Your Key Info Limited (YKI) & GDPR
Introduction
Following the adoption of new data rules in the UK we understand that many of our clients are concerned about GDPR compliance in their organisation and with their suppliers.
In the run-up to the changes, the (YKI) Group worked hard to audit processes, contracts and notices. Key staff attended external training courses and we implemented a training plan for all staff. We are confident that we have taken all necessary steps to ensure compliance with the new legislation.
The main challenge for the recruitment industry is the right to process data on individual candidates/workers and the legislation sets out the acceptable principles under which personal data can be held. We have reviewed the typical circumstances under which (YKI) receives, processes, transfers and holds an individual worker’s data and established how we can do so compliantly under the new rules.
Prior to the new legislation we informed all workers that we had updated our Privacy, Data Processing and Retention Policies and advised them to read the new documents.
Controller or Processor?
(YKI)’s data processing activities exceed those of a processor (as defined by the legislation) and therefore we are a Data Controller and (YKI) will meet its obligations under this role.
(YKI) Compliance with each of the GDPR principles
Lawfulness, fairness & transparency
(YKI) has in place contracts of employment with its employees and policies which describe what categories of personal data are collected and processed and the lawful basis for doing this.
Personal Data held on the (YKI) platform about individual Data Subjects is there for the purposes of fulfilling our:
• Contractual obligations under contract or terms herein with the worker,
• Legal obligations in relation to any government department lawfully requesting such data,
• Legitimate business interests under our supply agreements with agencies or intermediaries.
Data minimisation
(YKI) captures most personal data in specific pre-determined fields which correspond to those defined in contract. Where documents are uploaded (e.g. identity documents), this is done to facilitate specific performance of a contractual obligation or to fulfil a legal obligation.
Accuracy
Some personal data can be corrected by workers within their secure access portal. Additional access, correction or deletion requests can be actioned via specific email addresses set up for GDPR.
Data Retention Policy
In summary, where workers' details have been retained, (YKI) must hold their personal data in their portal until they request deletion. Holding this data acts as their work history, which may be needed for completing personal tax returns or for employment reference information.
We will communicate to workers that we will follow these data retention rules from 25 May onwards:
a) If we have processed and held data within a Key Information Document for the worker, we will retain their personal data for a period of six tax years. We are required to retain their data and it cannot be deleted.
b) If we have not processed a Key Information Document for the worker, but they have provided us with personal data and accepted our data processing terms, we will retain their personal data for a period of 12 months, at the end of which period it will be deleted from our systems, unless they refresh their agreement to our data processing terms. They can request deletion of all of their data at an earlier stage.
c) If we have not processed a Key Information Document for the worker, but they have provided us with personal data and not accepted our data processing terms, we will retain their personal data for a period of six months, at the end of which period it will be deleted from our systems, unless they subsequently indicate their agreement to our data processing terms. They can request deletion of all of their data at an earlier stage.
d) If we have not processed a Key Information Document, but we received their personal data from a third party to whom they provided it (e.g. a recruitment agency) and they have not accepted our data processing terms, we will retain their personal data for a period of one month, at the end of which period it will be deleted from our systems, unless they subsequently indicate their agreement to our data processing terms. They can request deletion of their data.
e) Where a worker whose data is due for deletion subsequently updates their agreement to the (YKI) data processing terms, this has the effect of renewing the retention period to 12 months (as per ‘b’ above). Each month (YKI) systems will identify workers whose data is due for deletion. They can request deletion of their data.
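Rules (a) to (e) above amount to a decision procedure that the monthly sweep has to apply to every record. The following Python is an added illustration of that procedure and is not (YKI)'s own code; the record fields, the `Source` enum and the sample records are constructed for the example. It makes three assumptions that the policy text leaves open: "six tax years" is counted from the 5 April that ends the tax year in which the Key Information Document was processed; a record whose terms were accepted falls under rule (b) whatever its original source; and a rule (a) record is flagged only once its six tax years have elapsed, never on request.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class Source(Enum):
    SELF = "self-registration"   # worker provided the data themselves
    THIRD_PARTY = "third party"  # e.g. supplied by a recruitment agency


@dataclass
class WorkerRecord:
    worker_id: str
    received_on: date                         # date the data entered the platform
    source: Source
    kid_processed_on: Optional[date] = None   # Key Information Document processed on this date, if any
    terms_accepted_on: Optional[date] = None  # most recent acceptance of the data processing terms
    deletion_requested: bool = False


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to 28 so the result is always a valid date (assumption)."""
    idx = d.month - 1 + months
    return date(d.year + idx // 12, idx % 12 + 1, min(d.day, 28))


def tax_year_end(d: date) -> date:
    """End (5 April) of the UK tax year that contains d."""
    boundary = date(d.year, 4, 5)
    return boundary if d <= boundary else date(d.year + 1, 4, 5)


def retention_deadline(rec: WorkerRecord) -> Tuple[str, date, bool]:
    """Map a record to (rule letter, last day of retention, deletable on request)."""
    if rec.kid_processed_on is not None:
        # Rule (a): six tax years, not deletable on request. Counted from the end of the
        # tax year in which the KID was processed (assumption about "six tax years").
        end = tax_year_end(rec.kid_processed_on)
        return "a", date(end.year + 6, end.month, end.day), False
    if rec.terms_accepted_on is not None:
        # Rules (b)/(e): 12 months from the latest acceptance; re-acceptance renews the period.
        return "b", add_months(rec.terms_accepted_on, 12), True
    if rec.source is Source.SELF:
        # Rule (c): self-provided data, terms never accepted: six months from receipt.
        return "c", add_months(rec.received_on, 6), True
    # Rule (d): third-party data, terms never accepted: one month from receipt.
    return "d", add_months(rec.received_on, 1), True


def due_for_deletion(records: List[WorkerRecord], today: date) -> List[Tuple[str, str, str]]:
    """The monthly sweep: (worker_id, rule, reason) for every record that is due for deletion."""
    due = []
    for rec in records:
        rule, deadline, deletable = retention_deadline(rec)
        if deletable and rec.deletion_requested:
            due.append((rec.worker_id, rule, "requested"))
        elif today > deadline:
            due.append((rec.worker_id, rule, "expired"))
    return due


# Constructed sample records for the example; not real worker data.
SAMPLE_RECORDS = [
    WorkerRecord("W1", date(2019, 6, 10), Source.SELF, kid_processed_on=date(2019, 6, 10)),
    WorkerRecord("W2", date(2023, 1, 15), Source.SELF, terms_accepted_on=date(2023, 1, 15)),
    WorkerRecord("W3", date(2023, 9, 30), Source.SELF),
    WorkerRecord("W4", date(2023, 12, 20), Source.THIRD_PARTY),
    WorkerRecord("W5", date(2023, 6, 1), Source.SELF, terms_accepted_on=date(2023, 6, 1),
                 deletion_requested=True),
    WorkerRecord("W6", date(2020, 2, 2), Source.THIRD_PARTY, kid_processed_on=date(2020, 2, 2),
                 deletion_requested=True),  # rule (a): the request cannot be honoured yet
]


def monthly_run(today: date = date(2024, 2, 1)) -> List[str]:
    """Worker IDs the sweep flags on the given date (defaults to a constructed run date)."""
    return [worker_id for worker_id, _, _ in due_for_deletion(SAMPLE_RECORDS, today)]


if __name__ == "__main__":
    for worker_id, rule, reason in due_for_deletion(SAMPLE_RECORDS, date(2024, 2, 1)):
        print(f"{worker_id}: rule ({rule}) {reason}")
```

Run as written, the sweep dated 1 February 2024 flags W2 (12 months expired), W4 (one month expired) and W5 (deletion requested), while W1 and W6 stay untouched under rule (a) even though W6 has asked for deletion. Keeping the rule letter in the output gives the audit trail that the Accountability section below relies on: each deletion can be tied back to the clause that authorised it.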
Accountability
(YKI) is fully capable of tracking data processing through our secure systems and of providing compliance confirmation to regulatory bodies or as required contractually.
Integrity & confidentiality
(YKI) adopts various technical and organisational measures to prevent:
• Accidental or unlawful destruction, loss or alteration of Personal Data
• Unauthorised disclosure, transmission or processing of Personal Data
• Cyber penetration or hacking
(YKI) carries out regular vulnerability testing of our systems to ensure all data remains secure. We are in the process of applying for Cyber Essentials Plus and will thereafter apply for ISO 27001. (YKI) already applies the following principles to maintain the integrity and confidentiality of our data.
Asset Management:
• All assets are clearly identified, documented and regularly (annually) reviewed in an asset register
• All assets have designated owners/custodians listed in the asset register
• All employees must use company assets according to the acceptable use of assets procedures
Access Control
Access control is the selective restriction of access to a physical site or other resource. (YKI) operates controls across all electronic forms of information processing systems including operating systems, applications, networks and mobile access to the platform. Procedures cover:
• User registration and de-registration
• Access privilege assessment
• Control of password use, password change and password removal
• Management review of access rights
• Network service access, control method for authentication of remote users
• Configuration of ports, segregation of networks
User Registration
(YKI) procedures:
• Staff users have a unique user ID based on a standard naming convention
• Formal authorisation process for provisioning of user IDs
• Audit trail available of all requests to add, modify or delete user accounts/IDs
• Access rights are immediately revoked for any employee leaving (YKI)
• Privileges are allocated to individuals on a ‘need-to-have’ basis
• Records of privileged accounts are maintained and updated on a regular basis
Operating system and application control policies include:
• All users in the organisation have a unique ID
• No systems or application details are displayed before log-in
• The number of unsuccessful log-in attempts is limited to 5 attempts
• During log-in process, all password entries are hidden by a symbol
• The use of system utility programs is restricted
• The platform has a dedicated administrative menu to control access rights of users
Network security assurance
• Access to the company’s network is only provided to authorised users
• Controls are in place to manage remote users
• All equipment can be recognised uniquely
• Networks are segregated based on needs
• Network routing protocols are enabled
• Authentication mechanisms are used to control the access by remote users
• Allocation of network access rights is provided as per the business and security requirements
Compliance with data subject access rights
1. Right to be informed: (YKI) will notify the data subject when their information has been received from self-registration or provision by third party, as soon as it is added to the platform.
2. Right to access: subject access rights may be met by the secure user portal (GDPR best practice). Requests can also be made via the dedicated email address set up for GDPR access requests.
3. Right to correct data: either directly on their secure user portal or via the dedicated email address for GDPR corrections.
4. Right to erasure of personal data: requests can be made using the dedicated email address for GDPR erasure. Rules are applied according to the data storage guidelines above.
5. Right to data portability: (YKI) provides personal data to the data subject in CSV file format.
Other compliance obligations
1. Transfer of data outside the EU: Where we have supplied data to agencies as Data Controller and the agencies wish to process or transfer this data outside of the EEA they will have to secure separate consent directly from each worker.
2. Data Protection Officer: (YKI) has appointed its web master as DPO.
3. Sensitive data: As a default, (YKI) will not be handling sensitive personal data for the normal purpose of its service provision. (YKI) must be informed if sensitive Personal Data is required to be processed.
If you have questions relating to GDPR, please email info@yourkeyinfo.com