Data protection

In this series, we delve into the XpertHR reference manual to find essential
information relating to one of our features. This month’s topic…

The Data Protection Act 1998

The now-repealed Data Protection Act 1984 laid down rules relating to the
processing of personal data held on a computer or computer disk. With the Data
Protection Act 1998 (DPA) coming into force, the rules apply not only to
computerised records but also to data held in a ‘relevant filing system’; that
is to say, in any manual or paper-based filing system that is structured either
by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular individual
is readily accessible.

Meaning of personal data

Personal data means data relating to a ‘living individual’ (an employee) who
can be identified from that data, or from that data together with any other
information held by the employer (the ‘data controller’) or likely to come into
the employer’s possession. It also includes any expression of opinion and any
indication of the employer’s intentions (or those of any other person within the
employing organisation) in respect of that employee – whether contained in (or
attached to) a letter, memorandum, report, certificate or other document, or
held in a paper-based file, on computer, or by any other automated or non-automated

Any personal data ‘processed for the purposes of management forecasting or
management planning’ may be withheld if disclosing it would be likely to
prejudice the conduct of the employer’s business. Nor do employees have the
right to access personal data which contains information concerning their
employer’s bargaining position in relation to negotiations or discussions about
employee pay and benefits or the like.

Sensitive personal data

This consists of information about an employee’s:

– Racial or ethnic origins

– Political opinions

– Religious beliefs

– Trade union membership

– Physical or mental health or condition

– Sex life or sexual orientation

– Criminal (or alleged criminal) activities

– Criminal proceedings, criminal convictions or sentences

Sensitive personal data must not be held on an employee’s personal file
without their express consent – unless it is held in compliance with an
employer’s legal obligations or to protect the employee’s vital interests.

Such data may be retained only for as long as necessary for the purpose of
defending a complaint of unlawful discrimination on grounds of sex, race,
disability or trade union membership (or non-membership), or (so long as
appropriate safeguards are in place) for reviewing, monitoring, promoting or
maintaining an equal opportunities policy.

Sensitive personal data volunteered on a job application form or during an
employment interview, or held with the express consent of the employee in
question, should be deleted from the employee’s personal file unless it is
retained for legal reasons.

It may be necessary to retain health records if legislation precludes the
employment (or continued employment) of people in specified occupations or in
work involving exposure to certain hazardous substances.

If a job application form requires a job applicant to provide information
which could be characterised as ‘sensitive personal data’, the form should
explain the employer’s reasons for requiring that information, together with an
assurance that the information will be held in the strictest confidence. It
should also state that (in keeping with the applicant’s rights under the DPA)
it will not be disclosed or otherwise made available to any unauthorised third
party; and that it will be destroyed if the candidate’s application for
employment is unsuccessful. The same rule applies to ‘sensitive personal data’
volunteered by a job applicant in a CV or similar document.

Duties of employers

Personal data must be accurate, adequate and relevant; must not be disclosed
to unauthorised third parties without the express consent of the ‘data subject’
(the employee); must be kept up to date; must be processed fairly and lawfully;
and must not be held for longer than is strictly necessary. See The eight
principles below.

However, the DPA recognises that certain personal data volunteered by a job
applicant or existing employee may need to be held on file for contractual or
legal reasons, consistent (in the latter case) with an employer’s duties and
liabilities under legislation such as the Social Security Contributions and
Benefits Act 1992, the National Minimum Wage Act 1998, the Working Time
Regulations 1998, the Maternity and Parental Leave etc Regulations 1999, health
and safety legislation, and so forth.

The Management of Health and Safety at Work Regulations 1999 require
employers to monitor the health of employees who are, or may be, exposed to
hazardous substances, and to maintain any associated health records for a
specified number of years, for example.

Evidence of an employee’s entitlement to parental or maternity leave, time
off for dependants, annual holidays and such like must also be retained, for
obvious reasons. An employer would be justified in keeping documentary evidence
relating to an employee’s dismissal (for whatever reason) against the
possibility of a complaint of unfair or unlawful dismissal or an action for
damages arising out of the employer’s alleged negligence or breach of a statutory

The same would be true of allegations of sexual or racial harassment or of
an employer’s failure to make reasonable adjustments to accommodate a disabled
employee. Attendance records (supported by doctors’ sick notes, accident
reports, etc) must be maintained for that same reason, as must records of
disciplinary warnings and hearings.

