The Draft Policy

“The first heading was about the law. This included full references to the legal basis of the policy. The second heading was about the information the company held about employees. This covered everything from names and addresses to staff appraisals; interview notes from promotion hearings; and relevant medical details.
Retention and Maintenance of Information

“I wanted the next section to deal with the way the company retained employee information, and how it updated and removed it. First, though, I had to review the company’s procedures. All in all, I found the procedures secure. They gave the basis for explaining in the policy what happened to information given by each employee, and to the details gathered from elsewhere.
“This led to the right of an employee to see his or her personnel file. I explained how to go about asking for sight of the file, and how to correct the details in it. I also wrote about the mediation process employees could use if they had concerns about anything on their files.
NB *The EU General Data Protection Regulation (GDPR) superseded the UK Data Protection Act 1998 on May 25, 2018. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.
Organisations are obliged to have technical and procedural measures in place to safeguard the personal information they hold. If you do not believe that an organisation that you have entrusted your records to is behaving responsibly, you have cause to complain to them, or ultimately to the Information Commissioner.