Tag Archive for: Data Protection


M&S, Harrods, and Co-op have all recently been victims of cyber-attacks. How can HR help prevent one at your company?

A few weeks ago, my wife got a concerned call from her mother. She was not able to buy a rotisserie chicken from M&S. The chickens were there, cooked and ready to eat. The problem was that the M&S systems were not able to print the tickets with the all-important barcode. This was bad news for my mother- and father-in-law’s planned meal and even worse news for M&S. Later that day, the story broke that M&S had been the victim of a cyber-attack. Since then, further news has come that Harrods and the Co-op have also recently been victims of similar attacks.

Why are we talking about this? Have Narrow Quay HR had a radical rebrand to become IT specialists? No, the reason is that we want to think about the role of HR in preventing attacks and then in dealing with the consequences of them.

What is the role of HR in preventing attacks?

Whilst the IT team obviously play an important role in trying to prevent attacks, the Verizon 2025 Data Breach Investigations Report stated that 60% of breaches involved a human element. It’s therefore important that staff are trained in spotting and avoiding potential attacks. Many attacks come as a result of members of staff inadvertently clicking on a link in an email, which then allows the virus to enter an IT system.

HR teams can assist with designing training to help ensure that policies have been read and understood and that employees don’t just take a ‘tick-box’ approach to say that they have read them. Things to think about when designing this training might include:

  • ensuring the training explains why there are data security policies in place, what the risks are of a cyber-attack and the role staff play in helping to prevent one occurring.
  • refresher training: given the importance of this training, you should consider requiring all employees to attend refresher training every so often to keep the message in the forefront of their minds. Your employees need for instance to understand the importance of approaching emails with a healthy degree of scepticism and caution.
  • reporting mechanisms: staff must understand the need to swiftly report any concerns they have. If, for example, they have inadvertently clicked on a link, speed is vital in dealing with it: computers might need to be isolated and systems shut down, so the sooner IT are alerted the better.
  • no blame culture: mistakes can and do happen so it’s important that organisations foster a culture where employees who may be embarrassed by their possible mistake still speak up as soon as possible, without fear of negative consequences.

The attack has got into your systems – what can HR do then?

So despite the organisation’s best efforts, the virus is in your systems. What happens next? While the focus is likely to be on IT’s efforts, it’s important to remember to keep staff informed of what is happening. You don’t need to give them every single detail, but remember that it’s likely to be an uncertain time for them and you want to avoid them getting their news from possibly ill-informed media or social media messages. You’ll also need to think about whether it’s possible for them to still work from home while you are dealing with the IT challenges. Once the immediate threat has been resolved, HR can support with reflecting on lessons learned and devising adaptations to training and policies, to reduce the likelihood of a recurrence.

With the increasing threat of cyber-attacks, HR teams have a lot to think about. If you would like to discuss this topic further or need our assistance on any other HR matter, please contact Simon Martin in our team on 07384813076.


The announcement earlier this month that the Princess of Wales was undergoing treatment for cancer reignited discussions about the delicate balance between an individual’s right to privacy and the public’s interest in their personal affairs. We look at similar implications for employees who are away from work unexpectedly and consider what employers should do to manage this.

Kate Middleton’s decision to share her diagnosis publicly was undoubtedly a courageous one and sparked an outpouring of support and empathy from around the world. However, there was also a sense that as speculation reached fever pitch she was left with little choice. Her experience serves as a reminder of the complexities surrounding privacy for those in the public eye.

When employees are off sick or are suspended during an investigation in the workplace, there can be similar considerations about how much information can and should be shared, which need to be handled delicately. Some level of communication will usually be required, whether that is to clients, colleagues or other stakeholders. This can become more pressing when the rumour mill kicks in and it becomes apparent that there is unhelpful speculation surrounding an absence.

What steps should employers take?

