Sometimes an employee of your organization may ask to see the personal data you hold about him or her. Such requests are known as Subject Access Requests. “Personal data” is not just a figure of speech - it’s also a precise legal term, and one that corporate policy has to get right.
For example, you may think that your name is personal data because it’s information that other people and organizations use to identify you. However, by itself, your name is not always personal data, because there can be many people in an organization with the same name. A combination of your name and other information that makes you uniquely identifiable, for example your name, address and telephone number, does constitute personal data.
The Data Protection Act 1998 is the UK law that deals with the collection, protection and processing of personal data (it has since been replaced by the Data Protection Act 2018 and the UK GDPR, which carry the same right of access forward). It defines eight principles that organizations need to understand and adhere to in order to ensure lawful handling of personal information.
Your company starts to collect personal data about the employees from the moment they apply to work for the organization.
Personal data is not limited to obvious personal information such as name, address, or date of birth. It also includes employment history, training records, disciplinary actions, external website usage and more. This data can be held in a variety of media - from print to electronic sources.
Under the Data Protection Act 1998, employees have the right to know what information their employer collects about them, and they also have the right to access that information.
While this may seem easy on the surface, it’s not. For example, during an employee’s tenure, an organization is likely to collect an array of information about the external online resources that the employee has access to, such as website analytics, stock photo websites, news and blogs. This is a large volume of information, and access to social media poses a further challenge. The organization may also store personal data in many places: central servers, individual computers, USB keys, external hard drives and mobile devices. Answering a request means locating and collating the data from all of them.
Organizations often use personal data to plan how to reach business goals, for example by analyzing the relationships their employees have with customers, vendors, and employees of other organizations. A sales manager may want to know which salespeople have a background and connections in a certain industry before sending them to that industry’s trade show.
An organization may also use personal data to identify employees that pose risks to the organization or, on the opposite end of the spectrum, are the best candidates for promotions.
Some of the recent issues around the privacy of employee data have arisen from employer health programs. According to an article in Fast Company Magazine called “How Fitbit Became the Next Big Thing In Corporate Wellness,” employers around the world are providing their employees with activity trackers to promote exercise and healthy lifestyles, which, the article argues, decreases the rates of obesity, diabetes and cancer and boosts employee productivity.
In the United States, Fitbit’s corporate customers include BP, Bank of America and IBM. The retail giant Target agreed to offer 335,000 Fitbit trackers to its employees as part of its health program. Barclays offered the trackers to 75,000 employees.
These are just a few examples of programs that bring sensitive privacy and personal data handling issues with them. For this reason, you want to be sure that you know what the law states when it comes to employee data, subject access requests, and processing them properly.
Ibec, a business and employer association for organizations based in Ireland, stated in an article from 2016 that the Data Protection Commissioner has observed a steady rise in the number of subject access requests in recent years. Most of them arise from complaints by individuals after “relationship breakdowns.” If you want to avoid costly lawsuits and inquiries from the regulator about the way your organization handles personal data, you need to make sure that you process every subject access request as the law requires.