Personnel Today

Data protection racket?

by Personnel Today 1 Apr 2001

The draft Code of Practice for the Data Protection Act has been met with much criticism and controversy. Kirsty Bamford and Paul Killen look at the original Act, consider the draft proposals and explain how the Code will work in practice.

Last October, the Data Protection Commissioner published a draft Code of Practice entitled The use of personal data in employer/employee Relationships (the Code). The draft Code sets out standards with which employers should comply when processing personal information, to avoid falling foul of the Data Protection Act 1998 (the Act). Although the Code aims to give practical guidance for employers when implementing the Act, the commissioner, Elizabeth France, has gone beyond the scope of the Act, setting out recommendations for what is considered to be "best practice".

Publication of the final version of the Code was originally planned for this spring but, following a great deal of criticism, has been postponed until later in the year. Much of the criticism has centred on the fact that the section dealing with employee monitoring in the draft Code is not harmonised with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations, which were issued under the Regulation of Investigatory Powers Act 2000. The Code is far more draconian in its approach than the Act and is considered by many to go too far in placing onerous obligations on employers. In the circumstances, employers could be forgiven if they are confused as to precisely where their duties lie under the 1998 Act.

The Data Protection Act 1998

Before tackling the Code, it is essential that employers should have a good understanding of what the Data Protection Act requires of their business. The Act, which came into force on 1 March 2000, sets out rules on how personal information belonging or relating to an individual is obtained, processed or handled. Whereas the previous Data Protection Act 1984 (now repealed) applied only to records held on computer, the new Act extends to include certain paper records. A number of significant terms are defined in the Act, and the critical ones may be summarised as follows.

– The Act applies to "personal data". That is data that identifies an individual subject. Personal data includes all data regarding facts and opinions about an individual and covers information held regarding the intentions of a data controller towards an individual.

– "Sensitive data" is given special protection and is defined as personal data which relates to race or ethnic origin, political opinions, religious or other beliefs, trade union membership, sex life or the commission of any offence.

– Employers will be "data controllers" and will therefore need to comply with "the data protection principles" (see below) and the other requirements of the Act (for example, the notification requirements). An employer will "process" information if they obtain, record, or hold information, or carry out any operation or set of operations on personal data.

– The Act applies to data held in a "relevant filing system", defined as a set of information in which records are structured so that "specific information relating to a particular individual is readily accessible". This means that a substantial amount of manual data (for example, that held on a personnel file) will fall within the scope of the Act. Personnel records held without an indexing system or in a disorganised fashion may not be caught by the Act, although the draft Code suggests that even information not held centrally, but kept for example by a line manager, will be caught within the ambit of the Act.

Individual rights

Employees have the right of access to information held about them, whether on computer or on paper. Employers may charge a fee (£10) for providing data to an employee, and exemptions apply where a business needs to protect the confidentiality of the data processed for management forecasting or planning purposes, or where the employer has given a confidential reference (in relation to education, training or employment). This latter exemption only applies where the employer has given the reference, not when a reference has been received from a third party (although the employer in that case may not have to disclose the identity of the third party to the employee).

Processing data legitimately

In order to comply with the requirement that personal data is processed "fairly and lawfully", employers must ensure that certain conditions are met. A data subject should be aware of the identity of the data controller, the reason why the information has to be processed and to what extent. There are a number of conditions that have to be met before personal data can be processed legitimately. At least one of the following conditions must apply.

– The individual has given his or her consent to the processing

– The processing is necessary for the performance of a contract with the individual

– The processing is required under a legal obligation

– The processing is necessary to protect the vital interests of the individual

– The processing is necessary to carry out public functions, or

– The processing is necessary in order to pursue the legitimate interests of the data controller or third parties.

In the case of sensitive data, however, processing is subject to additional strict conditions, which require, among other things, the following.

– The employer has the "explicit" consent of the individual, or

– The processing is required under a legal obligation, or

– Any processing of sensitive data regarding racial or ethnic origin and so on may only be done with a view to promoting or maintaining equality.

This means that, unless one of the other permitted reasons applies, employers must obtain the employee’s consent to processing, which must be explicit where sensitive data is concerned. This begs the question, "What is ‘consent’?"

