The Data Protection Act of 1998 has been replaced with the GDPR (General Data Protection Regulations) (directive 95/46/EC) and affects all UK Companies who process or store personal information.
Susan Reading Bookkeeping is a registered Controller with the Information Commissioner Office which enforce the GDPR and as such is subject to scrutiny by the Information Commissioner’s Office.
The basis of the regulations is to formalise the procedures which should be followed when a business process or store personal data. Data may essentially be held in an electronic or manual form but under the regulations a business must provide access to data on request and ensure that any data is processed in a fair and reasonable way.
Under the legislation, individuals (data subjects) have the right to add information to their records, have inaccurate data deleted and to stop information being used for marketing purposes. Individuals have a legal right to know what data is held and what if anything that data is used for.
Individuals also have a right to know from where information was obtained and if it has been used for any automated decision-making processes eg: electronic profiling in order to shortlist job applications.
The regulations state that a business must respond to request for information within 40 days.
There are both criminal and civil penalties for non-compliance with the regulations. Challenges may also be made against offenders under the Human Rights Act.
What exactly is Sensitive Data?
All businesses have a duty to maintain the highest possible levels of security whilst handling data under Schedule 3 of the Data Protection Act.
This category covers areas relating to health, sexuality, religion, ethnicity and trade union membership.
For matters concerning sick pay within a payroll, specific consent is required from the employee to the handling of data. Eg: the reasons for sickness quoted by a doctor on a sick note is sensitive data.
Outsourcing of any data processing to third parties does not relieve obligations of a business under the Act and written agreements should be in place documenting exactly what responsibilities each party accepts.
Any personal data should not be transmitted outside the European Economic Area as global protection may not be provided.
Impact on our Company
Any issues arising which may give rise to GDPR impact must be referred to the owner of the firm, Susan Reading.
Any information gathered by the staff must be for specific purposes and not be more intrusive than is reasonable in order for us to fulfil the immediate obligations upon us.
Wherever possible, data held must be and remain as up to date and accurate as possible. Data should not be retained any longer than necessary.
Processing of data must be in accordance with the rights of the individual(s) concerned. Processing of data must be done using appropriate technological measures to ensure access can be restricted if required.
- Any data held must be subject to consent.
- Publishing of statement on GDPR within any marketing literature, mailing lists etc used.
- Ensure that whenever a data collection event happens we will have adequate methods of recording.
- Knowledge of the regulations sufficient to ensure that a breach of confidentiality does not arise – breaches can be transmitted verbally, in written form, e-mail, via a website etc.
- A need to monitor internally that processes are in place and evidence of such monitoring taking place.
- Ensuring that we do not breach the regulations on interventionary protection. (This is dealt with through out Internet Usage Policy).
How do we collect information?
- For clients we collect information at the first meeting which we hold on a database – This information will be added to throughout the period of time during which we act and, in most cases, it may extend beyond then.
- For suppliers we collect information when we trade with them and this may arise very early in the process e.g.: at tender or quote stage.
- For introducers to the Company we gain information through business cards, introduction letters, incoming mail shots etc.
- For staff recruitment purposes we gain information from applications, CV’s and telephone conversations and correspondence which for appointed staff will be added to throughout their working period with the Company.
- It should be noted that data collection is often by word of mouth.
Under no circumstances whatsoever should personal data be given to any third party without consent from the individual.
An indicative, but not exhaustive list of examples is given as Appendix B but staff must use their best judgement in this area.
Consent is best obtained in writing from a subject, but may be by telephone if we know for certain that the person responding is the subject, (in which case a telephone record must be made), or in person at a meeting (when an authority should be signed at the time). Consent by e-mail is not acceptable as we cannot guarantee security of the sender’s equipment.
Consents sent to us by third parties apparently signed by an individual should not be accepted at face value without double checking with a subject.
We will seek to obtain all necessary consents within 3 working days of a request for data. This is considered reasonable except where a subject may for any reason be unavailable. In such cases data must not be transmitted.
Individuals applying for jobs with the Company will be informed of the use of personal details.
Security and confidentiality are an inherent part of our work and staff should understand the necessity of such.
