Data protection in the workplace is an area of growing significance as the collection, storage and processing of personal data has become increasingly integral to the operation of businesses as a whole. Consequently, it is essential for businesses to ensure that their workforce operates in a way that complies with the UK data protection regime, as set out under the Data Protection Act 1998 (DPA). Businesses cannot constantly scrutinise and watch over their employees and their actions; this is not feasible from a practical perspective, nor in the interests of efficiency and productivity. To remain compliant, a key element is the need to create a workplace culture of data protection and security. In order to achieve this, businesses need to provide adequate training and support to their staff and implement appropriate systems and security throughout the workplace.

General principles

In order to establish a workplace culture of data protection, businesses first need to consider exactly how their particular operational structure fits in with the data protection regime and what steps they need to take in order to ensure effective compliance.

The DPA obligations are particularly key in relation to the collecting, processing and storing of personal data; higher obligations apply when dealing with sensitive personal data.  Businesses may become involved in processing personal data in a wide variety of different situations, which include:

  • dealing with customer or client data;
  • handling data of other third parties such as contractors, suppliers, distributors and so on;
  • processing personal data relating to other internal staff members, such as benefits and payroll; and
  • storing and maintaining internal HR records and files, including background, criminal records and right to work checks, along with disciplinary records.

It is important that businesses identify the situations in which they will be processing personal data and appreciate that the type of data being processed, and therefore the nature of the protection measures which should be implemented, may vary accordingly. For example, HR departments dealing with the personal data of internal workers will, in many cases, be processing "sensitive personal data" and, consequently, may have to take into account additional regulatory requirements (such as the need to obtain the individual's consent to the processing). Where employees are working on contracts or projects that involve processing third party information, such information may similarly pose difficulties and attract higher obligations.

Specific issues may also arise for larger, multi-national businesses, particularly those with operations outside of the EEA. These organisations will also need to consider potential restrictions on transfers of personal data, even within the corporate group, if these cross into jurisdictions outside of the European data protection regime.  There may also be a need for additional storage and processing facilities in certain jurisdictions, as is likely to be the case in Russia, for example.

Cloud storage also poses difficulties in terms of complying with data protection obligations, both in terms of security obligations and any additional jurisdictional requirements, and businesses and their employees alike should be alive and alert to the issues with this method of data storage.

Businesses which have located or outsourced certain aspects of their operational structure to other jurisdictions, including cloud storage arrangements, will need to ensure that their employees understand the applicable restrictions on transferring personal data to these regions.  Businesses will also need appropriate systems in place for regulating such transfers. In the absence of such measures, staff may not appreciate the full consequences of such transfers especially when, in their own mind, such transfers are effectively within the business itself.  This is particularly an issue for cloud storage and for centralised data storage systems used by multi-national companies.

Training

It is fundamental that the workforce understand the obligations regarding data protection and security for the business as well as their personal obligations under the DPA. At the heart of this is the business's data protection policies. These policies should act as detailed guides explaining responsibilities of both the business and the individual under the DPA in a manner that is clear, concise and easy to understand.  These policies should be regularly reviewed and updated to ensure that they adequately reflect what is likely to be a continuously changing regulatory landscape.

As obvious as this may sound, it is also essential that employees actually read, understand and implement these policies. Therefore, it is best that such policies are provided to any worker at the outset of their engagement and good practice would be to ask employees to sign an acknowledgement that they have read and understood the policy and their obligations under it.

Businesses should also provide initial training to their workforce regarding the specific data protection risks and obligations relevant to that business and arrange for updates or refresher sessions where necessary. Given that the particular considerations to be taken into account when dealing with personal data may vary depending on which part of the business a particular worker is involved in, businesses may wish also to provide role-specific training in certain specialised areas, such as HR.  Training should be maintained and reinforced, both to keep data protection at the forefront of employees' minds when working and to make sure employees are aware of any developments within the law.

Particularly where businesses routinely engage agency workers or independent contractors (very common in certain sectors), businesses should consider how to ensure that independent contractors, consultants, agency workers and other workers such as apprentices or interns are made aware of, and required to comply with, the business's data protection policy.

One way of achieving this would be to issue the data protection policy routinely to any worker, irrespective of their status or label, and to require compliance with the policy. Any handbook should make clear that certain policies, including the data protection policy, will apply to independent contractors and so on as well as to employees (to avoid employment status issues) and, again, good practice would be to ask workers to sign an acknowledgement that they have read and understood the policy and their obligations under it. Businesses should also consider making compliance with data protection a term of any master services agreement, consultancy contract or other relevant agreement.

Systems and security

As part of their obligations under the DPA, businesses are required to ensure that any personal data which they are processing is protected by adequate security measures. The security measures include both digital and organisational systems designed to prevent any breaches of data security.

In the case of data stored electronically, such measures will consist of having adequate firewalls, encryption and digital protection, both in relation to data stored on the business's internal hard drives or servers and in relation to any file-transfer or email facilities used. As regards internal storage, businesses should consider where data should be saved and stored: for example, will all computers and laptops be on a network; will staff be encouraged to save all data to the network or will they be permitted to save data to their personal drive or computer; and what are the associated risks for the business in doing so?

Critically, businesses should ensure that staff are made aware of the need to follow such security measures.  In particular, businesses should make clear to their employees that the use of less secure file transfer facilities such as Dropbox, Google Drive and personal email accounts may potentially put the security of that personal data at risk and be in breach of the business's obligations under the DPA.

Guidance on the use of such systems should be reflected in the data protection policies and provided in any initial systems training at the outset of any member of staff's engagement. Businesses should consider implementing a standard document transfer procedure, including preferred file transfer sites, as this should reduce the likelihood of staff members using more risky methods of data storage and transfer.

Particular consideration of these security obligations will be required where businesses allow or require staff to use personal laptops or other devices in performing any duties involving the processing of personal data. Businesses with home workers, flexible workers or remote workers are particularly at risk here, given there may be no home office or physical supervision, and businesses should consider additional measures in order to comply with their obligations under the DPA.

Businesses should identify the additional security risks involved and ensure that adequate security measures are in place in respect of any personal devices. Businesses may wish to provide for any remote access to company files to be restricted to online server access or, to the extent that this facility is not available, provide for remote hard drive deletion facilities in the event that such devices are lost or stolen.  At a basic level, employees should be required to keep data physically secure (i.e. to keep any laptop or documents in a secure location, not to leave the laptop or documents vulnerable to theft or distortion and so on), and also to protect the data and its location with passwords and other appropriate security methods.

In addition to any software-based security measures, businesses must also ensure that there are adequate practical and organisational systems in place to protect the security of personal data. These organisational measures may consist of providing employees with appropriate reporting lines for data protection queries or for suspected breaches. Organisations may also find it useful to appoint a specific data protection officer within the organisation to deal with any such queries and manage communication with the ICO. Businesses should consider any powers they may have to monitor employee activity in general, and any software or practical measures they could put in place to monitor and track the transfer and processing of data. Given the risks associated with breaches and the speed with which information can be transferred and disseminated, businesses should also be considering any relevant measures for enforcing the policy and evidencing breaches (see 'Investigating employee misuse of data').

Creating a workplace culture of compliance is key for businesses in relation to their data protection obligations and there are many different elements to consider when building and maintaining such a culture.  Companies should be looking at the risks and requirements specific to their business, sector and clients, and developing a tailored data protection policy and systems in order to best meet their needs and obligations.