Data Protection: Be prepared

A key issue for employers over the new Data Protection Act is forward planning.
The new Act is more complex than its forebear and uses new terminology. Mike
Hibbs offers a guide to formulating a policy.

The Data Protection Act 1998 will come into force on 1 March 2000, although
it received Royal Assent on 16 July 1998 and was scheduled to be fully
implemented in 1999. There are, however, transitional rules in relation to
exemptions for some manual data which postpone the requirements until 23
October 2007.

HR departments and other people likely to have dealings with the Act need to
prepare in advance. Those affected should be aware that the new Act, which
replaces the 1984 version, is more complex, and the 19 Statutory Instruments
currently being drafted – 15 of which have been completed so far – can only add
to the complexity.

One problem posed by the new Act and numerous regulations is the use of new
terminology. Some terms are defined in the Act but the parameters of the
definitions will have to be set by the tribunals.

The Act creates traps which the unwary could fall into because of grey
areas. The best policy is transparency and keeping staff informed as to what
information about them is held and what will be done with it. Forward planning
is the key – policies need to be drafted now to anticipate and deal with
anything new under the Act.

What information?

One of the most significant changes introduced by the 1998 Act is the fact
that information held on a relevant filing system will now be deemed to be data
and therefore subject to the provisions of the Act. Manual information will be
covered as well as information held on automated systems.

What exactly is a relevant filing system? When debated by the Government, it
was clear that the intention was that information on random pieces of paper
which is not readily accessible should not count. On the face of it, the
information needs to be held as a structured set which is readily accessible,
such as a file. But the information need not be in order. Information about an
individual could become structured by way of reference numbers or stickers.

Without any tribunal case law for guidance, this is a grey area for the time
being. Employers should remain cautious and treat all information which falls
under the definition of personal or sensitive personal data as subject to
protection under the Act.

Personal data shall be processed fairly and lawfully

There is guidance in the Act as to what personal data is. Practically
speaking, this will cover not only the name and address of the individual but
also any opinion about him, and whether there is an intention to promote or
demote him. Usually, such information can only be obtained and used with the
consent of the individual. The main exception is if such information is needed
for the administration of justice.

Consent already poses problems. To avoid any doubt, a policy should contain
a provision that such information will only be disclosed with the express consent
of the individual. Ideally, this should be in writing but express verbal
consent is theoretically acceptable. The only problem with any verbal
communication is proving it took place if there is a dispute. A consent form
would eliminate any doubt.

Sensitive personal data

This information includes the racial or ethnic origins, political opinions
or religious beliefs, sexuality, state of health or commission of an offence.
This information often comes to the fore in application forms, or forms monitoring
the ethnic or racial origins of employees. Such forms usually contain a
provision explaining that the information is confidential.

The requirements for using this sort of information under the Act and the
draft Data Protection (Processing of Personal Data) Order 1999 are stricter
than those for personal data. People who have access to personnel files need to
be wary of this. The explicit consent of the individual is needed – again, in
writing would be strongly advisable.

One of several other conditions must also be met. The two most likely to be
relevant are where the information is for the protection of the individual’s
vital interests, and the use of the information for the legitimate interests of
the person using the information.

In practice, this will cover the situation where medical information is
needed by a hospital about the employee when he has been involved in a serious
accident. It will also cover the release of information in relation to a survey
monitoring the racial or ethnic backgrounds of staff in a certain profession,
for example.

Policies need to reflect these strict requirements. Consider what is a vital
interest or what is a legitimate interest in your employees’ and business


The information held in relation to individuals must be accurate. The onus
is on the person holding the information to ensure that he takes all reasonable
steps to ensure that the information is up to date. Any policy should advise
staff to notify the relevant person of any changes to information held about
them. An individual has the right to request that inaccurate information about
them is erased.

Right of access to records

Employees should be advised of their right to access information held about
them in a policy – this is an issue of transparency. When the original EC
directive was being drafted, the intention was to create a final version which
balanced the individual’s right to privacy against freedom of information.
Staff need to know what information their employer holds about them.