Maintaining confidentiality and respecting the employee’s privacy rights while addressing the concerns of other employees can be challenging. Here are some options available to employers in such circumstances:

  • Communicate clearly with the affected employee: The employer should communicate with the affected employee directly and, ideally, work with them to come up with a form of words that will be used. In some situations, such as suspension, the less that is said the better, and using the term ‘suspension’ should be avoided in most cases. In others, it will be a case of what the individual is comfortable sharing. Check back in with the employee after a period of time to confirm that the messaging is still appropriate or whether it needs updating.
  • Share that messaging as needed: Communicating the agreed messaging can help to dispel rumours and put a halt to speculation. Don’t dwell on the reason for absence but focus minds back to interim arrangements and getting back to business as usual. Think about how you will handle requests from employees to get in touch with the affected employee and have a response agreed.
  • Respect privacy: Employers should respect the privacy rights of the absent employee. While it may be tempting to disclose details about the situation to quell further speculation, doing so could create upset for the affected employee and give rise to further risks to the business.
  • Address misinformation: If rumours are spreading that are false or damaging to the absent employee’s reputation, the employer should take steps to address and correct misinformation. This can be done through staff meetings, internal memos, or other forms of communication.
  • Enforce confidentiality policies: Employers should remind employees of the organisation’s confidentiality policies and the importance of respecting the privacy of their colleagues. This can help prevent further speculation or gossip about the absent employee’s situation. This is particularly crucial where employees are to be interviewed as part of an internal investigation and may therefore be privy to further sensitive information.
  • Maintain professionalism: Throughout the process, employers should strive to maintain professionalism and treat all employees with dignity and respect. This includes refraining from engaging in or tolerating gossip or speculation about the absent employee’s situation.
  • Obtain specialist support: If it is a particularly high profile or controversial absence that may attract media interest, involve your internal marketing and communications team if you have one or consider getting specialist support so press releases can be prepared as needed.

By taking these steps, employers can effectively manage rumours and speculation surrounding an employee’s absence, while upholding confidentiality and respecting privacy rights. Careful thought, clear communication and an adherence to policies and procedure are essential for maintaining a positive work environment.

If you would like support in managing a similar situation in your organisation, please contact Sarah Martin in our team on 07799 136 091.


If you are responsible for GDPR matters in your workplace then you should take heed of recent guidance from the Information Commissioner’s Office (ICO) regarding the storage of COVID vaccination data.

The ICO, which is the UK’s information body set up to uphold information rights, has published guidance called ‘Data protection and Coronavirus-19 – relaxation of government measures’. This is to help organisations and employers to comply with their data protection obligations following the Government’s relaxation of the rules relating to COVID-19.

Sharing Vaccination Data

Some employers may have checked people’s COVID-19 vaccination status historically. The ICO has outlined in this recent guidance some key things organisations need to consider around the use of this type of personal information.

Why Hold Vaccination information?

Employers may wish to seek voluntary proof of vaccination:

  • to track staff vaccination levels within the workforce and assess the risk of transmission
  • to ascertain an employee’s eligibility under any vaccination incentive scheme

If an employer has vaccination data it may help them with internal risk assessments and planning from an operational viewpoint.

What Is Your Purpose for Storing Information?

Now is the time to review your current practices in respect of collecting and storing this type of data. Employers now need to understand, from a data protection viewpoint, what information they can request and record about their employees’ vaccination status.

An employer should consider carefully whether capturing this information can be justified, given the current position taken by the Government. Employees’ health information falls into the category of special personal data so employers must identify a lawful reason to request and process this data under data protection legislation.

The ICO guidance states that if employers collect vaccine information they must be clear what they are trying to achieve by doing so and demonstrate how it helps them achieve it. The use of data must be fair, relevant and necessary for a specific purpose.

There must also be a compelling reason for collecting this information, and ‘just in case’ will not be good enough. The employer must also be transparent about how this vaccination data will be used and processed, and that use should not create any risk to, or have any detrimental impact on, the employee.

How Long Should an Employer Retain Vaccination Data?

If you have vaccination data for your employees you should review it and ensure that it is still reasonable, fair and appropriate for you to retain this data going forward. You should safely dispose of this data if it is no longer relevant or required. If you need to store vaccination data you should do so for only as long as is necessary and review it regularly.

For specialist support on managing your employee vaccination data, please contact Helen Couchman in our team on 07799 901 669.