securti and the PrivacyOps Framework can help you comply with global privacy laws with ease and efficiency. Request a demo today.