Category Archives: Data Protection

COVID-19, data protection and common concerns

The ICO has indicated that in these challenging times employers should adopt a proportionate approach to data protection, and has given guidance on the following key areas of concern:

Do data protection laws prevent employees from working at home?

Data protection laws should not prevent homeworking during the pandemic.

Does the current situation negate the need for data security measures when employees are working remotely?

No. Employers should introduce the same security measures as they would usually adopt for all homeworkers.

It is our view that employers implementing widescale homeworking should introduce clear guidelines to manage expectations, control health and safety and protect confidentiality and data.

In the case of data security and confidentiality for homeworking, we would recommend as a starting point that employers:

  • Assess the risk of a data breach arising from homeworking. This will help to identify what measures and controls need to be introduced.
  • Ensure employees are aware that data security and confidentiality are their responsibility. Now is the time to direct them to your policies governing IT and communications, data protection and data retention. Consideration should be given as to whether these may need to be updated to reflect homeworking.
  • Issue specific guidance relevant to the business regarding data security in the context of homeworking. For example, the mandatory use of encryption and passwords, keeping all papers securely and not allowing household members to use company IT equipment.

Make sure employees know what to do and who to contact if they discover a security or data breach.

Can we tell employees about cases of COVID-19?

Yes. Staff should be kept informed about cases of COVID-19. This is on the basis that employers need to satisfy their duty of care regarding health and safety. Individuals must not be named and no more information than is necessary should be provided.

What if we are asked by the public health authorities to share employee health information?

Organisations may share employees’ health information with authorities for public health purposes.

FG Solicitors are experts in all areas of Employment Law and HR, including Data Protection and we can provide guidance around the issues that may arise if you are currently transitioning from office-based working to homeworking. Feel free to call us on 0808 172 9322 for a no obligation discussion.

Fail to plan…. Plan to fail – GDPR is fast approaching!

The countdown to the replacement of the current Data Protection Act with the General Data Protection Regulation (“GDPR”) is now in full swing and the GDPR will become law with effect from 25 May 2018.

Early indications are that there is a lack of awareness, particularly within the SME community, of the sea change in not just structure but also attitudes that will be required to become GDPR compliant. At the very least, by now companies should have made the preparations for GDPR a Board level agenda item and identified a project team or project leader to evaluate the process and administrative changes that are necessary to become GDPR compliant. The responsible individuals should then create a timetable leading up to 25 May 2018 with checklists and milestones identified and agreed.


Although it is not mandatory to have in place a Data Protection Officer (“DPO”) unless you are a public authority or a Company involved in the large scale monitoring of individuals, it is certainly good practice. In short the role of the DPO is:

· to act as advisor to the organisation about its obligation to comply with the requirements of the GDPR and to provide information to its employees;

· to monitor and manage internal data processing activities to ensure compliance with the GDPR, train employees, conduct internal audits and provide guidance on impact assessments associated with data processing;

· to be the point of contact for the Information Commissioner’s Office (“ICO”), which is the supervising authority for the UK.

A note of caution: compliance with the GDPR is not the responsibility of any one individual but requires top down support and the awareness and engagement of Department heads, managers and individuals as to their roles and responsibilities.

Set out below are two examples of how the GDPR will change the existing law.


The data subject access right in the GDPR makes some changes to the rules on responding to a data subject access request.

Data subjects will continue to have the right under the GDPR to access personal data concerning them and to obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients of the data. Under the GDPR, the employer will have to inform the data subjects:

· of any recipients of the data in countries outside the European Economic Area and the safeguards applied on a third country transfer of data;

· the envisaged retention period for the data, or the criteria used to determine that period; and

· the data subject’s rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.

Employers, and other data controllers, will have to respond to a data subject access request ‘without undue delay’ and within one month at the latest. This can be extended by two further months where necessary, taking into account the complexity and number of requests. Under the current rules, data controllers have 40 days to respond to a request.

Data controllers will no longer be able to charge a fee for providing information in response to a data subject access request, unless the request is ‘manifestly unfounded or excessive,’ in particular because it is repetitive.

If an employer receives a request that is manifestly unfounded or excessive, it will be able to charge a reasonable fee taking into account the administrative costs of responding to the request. Alternatively, it will be able to refuse to act on the request.

Where the data subject makes a request by electronic means, the information will need to be provided by electronic means where possible, unless the data subject requests otherwise.


The GDPR, amongst other things, contains provisions relating to the collection of personal data about job applicants during a recruitment process.

The new rules will apply to data obtained from the applicant or from a third party such as a recruitment agency.

Prospective employers will need to provide applicants with an information notice. This notice will need to contain certain information, including the purposes for which the data will be processed, the legal basis for processing and the period for which the data will be retained.

Employers will be able to provide the information notice on their website, and send a link or copy of the notice in correspondence to individual applicants. Where the employer advertises a post on a website owned by a third-party, it should ensure that the details of the vacancy include a link to the information notice.

Employers should retain only the minimum data required and only keep it until the relevant limitation periods for bringing potential tribunal claims have expired.

Employers who intend to keep the details of unsuccessful candidates on file for future recruitment rounds must obtain the candidates’ consent to this. Employers who keep unsolicited CVs on file for future recruitment rounds will need to inform candidates of this in the information notice.

Job applicants will have the right not to be subject to a decision based solely on automated processing. Employers will only be able to use automated decision making if it is:

· necessary for entering or performing a contract;

· authorised by law; or

· with the applicant’s explicit consent.

Employers who use automated decision making will need to advise applicants of this in the information notice. They will also have to provide safeguards for applicants by allowing them to contest the automated decision and by giving them the right to an alternative means of making the decision using human intervention.

