One year on from the introduction of the Data Protection Act, companies are failing
to comply with it and their directors are risking criminal prosecution as a
result, research published this week reveals.
It shows that only half of the organisations questioned have a written data
protection policy.
The report, by Industrial Relations Services and law firm DLA, also shows that 70
per cent do not have employees’ consent to hold sickness absence records and a
third have not sought consent to hold sensitive personal data such as an
employee’s mental or physical health problems.
The research questioned personnel directors and other senior managers in 50
organisations with an average of 1,850 staff.
“Failure to comply with the Act can lead to directors being personally liable for both
civil and criminal prosecution,” DLA partner Mike Pullen warned.
Author of the report, David Shepherd, said, “It is worrying because if these
respected, mostly blue-chip companies are having trouble complying with the Act
then the situation will be much worse among most employers.”
Only a third of the employers have arrangements to weed out documents like expired
disciplinary warnings.
Neil Leitch, head of insurance and investment, HR policy and strategy
implementation, at Scottish Widows, said it carried out a huge cleaning
exercise last year. “Eight people spent three months going through files, and
for staff like myself who have been
here for 25 years, there were sackfuls of shredded waste,” he said.
The Act regulates when and how personal data about individuals may be obtained,
held, used and disclosed.
Report from IRS Employment Trends (Issue 724), £25, 020-7354 67424
By Catriona Marchant