
Q&A: protecting personal data

by Personnel Today 15 Feb 2008

With the recent spate of government mistakes on losing personal data, XpertHR spells out the correct procedures for handling employee information.

Q How does the Data Protection Act 1998 actually define ‘personal data’?

A Under the Data Protection Act 1998, ‘personal data’ simply means information held on record about an individual. Information held in paper format, data stored on a computer system and data processed through e-mail are all covered by the Act, which regulates the processing of data about individuals in employment.

Where information is held manually, it must be ‘structured in such a way that specific information relating to a particular individual is readily accessible’ to be covered by the Act. This means, in effect, that the data filing system must be easy to find and follow.

The Court of Appeal has further held that, to constitute ‘personal data’, information must be significantly biographical and have the individual as its focus.

Q What is ‘sensitive personal’ data, and can it be held on a personal file?

A Sensitive data comprises information about an employee’s racial or ethnic origins, politics, religion, trade union membership, physical or mental health, sex life, sexual orientation, or criminal (or alleged criminal) activities, proceedings or convictions.

Such data must not be held on an employee’s personal file without that employee’s express consent unless the information is necessary to comply with the employer’s legal obligations. Sensitive personal data volunteered on a job application form or during an interview should be deleted from the employee’s personal file, unless retained for legal reasons or in connection with any legal proceedings.

Q What principles are employers obliged to follow to ensure that personal data is handled correctly?

A Employers are obliged under the Data Protection Act 1998 to adhere to eight data protection principles which state that employers must:



  • Process personal data fairly and lawfully (which means that personal information must not be obtained or used unless either the employee has consented or one of a limited range of conditions has been met)
  • Obtain and process data only for specified and lawful purposes (ie use personal information only for clearly agreed purposes)
  • Ensure data is adequate, relevant and not excessive in relation to its stated purpose (ie not store more information than is necessary about a person)
  • Ensure that data is accurate and kept up to date
  • Not keep data for longer than is necessary in relation to its purpose
  • Process data in accordance with the rights of individuals
  • Take appropriate measures against unauthorised or unlawful processing and against accidental loss, damage or destruction of the data
  • Not transfer data outside the European Economic Area without ensuring adequate protection of the data.

Q Does an employer have the right to retain any personal data gathered during the recruitment process?

A The Data Protection Act 1998 created new obligations for employers in relation to information they gather and retain about job applicants (and existing employees). The Act covers all personal information held about an individual, whether the files are set up manually or held on computer. To ensure compliance with the Act, the application form should include a statement about the employer’s intent to process the information and ask the applicant to signify their consent.

Q Does an employer have the right to approach an employee’s GP for information about their health?

A An employer must not approach an employee’s GP for a medical report without first obtaining the employee’s written consent. When doing this, the employer is obliged to inform the employee of their rights under the Access to Medical Reports Act 1988. The employee has the right to see a copy of the report once it is prepared and before it is given to the employer.

The employee also has the right to ask the doctor to remove information that they consider damaging or irrelevant or to refuse to allow the doctor to release the report. These rights do not generally extend to reports prepared by an independent doctor paid for by the employer.

Q For how long should an employer keep an employee or ex-employee’s personnel files?

A The Employment Practices Data Protection Code provides guidance on compliance with the Data Protection Act 1998 regarding the retention of employees’ and former employees’ records.

The Act itself sets no specific period, stating only that personal data should not be kept longer than is necessary for the purpose or purposes for which it is being processed.

Employers can therefore set their own retention periods, so long as these are based on business needs and take into account any professional guidelines.