Employers who use recruitment agencies should satisfy themselves that the agency will implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects.

For further information and support with your GDPR compliance preparations contact FG Solicitors on 01604 871143 where a member of the team will be happy to assist.

We can help you get GDPR-ready

The team at FG Solicitors are experienced data protection experts and we can help you with tailored best-practice HR and Legal audit solutions, beginning with evaluating your current data protection framework enabling you to confidently establish a GDPR compliance roadmap.


We will work with you to identify remedial action tailored to your method of operation thus ensuring a best-fit data compliance framework. Regardless of the size of your organisation, we can tailor our GDPR support services to your specific needs. AUDIT! REMEDIATION! IMPLEMENTATION! TRAINING!

Contact us for a no obligation informal discussion.

01604 871143

Book now for the GDPR Seminar: Gather, Distribute, Process, Retain No Info

On Thursday 22nd February, FG Solicitors will be giving businesses a chance to gain a better understanding of GDPR, a UK data protection law that will affect every business.

FG Solicitors, in line with its continuing dedicated support to employers, will be hosting a series of seminars to be held between now and the 25 May 2018 designed to support employers in ensuring that they are prepared for the significant changes that the GDPR will bring.

UK data protection law will fundamentally change on 25th May 2018 when the current Data Protection Act 1998 is replaced by the General Data Protection Regulation (GDPR).

Now this is YOUR chance to find out what impact it will have on you as an employer and on your business.

So what can you expect at the seminar?

The seminar will focus on the application of the GDPR to employers and what they should be doing now to prepare, and in particular, will cover:

  • Key differences between the current and new data protection regimes;
  • ‘Brexit’ considerations;
  • The extended rights of data subjects under GDPR;
  • New requirements including Privacy Impact Assessments and Privacy by Design;
  • The now critical role of the Data Protection Officer;
  • The new enforcement and €20M penalties regime under GDPR; and
  • The requirement that the Data Protection Officer act as the contact point for the supervisory authority on issues related to the processing of personal data.

Floyd Graham, Principal and Founder of FG Solicitors, will be the speaker at the seminar. Floyd is a dedicated employment solicitor who has practised in this area of law for over two decades, providing commercially sound expertise and guidance to employers. Floyd is considered a thinker and leading light in the employment law sphere and is a regular speaker and highly regarded commentator on the intricacies of the employer/employee relationship with a devout following.

Places are limited. To book your place please email:

Safe Harbor – Shipping Out?

SUMMARY: Employers who transfer employees’ personal data to a US office should be aware that they can no longer rely on the Safe Harbor decision to comply with data protection laws.

A recent European ruling means that the Safe Harbor decision is invalid.  Since then, employers have wanted to understand what this means in relation to transferring employees’ personal data; below are some frequently asked questions.

Q1: What is the Safe Harbor decision?

The Safe Harbor decision previously enabled certified organisations to transfer personal data from the EU to the US without breaching European data protection laws.

The Snowden revelations about the US National Security Agency’s surveillance of data held by Safe Harbor participants meant that Safe Harbor’s credibility was seriously undermined. The revelations indicate that the US is not ensuring an adequate level of protection for personal data.

Subsequently, the European Court of Justice (ECJ) has held that the Safe Harbor arrangement is invalid.

Q2: Does the ECJ’s decision concern our organisation?

Personal data transfers between the EU and the US

If your organisation transfers personal data between the EU and the US it will be of concern; you can no longer rely on the Safe Harbor decision when transferring such data.

The European Commission is attempting to agree a new Safe Harbor package but has not given any time frame for finalising this.

Continuing to transfer data on this basis therefore carries a level of risk.  We suggest ways in which you can manage risk in relation to this at question 3.

Personal data transfers within the EU

If your organisation only transfers personal data within the EU, this decision will not affect you.

Q3: If we cannot rely on the Safe Harbor framework, what are the alternatives?

EU organisations should now consider alternatives to the Safe Harbor when transferring personal data to the US.  These include:

1. Having an employee’s informed express written consent.  Consent may, however, be withdrawn at any time.  Note that it may be considered unfair to make it a contractual requirement for an employee to consent to a transfer of his/her data to the US.

2. Implementing the following:

  • Model contracts – contracts adopted by the European Commission which provide standard wording for the transfer outside the EU; and
  • Binding Corporate Rules – a set of approved internal Codes of Conduct.  The EU’s Article 29 Data Protection Working Party have developed a number of documents to assist.

3. Anonymising or pseudonymising data exported from the EU to the US.

A paper trail should always be kept of any steps taken.

Q4: What are the possible sanctions if we transfer personal data to the US without appropriate alternatives in place?

Legal sanctions in the UK, if the organisation breaches data protection legislation, include:

  • a fine of up to £500,000;
  • the Information Commissioner taking enforcement action against the organisation; and
  • conviction for a criminal offence (which could result in an unlimited fine).

Organisations should also be aware that a breach of the Data Protection Act 1998 is likely to result in damaging adverse publicity and individuals could bring a civil claim against the organisation.

Contact Details

For more details about the issues in this article or if you would like a data protection policy, which we advise all organisations to have, please contact:

+44 (0) 808 172 93 22

This update is for general guidance only and does not constitute definitive advice.

FGazette October 2013

Welcome to the latest edition of FGazette! The quarterly newsletter of Floyd Graham & Co – Lawyers for today’s employers.

Our final edition of 2013 focuses on whether employees have the right to access all areas of their personnel records. Click the FGazette image to read more.

If you have any problems viewing this link, please contact us on 01604 871143 or