From the recruitment of new employees to termination, employers collect and maintain a wide range of employee data. Data are personal or sensitive information collected by employers, such as an employee's date of birth, medical records and other personal information.
Employers are required by law to safeguard the personal data of their employees by developing security measures to protect employees' data, which include but not limited to developing and drafting policies for data protection, creating a firewall, securing computer systems from hackers and protecting employees' emailing system. This article will explain the concept of data protection as well as explore various ways employers can protect their employees' data.
(a) Personal data or information means any information that identifies a particular person, such as the person's name, address, phone number, bank details, email address, photo, a unique identifier (such as MAC address, IP address, IMEI number, IMSI number, SIM, etc.), physiological factors, and so on.
(b) Sensitive personal data or information is a form of personal data or information that reveals a person's race, ethnicity, sexual orientation, political opinions, religious or other beliefs, trade union membership, criminal records, medical information or other sensitive personal information.
(c) Data subject is a term used to describe the person whose data has been collected and is being processed, which is the employee in this case.
(d) Data controllers and processors are parties that collect, use and process data.
(e) Data processing involves any operation done on an employee's personal or sensitive information, such as collection, storage, maintenance, alteration, deletion, retrieval or destruction of data.
(f) Data breach means any incident resulting to accidental or unlawful unauthorized access, transmission or disclosure of personal data.
While Nigeria is yet to have any strict data protection law, the Constitution of the Federal Republic of Nigeria, 1999 guarantees the protection of an individual's privacy and the recently issued Nigerian Data Protection Regulation (NDPR), 2019, safeguards the rights of data subjects and their personal data. Other relevant laws may include the Cyber crimes (Prohibition and Prevention Act), 2011 and the Freedom of Information Act, 2011.
Data protection is the process of preserving employee data or information from unauthorized access or use. Whenever an employer collects data, data protection must always be applied. This is because without protecting any data collected, anyone can have unrestricted access to an employee's personal information or file.
For instance, if Company A hires Mr. A, Company A obtains certain private information from Mr. A, which Mr. A may not want to disclose to anybody. This information includes Mr. A's full name, race, religion, beliefs, sexual orientation, date of birth, residential address, medical records, identification card, criminal records, and other private or sensitive information. Therefore, the law requires Company A to develop guidelines to protect this information from unauthorized access
Employers are required by law to develop a set of rules, policies, and procedures for employee data protection. An organization may do so in the Employee Handbook or Employment Contracts or their Employee Privacy Policy book. The data protection policies simply define the type of information the employer collects or stores and describes how the organization will protect this information. The policy should state the purpose of the data collection as well as prohibit unauthorized access or transmission of employee personal data.
It is important to comply with all laws relating to data security and ensure that the data policies and procedure of the organization complies with these laws. The laws may state the type of information that can be collected and how it can be stored and processed. For instance, the NDPR regulation states that before processing a person's data, the consent of the data subject must be obtained.
Employees' records such as, date of birth, medical records, contact addresses are private information that should be stored properly to avoid data breaches. Electronic records should be encrypted and passwords should be protected and maintained on a secure server. Employers should create or install firewalls on their computer systems to protect their computers from unlawful access. Paper records or files should be stored in a locked or secured system. In other words, this information should be stored in places that can not be accessible to others.
As an employer, it is important to restrict people's access to your employees' data. One way to do that is to ensure that only persons who require these data should have access to it. For example, the human resources person and the management of an organization should only be given access to an employee's information.
Employers should train their human resources persons, supervisors and other persons in charge of employee data storage and maintenance on their data security policies. Employers can also organize training and seminars on data protection rules and guidelines. These employees should be taught how to store personal data properly, manage security breaches, and dispose of data properly.
Once you have proper security systems in place, the next step to take is to monitor the information to ensure that all employee data remain secure. Monitoring means constantly checking the storage system to ensure that no one gains unauthorized access to the data and ensuring that the security systems are working perfectly. You can also take steps to improve the security system by changing any storage system that is outdated or not working properly and replacing them with more sophisticated ones.
At the end of an employment relationship, employers should dispose of the employee's information properly. This may include burning, shredding or simply deleting and destroying them.
With the data breaches on the rise, it has become extremely important for employers to develop data protection mechanisms to ensure the security of their employees' private information. This can be done by creating data protection policies and guidelines, ensuring that storage systems are properly secured, limiting access to employees' data, and checking their security systems regularly to make improvements where necessary.
Vivian Umelue is an attorney and legal templates programmer at Wonder.Legal and is based in Nigeria.