Q&A: protecting personal data

With the recent spate of government blunders that led to personal data being lost, XpertHR spells out the correct procedures for handling employee information.

Q How does the Data Protection Act 1998 actually define ‘personal data’?

A Under the Data Protection Act 1998, ‘personal data’ simply means information held on record about an individual. Information held in paper format, data stored on a computer system and data processed through e-mail are all covered by the Act, which regulates the processing of data about individuals in employment.

Where information is held manually, it must be ‘structured in such a way that specific information relating to a particular individual is readily accessible’ to be covered by the Act. This means, in effect, that the data filing system must be easy to find and follow.

The Court of Appeal has further held that, to constitute ‘personal data’, information must be significantly biographical and have the individual as its focus.

Q What is ‘sensitive personal’ data, and can it be held on a personal file?

A Sensitive data comprises information about an employee’s racial or ethnic origins, politics, religion, trade union membership, physical or mental health, sex life, sexual orientation, or criminal (or alleged criminal) activities, proceedings or convictions.

Such data must not be held on an employee’s personal file without that employee’s express consent unless the information is necessary to comply with the employer’s legal obligations. Sensitive personal data volunteered on a job application form or during an interview should be deleted from the employee’s personal file, unless retained for legal reasons or in connection with any legal proceedings.

Q What principles are employers obliged to follow to ensure that personal data is handled correctly?

A Employers are obliged under the Data Protection Act 1998 to adhere to eight data protection principles which state that employers must:

  • Process personal data fairly and lawfully (which means that personal information must not be obtained or used unless either the employee has consented or one of a limited range of conditions has been met)
  • Obtain and process data only for specified and lawful purposes (ie use personal information only for clearly agreed purposes)
  • Ensure data is adequate, relevant and not excessive in relation to its stated purpose (ie not store more information than is necessary about a person)
  • Ensure that data is accurate and kept up to date
  • Not keep data for longer than is necessary in relation to its purpose
  • Process data in accordance with the rights of individuals
  • Take appropriate measures against unauthorised or unlawful processing and against accidental loss, damage or destruction of the data
  • Not transfer data outside the European Economic Area without ensuring adequate protection of the data.

Q Does an employer have the right to retain any personal data gathered during the recruitment process?

A The Data Protection Act 1998 created new obligations for employers in relation to information they gather and retain about job applicants (and existing employees). The Act covers all personal information held about an individual, whether the files are set up manually or held on computer. To ensure compliance with the Act, the application form should include a statement about the employer’s intent to process the information and ask the applicant to signify their consent.

Q Does an employer have the right to approach an employee’s GP for information about their health?

A An employer must not approach an employee’s GP for a medical report without first obtaining the employee’s written consent. When doing this, the employer is obliged to inform the employee of their rights under the Access to Medical Reports Act 1988. The employee has the right to see a copy of the report once it is prepared and before it is given to the employer.

The employee also has the right to ask the doctor to remove information that they consider damaging or irrelevant or to refuse to allow the doctor to release the report. These rights do not generally extend to reports prepared by an independent doctor paid for by the employer.

Q For how long should an employer keep an employee’s or ex-employee’s personnel files?

A The Employment Practices Data Protection Code provides guidance on compliance with the Data Protection Act 1998 regarding the retention of employees’ and former employees’ records.

The Act itself sets no specific period, stating only that personal data should not be kept longer than is necessary for the purpose or purposes for which it is being processed.

Employers can therefore set their own retention periods, so long as these are based on business needs and take into account any professional guidelines.