The draft Code of Practice for the Data Protection Act has been met with much criticism and controversy. Kirsty Bamford and Paul Killen look at the original Act, consider the draft proposals and explain how the Code will work in practice.
Last October, the Data Protection Commissioner published a draft Code of Practice entitled The use of personal data in employer/employee relationships (the Code). The draft Code sets out standards with which employers should comply when processing personal information, to avoid falling foul of the Data Protection Act 1998 (the Act). Although the Code aims to give practical guidance for employers when implementing the Act, the commissioner, Elizabeth France, has gone beyond the scope of the Act, setting out recommendations for what is considered to be "best practice".
Publication of the final version of the Code was originally planned for this spring but, following a great deal of criticism, has been postponed until later in the year. Much of the criticism has centred on the fact that the section dealing with employee monitoring in the draft Code is not harmonised with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations, which were issued under the Regulation of Investigatory Powers Act 2000. The Code is far more draconian in its approach than the Act and is considered by many to go too far in placing onerous obligations on employers. In the circumstances, employers could be forgiven if they are confused as to precisely where their duties lie under the 1998 Act.
The Data Protection Act 1998
Before tackling the Code, it is essential that employers should have a good understanding of what the Data Protection Act requires of their business. The Act, which came into force on 1 March 2000, sets out rules on how personal information belonging or relating to an individual is obtained, processed or handled. Whereas the previous Data Protection Act 1984 (now repealed) applied only to records held on computer, the new Act extends to include certain paper records. A number of significant terms are defined in the Act, and the critical ones may be summarised as follows.
– The Act applies to "personal data". That is data that identifies an individual subject. Personal data includes all data regarding facts and opinions about an individual and covers information held regarding the intentions of a data controller towards an individual.
– "Sensitive data" is given special protection and is defined as personal data which relates to race or ethnic origin, political opinions, religious or other beliefs, trade union membership, sex life or the commission of any offence.
– Employers will be "data controllers" and will therefore need to comply with "the data protection principles" (see below) and the other requirements of the Act (for example, the notification requirements). An employer will "process" information if they obtain, record, or hold information, or carry out any operation or set of operations on personal data.
– The Act applies to data held in a "relevant filing system", defined as a set of information in which records are structured so that "specific information relating to a particular individual is readily accessible". This means that a substantial amount of manual data (for example, that held on a personnel file) will fall within the scope of the Act. Personnel records held without an indexing system or in a disorganised fashion may not be caught by the Act, although the draft Code suggests that even information not held centrally, but kept for example by a line manager, will be caught within the ambit of the Act.
Individual rights
Employees have the right of access to information held about them, whether on computer or on paper. Employers may charge a fee (£10) for providing data to an employee, and exemptions apply where a business needs to protect the confidentiality of the data processed for management forecasting or planning purposes, or where the employer has given a confidential reference (in relation to education, training or employment). This latter exemption only applies where the employer has given the reference, not when a reference has been received from a third party (although the employer in that case may not have to disclose the identity of the third party to the employee).
Processing data legitimately
In order to comply with the requirement that personal data is processed "fairly and lawfully", employers must ensure that certain conditions are met. A data subject should be aware of the identity of the data controller, the reason why the information has to be processed and to what extent. There are a number of conditions that have to be met before personal data can be processed legitimately. At least one of the following conditions must apply.
– The individual has given his or her consent to the processing
– The processing is necessary for the performance of a contract with the individual
– The processing is required under a legal obligation
– The processing is necessary to protect the vital interests of the individual
– The processing is necessary to carry out public functions, or
– The processing is necessary in order to pursue the legitimate interests of the data controller or third parties.
In the case of sensitive data, however, processing is subject to additional strict conditions, which require, among other things, the following.
– The employer has the "explicit" consent of the individual, or
– The processing is required under a legal obligation, or
– Any processing of sensitive data regarding racial or ethnic origin and so on may only be done with a view to promoting or maintaining equality.
This means that, unless one of the other permitted reasons applies, employers must obtain the employee’s consent to processing, which must be explicit where sensitive data is concerned. This begs the question, "What is ‘consent’?"
