DATA PRIVACY IN HUMAN RESOURCE
- Collection, recording, organization, structuring
- Storage, adaptation, or alteration
- Retrieval, consultation, or use
- Disclosure by transmission, dissemination, or otherwise making available; or
- Alignment or combination, restriction, erasure, or destruction.
Human resource professionals are involved in data processing. They come into contact with employees' data, which is usually personal and confidential. The Data Protection Act provides regulations for processing personal data, the rights that data subjects have over their own data, and the obligations of data controllers and processors. Data privacy ensures that data is processed in a manner that protects the privacy of the data subjects. Previously, data subjects had no control or rights over their own data, including sensitive data. The Act has now given data subjects rights and remedies for protecting personal data from any processing that may not be in line with the requirements of the Act. Data privacy provides that personal data should be:
▪ Processed in accordance with the right to privacy of the data subject;
▪ Collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes;
▪ Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
▪ Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
▪ Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
▪ Kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
▪ Not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
Every data subject has the following rights under the Data Protection Act:
▪ To be informed of the purpose for which their data is to be used.
▪ To access their personal data.
▪ To object to the processing of all or part of their data.
▪ To the correction of false or misleading data and to the deletion of false or misleading data about them.
In this era of information technology, HR professionals have become more exposed to information management systems, which have increased both their access to personal data and the frequency with which they process it. One example is the use of an HRMIS to process payroll, recruitment, leave, biometric data, staff training, performance appraisals, background checks, and medical insurance, alongside other systems that are used to process employee data. Information technology has also increased the exposure of information systems to cyber threats: the automation of HR processes has exposed the personally identifiable information entered into these systems to cyber-attacks.
Research in information security has shown that people are the weakest link in an organization's information security controls. Awareness is therefore key to curbing cybersecurity flaws and should especially target HR professionals.
Failure to comply with the Data Protection Act has consequences for the organization, its staff, and the data subject.
To the Organization
▪ The organization may face heavy penalties and fines of up to 2% of the previous year's turnover.
▪ It may cause a huge reputational risk to the organization.
To the Staff
▪ It may lead to disciplinary measures which may cost them their job as well as their reputation.
To the Data Subject
▪ The data subject's reputation may be affected, depending on the data that has been exposed.
- Creating awareness by training staff on Data Privacy.
- Consider implementation of ISO 27001 for Information Security and extend the security controls to address Privacy (ISO 27701).
- Defining Roles, Responsibilities and Authorities for Data Privacy.
- Consider conducting Compliance Assessments regularly based on Data Protection Act.
- Conducting a Privacy Impact Assessment on its processes