IRS/DLA
research shows a wide gulf between the views of the Data Protection
Commissioner and employers on issues such as sickness absence records. David
Shepherd, editor of IRS Employment Trends, reports
Issues
of access and disclosure are central to the Data Protection Act. “Employees,
like any other individuals, have a right to know what information is kept about
them,” says the Data Protection Comm-issioner, Elizabeth France. Moreover, for
some categories of information, such as “sensitive personal data”, the explicit
consent of employees may be required before employers can legitimately hold
records.
In
the commissioner’s view, it is good practice for employers to, “Provide every
employee with a copy of his/her basic record annually and ask him/her to
identify inaccuracies and amendments needed.” Unfortunately, a majority of the
employers’ panel surveyed by research company Industrial Relations Services and
employment lawyers DLA Advance, falls short of her recommendations in this
respect.
Respondents
to a questionnaire were asked whether or not every em-ployee in his/her
organisation is provided with a copy of their basic personnel record and asked
to identify inaccuracies and amendments needed. While public-sector respondents
are evenly split on the issue, about three-fifths of both private services and
private manufacturing and utility employers did not provide employees with a
copy of their basic record as a matter of course.
Respondents
were also asked if their organisations automatically provide em-ployees with
copies of their records and how often they did so. More than half do so
annually, although one-tenth do so less frequently (up to every three years)
and around one-sixth say they do so on an ad hoc basis.
If
it is assumed (generously) that most of the employers providing employees with
copies of their records on an ad hoc basis do so at least once a year – this
means that less than one-third follow the commissioner’s notion of good
practice by providing for an annual employee update.
Automatic
disclosure of basic personnel records to employees may be a matter of good
practice, but disclosure following a legitimate access request from an employee
is a matter of law. Employees have a legal right to know what information is
kept about them.
Access
requests
According
to the Data Protection Commissioner, “A subject access request is any written
request (including e-mail) from a prospective, current, [or] past employee or any
other person who indicates they want to know what information is kept about
him/her. Employers can charge up to £10 for responding to each re-quest and can
ask for information that helps them locate the records – for example dates of
employment.”
To
comply with the DPA, and in particular with principle six, (Greater
difficulties) the Com-missioner says employers must “have in place a system
that enables [them] to locate all the information about an employee and provide
him/her with a copy of that information promptly – in any event within 40 days
of receiving a subject access request”.
There
are some important exemptions from this subject access right. Most notably, in
the employment context, information kept for management planning or forecasting
can be withheld where supplying it would “prejudice the employer’s business”.
Respondents
were asked whether or not their organisation has a procedure in place through
which employees can make an access request to see their records, and learn the
uses to which their personal data will be put.
Around
three-fifths said their organisation has an access procedure. A further quarter
reports its organisation plans to introduce such a procedure. All but one of
the latter group expects to introduce their procedures later this year.
Therefore, by 2002, it appears that just under one-sixth of the IRS/DLA panel
may be in danger of failing to comply with this provision of the Act as
interpreted by the commissioner.
Maximum
deadline
We
then asked respondents in organisations with a formal employee access procedure
whether or not a period of written notice is required from the employee. Around
two-thirds of respondents say this is the case, with both private manufacturing
and utility firms and private services companies being more likely to require
notice than public sector employers.
Asked
how much notice is required from employees seeking access to their records,
around two-fifths of the relevant respondent group surveyed report a figure of
40 days, which is in line with the maximum deadline allowed under the
legislation. Most of the remainder specify periods of between one and 14 days,
although one reports that “reasonable” notice is required, and two say no
notice is needed.
Employers
are entitled to charge up to £10 for each access request, as noted above.
Nevertheless, less than three-quarters do not charge an administration fee. Of
those that do, most told us they require £10 or “up to £10”, although one
charges £5.
According
to the Data Protection Comm- issioner, an employee’s explicit consent “will
often be required to legitimise the holding and use” of records that include
“sensitive personal data”.
This
is defined as personal data consisting of information on the data subject’s
racial or ethnic origin; political opinions; religious beliefs or other beliefs
of a similar nature; membership or non-membership of a trade union; physical or
mental health or condition; sexual life; commission or alleged commission of
any offence; and subjection to proceedings for any offence committed or alleged
to have been committed by the data subject, the disposal of such proceedings or
the sentence of any court in such proceedings.
Accordingly,
respondents were asked whether or not their organisations have arrangements for
ensuring that sensitive personal data is processed only with the explicit
consent of the employee concerned. Seven-tenths of respondents report this is
the case in their organisations, leaving the remaining three-tenths appearing
not to comply with the DPA as interpreted by the commissioner.
The
commissioner says, “A record that a particular employee had 20 days’ sick leave
last year will be sensitive personal data. It might not be actual information
about the employee’s health but it will be information as to his/her health.”
