Guidance on Data Protection in the Employment Context

Written by YGTV Team on 21 December 2021.

The Gibraltar Regulatory Authority (the “GRA”), as the Information Commissioner, has today published a Guidance Note which aims to assist in ensuring data protection compliance in the employment context, as required by the Gibraltar General Data Protection Regulation and the Data Protection Act 2004.

The document provides general guidance on the legitimate expectations of employees with regard to the processing of their personal data by employers, as well as the legitimate interest of employers in deciding how best, within the boundaries of data protection law, to run their organisations.

Additionally, guidance is provided on several specific areas as relevant to the employment context, including, but not limited to:

- The obligations of the employer - The importance of complying with the data protection principles, with particular emphasis placed on the concept of accountability and implementation of appropriate security measures to protect employee personal data.
- Recruitment and selection - Best practice recommendations in relation to the processing of personal data in areas such as ‘advertising and applications’, ‘interview notes’, ‘vetting’ and ‘retention’.
- Employment records - The responsibility of the employer to appropriately notify employees of the personal data processing activities being undertaken.
- Monitoring in the workplace - The data protection implications that must be considered.
- Remote working - In particular, the additional risks presented regarding the security of personal data.
- The employees’ individual rights - The requirement on employers to uphold data protection rights and obligations in a compatible, administrative infrastructure that allows adequate protection of such rights.

The Guidance Note is intended to serve as a reference document, to be consulted as and when necessary, alongside relevant legislation. Importantly, data protection obligations will vary according to the size and nature of the business. Organisations are responsible for assessing what aspects are relevant to their personal data processing activities, and for introducing reasonable and appropriate measures, as applicable.

The Guidance Note is available to download from the GRA’s website (https://www.gra.gi/data-protection/guidance).

For further information, please contact the GRA on +350 20074636 or by email.