The nature of the UK's future relationship with the EU is yet to be determined, but local authorities should still be taking steps to prepare for the incoming General Data Protection Regulations (GDPR).
The new measures - formally adopted last summer and fully applicable from May next year - change the rules around the handling of personal data. To comply, most organisations will need to make considerable improvements to the way they collect, store and disclose personal information.
An obvious focus for local authorities has been addressing the management and governance of large quantities of sensitive, personal citizen data. However, it's important for councils to remember that the new rules covering employee data are just as stringent and will carry the same severe penalties if breached.
According to the latest figures from ONS, 2.1 million people are currently employed by local government. The onus is on councils to ensure their data handling policies and procedures as major UK employers are prepared for the step change.
Here are three key considerations for local authorities looking to update the way they handle employee data after GDPR comes into effect:
1. Check the wording of employment contracts
The standard 'consent to process data' clause that features in most employment contracts is unlikely to be sufficient after the GDPR come into force. Local authorities will need to consider alternative ways of obtaining more explicit and detailed consent from employees. This is likely to take the form of a separate document, which will also need to outline a mechanism for employees to retract their consent, which they will have the right to do at any time.
2. Streamline internal HR processes
The incoming regulations will reduce the amount of time which an employer has to respond to 'data protection subject access requests' ("SARs"), from the current 40 days to one month. Dealing with SARs is a time-consuming process and local authorities will need to ensure their HR teams make the processes required to deliver this more efficient to meet the more stringent timeframes.
3. Be aware of the new rights the regulations afford employees
The introduction of a new 'right to be forgotten' rule will limit councils' ability to retain employment records and information. It will allow ex-employees to request all of the data their former employer holds on them to be erased. It's an area that could cause a clash between good data protection practice and the need for awareness of historic disciplinary issues and working arrangements. Taking steps now to amend current HR procedures to account for a potential lack of information will soften the blow once the GDPR comes into force in eight months' time.
Mark Leach is a partner and employment law specialist in Weightmans LLP's local government team.
