How does GDPR affect Right to Work data processing and storage?
There is a statutory obligation for organisations to undertake Right to Work checks. As such, they have to copy and keep the sensitive identity documentation obtained during the performing these checks.
This is not affected by GDPR. Article 6 of the regulation includes a legal obligation for processing:
The processing is necessary for you to comply with the law (not including contractual obligations)
In essence, because you are complying with other legislation, the processing is necessary.
However, this is not the end of the matter
Organisations need to be aware of the issues arising from GDPR. This is especially true given the sensitive nature of the data being processed.
Special category data is personal data which the GDPR says is more sensitive. As such, it needs more protection. Right to Work checks require the examination, copying and storage of sensitive personal information – passports, visas, birth certificates etc.
Article 5 of the GDPR requires that ‘personal data’ (information which could directly or indirectly identify an individual) must be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
As such, we recommend organisations review their current Right to Work policies and procedures. Pay particular attention to the following:
1. Examining and retaining the right documents
The organisation needs to be confident that its recruitment staff are only checking the essential documents. They must also be following the correct procedure for examination and retention. As the ICO point out:
‘It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is a necessary for the stated purpose, not whether it is a necessary part of your chosen method of pursuing that purpose’.
2. Data storage methods and procedures
Are your Right to Work checks securely stored and protected?
Particularly exposed are organisations with many, remote sites. This is due to the storage of checks in both central and remote locations.
Manual, paper based storage systems are also worth consideration. Filing cabinets with minimal (if any) restrictions to access are a risk. Spreadsheets on local hard drive storage carries the inherent risks of lost data due to a variety of computer threats.
3. Data deletion
Organisations have a legal obligation to store Right to Work checks for 2 years once an employee has left the business. GDPR increases the emphasis on the need for a robust process to ensure this actually happens.
There needs to be a process in place to manage this requirement. Consideration must be given as to how this data is controlled and audited. Data/paperwork must then be confidentially disposed of at the end of the required period.
We have a solution to make this process a lot easier…
Rightcheck is an app providing complete end-to-end Right to Work management workflow
Rightcheck enables your recruiting staff to follow a simple process to complete a fully compliant Right to Work check from start to finish.
A simple interface will guide them on which documents to review and capture according to the nationality and circumstances of the applicant/candidate. This logic is automatically updated whenever the law changes.
Rightcheck will then take care of the storage and management of the check. This includes controlling the deletion of the check 2 years after an employee has left your business.
Via a secure cloud-based system, you can decide on user access rights/privileges and configure the system to reflect your organisational structure and hierarchy. A full audit search functionality allows easy inspection of checks by auditors.