After a written request, which can also be by way of e-mail, and an
administrative fee if the employer so desires – £10 at most and within 40 days
– the employee must be provided with details of what personal information is
being processed, why it is being processed and to whom the information is to be

The fee is only a fall-back provision, as employers should be encouraged to
provide this information within a reasonable time in an attempt to maintain
openness in an organisation.

The main exception to this rule is access to examination scripts. As for
exam marks, staff have a right to know the result within five months of a
request or 40 days from the announcement of results, whichever is sooner. Of
course, employers can provide this information much sooner if they are able to.
A policy could state that this information will be imparted as soon as is
reasonably possible after it comes to the employer’s attention.

Other rights for the individual

Under the Act, an individual is entitled not to suffer substantial damage or
substantial distress to him or another when personal data pertaining to him is
processed. Compensation may be payable if he does suffer such harm.

The individual can serve a written notice on the person processing such
information to cease if he will suffer such damage. A reply must be sent within
21 days.

In practice, to avoid such a cumbersome process, a policy could state that
such information will not be processed without consulting that person. Then, if
the individual considers that no harm will ensue and explicitly consents, the
processing could go ahead.


Personal data is exempt from protection if it is needed for the purpose of
safeguarding national security. Also, personal data is exempt from the rule
that it shall be processed fairly and lawfully if it is needed for the
prevention or detection of crime, the apprehension or prosecution of offenders
or for tax or duty assessment. A policy should contain a provision to this

The Data Protection Commissioner

The commissioner has the power to draw up a code of practice which employers
will be expected to follow. It is likely to provide that employers will be
unable to dismiss or discipline staff solely by using information from
automated systems such as cameras and computers. There have been examples of
employers obtaining information by reading employees’ e-mails or listening in to
phone calls, and in some instances cameras have been installed in toilets to
see whether staff spend time there as a break. Employers may need to revise
their policies once the new code of practice is produced, which may be later
this year.


In the event that an employee thinks the employer has exceeded his rights
under the Act, there should be a provision in a policy explaining who the
employee should contact in the first instance. Maintaining openness between the
two parties is most likely to avoid any future confrontation.

Employers should know, however, that an individual has the right under the
Act to apply to the Data Protection Commissioner to have an enforcement notice
implemented against the employer. Under the Data Protection Tribunal
(Enforcement Appeals) Rules 1999, an employer can appeal to an employment
tribunal against an enforcement notice within 28 days of the date of the

If in doubt

Trying to translate a new Act with new terminology into practical terms is
always a difficult task. And while many of the potential problems can be
foreseen, many more are likely to emerge when employers come to devise their
own policies.

The best that employers can do is devise a policy outlining the issues
raised by the Act. There also need to be consent provisions where, for
example, personal or sensitive personal data is likely to be processed. To
avoid liability, employers should err on the side of caution until some
parameters have been set by the tribunals.

Under the Act any person directly affected by the processing of personal
data can ask the Data Protection Commissioner to assess whether the provisions
of the Act are being complied with. Again, a policy should state that internal
discourse between the two parties should precede any such consultation. If no
agreement can be reached, the commissioner should then be consulted by the

Mike Hibbs is head of employment law at Shakespeares Solicitors and
visiting professor of employment law at the University of Central England


– Go through all manual and anticipated personnel data and check for any personal
or sensitive personal data, such as any opinions about an employee, his race
and so on. Make sure all systems have been covered, including those held by
departmental managers.

– Remove any unnecessary or unhelpful data.

– Devise a data protection policy:

a) What do we need to hold and why?

b) Who should have access to the information?

c) Consider who should hold such information.

d) Make time limits clear – 40 days for access to records and 21 days for
your reply to an access to information request.

e) Make the exemptions clear, such as the administration of justice.

f) How will disputes be dealt with? Follow the internal procedure first.

g) Revise your disciplinary and grievance procedures to cover abuses of data.

– Devise consent forms for processing personal data as well as processing
sensitive personal data.

– Devise plans for the regular updating of information. You should consider
the regular circulation for new addresses and so on.

– Make sure new employee information is taken correctly.

– Work out how you will answer requests for information within 40 days and
whether you will make an administrative charge (up to £10).

– Plan to revise policies as soon as the Data Protection Commissioner
publishes the Code of Practice, probably in summer 2000.
