Personal Assistant (PA) employers must comply with GDPR – the General Data Protection Regulation. The GDPR came into force on 25 May 2018. The regulation replaced the Data Protection Act 1998, and we now have a new Data Protection Act 2018 (DPA), which supplements the GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) and DPA are concerned with respecting the rights of individuals when processing their personal information. This can be achieved by being open and honest with employees about the use of information about them and by following good data handling procedures. All organisations and employers that hold or process personal data must comply.
The regulation contains 7 principles:
- Personal data should be processed fairly, lawfully and in a transparent manner.
- Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
- The data should be adequate, relevant and not excessive.
- The data should be accurate and where necessary kept up to date.
- Data should not be kept for longer than necessary.
- Data should be kept secure. This includes keeping employees’ personal data safe, secure and up to date.
- You must be able to demonstrate compliance with all of the above (‘accountability’).
Data an employer can keep about their employee includes:
- Date of birth
- Sex (special category data*)
- Education and qualifications
- Work experience
- National Insurance number
- Tax code
- Details of any known disability (special category data*)
- Emergency contact details
- Employment history with the employer
- Employment terms and conditions (e.g. pay, hours of work, holidays, benefits and absence)
- Any accidents connected with work
- Any training taken
- Any disciplinary action
Personal data may also include special categories* of personal data. These are considered to be more sensitive and you may only process them in more limited circumstances.
What an employer should tell their employees
- What records are kept and how they are used
- The confidentiality of the records and how you will store them
- How these records can help with their training and development at work
This can be done in the form of a Privacy Notice.
You can find further information on GDPR at the ACAS website found below.