Guidelines on using HR data
Guidelines and principles on using HR data, and security access request forms.
Data residing in the HR systems (People and Money, HR Sharepoint, Management Information) is classed as personal data and as such comes under the Data Protection Act (1998). These guidelines have been developed with the principles from this Act in mind.
The general principle to be observed at all times is that information about staff is confidential to the University and to the individual member of staff. Information should not therefore be disclosed by any member of staff except for good, duly considered reasons.
If data are extracted from any of the HR systems then the same principles apply and it is the responsibility of the user extracting the data to ensure that the recipient of the data (or a subset of the data) is aware of the confidentiality of the data and the security implications of using this data. There are a number of directives in the Act concerning the use of personal data and these include:
- the data shall be adequate, relevant and not excessive in relation to the purposes for which they are kept
- the data shall be accurate and kept up-to-date
- the data processed for any purpose shall not be kept for longer than is necessary for those purposes
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These have a direct impact on data that has been extracted or printed from any of the HR systems.
In particular, consideration needs to be given to how long this extract exists, and a timescale should be agreed for when this extract should be destroyed. There is a formal process for the authorisation of access to the HR systems and this covers the type and level of access required as well as the rationale behind the need for this data. It will not be possible to access the HR systems without first seeking approval.
Passwords and security
Each approved user will have both a user identification and a password. It is important that this password is not given to anyone else.
For multiple types of access, one user may have a number of different passwords. It is important that the HR Systems Team is informed of any change to the access privileges required. The use of HR systems and access to HR data is on the basis of trust and the responsibilities that go along with this trust. If there are any concerns that this trust is being abused, the HR Systems Team should be informed and the matter will be investigated. It is critical that an up-to-date security environment is in place, and it is therefore vital that any individuals who have access to the HR systems and are either leaving the University or changing their role (and their requirement for HR data changes) have their access privileges amended.
When considering local security procedures covering the use of HR data outside of the HR systems, it may be appropriate to take advantage of local IT security to enable these procedures.
An example of this is protecting an extract by password if it is stored on a shared drive. Manual approaches may also be appropriate.
For example, printouts must be stored in a secure location and users of extracted data must acknowledge that they take responsibility for the security of the data.
Please contact HR Helpline via Service Request to discuss possible approaches if you have concerns in this area.
Security access form
Please complete the Access to HR Data form and send it to HR Helpline via Service Request.
Please ensure the appropriate person has completed Section 5 to authorise the access before sending to HR Systems.