General Data Protection Regulation (GDPR)

Under the GDPR law there are the six principles employers must follow:

• information is processed lawfully, fairly and in a transparent manner in relation to individuals
• information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• information held is adequate, relevant and limited to what is necessary, in relation to the purposes for which they are processed
• information is accurate and, where necessary, kept up to date - every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay
• information is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Employee rights under GDPR

GDPR gives employees a number of rights over their data:

• employees must be told what will happen with their data – usually through data protection notices
• employees must be able to access their data on formal request - this is often called a data Subject Access Request
• employees have a right to request their data be corrected if inaccurate or incomplete. The employer has 1 month to respond to such a request
• employees can request data is deleted if it no longer needs to be held. This can be refused by the employer if they can show that holding the data is still necessary and legitimate

Record management

The required standards of practice in the management of records for those who work within or under contract to NHS organisations in Scotland are detailed in The Scottish Government Records Management: NHS Code Of Practice (Scotland) Version 2.1 January 2012.