September 12th, 2016 | Sterling

Personal Information: The Importance of Training

Background screening, by its very nature, requires the collection, use and storage of personal information. The consequences of misusing this information can be severe and far-reaching, so it stands to reason that handling it correctly is of major importance to any organisation involved, either directly or indirectly, in processing personal information.

Because handling personal information calls for discretion, the employees who process it need the skills and awareness to treat it in a respectful, fair and consistent manner. But how can we provide and test for these skills? And what level of training in data processing is appropriate to meet and exceed obligations for the correct handling of personal information?

The first step is to understand which obligations are placed on organisations processing personal information.

As articulated by the Information Commissioner’s Office (ICO), the seventh data protection principle from the Data Protection Act states:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

It goes without saying that technical measures relate to IT security which is fundamental in protecting the confidentiality, integrity and availability of personal information. However, organisational measures, which focus on the people and policies within an organisation, must not be overlooked, and so we need to understand what they involve. Touching on this, the Data Protection Act states:

The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

This suggests that organisational measures encompass, among other things, employee reliability, but there is no explanation of how this should be achieved. Reliability through background screening is a good starting point, but training is usually required after an employee is hired, and nowhere is a direct requirement to train employees in the handling of personal information to be found. It would, however, be a mistake to assume that training is not a vital element in maintaining a dependable data protection strategy.

There are logical arguments for this view. An employer cannot take for granted that an employee has the appropriate knowledge and awareness without seeing evidence of it and without providing a means for that knowledge to be acquired. Assuming an employee is equipped to handle their responsibilities correctly, without some way to gauge their understanding, would be a dangerous gamble with the personal information that employee is entrusted with. Given the ever-evolving legal landscape surrounding the use of personal information, the need not only to acquire but also to maintain employee awareness, be it through updates or additional training, is also apparent. Yet despite this, though a company may face action for misuse of information, it is the misuse, rather than the initial lack of adequate training, which may be punishable.

The ICO is the UK’s data protection authority and is responsible for upholding information rights in the public interest. It is the ICO which handles complaints made against organisations and which takes action against organisations that fail to meet their data protection obligations.

Despite no direct obligation on organisations to provide training, in 2014 the ICO served an enforcement notice to Wolverhampton City Council requiring that all staff complete privacy training. The ICO went further and, in June 2016, additionally required that all staff take refresher training at regular intervals not exceeding two years.

The ICO has clearly recognised that training within an organisation is important and that it contributes to good data handling practices. This suggests that, regardless of whether the Data Protection Act contains direct obligations in the area of employee privacy training, any privacy conscious employer should consider it an area of importance as well.

Sterling takes this stance and has introduced a role-based privacy training curriculum which focuses on tailoring training to the responsibilities of each employee. This equips employees with the relevant knowledge and awareness required for the correct handling of personal information.

For example, members of Human Resources are trained to correctly handle employee information, whereas those who work with clients are taught how to handle the unique and various types of information to which they are exposed, ranging from information about the clients themselves, to the personal details of those clients’ candidates who are undergoing employment screening.

Finally, as demonstrated by the ICO’s action above, one-off initial training for new employees is not enough by itself. Sterling provides updates and internal webinars to maintain the visibility of privacy and good data handling practices, and it is through this continued focus on the correct handling of personal information, and through the education of each individual employee, that the obligation to protect and correctly handle personal information can best be upheld.
