Avoiding the pitfalls in data protection

The use of personal data at work can be a sensitive issue. This summary provides an invaluable guide to the key features of the new draft Code of Practice on Data Protection. By Joan Lewis and Linda Goldman

The new Data Protection draft code of practice covers a very wide range of standards and best practice on the use of personal data at work. This summary sets out examples of some of the key areas of particular interest to OH professionals. Our aim is to highlight the importance of this new code, which is set to come into force later this year.

A full copy of the code should be obtained from the Data Protection Commissioner so that any necessary action plans can be made by management, human resources and OH departments.

The code, which is a large document, is useful as a general human resources and OH guide. It proposes a more restrictive approach than is apparent from the 1998 Act itself and indeed from the new Regulation of Investigatory Powers Act 2000 (RIP) and the Telecommunications (Lawful Business Practice) Regulations 2000.

The code refers throughout to "employees" but makes special provision for contract and agency staff so that the same standards apply.

The table provides examples from the code. It gives a flavour of the wide range of standards covered by the draft that will have a direct effect on OH policies and practice.

Discipline and dismissal

Matters of discipline and dismissal are not set out in the table as these come within the ambit of all record keeping, particularly with reference to data being obtained and used fairly and lawfully (Principle 1). Also, retention of records of former employees is covered in most other areas of record-keeping. The recommended time limits for keeping old records are shown below.

Application form – duration of employment
References received – 1 year
Payment and tax information – 6 years
Sickness records – 3 years
Annual leave records – 2 years
Unpaid or other special leave records – 3 years
Appraisal or assessment records – 5 years
Promotion or disciplinary records – 1 year from end of employment
References of information enabling reference provision – 5 years from reference/end of employment
Summary record of employment – 10 years from end of employment
Records of accident or injury – 12 years from end of employment

Linda Goldman, LLB, BDS, is a barrister specialising in employment law and medico-legal matters, and training consultant to Advisory Training and Consulting Associates Ltd and Virtual Personnel. Joan Lewis, MA (Law & Employment Relations), is a consultant specialising in employment law and relations for ACT Associates & Virtual Personnel.

Data Protection Act 1998 Occupational Health Notes

Principle 1: Data must be fairly and lawfully processed

Applicable to recruitment

Verification standards
– Give applicant the opportunity to rebut third-party information

Pre-employment vetting
– Only vet where a job offer is to be made
– Ensure vetting is specific to the job and the individual and no more
– Ensure compliance with at least one of the sensitive data conditions where data is sought about family or close associates

Retention of recruitment records
– Obtain informed consent to retention of records for use for a potential further vacancy

Applicable to employment records

Collection of information
– Inform new staff what information will be kept about them, where it is obtained, how it is used, and the circumstances in which and to whom it may be disclosed
– Obtain informed consent to use of personal data
– Ensure that personal information is relevant and not excessive to the employment relationship

Maintaining records
– Ensure that personal information is relevant and not excessive to the employment relationship

Sickness records
– Only hold sickness records with explicit consent of the employee or if one of the other conditions for processing sensitive data is satisfied
– Explicit consent depends on each employee being told the extent of information that will be held in sickness records and how this will be used. Obtain evidence of consent
– Release of sickness records to managers should be limited to information reasonably required for management purposes

Occupational health schemes
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others

Applicable to medical testing

General standards
– Establish the specific business reason for testing
– Medical tests should be proportionate to the risk involved in failure to test, whether the risk is to others or to the individual concerned, or where testing is in relation to a health benefit such as sick pay
– Pre-employment medicals are justifiable to determine whether an employee is fit for the particular job or is eligible to join a pension or insurance scheme
– Proportionate measures such as the use of a health questionnaire should be given first preference
– Only carry out tests on properly targeted employees unless blanket testing is justifiable

Principle 2: Data must be processed for limited purposes and not in any manner incompatible with those purposes

Applicable to recruitment

Retention of recruitment records
– Vetting information should be kept securely until complete, then destroyed, save for keeping a record that vetting has been carried out

Applicable to employment records

Occupational health schemes
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others

Applicable to medical testing

General standards
– Establish the specific and genuine business reason for testing

Principle 3: Data must be adequate, relevant and not excessive

Applicable to recruitment

Application form standards
– Require minimal personal information specific to the job in question
– State if information is to be taken from other sources

Pre-employment vetting
– Only carry out vetting if all other criteria for making a job offer have been satisfied

Applicable to employment records

Tell new employees of their rights under the DPA 1998

Collection of information
– Obtain informed consent to use of personal data and ensure that personal information is relevant and not excessive to the employment relationship

