research shows a wide gulf between the views of the Data Protection
Commissioner and employers on issues such as sickness absence records. David
Shepherd, editor of IRS Employment Trends, reports
of access and disclosure are central to the Data Protection Act. “Employees,
like any other individuals, have a right to know what information is kept about
them,” says the Data Protection Commissioner, Elizabeth France. Moreover, for
some categories of information, such as “sensitive personal data”, the explicit
consent of employees may be required before employers can legitimately hold
the commissioner’s view, it is good practice for employers to, “Provide every
employee with a copy of his/her basic record annually and ask him/her to
identify inaccuracies and amendments needed.” Unfortunately, a majority of the
employers’ panel surveyed by research company Industrial Relations Services and
employment lawyers DLA Advance, falls short of her recommendations in this
to a questionnaire were asked whether or not every employee in his/her
organisation is provided with a copy of their basic personnel record and asked
to identify inaccuracies and amendments needed. While public-sector respondents
are evenly split on the issue, about three-fifths of both private services and
private manufacturing and utility employers did not provide employees with a
copy of their basic record as a matter of course.
were also asked if their organisations automatically provide employees with
copies of their records and how often they did so. More than half do so
annually, although one-tenth do so less frequently (up to every three years)
and around one-sixth say they do so on an ad hoc basis.
it is assumed (generously) that most of the employers providing employees with
copies of their records on an ad hoc basis do so at least once a year – this
means that less than one-third follow the commissioner’s notion of good
practice by providing for an annual employee update.
disclosure of basic personnel records to employees may be a matter of good
practice, but disclosure following a legitimate access request from an employee
is a matter of law. Employees have a legal right to know what information is
kept about them.
to the Data Protection Commissioner, “A subject access request is any written
request (including e-mail) from a prospective, current, [or] past employee or any
other person who indicates they want to know what information is kept about
him/her. Employers can charge up to £10 for responding to each request and can
ask for information that helps them locate the records – for example dates of
comply with the DPA, and in particular with principle six, (Greater
difficulties) the Commissioner says employers must “have in place a system
that enables [them] to locate all the information about an employee and provide
him/her with a copy of that information promptly – in any event within 40 days
of receiving a subject access request”.
are some important exemptions from this subject access right. Most notably, in
the employment context, information kept for management planning or forecasting
can be withheld where supplying it would “prejudice the employer’s business”.
were asked whether or not their organisation has a procedure in place through
which employees can make an access request to see their records, and learn the
uses to which their personal data will be put.
three-fifths said their organisation has an access procedure. A further quarter
reports its organisation plans to introduce such a procedure. All but one of
the latter group expects to introduce their procedures later this year.
Therefore, by 2002, it appears that just under one-sixth of the IRS/DLA panel
may be in danger of failing to comply with this provision of the Act as
interpreted by the commissioner.
then asked respondents in organisations with a formal employee access procedure
whether or not a period of written notice is required from the employee. Around
two-thirds of respondents say this is the case, with both private manufacturing
and utility firms and private services companies being more likely to require
notice than public sector employers.
how much notice is required from employees seeking access to their records,
around two-fifths of the relevant respondent group surveyed report a figure of
40 days, which is in line with the maximum deadline allowed under the
legislation. Most of the remainder specify periods of between one and 14 days,
although one reports that “reasonable” notice is required, and two say no
notice is needed.
are entitled to charge up to £10 for each access request, as noted above.
Nevertheless, less than three-quarters do not charge an administration fee. Of
those that do, most told us they require £10 or “up to £10”, although one
to the Data Protection Commissioner, an employee’s explicit consent “will
often be required to legitimise the holding and use” of records that include
“sensitive personal data”.
is defined as personal data consisting of information on the data subject’s
racial or ethnic origin; political opinions; religious beliefs or other beliefs
of a similar nature; membership or non-membership of a trade union; physical or
mental health or condition; sexual life; commission or alleged commission of
any offence; and subjection to proceedings for any offence committed or alleged
to have been committed by the data subject, the disposal of such proceedings or
the sentence of any court in such proceedings.
respondents were asked whether or not their organisations have arrangements for
ensuring that sensitive personal data is processed only with the explicit
consent of the employee concerned. Seven-tenths of respondents report this is
the case in their organisations, leaving the remaining three-tenths appearing
not to comply with the DPA as interpreted by the commissioner.
commissioner says, “A record that a particular employee had 20 days’ sick leave
last year will be sensitive personal data. It might not be actual information
about the employee’s health but it will be information as to his/her health.”
