OH departments need to get their records straight to meet the new Data
Protection rules, or face hefty fines.
By Rachael Heenan
The threat of compensation pay-outs means that occupational health
professionals must work with personnel managers to ensure they are not in
breach of the Data Protection Act 1998.
The Act, which came into force last month, gives employees more rights and
exposes employers who do not act to ensure that they comply with the new
legislation to criminal prosecution.
This will not be easy, as it has emerged that vital guidance from the Data
Protection Registrar to help employers implement the Act is not yet ready.
Under the new Act, data held in personnel files, whether electronic or
paper, may be subject to regulation. The law not only extends an employee's
right to see certain data relating to them, but also includes a new right to
know the logic behind decisions which affect them and their performance at
work. The Act came into force on 1 March but applies retrospectively to data
first held after 24 October 1998.
The definition of data has been substantially widened by the 1998 Act.
Unlike the 1984 Act it includes manual files and records. The definition of
manual files and records is still far from clear and will probably remain so
pending a ruling from the courts.
The test is whether the manual data is held in a "relevant"
filing system, and in deciding that, there must be:
– A set of information about individuals.
– Structure to the set, which should make the information readily accessible
and should work by either reference to individuals, or by reference to criteria
relating to individuals.
The definition of processing has also been widened to include alignment,
combination, blocking, erasure or destruction of the information or data.
Unless the individual has given their consent, data processing must be
necessary:
– For the performance of a contract to which the individual is a party, or
for the taking of steps at the request of the individual with a view to
entering into a contract
– To comply with any other legal obligation
– To protect the vital interests of the data subject (very limited)
– For the administration of justice, or for the exercise of any other
functions exercised in the public interest
– For the purposes of legitimate interests pursued by the data controller
The 1998 Act has also introduced a new category of data – sensitive personal
data. This covers information relating to an employee’s ethnic or racial
origin, political opinions, religious beliefs or beliefs of a similar nature,
trade union membership, physical and mental health, sex life or the commission
or alleged commission of any offence.
The processing of such data is not only subject to the eight data protection
principles, but also has to satisfy one of the following, more onerous,
conditions:
– The employee has given their explicit consent to the processing
– It is necessary for the purposes of exercising any right that is conferred
or imposed by law on the employer in connection with employment
– It is necessary in connection with any legal proceedings or for obtaining
legal advice
– It is necessary for the administration of justice, for the exercise of
functions conferred by statute or of any functions of the Crown
– It relates to sensitive data as to racial or ethnic origin; is necessary
for the purpose of monitoring equality of opportunity or treatment between
persons of different racial or ethnic origins with a view to enabling such
equality to be promoted or maintained; and is carried out with appropriate
safeguards for the rights and freedoms of data subjects
In practice the most important of these conditions is explicit consent: the
employee has to give their explicit permission for the data to be processed.
All data controllers will be under a duty to comply with the data protection
principles unless one of the limited exemptions applies.
The Act introduces a new system of notification which will replace the
existing registration scheme. This will result in a register of data
controllers replacing the present register. There is no requirement for a
register entry where the only personal data held is personal data in a relevant
filing system and personal data within non-automated accessible records.
It is unlawful to process personal data without notification unless it falls
within the exempt category above. This is an offence, liable to a fine of
£5,000 in the magistrates' court or an unlimited fine in the Crown Court.
The 1998 Act contains a number of provisions designed to protect the rights
of data subjects. These rights include:
– Access to and information about personal records.
– Obtaining rectification of errors.
– Objecting to processing of personal/sensitive data.
– Restrictions on enforced subject access.
– Rights as to compensation.
– Right to request assessment from commissioner.
All employees will be able to obtain access to, including permanent copies
of, most information about them held by their employer electronically or in
certain manual files.
The employee will have the right to: be told by the employer whether
personal data about them is being processed; be given a description of the data
concerned, the purposes for which it is being processed, and the recipients or
classes of recipients to whom it is or may be disclosed; be given
"in an intelligible form" the personal data and any information
available to the employer as to the source of the data; and be informed in
certain circumstances of the logic involved in computerised decision making.
The employer is not obliged to provide the information mentioned above
unless the employee has made a written request and has paid a modest fee of
£10. The employer must comply with the request within 40 days.
Where disclosure will reveal information relating to an individual other
than the data subject who can be identified from that information, the data
controller only has to comply with the request if the other individual has
consented to the disclosure of the information, or if it is reasonable in all
the circumstances to comply with the request without the consent of the other
individual.
There is also an express exemption in respect of confidential references
given by the employer for the purposes of education, training or employment;
appointment to any office; or the provision by the employee of any service.
There is already a right to see health records under the Access to Health
Records Act 1990, but it is expected that regulations made under the Data
Protection Act will grant individuals wider rights of access to health files.
The 1998 Act sets out a number of criminal offences relating to breaches of
the Act. Proceedings in connection with these offences may be instituted by the
commissioner or the Director of Public Prosecutions. The offences include:
knowingly or recklessly, without the consent of the data controller, obtaining
or disclosing personal data or the information contained in the personal data,
or procuring the disclosure to another person of the information contained in
personal data; and selling or seeking to sell personal data obtained in breach
of the Act.
The maximum penalty will be a £5,000 fine, so it is worth finding out how
this will affect the work of the occupational health department and how the
human resources department is responding.
Rachael Heenan is a barrister specialising in employment law at national
law firm Beachcroft Wansbroughs
Data Protection checklist
All organisations should audit their files containing manual data before the
first transitional period ends on 23 October 2001. After that date, even the
erasure and destruction of data amounts to processing of information under the
Act.
The organisation should:
– Carry out an audit to establish all collections of information in the
organisation including unofficial data held by managers
– Draw up an information policy based on the data protection principles
– Incorporate this policy into a staff handbook
– Notify staff of information usage
– Ask individuals for explicit consent to process sensitive data
– Ensure the information it holds is adequate, not excessive, not held for
an unnecessary period of time and removed from the file once it is no longer
needed
– Date and record the source of all processed information
– Monitor staff who have access to personal data. All employees who have
access to the data should be trained to process it in accordance with the Data
Protection Act.