Occupational health schemes
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others. Data must be processed in accordance with standards set out in the ethical guidelines of the Faculty of Occupational Medicine of the Royal College of Physicians

Applicable to medical testing

General standards
– Ensure testing is carried out as a necessary and proportionate matter to ensure there is no risk to the health and safety of the individual or others, or to secure a health benefit such as sick pay
– Pre-employment medicals are justifiable to determine whether an employee is fit for the particular job or is eligible to join a pension or insurance scheme
– Only carry out tests on properly targeted employees unless blanket testing is justifiable
– Drugs and alcohol testing should be part of a voluntary programme for detection of abuse
– Substance testing should be by properly qualified persons

Principle 4: Data must be accurate

Applicable to recruitment

Verification standards
– Give applicant the opportunity to rebut third-party information

Vetting
– Ensure vetting is specific to the job and the individual and no more
– Attempt to ensure accuracy where there is justification for obtaining information about the applicant's family or close associates, as it will be difficult for them to rebut

Applicable to employment records

Maintaining records
– Ensure information in employee records is accurate and up to date. Good practice: provide every employee with a copy of his/her basic record annually and ask for identification of inaccuracies and what amendments are needed
– Incorporate accuracy, consistency and validity checks
– Require emergency contact, not "next of kin"

Applicable to medical testing

General standards
– Testing for drugs and alcohol should be by properly qualified persons (the Commissioner refers to tests of "the highest technical quality" and to interpretation of results by a medically qualified person competent in the field of drug testing)

Principle 5: Data must not be kept for longer than necessary

Applicable to recruitment

Retention of recruitment records
– Establish and adhere to retention periods for recruitment records where they need to be kept for business purposes. Suggested retention periods: 4 months from the date of confirmation of an unsuccessful application; 4 months from the date of confirmation that another candidate was appointed to a shortlisted position
– Vetting information should be kept securely until complete, then destroyed, save for keeping a record that vetting has been carried out

Principle 6: Data must be processed in accordance with the rights of the individual

Applicable to recruitment

Applicable to access and disclosure

Subject access
– Ensure that information is available within 40 days of the request being made and on receipt of the current £10 fee
– Ensure that information is only released to the actual data subject
– Provide information on file with reasons why it is kept and an explanation of any otherwise unintelligible terms
– Ensure information is not provided which identifies other persons unless the third party consents to its release

References
– Ensure identity of third party is not revealed
– If third-party information is integral to the reference, special procedures are set out in the code appendix allowing for consent by the third party or the overriding interest of the data subject

Principle 7: Data must be kept securely

Applicable to recruitment

Application form standards
– Provide a secure method of transmission for on-line applications
– State for whom data is being provided and how it will be used

Applicable to retention of records generally

Standards of keeping sickness records
– Release of sickness records to managers should be limited to information reasonably required for management purposes

Standards of security
– Apply proper security standards as identified in BS7799 to protect from risk of accidental or unauthorised intervention leading to loss or destruction of, or damage to, employment records
– Use system and password controls so that information is released only to defined persons on a "need to know" basis
– Maintain a log and audit trail of all access to the records
– Ensure reliability of staff having access to records
– Unauthorised or otherwise improper access to records is a serious disciplinary offence and may also constitute a criminal offence
– Take stringent precautions when transmitting data by e-mail or fax to ensure security, encryption and receipt by the individual addressee

Occupational health schemes
COMPLIANCE IS REQUIRED WITH THE STANDARDS SET OUT BY THE FACULTY OF OCCUPATIONAL MEDICINE
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others
– Security measures are to be appropriate to the nature of sensitive data processed in connection with an occupational health scheme. Information should not be released even to occupational health professionals unless on a "need to know" basis

Applicable to access to records

Disclosure of references
– Confidential references should not be given without the express consent of the subject to disclosure of the reference

Disclosure requests
– Clear policies should be established and adhered to so as to ensure disclosure is only made to the proper subject who is entitled to access. Security measures include only accepting written requests and informing the Commissioner where it is suspected that an attempt is being made to obtain information by deception: remember that there is no legal requirement to disclose even where a failure to do so would prejudice crime and taxation
– Disclosure should be by staff trained in data protection procedures
– Records should be kept of non-routine disclosures
– Disclosure records should be checked and procedures updated regularly
– Remind staff regularly that disclosure to the wrong person is a criminal offence. It should be a disciplinary offence as well. Errors or deliberate releases of information should be reported to the Commissioner

Principle 8: Data must not be transferred to countries which do not have adequate protection

Exercise particular caution with any information transfers outside the European Economic Area and seek permission from employees in these circumstances.
