Many UK businesses now choose a cloud-based timesheet system. Such systems are easy to use and offer tremendous benefits to any organisation, in terms of both profitability and cost reduction. However, when choosing a system it is vital that you understand the Data Protection Act (DPA) and the rules that govern storing personal information. In outline, the DPA:
• Sets out the rules and processes that must be followed when processing information about individuals;
• Grants rights to individuals regarding their information; and
• Creates an independent body to supervise these rules.
So what has that got to do with timesheet data? Well, if your timesheet data is deemed personal data then your organisation must conform to the Data Protection Act.
The Information Commissioner’s Office (ICO) defines personal data as data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
If data on timesheets is deemed to be personal data then the timesheet system and practices for processing this data must comply with the DPA.
Whether it is personal data depends, of course, on the data elements that you store in your timesheet system. It is highly likely, however, that the data stored on a person’s timesheet will identify them as an individual, and so it is personal data.
In a recent Information Commissioner’s Decision Notice (FS5056238) it was ruled that the data held on the timesheets of a Parish Council was in fact personal data, and as such the Council was bound by the rules and regulations in the DPA.
You may feel that this is bureaucracy gone mad. However, some breaches of the Data Protection Act are criminal offences and, in some cases, the officers or directors of an organisation can be personally liable. I think that I may now have your attention!
Under the DPA (the eighth data protection principle), personal data must not be transferred to a country or territory outside the European Economic Area (EEA) unless that country ensures an adequate level of protection for it, or one of the narrow exemptions in Schedule 4 of the Act applies. Currently, very few countries outside the EEA have been determined by the European Commission to provide adequate protection.
The Data Protection Act must not be treated as an unnecessary bureaucratic measure. It is serious legislation with potentially serious consequences if you do not comply with it.
This blog is not intended to go into the details of the DPA, but to highlight its importance, and especially the restrictions it places on transferring personal data outside the EEA.
Many of the leading timesheet systems that rank highly in Google searches are based outside the EEA and store their data there. If you use one of them you are, by definition, transferring personal data outside the EEA. Note that it is where the data is held, not where the vendor is headquartered, that matters.
If the country that the personal data is being transferred to has not been deemed by the European Commission to provide adequate data protection, you may be breaching the DPA.
A recent prospect of ours, now a client, was looking at our timesheet system, PM3time, and their first question to us was, “where is your information stored?”
Our data is stored in the UK, which is part of the EEA. They were, quite rightly in my opinion, not going to consider any system where data was being stored outside the EEA.
If you are looking for a new timesheet system, it would be advisable to check where the data is stored. If you are already using a timesheet system, check whether the timesheet data is personal data as defined by the DPA (it almost certainly is). If so, and that data is held outside the EEA, you may wish to switch to a vendor that stores its data within the EEA.