Data protection for employers
Published 14 August 2023
The challenge for employers of keeping personal data safe, and the consequences of failing to do so, were emphasised again by two alarming high-profile breaches.
All employers have key legal obligations under data protection law, principally the UK General Data Protection Regulation (UK GDPR)[1 cited 14.8.23].
The legislation requires all businesses to take appropriate technical and organisational measures to protect personal data from unauthorised or unlawful processing, accidental loss, destruction and damage.
Put in simple terms, employers must minimise the risk of data leaks or breaches, and be able to show that the measures they have taken are appropriate to that risk.
Private and confidential personal information should be collected, used and kept safe in a lawful, fair and transparent manner.
The need for employers to work hard to protect personal data was highlighted in the Cyber Security Breaches Survey 2022, which revealed that in the previous 12 months more than one in three (39 per cent) UK businesses identified a cyber-attack, a figure consistent with previous years of the survey[2 cited 14.8.23].
We have recently seen the consequences of prominent organisations failing to prevent a cyber-attack, and the problems that can be caused by simple human error.
Northern Ireland's police chief said he was ‘deeply sorry’ about two ‘industrial-scale’ breaches of internal data, revealing the identities of thousands of his officers and staff[3 cited 14.8.23].
The Police Service of Northern Ireland (PSNI) mistakenly shared details about 10,000 of its employees.
Details of a second data breach the previous month emerged less than 24 hours later.
In a press conference Chief Constable Simon Byrne acknowledged that the PSNI could face a financial hit if it was required to update its data systems, pay compensation or face a fine from the Information Commissioner’s Office.
And the Electoral Commission was forced to apologise after it fell victim to a cyber-attack, which exposed electoral registers to ‘hostile actors’.
The commission said the breach occurred two years ago but it could not ‘determine conclusively’ what data had been accessed.
The attackers reportedly gained access to reference copies of electoral registers with the names and addresses of millions of voters registered between 2014 and 2022, in a major security breach.
The commission published details of the breach, and of the measures it has since taken, on its website[4 cited 14.8.23].
Data breaches can affect millions of people and cause serious financial issues and reputational damage to employers.
There have been many high-profile data breaches and hacking incidents in the UK in recent years.
In 2020, the budget airline EasyJet revealed that the personal information of nine million customers was accessed in a ‘highly sophisticated’ cyber-attack on the airline[5 cited 14.8.23].
In July 2019 the ICO announced its intention to fine British Airways £183m after hackers stole the personal information of half a million customers; the penalty finally issued in 2020 was £20m. In the same month it announced an intended fine of £99.2m for the hotels group Marriott over a breach that exposed the records of 339 million guests worldwide; that penalty was finalised at £18.4m.
Businesses of all sizes are vulnerable to cyber threats and attacks, and must take cyber security seriously.
It is not just about protecting personal data and assets, but also safeguarding customers’ trust and loyalty too.
Everyone has a role to play and employees should be trained in data protection. It is a legal obligation and good practice for any business that processes personal data.
Data protection training helps to make sure employees fully understand GDPR rules and their responsibilities when handling personal data, such as customer or employee information.
Training can also help to prevent data breaches, protect privacy rights and maintain trust and reputation.
An employer can be held responsible for a data breach and face enforcement action, such as fines, audits, or orders to stop processing data. Any individual affected by a breach may also claim compensation.
Any employer can be found legally responsible for breaching its obligations if it fails to put in place the right level of security appropriate to the risk of the personal data it processes.
An organisation can also be liable for the actions or omissions of any employee, even if the business itself was not to blame.
All employers can cut the risk of liability by having robust security policies and procedures, ensuring staff are properly trained on the importance of data protection and cyber security, and monitoring and reviewing systems regularly.
The Information Commissioner's Office (ICO) regulates and enforces data protection law in the UK, provides guidance and advice, handles complaints and requests, and promotes good practice and awareness[6 cited 14.8.23].
The ICO has various powers to take action for a breach of the UK GDPR or Data Protection Act (DPA) 2018.
Legal Obligations and GDPR
The main legislation governing data protection is the UK GDPR, supplemented by the DPA 2018, which sets out how the GDPR applies in the UK[7 cited 14.8.23].
The law covers all businesses, whether large or small, that handle any personal data.
Data protection law is complex and it is advisable that employers seek appropriate legal advice if unsure about any aspect of it.
An employer that fails to adhere to its legal obligations risks reputational damage, potential prosecution and heavy financial penalties.
Definition of Personal Data
Personal data covers any information that can be used to directly or indirectly identify any individual.
It can include their name, email address, phone number, location data, online identifier or biometric data.
If it is possible to identify a person directly from the information, then it may be personal data.
If the individual is not directly identifiable from the information, consideration needs to be given as to whether they could still be identified from it in some other way, for example by combining it with other information.
An employer should always take into account the information it is processing along with all the means reasonably likely to be used by either it or any other person to identify an individual.
Even if an individual is identified or identifiable, directly or indirectly, it is only considered personal data if it ‘relates to’ the individual.
Data Collection and Consent
Data collection covers how employers gather personal data and the lawful basis on which they then use it; consent is one such basis, and the UK GDPR sets strict conditions for relying on it.
The UK GDPR sets a high standard for consent, which must be unambiguous and involve a clear affirmative action (an opt-in).
Consent must be freely given, which means giving people genuine ongoing choice and control over how their data is used. Because of the imbalance of power between employer and employee, the ICO's view is that consent will rarely be freely given in an employment relationship, so most processing of staff data will need to rely on another lawful basis, such as performance of the employment contract or a legal obligation.
It must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
There is no specified time limit for consent. How long it will last is dependent on the context. Employers should review and refresh consent as appropriate.
Protecting personal data
All employers, large and small, have a responsibility to protect the personal data of their employees, customers, and other individuals that they collect and process.
Some common steps that can be taken to protect personal data are:
- Appoint a data protection officer to cover all aspects of information governance, including DPA and Freedom of Information Act compliance. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data; for other employers it is good practice[8 cited 14.8.23].
- Review the security of information stored. Measures to protect data may include encryption, password protection, access control, firewalls, antivirus software, backup systems, staff training and audits.
- Review information systems to identify who has access to what data, and for what purpose.
- Evaluate how data is used, and provide guidance for managers on how to handle data.
- Continually monitor data compliance.
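The two review steps above, restricting access to the fields each role needs for a stated purpose and being able to report who can see what, are the kind of control the ICO expects an employer to be able to evidence. The following is an added illustration, not code from the original article: a minimal personal-data store that enforces a role-and-purpose policy, refuses any request that exceeds it, records every decision for audit, and produces the "who has access to what" report. The roles, field names, purposes and the sample employee record are constructed for the example.

```python
"""Purpose-bound, role-based access to personal-data fields, with an audit trail.

Added example, not code from the original article. The roles, fields,
purposes and the employee record below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample record of the kind an HR system holds about an employee.
RECORDS: Dict[str, Dict[str, str]] = {
    "E1001": {
        "name": "A. Example",
        "email": "a.example@example.invalid",
        "phone": "+44 20 7946 0000",
        "home_address": "1 Example Street, Belfast",
        "bank_account": "00-00-00 12345678",
        "sickness_record": "none on file",
    },
}

# Policy (assumed for the example): each role may read only the fields it
# needs, and only for the purposes listed. Anything not listed is denied.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "payroll": {"fields": {"name", "bank_account"},
                "purposes": {"pay_salary"}},
    "line_manager": {"fields": {"name", "email", "phone"},
                     "purposes": {"team_contact"}},
    "hr": {"fields": {"name", "email", "phone", "home_address", "sickness_record"},
           "purposes": {"hr_casework", "emergency_contact"}},
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    employee_id: str
    fields: List[str]
    purpose: str
    allowed: bool
    reason: str


class PersonalDataStore:
    def __init__(self, records: Dict[str, Dict[str, str]],
                 policy: Dict[str, Dict[str, Set[str]]]) -> None:
        self._records = records
        self._policy = policy
        self.audit: List[AuditEvent] = []

    def check(self, role: str, fields: Set[str], purpose: str) -> Tuple[bool, str]:
        """Decide whether ROLE may read every field in FIELDS for PURPOSE.
        A request is all-or-nothing: one field outside the role denies it."""
        rule = self._policy.get(role)
        if rule is None:
            return False, "unknown role"
        if purpose not in rule["purposes"]:
            return False, f"purpose {purpose!r} not permitted for role {role!r}"
        excess = set(fields) - rule["fields"]
        if excess:
            return False, "fields outside role: " + ", ".join(sorted(excess))
        return True, "ok"

    def read(self, user: str, role: str, employee_id: str,
             fields: Set[str], purpose: str) -> Dict[str, str]:
        """Return only the requested fields, logging every decision (allowed or not)."""
        allowed, reason = self.check(role, fields, purpose)
        self.audit.append(AuditEvent(datetime.now(timezone.utc), user, role,
                                     employee_id, sorted(fields), purpose,
                                     allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        record = self._records[employee_id]
        return {f: record[f] for f in fields}

    def access_review(self) -> Dict[str, Set[str]]:
        """Who can read what: map each field to the roles permitted to read it."""
        review: Dict[str, Set[str]] = {}
        for role, rule in self._policy.items():
            for f in rule["fields"]:
                review.setdefault(f, set()).add(role)
        return review

    def denied_events(self) -> List[AuditEvent]:
        """Denied requests are the ones worth reviewing: they show over-reach."""
        return [e for e in self.audit if not e.allowed]


if __name__ == "__main__":
    store = PersonalDataStore(RECORDS, POLICY)
    print(store.read("pay01", "payroll", "E1001", {"name", "bank_account"}, "pay_salary"))
    try:
        store.read("mgr01", "line_manager", "E1001", {"name", "home_address"}, "team_contact")
    except PermissionError as exc:
        print("denied:", exc)
    for fld, roles in sorted(store.access_review().items()):
        print(f"{fld:16} {', '.join(sorted(roles))}")
```

The deny-whole-request rule matters: returning the permitted subset silently would let a caller probe for fields it should not see, and the audit entry would record a success. The `access_review` output is the artefact to hand to whoever performs the periodic review of "who has access to what, and for what purpose"; any field readable by a role that has no stated purpose for it is the finding.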
What to do in the event of a data breach
The ICO explains that a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data[9 cited 14.8.23]. It means that a breach is more than just losing personal data.
An employer only has to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals; where it decides not to notify, it should still record the breach and the reasoning internally.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned must be informed directly without undue delay.
An employer has to report a notifiable breach to the ICO within 72 hours of becoming aware of it, where feasible; if full details are not yet known, the initial report can be followed by further information as it becomes available.
If an employer is unsure if a breach is serious enough to report, it should use the ICO’s self-assessment tool or contact the helpline for advice.