In 1998 David Beckham sported a sarong, Monica Lewinsky and Bill Clinton were outed for their antics with a cigar, and TV hard man Bear Grylls became the youngest British mountaineer to climb Mount Everest. Less memorably, it was the year the Data Protection Act (DPA) was introduced.
A decade ago, most organisations ran their HR records on IT systems but they were restricted by storage limits, access speeds and, in most cases, limited internet usage. In 2008, the amount of personal data a company can hold on an employee is almost limitless, and there is more information available through the internet than ever before. Employers are expected to obtain evidential data on almost every aspect of someone’s life from their GCSE certificates to their ethnic background.
The DPA is even more important today than it was in 1998 because of the amount of data that employers are generating and holding, according to Annabel Lyell, IT and data protection solicitor at law firm Morgan Cole.
“Data protection is really a trust issue. Employees want to know that their employer will look after the data it holds on them,” she says.
Several high profile government organisations, including the Home Office and the Department of Health, have been in the headlines for breaching data protection regulations, which can be very damaging for the employer’s brand.
“If there’s a breach it’s not only damaging in monetary terms, but also in terms of reputation,” Lyell says. “If people don’t think you can look after your data they may not want to work for you.”
Most companies have a data protection policy in place but HR staff don’t necessarily know what to do with it, according to Lyell, and training can be a major issue.
“Any data that can be linked to an employee, such as information on their salary or medical history, should be securely stored. But there are still lots of ambiguities about how long a company needs to retain the data and what information they need to keep,” she says.
The DPA states that the information should be “adequate, relevant and not excessive”, but what exactly does this mean? It’s certainly a flexible guideline for employers to work with but can also be confusing for HR departments. Lyell says HR practitioners should review their data regularly to ensure all the information is relevant and up to date, as far as possible.
Gagandeep Prasad, a solicitor at law firm Charles Russell, says complying with the DPA requires co-ordination across many functions.
“It’s helpful if a senior member of HR is made responsible for achieving a co-ordinated approach to data protection compliance, with the first step being carrying out an audit,” she says.
The audit should highlight what information the organisation holds and for what purpose.
“This will then assist whoever is responsible to ascertain whether the organisation is complying with the DPA, and where there is a need for further training and understanding of the principles behind the DPA,” Prasad explains.
Brad Taylor, head of HR at the Chartered Institute of Management Accountants (CIMA), says data protection may not always be a top priority for HR, but it needs to be taken very seriously. “It can be seen as a fairly dull topic but the consequences of breaching the Act cannot be overestimated,” he says.
Going too far
Employees are more aware than ever of their rights and can question why their employer needs to request and maintain certain information on them, such as their marital status and whether they have a criminal record.
“Often we, as an employer, like to keep a record of these sorts of things for data monitoring purposes,” Taylor says. “But we need to make sure we explain that to the employee so they know why we’re asking.”
CIMA issues a six-monthly reminder to all 350 staff about its data protection policy and the importance of keeping data securely. The seven-strong HR team also conducts ad hoc refresher courses with the IT department and all new employees are briefed about the institute’s data protection policy when they join.
“Our IT department developed the data protection policy but we have ownership over what happens when anything goes wrong,” Taylor says.
If an employee were found to have breached the Act in any way they would be subject to a disciplinary procedure and receive data protection training.
Lyell says it’s important for HR practitioners to differentiate between types of data.
“There are two different types of data – personal and sensitive personal data. Sensitive personal data includes information on ethnicity, trade union status, religious beliefs or medical information. It’s awarded a higher level of protection and employers have to obtain an employee’s consent to keep it,” she explains.
Personal data, however, is usually more general and includes information on salary and previous jobs. Lyell says it sometimes surprises people to know that financial information is not classified as sensitive for the purposes of the Act.
“Salaries and other financial data probably weren’t categorised as sensitive because when the DPA first came in, many people, especially weekly paid workers, didn’t really use bank accounts and were paid by cheque, so there was much more transparency around pay.”
Code of conduct
However, Alison Levy, director of HR and organisational development at charity Crime Reduction Initiatives (CRI), says data protection is no more significant now than it was 10 years ago when the DPA was first introduced.
“We have some requests for data but few and far between and these have not increased over the past few years,” she says.
Data protection requests are dealt with by CRI’s seven HR practitioners and although the team hasn’t received specific training, they have various levels of knowledge about the Act.
“We have a code of conduct policy, which covers data protection, but we are reviewing this to ensure we highlight the area of security breaches,” Levy says.
Prasad says losing data can be one of the most common security breaches. “Particular care should be taken where there is remote access to systems and data is moved, whether by e-mail, disc or otherwise,” she says.
“Other breaches include failure to notify and deal adequately with subject access requests and to obtain the employees’ consent to data processing. In addition, employers sometimes disclose sensitive personal data to third parties without going through the appropriate process.”
Lyell agrees that taking data out of the office can be a very contentious area for employers.
“Companies must have a data transfer agreement in place. Larger companies with an outsourced division or a US subsidiary, for example, will probably pass information outside the EU,” she says.
“What lots of companies don’t realise, however, is that they need a specific agreement in place to do this.”
With an increasingly global workforce this can be a frustrating issue for employers. Although no major amendments have been made to the Act since it was first introduced, the damage to a company’s reputation and kudos from losing or abusing data is more heightened than ever before, and employers have to make sure they stay on top of it.
The world has, of course, moved on a great deal since 1998, but can the DPA keep up?
What powers does the information commissioner have to impose penalties on organisations that breach the data protection act?
The Information Commissioner’s Office (ICO) has extensive powers to impose penalties on organisations that breach the DPA. For example, it can:
- Conduct assessments to check organisations are complying with the DPA.
- Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period.
- Serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps to ensure they comply with the law.
- Prosecute those who commit criminal offences under the DPA.
- Conduct audits to assess whether an organisation’s processing of personal data follows good practice.
A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates’ court, and an unlimited fine in the Crown Court.
Gagandeep Prasad, solicitor, Charles Russell
Five steps to avoid breaching the data protection act:
- Write a data protection policy for your company that applies specifically to the type of information you hold and the industry sector you work in.
- Carry out regular audits to ensure all the information held is relevant and timely.
- Make sure everyone in the HR team is fully aware of the key points of the Act.
- Make sure all the information is password protected and don’t share passwords unless absolutely necessary. Make sure passwords are changed regularly.
- If you need to take any data outside the office, ensure it is encrypted and only accessible to relevant employees within the company.
Annabel Lyell, IT and data protection solicitor, Morgan Cole