This means that, to comply with the DPA, and in particular with principle one,
(Making sure systems are able to delete out-of-date unwanted information)
employers should “only hold sickness records of employees if [they] have the
explicit consent of each employee or if one of the other conditions for
processing sensitive data is satisfied”.
organisations that hold sickness absence records (all but two of the sample)
under three-tenths had not obtained specific consent of each employee to hold
compliance with the DPA and adherence to the Data Protection Commissioner’s
view of what constitutes good practice require significant efforts from
employers in the area of employee communication.
comply with the Act, as interpreted by the commissioner, and in particular to
comply with principle one, employers must “inform newly appointed staff what
information will be kept about them, where it is obtained, how it is used and
who, if anyone, it will be disclosed to” and they must “explain clearly how any
sensitive data is to be used” (as well as obtaining a clear indication of the
to adhere to the commissioner’s notion of good practice, employers must “inform
new employees of their rights under the Data Protection Act 1998, in particular
their right of access to information kept about them”.
gauge the extent to which the organisations communicate with their employees
about data protection issues, they were asked what methods were used to communicate
with employees. The most popular ways of communicating data protection issues
to the general population of employees are via the staff handbook and specific
letters to staff – both of which methods are used by more than half the
second question concerned the last time respondents’ organisations had issued a
communication to employees covering data protection issues. The responses
suggest a high level of recent communication.
of respondents report that data protection last featured in a communication to
employees within the past three months, a further third report a communication
within the past six months, and another sixth within the past year.
gives a total of just under four-fifths of the sample that have communicated
with employees on data protection issues within the past year.
contrast, only one-tenth of our respondents report that their organisations
have never issued a communication of any kind to their employees on this
the new code be a solution or a nasty shock?
DPA and the associated good-practice guidance provided by the Data Protection
Commissioner place major responsibilities on employers.
the three-tenths of the IRS/DLA panel who have not read the draft code may be
in for some nasty surprises when the final version is published.
who have read the draft were asked what effect they think the code will have on
employee relations in their organisations.
a four-point scale, nearly half believe the code’s effect on their organisation
will be “neutral”, two-fifths believe it will be “positive” and one-sixth
believe it will be “negative”.
believes the impact will be “very positive”.
the reasons identified are:
– Effects on my organisation will be positive. “It provides reassurance and clear
guidance for ensuring compliance with [the DPA]”
– Effects on the wider economy will be positive. “Given the rise in global
communications, this should offer some protection and control within the UK”
– Effects on my organisation will be neutral. “The code only implements the
– Effects on my organisation will be negative. “It is overkill. We cannot do
our job if we do not have [employees’] details
– Effects on the wider economy will be negative. “The resource implications of
the draft code are so large as to make it difficult for an organisation to
the survey was carried out
provide a snapshot of employers’ policies and procedures on the use of personal
data in employer-employee relationships, IRS and DLA jointly surveyed a panel
of employers a year after the 1998 Act came into force.
questioned them about the extent to which practice in their organisations
complies with the DPA and about the extent to which they use some of the
“good-practice” procedures set out by the commissioner in the code of practice.
panel comprised 53 respondents, 49 of whom submitted detailed questionnaire
replies in time to be included in the main analysis. All but six responses are
in respect of whole organisations; the others refer to a specific division,
department or site.
panel represents a cross section of economic activity. Two-fifths of it is drawn
from the private services sector and a similar proportion from the public
sector, with the rest from manufacturing and utility companies.
was a bias towards medium-sized and large employers in the sample: the average
workforce size among respondent organisations is 1,850. Broken down by broad
sector, the median workforce size is 2,600 for public sector respondents, 785
for the private services sector and 450 for manufacturing and utilities.
Overall panel members employ 304,000 people – 127,000 (public sector), 157,000
(private services) and 20,000 (manufacturing and utilities).
recognition of the sensitive nature of some of the issues involved, respondents
were offered the chance to participate in the research without their responses
being attributed to their organisations by name.
Code of Practice: the use of personal data in employer/employee relationships
issued for consultation by the Data Protection Commissioner, October 2000,
available at wood.ccta.gov.uk/dpr/dpdoc.nsf
Employment Review 724, March 2001, available from Fawzia Ittoo, Industrial
Relations Services, 020-7354 6747, or e-mail email@example.com price
£25. www.irseclipse.co.uk For a
full summary of the report’s main findings go to www.personneltoday.com/features