This blog was written by Johannah Palmer, Edgecumbe’s Office Manager, Data Protection Officer, Information Security Administrator and Service Manager for the Doctor 360 team. This is the third blog in our series on psychometrics data within the context of GDPR. In her first blog, Johannah set out the issues to consider when using psychometrics for employment purposes. Blog #2 investigated why psychometrics are special category data and the consequences of their special status for HR professionals. In this third blog, Johannah discusses the practical considerations for HR professionals around psychometric data security.
Practical considerations to achieve data security
Psychometrics can significantly improve your ability to hire, develop and retain the people you need in your business. But they are powerful tools and can be dangerous in the wrong hands, so ensuring their confidentiality, integrity and security is both a legal requirement and a moral imperative when handling special category data such as psychometrics. Quite rightly, in today’s digital landscape, data security has become a top priority for businesses across all sectors. Handling special category data such as psychometric data requires HR professionals to take extra care. This is not easy to do in practice and requires proactive effort from HR professionals in a wide range of areas:
- Legal basis: Data subjects must understand the purpose, scope, and potential consequences of the data collection. The appropriate lawful basis for processing special category data under Article 6 and the permitted exception under Article 9 of the UK GDPR must be established (a topic we focused on in our previous blog).
- Access control: Strong access controls, such as assigning user permissions and role-based access, along with regular reviews to align access rights when roles and responsibilities change, can lock down special category data to meet compliance requirements.
- Secure storage: Special category data must be stored in secure systems with appropriate security measures, such as firewalls, intrusion detection systems, and access controls. Consider utilising encrypted databases or secure cloud services that meet stringent security standards. Regular backups and secure storage of backups should also be implemented to prevent data loss.
- Encryption: Encryption techniques can protect data both at rest and in transit. Transforming data into an unreadable format makes it much harder for unauthorised people to access the information. Encrypting databases, files, and communication channels that handle special category data can reduce the risk and impact of potential breaches.
- Pseudonymisation and anonymisation: Pseudonymisation replaces a data subject’s name with a unique identifier, which means the data can only be related to a person if you hold the key which links names and pseudonyms (whilst ensuring that data can be used for future person-focussed analysis). Anonymisation completely removes any unique identifier from the data, maximising security but also making person-focussed analysis impossible.
- Data classification: Clearly identifying and classifying special category data (such as psychometrics) within HR systems will help distinguish sensitive information from other types of data and enable targeted security measures.
- Data minimisation, retention and deletion: By limiting the data stored, the risk of exposure or breaches is reduced so clear policies and robust procedures for data retention and deletion should be established. Only the special category data required for the specific purpose for which it was gathered should be collected and retained, and should only be retained for as long as necessary (and in accordance with legal requirements). Secure mechanisms should be developed for permanently deleting or anonymising data when it is no longer needed.
- Regular audits and assessments: Regular internal audits, penetration testing, and vulnerability assessments should be performed to identify gaps in the protection of special category data.
- Employee training and awareness: Employees who handle special category data should receive comprehensive training to educate them about the sensitivity of the data, their responsibilities in protecting it, and best practices for data security. This training should be regularly reinforced through awareness programs and reminders of the importance of data security practices, such as secure password management, recognising and reporting suspicious activities, and adhering to privacy policies and regulations.
- Supplier management: Conduct due diligence when selecting and engaging third-party suppliers who have access to special category data. Evaluate their data security practices, adherence to privacy regulations, and sign them up to robust data protection agreements.
- Compliance with regulations: Stay informed about relevant data protection regulations, including the UK GDPR and other applicable laws and seek legal advice if you are in doubt.
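As an added example (not code from the original blog or from Edgecumbe), the distinction drawn above between pseudonymisation and anonymisation, worked through in Python on constructed candidate records: direct identifiers are swapped for a keyed token and the linking table is held separately, so re-identification needs the key, while the anonymised copy drops the token entirely. The secret key, the record fields and the candidate names are all assumptions.

```python
import hashlib
import hmac

# Constructed sample psychometric records; names, emails and scores are invented.
CANDIDATES = [
    {"name": "Alice Example", "email": "alice@example.invalid",
     "openness": 72, "conscientiousness": 65},
    {"name": "Bob Example", "email": "bob@example.invalid",
     "openness": 41, "conscientiousness": 88},
]

# Fields that identify a person directly and must not sit beside the scores.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token.

    Returns (pseudonymised records, key table). The key table is the "key which
    links names and pseudonyms" and must be stored separately, under its own
    access controls. The token is an HMAC over the email, so the same person
    gets the same token on a later assessment (person-focussed analysis still
    works) while nobody without the key can recompute it from a guessed email.
    """
    out, key_table = [], {}
    for rec in records:
        subject = rec["email"].strip().lower().encode()
        token = hmac.new(key, subject, hashlib.sha256).hexdigest()[:16]
        key_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = token
        out.append(pseudo)
    return out, key_table


def reidentify(pseudo_records, key_table):
    """Link scores back to people; only possible while the key table exists."""
    return [dict(rec, **key_table[rec["subject_id"]]) for rec in pseudo_records]


def anonymise(pseudo_records):
    """Drop the pseudonym too, leaving scores that no key table can link back."""
    return [{k: v for k, v in rec.items() if k != "subject_id"}
            for rec in pseudo_records]
```

Deleting the key table (or the HMAC key) turns the pseudonymised set into the anonymised one in effect, which is one way to meet the retention and deletion point above without destroying aggregate results.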
Essential questions for suppliers prior to allowing them to handle your data
When contracting suppliers to handle special category data, the client organisation usually remains responsible under the UK GDPR for what suppliers do with the data and for ensuring that they have robust data security measures in place. Here are some key questions to ask suppliers before allowing them to handle your data:
“What data security measures do you have in place to protect special category data from unauthorised access or breaches?”
(This question helps assess the supplier’s overall approach to data security and their commitment to protecting sensitive information.)
“How do you pseudonymise or anonymise special category data to minimise the risk of exposing personally identifiable information?”
(This helps assess whether the methods used by the supplier to protect the identity and privacy of individuals whose data they handle are adequate.)
“How is data protected during transit? What encryption protocols do you use for data transmission?”
(This question focuses on the security measures in place during the transfer of data between systems or across networks.)
“What procedures do you have for securely deleting special category data when it is no longer needed?”
(Understanding the supplier’s data deletion practices is essential to ensure that data is securely and permanently erased from their systems and backups when it is no longer required.)
“How often do you conduct security audits or assessments to identify vulnerabilities and ensure compliance with relevant data protection regulations?”
(This question helps gauge the supplier’s commitment to ongoing security assessments and compliance with data protection regulations. Regular audits and assessments demonstrate a proactive approach to data security.)
“Do you subcontract any data processing activities related to special category data? If yes, how do you ensure their compliance with data protection requirements?”
(If the supplier engages subcontractors, it is important to understand how they ensure compliance and data security throughout the entire supply chain.)
Asking these essential questions allows HR professionals to assess the data security practices of their suppliers and make informed decisions when selecting partners to handle special category data.
Data security at Edgecumbe
At Edgecumbe we routinely handle highly sensitive and special category data, and we take extremely seriously our responsibilities under the UK GDPR to comply with the regulations and to provide sophisticated data security solutions for our clients.
Our research has highlighted that many clients and psychometric providers are not treating psychometrics as special category data or handling them in accordance with the UK GDPR. We appreciate that this is a complex issue, and we are happy to share our expertise to educate our clients and help them navigate these complexities. Please do get in touch through our website or by emailing us at email@example.com if you would like to find out more, or to find out about an upcoming seminar where we will discuss in more detail the topics from our blogs.