Last night, I visited a local community café for a fascinating talk about ‘story’. The gist of the evening centred around how humans think and dream in script form rather than in bullet points. A case in point? You dream in vivid, moving events, not static images.
Every part of our lives involves story. Music is the story of events in lyrical form, whilst books and films introduce characters with backstories which shape their character going forwards. An example? In the Harry Potter books, Harry and Voldemort have the same backstory (magical orphans with horrible childhoods who are ‘saved’ by Hogwarts School) but both deal with that in different ways – i.e. one becomes good and one becomes evil.
Everybody has an individual story, whether in their social lives or during their employment. So, why am I going on about ‘story’?
Well, as an Employment Solicitor, I sometimes become a part of the story of employees during their employment whether that be by advising their employer in relation to a flexible working request, pay dispute, drafting their contract or, at worst, advising on a potential disciplinary process (to name just a few). Normal practice would see all of these events recorded in the personnel file of that employee.
I’ve received a lot of queries in the last few months about the incoming General Data Protection Regulations. No doubt this is largely due to the news that the maximum fine under these new Regulations is up to €20 million and the fact that there is already talk of the average fine being around 15 times higher under the new Regulations than the current Data Protection regime.
However, for a sizable number of employers, the main Data Protection risk remains the information within their staff personnel files. Nowadays, personnel files are as likely to be held electronically as physically. Whichever form they take, employers have a continuing obligation to keep that information safe. How does an employer achieve this?
Well, if an employee’s personnel file is stored within a physical file, this should be kept in a locked drawer or filing cabinet and/or in a locked room. It should never be left on a desk where an unauthorised individual can view the information inside or take pictures. Simply leaving the file on a desk and leaving the room, and in doing so allowing an opportunity for an individual to see that information, is a potential Data Protection breach. This is because the information within (i.e. contact information, date of birth, address) is sensitive personal information which is afforded high protection under Data Protection rules.
Likewise, if an employee’s information is held on an electronic database, let’s say an electronic server, then the folder containing that information should be password protected and/or restricted to those who require access. Again, no employee without sufficient authority should be able to access any other individual’s details through a server or electronic database.
Now, there is always the risk of theft and/or hacking attacks, but the Data Protection regime is here to ensure that employers make reasonable efforts to keep employees’ sensitive personal information safe. It doesn’t require Fort Knox, but it does place a duty on businesses to ensure that they do everything reasonably within their power to prevent unauthorised access.
In relation to fines, it isn’t the actual unauthorised access to confidential information itself which is likely to establish liability on its own but, additionally, that the employer failed to reasonably mitigate against that particular risk. So, to use the ‘story’ analogy from the start, it is all about the business’s backstory in terms of what they did to prevent the breach rather than the breach itself.
So there we go, simply keeping sensitive information from employees’ personnel files safe should help businesses achieve their ‘happy ever after’. (Sorry, I couldn’t resist…)