Increasingly HR managers are using Cloud-based HR systems as a cost-effective and efficient way to manage staff and data across the world. But what employment law considerations should HR managers be aware of when thinking about and operating such a system? To understand this, it is helpful to know why Cloud-based systems differ from more traditional “hosted” HR software.
One of the issues with a typical “public” Cloud is that a single piece of software serves multiple client organisations simultaneously. This means that the customer has little opportunity to customise the software. The supplier decides where to store the customer’s data and can move it around different data centres across the world to save on costs (although some suppliers will offer territory-specific solutions in response to customer demands, e.g. EEA-based services to aid Data Protection Act compliance). This may also mean that there are multiple copies of the customer’s data held in different locations.
Security considerations
When considering a Cloud-based HR solution, HR managers should bear in mind that all of the data stored on the system will be transferred over the internet, and that it may then be moved between the supplier’s data centres around the world to maximise cost savings, as described above.
Data security is therefore an important consideration and encryption of data is essential. Given the standardised nature of Cloud solutions, the supplier is unlikely to agree to comply with the customer’s security policies. Therefore, HR managers should:
- Ensure all employee data is appropriately encrypted and regularly review the encryption levels.
- Undertake due diligence to ensure that the supplier’s security matches your own. You may need special arrangements in place, for example if your own employees are required to have any form of clearance before accessing employee data, you may wish to impose this requirement on your Cloud supplier as well.
DATA PROTECTION CONSIDERATIONS
Processing of personal data
In a Cloud-based HR system, the employer remains responsible for its employees’ data under the Data Protection Act 1998 (“DPA”) and must ensure that the supplier complies with the DPA principles. The UK Information Commissioner’s Office (“ICO”), which oversees the implementation of the DPA in the UK, provides guidance on the protection of personal data in the Cloud. The ICO recognises that, because of the nature of a public Cloud, it is difficult to exercise any meaningful control over the processing of personal data by the supplier. This may lead you to consider whether a typical ‘public’ Cloud is the most appropriate type of solution available.
- You will need an employee’s consent if processing their sensitive personal data, such as medical records.
- You should inform employees of the way in which their personal data will be gathered and processed.
- You should use reasonable endeavours to understand the supplier’s data protection policy and undertake a risk assessment to ensure compliance with DPA principles.
Data Transfer Rules
Personal data may only be transferred to countries outside the EEA in the following situations:
- the data subject (in this case, the employee) has consented to the transfer; or
- the transfer is made on terms that are approved by the ICO as ensuring adequate safeguards for the rights and freedoms of data subjects; or
- the transfer has been authorised by the ICO as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
The European Commission has made findings of adequacy about certain countries, including Switzerland, Australia, Canada and New Zealand (but not the US) so you can freely transfer data to these countries. In respect of the US (where many Cloud suppliers are based), the European Commission has agreed a framework with the US government under which data can be transferred to companies provided they have signed up to the ‘safe harbor’ arrangement.
If the business does not participate in the ‘safe harbor’ framework, the data controller must impose certain contractual requirements on the US business known as ‘binding corporate rules’, which have been approved by the ICO. However, given the standardisation in Cloud contracts, this may be difficult. Failure to comply with the data transfer rules could lead to a fine by the ICO of up to £500,000. If the supplier is a US company which does not participate in the ‘safe harbor’ framework you must seek employees’ consent to the transfer of their data outside the EEA, unless the supplier is willing to depart from its standardised terms by entering into binding corporate rules.
AVAILABILITY OF & ACCESS TO DATA IN THE CLOUD
Availability
Under the DPA, data controllers are required to ensure that appropriate technical and organisational measures are put in place against the unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to personal data. Normally this would involve a review of a supplier’s guarantees of availability, confidentiality and integrity, including a site visit in order to audit them. However, with data that is held in the Cloud, this is not practical. You should use reasonable endeavours to understand the supplier’s policy on accidental loss, destruction or damage and undertake a risk assessment to ensure compliance with DPA principles.
Under a typical Cloud contract, the customer takes the risk of internet availability and internet outages. For example, if there is an internet outage the day before you are due to run payroll, you may not be able to access the data required to run the payroll and you will have no recourse against the supplier. For this reason it may be best to retain a copy of the data on your own servers as back-up.
Access
Standardisation means that it is difficult for the employer to negotiate rights of access for disclosure purposes, for example in employment tribunal litigation or for the purposes of a data subject access request. Likewise, on termination, access may be limited. Typical termination provisions state that the supplier is only required to give you back your data within 30 days. Again, for business continuity/seamless service reasons when changing provider, or in the event of a disclosure obligation, you may wish to consider retaining a copy of the employee data on your own systems, using the Cloud solution as a service provider rather than as data storage.
OTHER COMPLIANCE ISSUES
If the supplier is providing you with any sort of compliance support (such as international payroll and tax advice), you should bear in mind that ultimate responsibility for compliance remains with you as the employer. It is, therefore, important that you understand your obligation to ensure that the service levels are appropriate and that the supplier is performing well. Where possible, in the agreement with the supplier you should ensure that responsibilities are clearly delineated between the parties.
CONCLUSION
When considering implementing a Cloud-based HR solution, HR managers should consider which format of service is the most suitable. You may want to select a provider who can give assurances about the location of your data. You should also undertake a risk assessment of the nature of the data to be moved into the Cloud (for example whether it is necessary to transfer sensitive personal data, which will need employee consent) and of what security and access requirements you will need. So far as is possible, the use of the Cloud-based system should be monitored regularly throughout the term to ensure DPA compliance, security and accessibility.