This means that, to comply with the DPA, and in particular with principle one,
(Making sure systems are able to delete out-of-date unwanted information)
employers should “only hold sickness records of employees if [they] have the
explicit consent of each employee or if one of the other conditions for
processing sensitive data is satisfied”.
In
organisations that hold sickness absence records (all but two of the sample)
under three-tenths had not obtained specific consent of each employee to hold
such records.
Communication
Both
compliance with the DPA and adherence to the Data Protection Commissioner’s
view of what constit- utes good practice require significant efforts from
employers in the area of employee communication.
To
comply with the Act, as interpreted by the commissioner, and in particular to
comply with principle one, employers must “inform newly appointed staff what
information will be kept about them, where it is obtained, how it is used and
who, if anyone, it will be disclosed to” and they must “explain clearly how any
sensitive data is to be used” (as well as obtaining a clear indication of the
employee’s agreement).
Moreover,
to adhere to the commissioner’s notion of good practice, employers must “inform
new employees of their rights under the Data Protection Act 1998, in particular
their right of access to information kept about them”.
To
gauge the extent to which the organisations communicate with their employees
about data protection issues, they were asked what methods were used to communicate
with employees. The most popular ways of communicating data protection issues
to the general population of employees are via the staff handbook and specific
letters to staff – both of which methods are used by more than half the
employers.
The
second question concerned the last time respondents’ organisations had issued a
communication to employees covering data protection issues. The responses
suggest a high level of recent communication.
One-third
of respondents report that data protection last featured in a communication to
employees within the past three months, a further third report a communication
within the past six months, and another sixth within the past year.
This
gives a total of just under four-fifths of the sample that have communicated
with employees on data protection issues within the past year.
By
contrast, only one-tenth of our respondents report that their organisations
have never issued a communication of any kind to their employees on this
subject.
Will
the new code be a solution or a nasty shock?
The
DPA and the associated good-practice guidance provided by the Data Protection
Commissioner place major responsibilities on employers.
But
the three-tenths of the IRS/DLA panel who have not read the draft code may be
in for some nasty surprises when the final version is published.
Respondents
who have read the draft were asked what effect they think the code will have on
employee relations in their organisations.
On
a four-point scale, nearly half believe the code’s effect on their organisation
will be “neutral”, two-fifths believe it will be “positive” and one-sixth
believe it will be “negative”.
None
believes the impact will be “very positive”.
Among
the reasons identified are:
–
Effects on my organisation will be positive. “It provides reassurance and clear
guidance for ensuring compliance with [the DPA]”
Local
authority
– Effects on the wider economy will be positive. “Given the rise in global
communications, this should offer some protection and control within the UK”
Automotive
component manufacturer
– Effects on my organisation will be neutral. “The code only implements the
‘best-practice’ position”
Financial
services firm
– Effects on my organisation will be negative. “It is overkill. We cannot do
our job if we do not have [employees’] details
Transport
company
– Effects on the wider economy will be negative. “The resource implications of
the draft code are so large as to make it difficult for an organisation to
fully comply”
How
the survey was carried out
To
provide a snapshot of employers’ policies and procedures on the use of personal
data in employer-employee relationships, IRS and DLA jointly surveyed a panel
of employers a year after the 1998 Act came into force.
They
questioned them about the extent to which practice in their organisations
complies with the DPA and about the extent to which they use some of the
“good-practice” procedures set out by the commissioner in the code of practice.
The
panel comprised 53 respondents, 49 of whom submitted detailed questionnaire
replies in time to be included in the main analysis. All but six responses are
in respect of whole organisations; the others refer to a specific division,
department or site.
The
panel represents a cross section of economic activity Two-fifths of it is drawn
from the private services sector and a similar proportion from the public
sector, with the rest from manufacturing and utility companies.
There
was a bias towards medium-sized and large employers in the sample: the average
workforce size among respondent organisations is 1,850. Broken down by broad
sector, the median workforce size is 2,600 for public sector respondents, 785
for the private services sector and 450 for manufacturing and utilities.
Overall panel members employ 304,000 people – 127,000 (public sector), 157,000
(private services) and 20,000 (manufacturing and utilities).
In
recognition of the sensitive nature of some of the issues involved, respondents
were offered the chance to participate in the research without their responses
being attributed to their organisations by name.
Contacts
Sign up to our weekly round-up of HR news and guidance
Receive the Personnel Today Direct e-newsletter every Wednesday
Draft
Code of Practice: the use of personal data in employer/employee relationships
issued for consultation by the Data Protection Commissioner, October 2000,
available at wood.ccta.gov.uk/dpr/dpdoc.nsf
IRS
Employment Review 724, March 2001, available from Fawzia Ittoo, Industrial
Relations Services, 020-7354 6747, or e-mail [email protected] price
£25. www.irseclipse.co.uk For a
full summary of the report’s main findings go to www.personneltoday.com/features