Employee consent?

Unfortunately, "consent" is not defined in the Act. The guidance to the Act refers to "any freely given specific and informed indication of [his] wishes by which the data subject signifies his agreement to personal data relating to him being processed". The guidance also states that "signify" implies some form of active communication between the parties. Therefore, employers will not be able to infer consent from a lack of response to a communication. This means that a provision in a handbook or a clause in an unsigned contract of employment is unlikely to constitute valid consent. It also seems clear that consent that is obtained under duress or in response to misleading information would not be a valid basis for processing.

It is recommended that employers include a standard clause in contracts of employment, recording the employee’s consent to the processing of personal data. For example, "You consent to the company holding and processing, both electronically and manually, the data it collects in relation to you and your employment (in the course of your employment), for the purposes of the company’s, for example, management and administration of its employees and its business, and, or, for compliance with applicable procedures, laws and regulations and to the transfer, storage and processing by the company or its agent of such data outside the European Economic Area, in particular to [name countries where group companies are based] and any other country in which the company has offices."

However, it is important to note that it is unlikely that explicit consent could be obtained via a generic clause in a contract, so specific consent should be sought for the processing of sensitive data. In the case of sensitive data, an employer should notify an employee of the type of data that is to be processed, the purpose and any special aspects of the processing which may affect the employee.

Draft Code of Practice

The Code sets out two standards of conduct: the requirements that the commissioner believes are necessary for compliance with the Act, and recommendations (or good practice), which go beyond the strict remit of the Act. The Code (which is still in draft form) covers various aspects of the employment relationship, including recruitment, the keeping of employment records, the monitoring of employee communications and the retention of former employees’ records.

Businesses must nominate someone to oversee data compliance, train the staff involved in data processing and ensure that procedures are in place for regular data clean-up operations. Recruitment and interview procedures and application forms should be reviewed to ensure that only relevant data is requested and retained.

The Code recommends specific time limits for the retention of recruitment records and applications, references, tax records, sickness records, appraisals, training records, disciplinary records etc. All new staff should be advised of what records will be held concerning them, for what purpose and, if the information will be disclosed, to whom.

In the case of sickness records, which fall within the definition of sensitive data, employers are advised only to hold such records with explicit consent, ensuring that employees are aware of the extent of such information. Equal opportunity monitoring is likewise considered sensitive and should only be undertaken as part of an ongoing programme of equality. Security is paramount and businesses should set up a system of access controls to protect personal data.

In relation to the disclosure of information, a system must be put in place that enables employers to locate information easily so that they can respond within the stipulated 40 days of receiving a request. A further requirement is that employers check the identification of a data subject to prevent information being passed on in error and exercise caution before responding to any external request for information. It is also particularly recommended that you put a disclosure policy in place to assist staff members who are likely to receive such requests.

Monitoring communications

Employers should establish specific business purposes for which monitoring will be introduced and undertake an evaluation exercise to assess the impact of monitoring on the privacy, autonomy and legitimate rights of employees. Employees should in turn be advised of what monitoring will take place and that any information gathered should only be used for a non-specified purpose in the case of the discovery of criminal activity or gross misconduct.

The Code specifically provides that covert monitoring is unlikely ever to be justified and, in the case of e-mail monitoring, states that spot-check monitoring is preferable to continuous monitoring and should be limited to traffic data rather than the contents of communications. Employers should also have clear business reasons for monitoring, which should be strictly limited and targeted. Personal e-mails should never be opened. In the case of Internet monitoring, this should be proportionate to the risk to the business and should be designed to protect, rather than to prevent abuse.

Kirsty Bamford and Paul Killen are solicitors in the employment and pensions department at Paisner & Co

The eight principles of data protection

While processing personal data, employers must comply with the eight principles of good practice. These are that data must be as follows:

– Fairly and lawfully processed

– Processed for limited purposes and not in any manner incompatible with those purposes

– Adequate, relevant and not excessive

– Accurate

– Not kept for longer than is necessary

– Processed in line with a data subject’s rights

– Secure

– Not transferred to countries without adequate protection.
