Company Privacy Policy: A Case Study

By: Kevin Watson MSc - Updated: 25 May 2018

Louise Klaust is the Head of Human Resources at a major business. When she joined the company a few years ago, she was surprised it didn’t have a privacy policy for staff.

Lack of a Policy

“The company had a privacy policy for customers and one for its website. I could find little about employee privacy, however, except in a staff induction document.

“I arranged to speak to the board of directors. I outlined the need for an employee privacy policy, referring to both the Data Protection Act, and the Freedom of Information Act. I also emphasised the need to clarify staff rights, and the company’s obligations. The board agreed that I should write an employee privacy policy. I set to work and produced a draft document.

The Draft Policy

“The first heading was about the law. This included full references to the legal basis of the policy. The second heading was about the information the company held about employees. This covered everything from names and addresses to staff appraisals; interview notes from promotion hearings; and relevant medical details.

Retention and Maintenance of Information

“I wanted the next section to deal with the way the company retained employee information, and how it updated and removed it. First, though, I had to review the company’s procedures. All in all, I found the procedures secure. They gave the basis for explaining in the policy what happened to information given by each employee, and to the details gathered from elsewhere.

Access to Information

“In the following part of the privacy policy, I wrote about access to employee details. From experience, I knew this was a key aspect. Employees rightly want to know who can access their information and how. I began with the right of the police to see personal information in the pursuit of criminal enquiries. I then went on to stress the secure measures the company had in place to prevent access by other third parties.

“This led to the right of an employee to see his or her personnel file. I explained how to go about asking for sight of the file, and how to correct the details in it. I also wrote about the mediation process employees could use if they had concerns about anything on their files.

Putting the Policy Into Effect

“I gave the draft to the company solicitor. I wanted to ensure the privacy policy was legal and had suitable wording. The solicitor made some helpful suggestions. Once I’d added these, I presented the draft policy to the board. The reception was encouraging. I therefore proposed to run the policy by the staff. The board agreed. The employee response was good. Some even commented that they hadn’t appreciated what their rights were.

“The final stage was to publish the privacy policy on the company’s intranet so that all staff could view it. I also sent an email to staff. This asked each of them to confirm in writing they had read and understood the document. I believe the exercise was a positive step in improving employee relations with the company. It was also a useful way of checking that the company’s retention of personal information was legal and secure.”

NB: The EU General Data Protection Regulation (GDPR) superseded the UK Data Protection Act 1998 on May 25, 2018. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.

Organisations are obliged to have technical and procedural measures in place to safeguard the personal information they hold. If you do not believe that an organisation that you have entrusted your records to is behaving responsibly, you have cause to complain to them, or ultimately to the Information Commissioner.