Employee consent?
Unfortunately, "consent" is not defined in the Act. The guidance to the Act refers to "any freely given specific and informed indication of [his] wishes by which the data subject signifies his agreement to personal data relating to him being processed". The guidance also states that "signify" implies some form of active communication between the parties. Therefore, employers will not be able to infer consent from a lack of response to a communication. This means that a provision in a handbook or a clause in an unsigned contract of employment is unlikely to constitute valid consent. It also seems clear that consent that is obtained under duress or in response to misleading information would not be a valid basis for processing.
It is recommended that employers include a standard clause in contracts of employment, recording the employee’s consent to the processing of personal data. For example: "You consent to the company holding and processing, both electronically and manually, the data it collects in relation to you and your employment (in the course of your employment), for the purposes of the company’s, for example, management and administration of its employees and its business, and, or, for compliance with applicable procedures, laws and regulations and to the transfer, storage and processing by the company or its agent of such data outside the European Economic Area, in particular to [name countries where group companies are based] and any other country in which the company has offices."
However, it is important to note that it is unlikely that explicit consent could be obtained via a generic clause in a contract, so specific consent should be sought for the processing of sensitive data. In the case of sensitive data, an employer should notify an employee of the type of data that is to be processed, the purpose and any special aspects of the processing which may affect the employee.
Draft Code of Practice
The Code sets out two standards of conduct: the requirements that the commissioner believes are necessary for compliance with the Act, and recommendations (or good practice), which go beyond the strict remit of the Act. The Code (which is still in draft form) covers various aspects of the employment relationship, including recruitment, the keeping of employment records, the monitoring of employee communications and the retention of former employees’ records.
Businesses must nominate someone to oversee data compliance, train the staff involved in data processing and ensure that procedures are in place for regular data clean-up operations. Recruitment and interview procedures and application forms should be reviewed to ensure that only relevant data is requested and retained.
The Code recommends specific time limits for the retention of recruitment records and applications, references, tax records, sickness records, appraisals, training records, disciplinary records, etc. All new staff should be advised of what records will be held concerning them, for what purpose and, if the information will be disclosed, to whom.
In the case of sickness records, which fall within the definition of sensitive data, employers are advised only to hold such records with explicit consent, ensuring that employees are aware of the extent of such information. Equal opportunity monitoring is likewise considered sensitive and should only be undertaken as part of an ongoing programme of equality. Security is paramount and businesses should set up a system of access controls to protect personal data.
In relation to the disclosure of information, a system must be put in place that enables employers to locate information easily so that they can respond within the stipulated 40 days of receiving a request. A further requirement is that employers check the identification of a data subject to prevent information being passed on in error and exercise caution before responding to any external request for information. It is also particularly recommended that you put a disclosure policy in place to assist staff members who are likely to receive such requests.
Monitoring communications
Employers should establish specific business purposes for which monitoring will be introduced and undertake an evaluation exercise to assess the impact of monitoring on the privacy, autonomy and legitimate rights of employees. Employees should in turn be advised of what monitoring will take place and that any information gathered will only be used for a purpose other than the one specified where criminal activity or gross misconduct is discovered.
The Code specifically provides that covert monitoring is unlikely ever to be justified and, in the case of e-mail monitoring, states that spot-check monitoring is preferable to continuous monitoring and should be limited to traffic data rather than the contents of communications. Employers should also have clear business reasons for monitoring, which should be strictly limited and targeted. Personal e-mails should never be opened. In the case of Internet monitoring, this should be proportionate to the risk to the business and should be designed to protect, rather than to prevent abuse.
Kirsty Bamford and Paul Killen are solicitors in the employment and pensions department at Paisner & Co
The eight principles of data protection
While processing personal data, employers must comply with the eight principles of good practice. These are that data must be:
– Fairly and lawfully processed
– Processed for limited purposes and not in any manner incompatible with those purposes
– Adequate, relevant and not excessive
– Accurate
– Not kept for longer than is necessary
– Processed in line with a data subject’s rights
– Secure
– Not transferred to countries without adequate protection.