The Data Protection Act came into force on 1 March 2000 and will be phased in fully over the next several years. The Act regulates the "processing" (broadly the using, obtaining, holding and disclosing) of data relating to individuals. From a personnel viewpoint, the Act could have a significant effect. "Data" includes automated or computerised data, and also manual files and records forming part of a "relevant filing system", which loosely means a structured set of paper records from which one can readily extract particular information on an individual. It also covers "accessible records" including health records. Any data relating to employees which is covered by the Act needs to be processed in accordance with the "data protection principles". The following points should be borne in mind.
Key points
Employees can make a formal access request to see their records on payment of a fee and learn the uses to which personal data will be put (although there are exemptions for confidential references, without prejudice negotiations and business planning).
Included in the definition of data are opinions. As data must be processed "fairly and lawfully", care should be taken where opinions are recorded on personnel files.
Data can be processed if the employee consents to the processing, or if processing is necessary to comply with the employer’s legal or contractual obligations or to further the data controller’s "legitimate interests". This should mean that information on employees may be disclosed to a prospective transferee in TUPE situations.
"Sensitive personal data" (such as information on disabilities, ethnic origins etc) may only be processed with the explicit consent of the employee. However, anonymous statistics on, say, ethnic origins can be processed without such consent.
Data must be adequate, relevant, not excessive, accurate, up-to-date, and held for no longer than necessary. This means spring cleaning personnel files to weed out expired disciplinary warnings and removing excessive and out-of-date documentation.
Multinational companies should not transfer data to a country outside the European Economic Area unless the country has an "adequate level of protection" in relation to data processing. This does not apply where the transfer is necessary to conclude a contract between employer and employee or where the employee consents to the transfer.
An employee may apply for a court order to rectify, block, erase or destroy inaccurate personal data and receive compensation for damage.
The scheme of Registration under the 1984 Act has been replaced with a scheme of Notification to the Data Protection Commissioner. As is the case now, a data controller’s register entry will have to include a description of the data held, the categories of data subject and the purposes for which data is processed. It is an offence to process data unless the controller of that data has a register entry (except in respect of manual files and records).