Human Resources and Payroll Data Protection Policy

Introduction                           

Purpose

HR and payroll are dedicated to maintaining transparency about how we collect and use personal data throughout the employment lifecycle. 

This policy applies to the personal data of job applicants, employees, workers (including agency workers), volunteers, apprentices, work experience students and former employees, referred to as HR and Payroll related personal data. This policy does not apply to the personal data of clients/customers or other personal data processed for business purposes.

Arun District Council (ADC) has appointed the group head of law and governance as its data protection officer. Their role is to inform and advise the organisation on its data protection obligations. 

Questions about this policy or requests for further information should be directed to the HR manager or payroll manager.

Definitions

"Personal data" The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier (the data subject).

This definition provides for a wide range of personal identifiers to constitute personal data, including, but not limited to; name, identification number or payroll number, location data or online identifier, reflecting changes in technology and the way an organisation collects information about people.

 "Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or a person's sex life or sexual orientation.  

"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data protection principles

We process HR and payroll related personal data in accordance with the following data protection principles:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purpose.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject; and
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

ADC tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notice. It will not process personal data of individuals for other reasons. Where we rely on its legitimate interests as the basis for processing data, it will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.

Where we process special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with the privacy notice on special categories of data and criminal records data.

The organisation will update HR and payroll related personal data promptly if an individual advises that their information has changed or is inaccurate.

Personal data gathered during the employment, worker, contractor or volunteer relationship, or apprenticeship will be held in electronic format, and on HR systems. The periods for which the organisation holds HR and payroll related personal data are contained in its privacy notices to individuals and in the retention of documents section of this policy.

ADC keeps a record of its processing activities in respect of HR and payroll related personal data in accordance with the requirements of Article 30 of the General Data Protection Regulation (GDPR).

Individual rights

As a data subject, individuals have a number of rights in relation to their personal data.

Subject Access Requests

Individuals have the right to make a Subject Access Request. If an individual makes a Subject Access Request, ADC would be able to confirm:

  • whether or not their data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual
  • to whom their data is or may be disclosed and the safeguards that apply to such transfers
  • for how long their personal data is stored (or how that period is decided)
  • their rights to rectification or erasure of data, or to restrict or object to processing
  • their right to complain to the Information Commissioner if they think the organisation has failed to comply with their data protection rights; and
  • whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making
  • ADC will also provide the individual with a copy of the personal data undergoing processing, if requested

If the individual wants additional copies, ADC will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.

To make a Subject Access Request, the individual should use Arun's e.form for making a Subject Access Request which can be found on the council’s website. In some cases, we may need to ask for proof of identification before the request can be processed. We will inform the individual if verification of their identity is needed and the documents required.

ADC will normally respond to a request within a period of one calendar month from the date it is received. In some cases, such as where the council processes large amounts of the individual's data, it may respond within three months of the date the request is received. The council will write to the individual within one month of receiving the original request to tell them if this is the case.

If a Subject Access Request is manifestly unfounded or excessive, ADC is not obliged to comply with it. Alternatively, the organisation can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A Subject Access Request is likely to be manifestly unfounded or excessive where it repeats a request to which the council has already responded. If an individual submits a request that is unfounded or excessive, the council will notify them that this is the case and whether or not it will respond to it.  This decision will be based on ICO guidance which can be found in the ICO’s Subject Access Code of Practice.

Employees may request to view their electronically held HR file. To do this, the employee should email AskHR with their request giving at least 24 hours’ notice so that HR can arrange authorisation to access to the file. 

Other rights

Employees have a number of other rights in relation to their personal data. In summary, the GDPR provides the following rights for individuals: -

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

To ask the council to take any of these steps, the individual should send the request to the HR manager.  Any decision to refuse a request will be taken in consultation with the data protection officer.

Data security

ADC takes the security of HR and payroll related personal data seriously. The council has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. Data relating to employees is held electronically and access is restricted and limited to those who need to access the information in the course of their duties.

Where the council engages third parties to process personal data on its behalf, such parties do so based on written instructions through an information sharing agreement, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Impact assessments

Some of the processing that the organisation carries out may result in risks to privacy. Where processing would result in a high risk to individual's rights and freedoms, the council will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data breaches

If the council discovers that there has been a breach of HR and Payroll related personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The council will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

International data transfers

The council will not transfer HR and payroll related personal data to countries outside the EEA.

Individual responsibilities

Individuals are responsible for helping the council keep their personal data up to date. Individuals should let human resources or payroll know if data provided to the council changes, for example if an individual moves to a new house or changes their bank details.

Other individuals such as line managers, directors or trade union representatives may have access to the personal data of other employees in the course of their employment, contract, volunteer period, or apprenticeship. Where this is the case, the council relies on individuals to help meet its data protection obligations to staff.

Individuals who have access to personal data are required:

  • to access only data that they have authority to access and only for authorised purposes.
  • not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation.
  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).
  • not to remove personal data, or devices containing or that can be used to access personal data, from the organisation's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.
  • not to store personal data on local drives or on personal devices that are used for work purposes; and
  • to report data breaches of which they become aware to the Data Protection Officer immediately emailing Infomanagement@arun.gov.uk

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the council's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

Training

The council will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional support to help them understand their duties and how to comply with them.

Retention of Documents

There’s a substantial amount of UK and EU legislation that has an impact upon the retention of HR and payroll related records.

These records can generally be split into two categories: -

  • records where there are statutory retention periods, with the statutory authorities
  • records where there are no statutory retention periods, with recommended retention periods

Please refer to the table below for the types of records that HR and Payroll hold and the corresponding retention periods.

Statutory Retention Periods
 
Statutory Retention Periods
Type of record Retention period
Formal performance monitoring and review. 6 years after the record was created.
Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH). 40 years from the date of the last entry.
Medical records containing details of employees exposed to asbestos and medical examination certificates. Medical records - 40 years from the date of the last entry.
Income tax and NI returns, income tax records and correspondence with HMRC. Not less than 3 years after the end of the financial year to which they relate.
National minimum wage records. 3 years after the end of the pay reference period following the one that the records cover.
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity. 6 years from the end of the scheme year in which the event took place.
Statutory Maternity, Adoption and Paternity Pay records, calculations, certificates (Mat B1s) or other medical evidence. 3 years after the end of the tax year in which the maternity period ends.
Wage/salary records (also overtime, bonuses, expenses). 3 years after the end of the pay reference period following the one that the records cover.
Working time records. 2 years from date on which they were made.
Non-statutory Retention Periods
Non-statutory Retention Periods
Type of record Retention period
Application forms and interview notes (for unsuccessful candidates). 6 months. 
Assessments under health and safety regulations and records of consultations with safety representatives and committees. 6 years after employment ceases.
Inland Revenue/HMRC approvals. Permanently.
Money purchase details. 6 years after transfer or value taken.
Parental leave. 18 years from the birth of the child.
Pension Records. Permanently.
Personnel files (including grievance records) and training records. 6 years after employment ceases.
Disciplinary records. For the duration of the investigation or disciplinary sanction.  (Anonymised information may be retained to enable reporting of equal ops data or FOI requests).
Redundancy details, calculations of payments, refunds, notification to the Secretary of State. 6 years from the date of redundancy.
Statutory Sick Pay records, calculations, certificates, self-certificates. 6 years.
Trade union agreements - including minutes from the CEO/Unison Consultation and Liaison Meetings. 10 years after ceasing to be effective.

October 2024