Are Human Resource practitioners paying attention to the Data Protection Act?

In a recent poll of some 400 persons, that was conducted during a live broadcast of the PSOJ CovidCastJa live that discussed the Data Protection Act, impressively the majority of the viewers were aware of the passage of the Data Protection Act. Anecdotally however the majority of business operators while they may be aware of the Act have formed the view that if they don’t have a business to consumer business, where they treat with customer personal data, the legislation may not necessarily impact on them.This view is incorrect as employees for the purposes of the Data Protection Act are also data subjects.

This is not unusual as emphasis has often been placed on the privacy rights of consumers. A closer reading of the definition of the data subjects as set out the Data Protection Act coupled with the example of the recent monetary penalty of €35,258,707.95 issued by the German Commission of Data Protection against retail clothing juggernaut H&M on October 1, 2020 should quickly adjust this incorrect perception.

The Data Protection Act defines data subjects as a named or otherwise identifiable individual who is the subject of personal data. This wide definition includes customers, suppliers, members, employees all citizens of Jamaica whose personal data is being processed.by a data controller (an employer). It follows that if you operate a factory that sells to other businesses or any other business to business operation and have employees and collect any form of personal data relating to the employee you are subject to the data protection Act. As a data controller you are expected to respect the privacy rights of your employees in the same manner as you are to respect the privacy rights of your customers.

In the H&M decision it was a situation where some of the employees were subject to extensive recording of their private life circumstances. For example, after vacation and sick leave, the senior staff conducted a so-called “Welcome Back Talk” with the employees. In this way, information on symptoms and diagnoses of illness was obtained and stored. In some cases, these recordings were very detailed, updated on an ongoing basis, and enriched with other known information about employees’ private lives, eg regarding known family problems or religious beliefs. These notes were accessible to other managers throughout the company. Among other things, the data was used to obtain a profile of the employees for decisions in the employment relationship.

The European General Data Protection Act, which is very similar to our Data Protection Act, states that personal data shall be processed lawfully, fairly and in a transparent manner and shall be lawful only if: (a) the data subject has given consent to the processing of his personal data; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

The Commissioner found that the combination of collecting details about their private lives and the recording of their activities led to a serious encroachment on employees’ civil rights. In light of the foregoing the Commissioner issued a penalty in the sum of €35,258,707.95. We take a deeper look at this decision in our weekly podcast Design Privacy Weekly.

This decision brings into sharp focus the type of personal data that is collected by human resource departments and the risks companies are exposed to by virtue of the processing of this data. The personal data collected by HR is often sensitive personal data i.e. information about a potential employees or employees’ health status and criminal antecedents. The processing of sensitive personal data requires that additional steps be taken to protect the privacy of data subjects. On the flip side as demonstrated by the H&M case a breach of a data processing standard that involves sensitive personal data would attract higher monetary penalties.

Companies must now address their minds to what they do with , either solicited or unsolicited, resumes that they receive. Is your business in a position to account for all the resumes that have been received? Would you be able to account to an applicant who submitted an unsolicited resume, in which you had no interest, if he were to exercise his first data subject right and request information about all the information that you are processing about him. Would you be able to provide him a copy of the resume he submitted.If you are interested in hiring an applicant and you decide to do background checks or because you are a regulated entity you specifically required to do background checks, how do you go about this exercise. What information do you collect and once collected what do you do with it?

There are a multitude of issues that now arise as a result of the passage of the Data Protection Act that now have to be addressed by companies that have employees.In general as a first step personal data collected, must be clearly defined, assessed and evaluated in the light of rights and freedoms of the data subjects. Based on that, the process is drafted, defined and adjusted beginning with data minimization and purpose limitation and then with fairness and lawfulness (before applying the rest of principles).

Chukwuemeka Cameron is a Podcaster and an Attorney with a Masters in Information Technology and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Feedback can be sent to ccameron@designprivacy.io