Understanding the new Data Protection Act requirements

Changes came into force on 23 October. 
What impact will the Data Protection Act have on employers?

To understand the Act, certain key definitions are needed. These are:

– Data Subject: An individual who is the subject of personal data
– Data: This includes information processed by equipment (eg computers) and
information recorded as part of a relevant filing system
– Personal data: Any information relating to an identified or identifiable
– Processing: Any operation performed upon personal data, whether or not by
automatic means
– Data controller: A person who determines the purposes for and the manner in
which personal data is processed.

The main changes which came into force on 23 October are:

– Manual data: Individuals can access non-automated records not covered by an
exemption (see below). This will cover structured sets of information which are
readily accessible – not necessarily synonymous with an individual's personnel

– Personal data: Previously, where a name was incidental to a document, that
name, though clearly personal data, was not subject to the Act. This
qualification has disappeared.

– Subject access: Data subjects now have to be provided with a copy of the
data that concerns them AND should also be told the purposes for which the data
is processed; they should be given any available information as to the source
of the information and a description of those to whom the data has been or
may be given.

– Individual rights: Individuals now have the right to seek to prevent
"processing" likely to cause damage or distress, the right to prevent
"processing" for the purposes of direct marketing and a qualified
right to object to automated decision taking.

Compensation can be claimed for damage caused by the failure to comply with
any obligations of the Act and will cover financial loss AND damages for

Personal data is exempt from disclosure in limited circumstances, for

– To prevent or detect crime
– To assess or collect tax
– When the data relates to the physical health or mental state or condition of
the data subject
– When the data is protected by legal professional privilege

What impact will the Act have on employers?

The key change is that employees can now access paper records such as
confidential notes or memos concerning them written by their supervisors. This
includes information concerning them sent by e-mail, even where messages have
been deleted.

Confidential references supplied by employers remain private but, as
employees can request a copy from the recipient, employers should ensure the
references are fair and accurate.

A new category of sensitive personal data has been established, which covers
physical and mental health, ethnic origin, sexuality, and trade union
membership. To process this data the employer must explicitly obtain the data
subject’s consent or be able to show that it is necessary under the Act.

Employers need to take extra care if the disclosure identifies a third
party. The consent of that third party will need to be obtained beforehand. If
consent cannot be obtained, disclosure may be avoided, but employers will need to
have made reasonable efforts to obtain that consent to rely on this exemption.


The Act has been referred to as a "toothless sop". However, with
sanctions of a £5,000 fine in the magistrates' court, an unlimited fine in the
High Court, and imprisonment for defaulting directors, employers would be wise
to ensure they comply with its requirements.


The Information Commissioner has provided guidance to help those holding
personal information comply with the Act. It is at: www.dataprotection.gov.uk. A code
of practice on using personal data in the employment relationship is due to be
introduced in four stages during 2002.

By Sarah Lamont, a partner at Bevan Ashford Solicitors