Data relating to staff at the Company will be maintained on individual staff record files and available only to Directors.
Payroll details held on computer will be password protected and payroll details held manually will be retained in files within a secure environment.
Security of client data will be as detailed in the office manual including methods of processing data within a secure environment.
Data held on the computer network will be backed up within the Cloud Server instantaneously and daily backups will be made after the end of each working day.
Confidentiality of client data including any data relating to clients’ employees or agents is restricted to staff of the Company.
Data relating to employees of the Company is restricted in access to the Owner. Consent will be obtained as stated above prior to release of data to third parties.
Data will only be used for the purpose of answering specific requests and should relate only to information necessarily required.
Professional judgement and ethics must be observed and utilised in dealing with any sensitive data.
Data relating to clients will be maintained for such periods as are laid down by the professional bodies responsible for the conduct of the Company.
Data relating to Company staff will be maintained for a period of time based upon a reasonable business need to retain them which for purposes of future references shall not extend beyond 6 years.
Any matter relating to data protection may be referred to the Owner in the first instance but checks on good practice can be accessed via the Information Commissioners Officer website www.ico.gov.uk
A copy of the draft codes of practice are available from the website and a copy is available within the firm, from the Owner.
For criminal convictions it must be clear that spent convictions do not have to be declared unless covered by certain exceptions relating to a specific post.
We will act for clients on payroll, only where consent to hold records has been received by us.
Where clients request payroll details be despatched by email, we must ensure that the methodology is secure and will send documents via a password protected file.
Any confidential information handed to the Business Owner for onward transmission to the relevant Pension Company should be in a sealed envelope and as such will not be accessed by anyone prior to despatch.
We may from time to time request that applications for posts at the Company contain details of ethnicity, sexuality, disability or other characteristics, but this will be only for the promotion of our Equal Opportunities Policy.
Last updated: 24 May 2018
Author: Susan Reading
Third party requests for data relating to employees
Release of Third Party Information in Response to a Subject Access Request.
Seek the consent of the third party to release of the information unless it is impractical to do so (eg: the third party’s whereabouts are unknown) or consent cannot be given (eg: the third party does not have sufficient mental capacity).
If consent has not been given, decide whether in all the circumstances it is nevertheless reasonable to give access. This involves balancing the employee’s right of access with the third party’s right to respect for his/her private life.
In doing so take into account :
Bear in mind that the release of confidential information or information where there has been an express refusal of consent is unlikely to be justified unless the information has had or is likely to have a significant adverse impact on the employee.
Third parties who may request data from us and where consent is required for release include the following:
- Inland Revenue
- Dept for Work & Pensions (formerly DSS)
- H M Customs & Excise
- Other Government Regulatory Bodies Police/National Criminal Intelligence
- Pension Providers
- Service Banks & Building Societies
- Other Lending & Financial Institutions Credit Agencies
- Training Agencies
- Colleges & Universities
- Previous or Prospective Employers Professional Organisations
- Accountancy Firms
- Estate Agencies/Surveyors
- Staff Representing Clients
- Employment or similar Agencies
The list is indicative and not exhaustive – staff must use the highest levels of discretion and confidentiality in dealing with any requests for data from third parties.
- whether you owe a duty of confidence to the third party
- any express refusal of consent
- the impact the information has had or is likely to have on actions or decisions affecting the employee
- the nature of the third-party information, in particular whether its release will be damaging to the third party or whether it is sensitive
- the extent to which the employee is already likely to be aware of the information
- whether the information includes facts which might be disputed by the employee where he/she aware of them
- whether the third-party information relates to the third party acting in a business or personal capacity
Retention Periods for Employee Records
- Application Form – Duration of Employment
- References Received – Duration of Employment
- Payroll & Taxation Information – 9 years
- Sickness Records – 3 years
- Annual Leave Records – 2 years
- Unpaid/Special Leave Records – 3 years
- Annual Appraisal Records – 5 years
- Notes regarding Promotion, Training & Disciplinary matters – 1 year after end of employment
- References given & relevant Information used – 5 years after end of employment
- Records relating to Accidents or Injury at work – 12 years after event
The above criteria are for guidance only but if longer periods are considered appropriate then justification must be given.