Data Protection Issues

The Data Protection Act 1998 (DPA) sets out when personal data can lawfully be processed and how it should be processed.

Personal data might be found in databases, manual filing systems, word processing programs, e-mails, CCTV records, telephone records, internet logs, automated payroll systems and records of automated door entry systems such as swipe cards.

Employers have data protection obligations in relation to current and former job applicants, employees, and agency, contract and other casual workers.

Personal data is defined as information which relates to a living person

  • who can be identified from that data alone, or from that data together with other information in the possession of the data controller; and
  • which is about that living person (whether in his personal or family life, or in his business or professional capacity).

An example of personal data is details of an employee's salary and bank account held on an organisation's computer or in a manual filing system.

When personal data is being processed, the eight data protection principles set out in Part I of Schedule 1 to the DPA must be complied with. The data must be:

  • Fairly and lawfully processed.
  • Processed for limited purposes.
  • Adequate, relevant and not excessive.
  • Accurate and up to date.
  • Not kept for longer than necessary.
  • Processed in line with data subject's rights.
  • Secure.
  • Not transferred to other countries without adequate protection.

Requests for data

Under the DPA, employees may access data held about them by their employer where they make a request in writing and pay a fee of up to £10. Employers should be aware that this right of access effectively gives employees a means of ascertaining whether or not their data is being properly processed in accordance with the DPA, and this may have an impact on their relationship with their employees as well as on their reputation as an employer.

Data retention

Personal data must be accurate and kept up to date. Employees should therefore be asked to update information held by their employer regularly. Once an employee has provided personal data, the employer is then responsible for security of that information and needs to take account of the risks of unauthorised access, accidental loss or damage to the information.

Health information

An employer should not seek to collect more information about an employee's health than is necessary. For example, pre-employment medical reports should focus solely on the employee's fitness for employment in the job for which they have applied and should not include more medical information than is relevant to that question. Employees should not be medically examined or tested unless there is a real likelihood that they will be appointed. All information obtained through medical examination of employees should be relevant, accurate, up to date and kept secure. If an employer seeks a medical report from the employee's own GP or consultant they will need to obtain the employee's consent before making an application to their doctor.

Notification

Before an employer can begin to collect and use personal data about its job applicants and employees, it may need to notify the Information Commissioner of the processing of personal data which it intends to carry out. If an employer is required to notify, it must renew its notification annually, and failure to do so is a criminal offence. There are some significant exemptions to the notification requirement which will, depending on their business sector, almost certainly exclude smaller employers with relatively simple data processing arrangements.

Data protection policy

Organisations which process a lot of personal data should have a data protection policy. Such a policy should be tailored to the organisation, actively communicated to staff and monitored. It should be distributed to all who may come into contact with employee records.

The policy should:

  • recognise that not only current employees and workers but also applicants for employment, interview candidates and ex-employees are covered by data protection requirements;
  • outline the company's internal procedure for notifying the employer of any changes to the way in which employee records are processed;
  • state that no personal information held by the employer will be processed unless the requirements for fair and lawful processing can be met, and confirm that no processing of personal data will be carried out unless the employee has given consent or the processing can be justified under one of the conditions in Schedule 2 to the DPA;
  • explain what constitutes "personal data" and "sensitive personal data";
  • state that employee records must be accurate and kept up to date, and must not be kept longer than is necessary;
  • acknowledge that individuals have a right of subject access, explain how this right can be exercised, and set out the internal procedure to be followed when a data subject access request is received.

Sanctions and remedies

Individuals are entitled to compensation from data controllers for damage caused by any breach of the DPA. In addition, individuals can obtain a court order for the rectification, blocking, erasure or destruction of data which is inaccurate, and the Court may also, where it considers it reasonably practicable, order the data controller to notify third parties to whom incorrect data has been passed of such rectification, blocking, erasure or destruction.

Breaches of certain rules give rise to criminal offences on the part of the data controller, for example, breach of the obligation to notify or inform the Commissioner of any changes to registerable particulars.