The 6th June saw Helen Iles, Senior Associate and Head of Training at Hugh James visit the Forum to discuss Data Protection and GDPR. Read our review of the event.
Breakfast review: how protected are you from social and data breaches?
According to Google’s chairman Eric Schmidt, every two days we create as much information as we did from the dawn of civilisation up until 2003. The issue organisations face today is how they manage this information and, more importantly, how they protect themselves from any misuse of it.
Helen Iles, Senior Associate and Head of Training at Hugh James addressed the Forum on both these issues at our most recent Breakfast Seminar.
Over the course of 50 minutes or so, Helen provided an insight that should serve as a wake-up call for all organisations, regardless of size, sector or location.
“Let me introduce you to Miss Morse,” said Helen. Miss Morse is a fictional character based on a real-life scenario in which she is the only female employee in a male-dominated office. Two of her colleagues view and download sexually explicit material from the internet, and Miss Morse subsequently brings a claim against her two colleagues and her employer. So how successful was she, and who was found to be liable?
Under current legislation on vicarious liability, both the two main protagonists and the organisation itself were found to be liable. This, Helen stated, highlighted two very important factors.
First, the downloading of images didn’t need to be brought to Miss Morse’s attention for her two colleagues to be held liable – the very act itself made it so. And second, the organisation was also found to be liable for the actions of its staff.
Helen said: “The law states that anything your people do in the course of their employment is treated as having been done by your organisation, even if you didn’t know what your staff were doing in the first place.”
Another example of this is that of the staff Christmas party where a female member of staff has had a few too many drinks and proceeds to pinch the rear of her male colleagues. “On the basis of this [Vicarious Liability] definition,” said Helen, “the organisation is 100% liable for that female staff member’s behaviour.”
She said it’s about setting the standard of expected behaviour across the people management function and in doing so you as an organisation will be in a stronger position: “Every business is liable, will be liable and will always have their backs against the wall – it’s the steps you take to manage and mitigate that liability that is important.”
This then brings us on to the use of personal data within the organisation. But what exactly is ‘personal data’?
“[Personal data] is classed as anything about a living, identified or identifiable individual,” Helen explained. For instance, personal contact details, bank details or even a CV all fall under this umbrella, and the key issue is the way in which this data is processed.
Under the Data Protection Act there are eight key principles that must be adhered to – one of which is that organisations do not retain the details of an individual any longer than is necessary.
There is a common misconception, Helen said, that organisations are permitted to keep information for up to seven years. But “nowhere in the Act does it either state a seven-year period or any other timeframe for that matter.” What it in fact says is that once the information held no longer has a “specified purpose”, it must be deleted. Under the new GDPR, the penalties for not doing so can be severe.
Since April 2010, the Information Commissioner’s Office has been empowered to issue fines of up to £500,000 for data breaches, irrespective of the size of your organisation, the resources you have at your disposal or the sector you operate in.
However, from 25th May 2018, UK data protection rules are about to change with the introduction of GDPR (the EU General Data Protection Regulation, to give it its full title), which is coming into force despite Brexit.
While the current penalty for data breaches is relatively high, it is a “mere drop in the ocean” compared to the maximum penalty of €20 million under GDPR. Take a simple job application as an example. Under current legislation, you can keep that candidate’s details ‘on file’ so that you can contact them if a suitable vacancy comes up in the future. Under GDPR, this will not be permissible unless you acquire ‘explicit consent’ from the individual.
“There are five key risks your business faces if your staff don’t understand what is expected of them in terms of information management,” said Helen. One of these is defamation.
Helen cited the case of an employee who posted on the then Norwich Union intranet site that one of their main competitors, Western Provident, was in financial difficulties. They weren’t, and Western Provident sued Norwich Union for defamation and won, to the tune of £450,000 in damages.
Staff need to be made clearly aware that the social media policy you have in place applies to both internet and intranet usage. As Helen says, the key message is this: “If you don’t want people to see it, don’t use it, don’t post it and don’t do it…an opinion on somebody is that person’s personal data.”
“Motive,” Helen stressed, “is irrelevant. There is no defence in court for an individual to claim ‘I didn’t mean it’. It is the perception of the victim that is key.” Take the instance of a 65-year-old female employee who was given a birthday card depicting an elderly woman in an uncomplimentary way. The employee took offence, supposing that her colleagues viewed her in the same way as the woman on the card. She found it humiliating and brought a case against her employer for harassment. She won.
Then there was the case of an employee working for Argos who posted on his personal Facebook account that he hated working for the company. He was later dismissed. But even non-verbal posts can have serious implications.
Another case had the same outcome and involved an employee who described their boss as being as useful as a chocolate teapot; a colleague ‘liked’ the chocolate teapot comment and they too were sacked.
The extent to which you as an organisation follow through on your social media policy is an individual decision; you just need to ensure that it is clearly communicated and that everyone within the business understands where the parameters are.
To summarise, Helen highlighted the key ways employers can minimise their risk:
- Clarify what is permissible and what isn’t
- Communicate the consequences for ignoring policy, and
- Warn staff that all communications are likely to be monitored