HR data security principles; how to include them in 'business as usual'

HR data security, the need to protect personal data, impacts many HR activities daily, from recruitment, performance management, health and reward to the need to know an employee’s next of kin. While it’s important that employers have a good grasp of data protection principles, the real challenge for HR departments will be in making sure that acting on those principles is ‘business as usual’.

Employers should have the following in place:

  • Privacy Statement.
  • A separate recruitment Data Privacy Statement for applicants.
  • Up to date employment contracts, covering data privacy obligations.
  • Data Protection Policy.
  • Data Retention Policy.
  • Updated contractor/consultant agreements that include a data processing agreement.
  • Data processing agreements with third parties who process your employee data – e.g. pension and other benefits providers, IT support.

HR departments will want to regularly audit their HR data security practices and also work closely with other functions, such as IT and Company Secretarial, to make sure they can properly respond if any problems do arise, e.g.:

  • Review data security provisions and consider issues that could arise from the receipt, storage or other processing of personal data.
  • Review all data breach reporting mechanisms to test your ability to report a data breach within 72 hours.
  • Test your ability to respond appropriately to a subject access request (SAR) within one month.
  • Issue guidelines and training for employees and line managers about how to manage personal data.

Easing the personal data management burden

There are various low-cost systems that can reduce the administrative burden of collating, storing, maintaining and deleting personal data and give employers added assurance about the security of their data processing.

The most commonly used of these include:

Applicant Tracking System (ATS)

An ATS is used to support the recruitment and hiring processes and helps companies to collect, organise and filter applicants.  When an employer receives a CV, they are receiving personal data about the applicant and need to process it in a compliant way.

The benefits of an ATS include:

  • An online portal for candidates to easily submit their CV and contact data.
  • Recruiting managers access candidate details through the portal – no need to circulate CVs or hold them on laptops or shared folders.
  • Shortlisting, candidate contact, interview scheduling etc. is all done through the portal.
  • Historical data is automatically deleted.
  • The candidate is in control of their data and can withdraw their information at any time.
  • The ATS can be linked to the company careers page so that agencies can also submit candidates’ details into the same portal, putting all data in one place.
  • Some provide access to additional services, e.g. online testing.
  • They can link to HRMS for pre-employment onboarding and auto-population of core data fields.

HR Management System (HRMS)

During an employee’s time with a company, a wide range of information about them will be collected, shared and updated, from their address, bank and pay details to information about their health, performance and conduct. Data protection principles apply to all such data, and an HR Management System is a great way for employers to control it.

The benefits of an HRMS include:

  • Access to data is managed through security protocols on a ‘need to know’ basis.
  • Self-service access gives employees visibility of and control over much of the personal data held on them.
  • Data can be quickly and easily accessed, deleted or corrected.
  • Employee data is kept in one place.
  • Documents can be held in the same system – e.g. employee handbook and policies.
  • Additional features are often available, e.g. holiday booking, attendance recording, performance management and reporting.
  • Cloud-based systems can be easily accessed.

HR Data Security and Payroll Systems

With the proliferation of low-cost, cloud-based payroll software options on the market, there is no excuse for employers to still be emailing (or, worse still, printing) payslips. In addition to ensuring accurate payroll, tax and pension calculations, a good payroll software system will:

  • Give every employee access to their own pay information, 24/7, through a secure, password-controlled portal.
  • Provide secure links for data reporting to HMRC, Finance functions and some benefit providers.
  • Offer self-service options to reduce the administrative burden on payroll.

Data management systems such as these are available at a surprisingly low cost. They not only help companies comply with GDPR, but they also help with the administrative burden that goes with employing people.

If you are an SME who would like more information or help on working with GDPR, or on introducing people related software, please get in touch with our HR Services team at
