Failure to register under the Data Protection Act and adopt a data protection policy can land a firm in trouble.
Although the Data Protection Act 1998 came into force on 1 March 2000, nine out of 10 companies do not appreciate its implications and one in two directors are unaware they are personally liable for the accuracy of their database. These statistics are all the more alarming bearing in mind that failure to comply with the Act may lead to an unlimited fine in the Crown Court, potential liability of responsible directors, and damages for the affected data subject for damage and associated distress. Failure to comply also exposes a company to the full spectrum of employment-related claims, including sexual, racial and disability discrimination and unfair dismissal.
Subject to certain exemptions, the Act requires a company to notify the Data Protection Commissioner if it is "processing personal data", which includes obtaining, holding, recording, analysing data or disclosing such data to someone else. "Data" is any information relating to individuals who can either be identified from the data alone or from the data and other information in the company’s possession. The Act applies not only to data processed automatically but also data held on manual files.
To this end, the Act would certainly apply to employees’ personnel files, recruitment, health, attendance and disciplinary records and any other files compiled manually by management with or without authorisation.
Personal data must be processed fairly and lawfully and to this end can be processed only with the individual’s consent. While such consent can be implied in circumstances in which the individual is providing the information or where a clause in the individual’s contract of employment specifically places the employee on notice that personal information about him or her will be processed in accordance with the Act’s provisions, explicit consent (in writing) is required for processing of "sensitive personal data", which includes information relating to racial, ethnic or origin, political opinions, religious beliefs, health, sex and commission of offences.
On payment of a fee, any employee has the right to see all personal data held by the company relating to him/her, be told of the purpose for which the processing is taking place and who has access to the information, require inaccurate information to be corrected and can request a copy of all of the information held. What this means in practice is that any remarks made by management in an employee’s official personnel file, or in an unofficial file kept by a manager for his/her purposes in monitoring the performance of his/her juniors, will be disclosable on request.
It is not difficult, therefore, to see how a flippant remark in an internal management appraisal could lead to a discrimination and/or a constructive dismissal claim. The longer a company leaves the implementation of a comprehensive data protection policy, the greater will be its difficulty in reorganising its administration to incorporate the Act’s provisions, and the greater will be its exposure.
Because of a company’s increased exposure to employment-related claims in the absence of a comprehensive data protection policy, it will not be long before insurers offering cover for employment-related claims require a detailed data protection audit to be carried out as a pre-condition to cover or offer substantial discounts on premiums once such audit has taken place.
By Mark O’Neil, senior employment solicitor at Sinclair Roche & Temperley, tel 020-7452 4224, e-mail: mark.o’neil @srtlaw.com