· Comment

What can HR learn from the MoD hack?

"Data breaches can pose a real risk of identity theft and are a threat to an individual’s rights and freedoms," says solicitor Oliver Allanach

HR data privacy made headlines this month when the Ministry of Defence (MoD) was subject to a hack that exposed the personal data of an estimated 270,000 current and former military personnel.  

This kind of data makes an attractive target to hackers, although the affected MoD personal data was limited.

If details including names, addresses and 'special category' or sensitive personal data (such as health records, parts of an individual’s personnel file, bank details and identification documents) are breached, this poses a real risk of identity theft, and a threat to an individual’s rights and freedoms.  

Organisations have an increasingly critical duty to protect employee data, and HR teams play a key role in this. Incidents like this shine a light on some of the key legal learnings for organisations to stay proactive.    

Employers remain primarily responsible for employee data protection

Procuring third-party IT platforms to capture, store and manage data in areas such as payroll management, recruitment and employee engagement is common.


Read more: Armed forces payroll hacked


While clearly the use of such IT vendors is necessary, organisations should manage risks appropriately and ensure they are comfortable with the security measures applied to such platforms so as to safeguard the relevant data.  

Ultimately, under data protection laws, employers are the ‘data controllers’ of personal data, even if a third party is used to process the relevant information, with overall responsibility for safeguarding employee data. Importantly, these duties cannot be contracted out to external providers.  

Working with third parties 

As data controllers, employers and HR teams have to be diligent around the use of third parties. Even though they might be working with a market leader, this does not guarantee that data will be 100% secure.  

There are tools within contracts which can help mitigate risk. Data privacy laws allow data controllers a reasonable right of audit with third-party processors. Depending on the contract terms, this can range from a comprehensive right of audit to third-party security certifications. This is a useful right to invoke to ensure compliance with the contract.


Read more: Employee data breaches hit five-year high


Throughout the contract lifetime, HR teams, in partnership with technical and legal support, can instigate running their own checks as to whether the security and privacy offering continues to be satisfactory.   

Data storage duties 

Alongside legal obligations to collect only employee data which is deemed necessary, employers cannot hold data for excessive periods. When it comes to storing ex-employee data, it cannot be retained forever; an appropriate retention period should apply to it.  

UK GDPR requires that data is not kept "longer than necessary". Employers must justify their chosen retention period.  

Minimising risk effectively lies in proactivity and pragmatism, with all types of data. Assessing and considering how to store data for as long as is necessary before its safe disposal represents a significant active step, to mitigate breach risks and legal ramifications.   

HR’s role following data breaches 

Organisations face a challenging time when HR data breaches occur.  

There are legal requirements depending on the nature of the breach, which can include reporting to the Information Commissioner’s Office (ICO). Even if the ICO does not need to be told, employers need to be open and transparent with their employees.   

Employers should react quickly to provide clear, timely, proactive communications to employees who have been affected by a breach.  

Essential details include the nature of the incident, what privacy risks employees have been exposed to and measures they can take to reduce threats, along with any remedial actions the employer will be taking in response to the breach, to ensure that it does not happen again. 


Read more: BBC, British Airways and Boots payroll hacked


This can be a highly emotive issue, especially if sensitive and special category data is breached. Wellbeing must be prioritised.  

HR teams should consider dedicating resources to offer tailored advice and even one-to-one counselling to employees most anxious about privacy risks. This is vital to safeguarding employee wellbeing and ensuring that employees continue to trust their employers with their personal data.

By Oliver Allanach, solicitor and employment law specialist for the law firm Gordons