DATA PROTECTION IN THE EMPLOYMENT & PENSIONS SECTOR
Privacy laws are more relevant today than they were before and in the world of today personal data is regarded as a valuable asset. This is seen in the Data Protection Act (the “Act”) which was assented to on the 8th of November 2019 and came in to govern what was otherwise a lawless regime. Numerous sectors within the country have felt the far reaching effects of the Act. It has numerous objectives including giving effect to Article 31 of the Constitution on the right to privacy, regulation of the processing of personal data and providing for rights of data subjects.
In the employment and pensions sector, personal information is frequently collected. It could be applicants providing their personal information when filling out a job application. It could be a member in a pension scheme giving out information on their next of kin for purposes of the Nomination of Beneficiary form. It could be payroll information, leave or medical information, residential data. All these are considered personal data and any processing of the same is now regulated under the Act. Processing of data can be via collection, storage, use, disclosure or destruction of personal data.
Employers and Scheme Trustees qualify as data processors under the Act. With the role, comes the responsibility to comply with the data processing principles set out in section 25 of the Act. These principles include processing data in accordance with the right to privacy, ensuring that personal data is collected only for a necessary and legitimate purpose & providing valid information to the employee before collecting personal data.
Trustees and employers will need to take additional steps as data processors in order to ensure compliance with the Data Protection Act. Below are examples of a few that can be implemented to ensure compliance.
a) Ensuring that employees and members are aware of the rights availed to them under the act.
- the right to be informed of the use to which their personal data is to be put;
- the right to access their personal data in custody of data processor;
- the right to object to the processing of their personal data;
- the right to correction of false or misleading data; and
- the right to deletion of false or misleading data about them.
b) Registration as a data processor. Section 18 of the Act requires all data processors to be registered with the Data Commissioner as per the prescribed thresholds required for mandatory registration. As the thresholds are yet to be prescribed, the requirement for mandatory registration is not in place yet. Employers and Scheme Trustees should however ensure that they have all the information required for the application such as a description of the personal data that will be processed, the category of data subjects and a description of safeguards and security measures put in place to ensure protection of personal data.
c) Safeguards & Security Measures. For purposes of the application for registration as a data processor, safeguards and security measures will have to be put in place to ensure that the personal data of employees is protected. Some of these measures can include having an up to date data security policy that is regularly circulated, encrypting of employee data, password management & multifactor authentication. The relevant policies, procedures and practices will have to be redrafted, implemented and maintained in accordance with the Act. Employers should also audit their data management processes to regularly test, assess and evaluate the effectiveness of the security measures.
d) Consent Checklist. Consent is a very important aspect of the Act as personal data should not be processed unless it is collected directly from the subject and with their consent. Consent must be express and informed. The employer can therefore use the following employment consent checklist in relation to personal data:
- implement a process for identifying circumstances in which the employer may need to rely on consent to process personal data;
- implement a process to maintain a written record of all consent the employer has obtained in relation to each processing; and
- implement a process to manage consequences of withdrawal of consent where it is relied on.
e) Legal Obligations & Legitimate Interests. Personal data should only be collected where it is absolutely necessary and be in the least intrusive manner possible. It should also only be processed for purposes of complying with a legal obligation and for a legitimate interest except where the interest overrides the interest of or the fundamental rights of the employee.
f) Data Protection Clause. Relevant documents such as employment contracts and trust deeds should be amended to include data protection clauses. The clause can provide for elements such as the duration of processing of the data, the nature and purposes of processing, types of personal data and the relevant Data Subjects. This clause should also apply to third party agreement such as those with scheme administrators, fund managers & custodians.
g) Collective Bargaining Agreements. Trade unions are likely to initiate claims that exercise employees’ rights under the Act. For purposes of protecting their members, collective bargaining agreements between employers and trade unions may be amended to include additional or stricter requirements for processing of personal data.
h) Relationship with Sponsor or Founder. Employers frequently give Scheme Trustees personal data on an employee for the purposes of administration of the scheme. There should be in place a protocol, policy or agreement which formally documents the ways in which personal data will be shared between the trustees and the sponsoring employer.
In conclusion, it is clear that the impact of the Act will be felt and therefore employers and scheme trustees should be ready to comply with it. By following the steps set out above, one will surely be one step closer to the required compliance.