Keeping details of an employee’s age, nationality, marital status,
parenthood, next of kin, home address, telephone number, bank account, etc can
be justified on a variety of practical and legal grounds (for example to comply
with age limits on working hours and periods of employment, in the case of
accidents and emergencies, and for the purposes of the national minimum wage,
payroll, pensions).

The eight principles

Under the DPA, personal data held on an employee’s personal file or on any
associated or computerised record must be:

1. Processed fairly and lawfully, either with the employee’s consent, or for
contractual or legal reasons, or in the employer’s legitimate interests; or to
protect the employee’s vital interests; and, in the case of ‘sensitive personal
data’, not without the employee’s explicit consent – unless that data is held
in compliance with any statutory duty, or to protect the employee’s vital
interests, or for the purposes of legal proceedings, or for medical purposes or
(in the case of data concerning an employee’s racial or ethnic origins) for the
purposes of identifying, monitoring, promoting or maintaining the employer’s
equal opportunities policy

2. Obtained only for one or more specified and lawful purposes, and must not
be further processed in any manner incompatible with that purpose or purposes

3. Adequate, relevant and not excessive in relation to the purpose or
purposes for which it is processed

4. Accurate and, where necessary, kept up to date

5. Processed in accordance with the ‘subject access’ rights of employees
under the DPA

6. Protected (by ‘appropriate technical and organisational measures’)
against unauthorised or unlawful processing or disclosure, and against
accidental loss, damage or destruction.

And it must not be:

7. Kept for longer than strictly necessary (but, again, subject to any legal
requirements to the contrary)

8. Transferred to any country or territory outside the European Economic
Area (EEA) (for example in connection with a transfer or secondment overseas)
unless that country or territory ensures an adequate level of protection for
the rights and freedoms of data subjects in relation to the processing of
personal data.

Action point checklist

– Check recruitment and selection
procedures to ensure they comply with the DPA

– Ensure automated systems are not used as the sole basis for
shortlisting candidates for promotion, transfer or further training. Give
rejected candidates an opportunity to make representations about the
objectivity, fairness and consistency of such systems

– Scrutinise job application forms, health questionnaires, etc
to ensure the questions asked are relevant. If necessary, accompany them with a
document explaining the justification for certain questions ("Are you
pregnant or have you recently given birth?", for example, or "Do you
have a disability?")

– Keep application forms, CVs and other documents from rejected
job applicants under lock and key and destroy them within four months of the
date they were informed their application was unsuccessful. If there is a
chance of an offer of employment being made at a later date, inform the
candidate accordingly and ask for their written permission to retain that
information on file

– Most workers now have the right of access to their personal
file. Scrutinise files and, where necessary, launder them to remove irrelevant
personal data

– Inform employees of their rights under the DPA, in particular
to access to the information kept about them

– Better still, provide each employee with a copy of his or her
basic personal file at least once a year. Invite the employee to identify
inaccuracies and suggest amendments.

Questions and answers

Can an employer approach a
worker’s GP for information on their health?

Not without obtaining their written consent. The employer is
obliged to inform the worker of their rights under the Access to Medical
Reports Act 1988. The worker has the right to see a copy of the report before
it is relayed to the employer, and can ask the doctor to remove information
they consider damaging or irrelevant, or forbid the doctor to release the
report to the employer. These rights do not generally extend to reports
prepared by an independent doctor paid for by the employer.

Can employers use computers alone
to judge performance, reliability or conduct?

An employer is duty bound to notify a worker of any significant
decision affecting them that has been taken solely on the basis of an automated
computer system. The employee may respond in writing within 21 days asking the
employer to reconsider the decision or to take a new decision other than on
that basis. The employer must reply within 21 days specifying the steps it will
take to comply with the employee’s request.

Can an employee insist information
about them is removed from their personal file?

An employee may ask for information to be deleted if it is
inaccurate or likely to cause them substantial unwarranted damage or distress.
Within 21 days the employer must either remove the information or explain why
the request is unjustified. The employer need not comply with a request if the
worker consented to that information being held, or if it is necessary for
contractual or legal reasons, or to protect the worker’s interests. From 24
October 2007, employees may apply to a civil court for an order requiring the
removal or destruction of inaccurate personal data.