The new Data Protection Act provides further rights for employees and additional responsibilities for employers
The new Data Protection Act 1998, effective from 1 March, widens the scope of its 1984 predecessor and places extra responsibilities on employers.
Specifically, the Act defines a range of “sensitive personal data”, the handling of which may require the employee’s consent.
Employees have other rights, too: they should be told when decision-making concerning them has been carried out by an automated system and, with a few exceptions, have rights to see their personnel records.
Furthermore, the 1998 Act covers structured paper-based records as well as information stored on computer.
The Act defines employers as “data controllers”, in that they are responsible for processing data about “data subjects”, which can include employees, prospective employees and former employees.
The type of data with which the HR manager deals will be what the Act describes as “personal” or “sensitive personal”.
The new concept of “sensitive personal data” incorporates information on an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and the commission or alleged commission by them of any offence, or any proceedings relating to it.
The Act dictates that processing must satisfy one of a given set of reasons including:
• the individual’s consent;
• where processing is necessary for a contract to which the individual is a party;
• where processing is necessary to comply with a legal obligation.
Where sensitive personal data is being processed, additional restrictions must be met but, in most cases, the employee’s explicit consent will be required.
While neither consent nor explicit consent is defined by the Act, guidance issued by the Data Protection Commissioner suggests agreement must always be freely given. In the case of sensitive personal data, that consent must be absolutely clear – and informed. In other words, the individual must have been informed of the type of data being processed and the reasons for it.
Automated decision-making covers practices such as automated CV scanning, performance assessments, redundancy selection and psychometric testing of applicants. The Act gives an individual the right, by written notice, to require an employer to ensure that no decision that significantly affects them is based solely on automated means.
Where no notice is given, the employer must notify the individual as soon as practicable that a decision was taken solely on this basis. The individual then has a right to require the employer to reconsider the decision or take a new decision not based solely on automated means.
One important exemption is where the decision is taken with a view to entering into a contract with the individual.
The subject access right means that, upon payment of a fee, current or former employees are entitled to request and see, within 40 days, copies of any records on their personnel files.
Employers must also tell employees why the data is being processed and identify those to whom the information is, or may be, disclosed.
There are certain exemptions. A confidential reference produced by the current employer for training or employment will be exempt, but a reference provided by a third party will not.
Often, records about a particular employee will refer to others, such as colleagues or managers. Disclosure of third parties’ names without consent may amount to improper processing.
Linda Farrell is a partner of Bristows in London. Tel: 020-7400 8000