The Data Protection Act has given Human Resourcing a lot of extra work since its introduction in 1998, but 12 years later with several high-profile cases of data loss, protecting data is still an important issue.
There have been horror stories regarding data loss over the past decade that would have been hard to miss: The Ministry of Defence lost 600,000 Army recruits’ personal records in 2008; information on 35 million child benefit claimants was lost by the government; and Marks & Spencer lost the details of 26,000 employees in 2007, all due to laptops or discs being stolen. The government has also called for a restructuring of the way in which its staff handle information security, and so data protection still seems to be a big issue for everybody.
But what has been learnt over the past 12 years? And what does this all mean for Human Resourcing?
Data protection is thought to be extremely important in the employer-employee relationship. After all, the access allowed to, and security of, employees’ personal information affects the extent to which employees will trust their employers. If it is not taken seriously, data security can damage this vital relationship.
In terms of Human Resourcing, it has been argued that its role of acting “rock solid” is crucial in ensuring that thorough records are kept and that there are clear policies on how information should be handled by staff. The Data Protection Act has encouraged this, but even after a decade of legislation the care with which these things are done has not been sufficient in all companies, as the horror stories described above demonstrate. As a result, the Information Commissioner is planning more spot checks.
A review of information security in the government has called for mandatory annual training for those dealing with personal and confidential data, although some question: shouldn’t that have been happening already? An employment lawyer at Morgan Cole, Annabel Field, says that training often only occurs at management level, and information about data protection ends up never filtering down to subordinate employees. She adds that junior workers can end up having access to an extraordinary amount of information without the right training to deal with it.
The conclusion is that training on data protection needs to be applied across the entirety of a company and its staff; there is still a lot to learn in order for data protection to be refined.
What to do in case…
In case of data loss, one admirable model for dealing with the aftermath is how Marks & Spencer coped with its crisis.
After the event, M&S:
1. sent letters to the affected staff explaining what had happened, all within 24 hours.
2. set up a helpline for the staff to answer any questions that they might have.
3. offered employees an unlimited number of credit checks to protect against identity fraud, free of charge.
4. amended its IT security policy so that all of their laptops are now encrypted.