The new Data Protection Act provides further rights for employees and additional responsibilities for employers
The new Data Protection Act 1998, effective from 1 March, widens the scope of its 1984 predecessor and places extra responsibilities on employers.
Specifically, the Act defines a range of "sensitive personal data", the handling of which may require the employee's consent.
Employees have other rights, too: they should be told when decision-making concerning them has been carried out by an automated system and, with a few exceptions, have rights to see their personnel records.
Furthermore, the 1998 Act covers structured paper-based records as well as information stored on computer.
The Act defines employers as "data controllers", in that they are responsible for processing data about "data subjects", which can include employees, prospective employees and former employees.
The type of data with which the HR manager deals will be what the Act describes as "personal" or "sensitive personal".
The new concept of "sensitive personal data" incorporates information on an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, the commission or alleged commission by them of any offence or any proceedings relating to it.
The Act dictates that processing must satisfy one of a given set of reasons including:
• the individual's consent;
• where processing is necessary for a contract to which the individual is a party;
• where processing is necessary to comply with a legal obligation.
Where sensitive personal data is being processed, additional restrictions must be met but, in most cases, the employee's explicit consent will be required.
While neither consent nor explicit consent is defined by the Act, guidance issued by the Data Protection Commissioner suggests agreement must always be freely given. In the case of sensitive personal data, that consent must be absolutely clear - and informed. In other words, the individual must have been informed of the type of data being processed and the reasons for it.
Automated decision-making covers practices such as automated CV scanning, performance assessments, redundancy selection and psychometric testing of applicants. The Act gives an individual the right, by written notice, to require an employer to ensure that no decision that significantly