
GDPR Statement

Introduction

The General Data Protection Regulation (the GDPR) comes into effect on 25th May 2018, and is the biggest change to data protection legislation since 1995.

The regulation updates existing data protection law for the internet age. The full text of the regulation can be found here. For UK businesses, the best source of further information is the Information Commissioner's Office (ICO).

At HR Industries the security of our customers’ data is of paramount importance to us, and critical to the ongoing successful operation of our business. Furthermore, we believe that keeping data secure and complying with current legislation is something we should help our customers do better and more easily, rather than hindering their journey to compliance.

The purpose of this document is to outline areas of responsibility when using Focus Workforce Management software in a post-GDPR world. It should not be considered legal advice, and we always advise our end users to perform their own due diligence in this regard.

This document covers the following topics:

Personal Data
Data Controller
Data Processor
Special Category Data (Biometrics)
More Information and Further Reading

Personal Data

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Where the GDPR expands its reach is in the explicit inclusion of ‘identification numbers’, ‘location data’ and, most broadly, ‘online identifiers’. This means your IP address, mobile browsing data and even the cookies stored on your computer could all be considered personal data.

Data Controller

“[A Data Controller] means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

With Focus, the end user is the Data Controller.

The Data Controller has ultimate responsibility for compliance with the GDPR. Their responsibilities can be broadly described as follows:

  1. The Data Controller determines what personal data is required to perform the various tasks that are needed.
  2. The Data Controller puts in place the means to lawfully collect and securely store the personal data required, using Data Processors where necessary.
  3. The Data Controller manages the relationship with all Data Processors, including using written contracts to formalise responsibilities.
  4. The Data Controller manages the long term security of the personal data, including its removal when it is no longer required.
  5. The Data Controller manages Data Subjects’ rights, such as the Right to Erasure and the Right to Rectification.
  6. The Data Controller will act on any data breach, including where necessary reporting it to the relevant authority (the ICO in the UK).

Data Processor

“[Data] Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

Where customers install and operate Focus on their own servers, they also perform the role of Data Processor. With hosted or cloud-based systems, there are other parties involved. In this case, please speak to your individual distributor about the division of responsibility in place.

There may be occasions where HR Industries or one of our distributors acts as a Data Processor on behalf of a customer. This will typically be done in a technical support capacity, and only at the direct and documented invitation of the customer. We have no ongoing link to the customer’s personal data, and we follow our own rigorous data security guidelines in the cases where we do provide support.

Once we have completed the specific task we have been asked to perform by our customer, we return or securely destroy any personal data that we have been supplied with.

Special Category Data

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”

The GDPR does not allow the processing of Special Category Data unless one of the following conditions is met:

  1. That the data subject has given explicit consent.
  2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment
  3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body
  5. Processing relates to personal data which are manifestly made public by the data subject
  6. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  7. Processing is necessary for reasons of substantial public interest

For Focus, the only element of Special Category Data we deal with is biometric recognition. We use biometrics in certain time and attendance terminals: the employee’s fingerprint, hand scan or face is used as a form of ID.

Security measures for our biometric systems are already in place. The image of a person’s fingerprint, hand or face is not stored as an image; the system stores an encrypted mathematical representation derived from it. In the event of a data breach it would be impossible to recreate any personal information from the information stored in the terminals.

Biometric data can still be used post-GDPR for time and attendance, workforce management or access control. Following direct consultation with the ICO, we have concluded that this can be done without acquiring explicit consent from the employees, because:

  1. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment

Of course this doesn’t affect the employee’s rights under the GDPR, including the Right to be Informed. It simply means that to process biometric data you do not need to obtain and document specific consent. The employee should still be made aware of why you are using biometric terminals (e.g. to record the employee’s time at work, to manage time and attendance), how you intend to use the data (e.g. to process payroll, to perform reporting) and how you will store the data (securely, and for no longer than is required to meet your own responsibilities).

More Information and Further Reading

As mentioned, this document is not intended to serve as legal advice. The single best source of information concerning the GDPR for UK businesses is the Information Commissioner's Office.

HR Industries is committed to the continuing development of Focus so that it remains GDPR compliant, and to ensuring that the software follows a Security by Design model at all times. The security of personal data is everyone's responsibility, and we are doing everything we can to be a help rather than a hindrance in the quest for compliance.
