Data protection

first_imgIn this series, we delve into the XpertHR reference manual to find essentialinformation relating to one of our features. This month’s topic…The Data Protection Act 1998The now-repealed Data Protection Act 1984 laid down rules relating to theprocessing of personal data held on a computer or computer disk. With the DataProtection Act 1998 (DPA) coming into force, the rules apply not only tocomputerised records but also to data held in a ‘relevant filing system’; thatis to say, in any manual or paper-based filing system that is structured eitherby reference to individuals or by reference to criteria relating toindividuals, in such a way that specific information relating to a particular individualis readily accessible. Meaning of personal dataThis means data relating to a ‘living individual’ (an employee) who can beidentified from that data or from that and any other information held by theemployer (the ‘data controller’), or that is likely to come into the employer’spossession. It also includes any expression of opinion and any indication ofthe employer’s intentions (or that of any other person within the employingorganisation) in respect of that employee – whether contained in (or attachedto) a letter, memorandum, report, certificate or other document, or held in apaper-based file, on computer, or by any other automated or non-automatedmeans. Any personal data ‘processed for the purposes of management forecasting ormanagement planning’ may be withheld if disclosing it would be likely toprejudice the conduct of the employer’s business. Nor do employees have theright to access personal data which contains information concerning theiremployer’s bargaining position in relation to negotiations or discussions aboutemployee pay and benefits or the like. Sensitive personal dataThis consists of information about an employee’s: – Racial or ethnic origins – Political opinions – Religious beliefs – Trade union membership – Physical or mental health or condition – Sex life or sexual orientation – Criminal (or alleged criminal) activities – Criminal proceedings, criminal convictions or sentences Sensitive personal data must not be held on an employee’s personal filewithout their express consent – unless it is held in compliance with anemployer’s legal obligations or to protect the employee’s vital interests. Such data may be retained only for as long as necessary, for the purpose ofdefending a complaint of unlawful discrimination on grounds of sex, race,disability or trade union membership (or non-membership), or (so long asappropriate safeguards are in place) for reviewing, monitoring, promoting ormain-taining an equal opportunities policy. Sensitive personal data volunteered on a job application form or during anemployment interview or held with the express consent of the employee inquestion, should be deleted from the employee’s personal file, unless retainedfor legal reasons. It may be necessary to retain health records if legislation precludes theemployment (or continued employment) of people in specified occupations or inwork involving exposure to certain hazardous substances. If a job application form requires a job applicant to provide informationwhich could be characterised as ‘sensitive personal data’, the form shouldexplain the employer’s reasons for requiring that information, together with anassurance that the information will be held in the strictest confidence. Itshould also state that (in keeping with the applicant’s rights under the DPA)it will not be disclosed or otherwise made available to any unauthorised thirdparty; and that it will be destroyed if the candidate’s application foremployment is unsuccessful. The same rule applies to ‘sensitive personal data’volunteered by a job applicant in a CV or similar document. Duties of employersPersonal data must be accurate, adequate and relevant; must not be disclosedto unauthorised third parties without the express consent of the ‘data subject’(the employee); must be kept up to date; must be processed fairly and lawfully;and must not be held for longer than is strictly necessary. See The eight dataprotection principles below. However, the DPA allows that certain personal data volunteered by a job applicantor existing employee needs to be held on file for contractual or legal reasons,consistent (in the latter case) with an employer’s duties and liabilities underlegislation such as the Social Security Contributions and Benefits Act 1992,the National Minimum Wage Act 1998, the Working Time Regulations 1998, theMaternity and Parental Leave etc Regulations 1999, health and safetylegislation, and so forth. The Management of Health and Safety at Work Regulations 1999 requireemployers to monitor the health of employees who are, or may be, exposed tohazardous substances, and to maintain any associated health records for aspecified number of years, for example. Evidence of an employee’s entitlement to parental or maternity leave, timeoff for dependants, annual holidays and such like, must also be retained forobvious reasons. An employer would be justified in keeping documentary evidencerelating to an employee’s dismissal (for whatever reason) against thepossibility of a complaint of unfair or unlawful dismissal or an action fordamages arising out the employer’s alleged negligence or breach of a statutoryduty. The same would be true of allegations of sexual or racial harassment or ofan employer’s failure to make reasonable adjustments to accommodate a disabledemployee. Attendance records (supported by doctors’ sick notes, accidentreports, etc) must be maintained for that same reason, as must records ofdisciplinary warnings and hearings. Keeping details of an employee’s age, nationality, marital status,parenthood, next of kin, home address, telephone number, bank account, etc canbe justified on a variety of practical and legal grounds (for example to complywith age limits on working hours and periods of employment, in the case ofaccidents and emergencies, and for the purposes of the national minimum wage,payroll, pensions). The eight principlesUnder the DPA, personal data held on an employee’s personal file or on anyassociated or computerised record must be: 1. Processed fairly and lawfully, either with the employee’s consent, or forcontractual or legal reasons, or in the employer’s legitimate interests; or toprotect the employee’s vital interests; and, in the case of ‘sensitive personaldata’, not without the employee’s explicit consent – unless that data is heldin compliance with any statutory duty, or to protect the employee’s vitalinterests, or for the purposes of legal proceedings, or for medical purposes or(in the case of data concerning an employee’s racial or ethnic origins) for thepurposes of identifying, monitoring, promoting or maintaining the employer’sequal opportunities policy 2. Obtained only for one or more specified and lawful purposes, and must notbe further processed in any manner incompatible with that purpose or purposes 3. Adequate, relevant and not excessive in relation to the purpose orpurposes for which it is processed 4. Accurate and, where necessary, kept up to date 5. Processed in accordance with the ‘subject access’ rights of employeesunder the DPA 6. Protected (by ‘appropriate technical and organisational measures’)against unauthorised or unlawful processing or disclosure, and againstaccidental loss, damage or destruction. And it must not be: 7. Kept for longer than strictly necessary (but, again, subject to any legalrequirements to the contrary) 8. Transferred to any country or territory outside the European EconomicArea (EEA) (for example in connection with a transfer or secondment overseas)unless that country or territory ensures an adequate level of protection forthe rights and freedoms of data subjects in relation to the processing ofpersonal data. For further information log on to: www.dataprotection.gov.ukAction point checklist– Check recruitment and selectionprocedures to ensure they comply with the DPA– Ensure automated systems are not used as the sole basis forshortlisting candidates for promotion, transfer or further training. Giverejected candidates an opportunity to make representations about theobjectivity, fairness and consistency of such systems – Scrutinise job application forms, health questionnaires, etcto ensure the questions asked are relevant. If necessary, accompany them with adocument explaining the justification for certain questions (“Are youpregnant or have you recently given birth?”, for example, or “Do youhave a disability?”)– Keep application forms, CVs and other documents from rejectedjob applicants under lock and key and destroy them within four months of thedate they were informed their application was unsuccessful. If there is achance of an offer of employment being made at a later date, inform thecandidate accordingly and ask for their written permission to retain thatinformation on file– Most workers now have the right of access to their personalfile. Scrutinise files and, where necessary, launder them to remove irrelevantpersonal data– Inform employees of their rights under the DPA, in particularto access to the information kept about them – Better still, provide each employee with a copy of his or herbasic personal file at least once a year. Invite the employee to identifyinaccuracies and suggested amendments.Questions and answersCan an employer approach aworker’s GP for information on their health?Not without obtaining their written consent. The employer isobliged to inform the worker of their rights under the Access to MedicalReports Act 1988. The worker has the right to see a copy of the report beforeit is relayed to the employer, and can ask the doctor to remove informationthey consider damaging or irrelevant, or forbid the doctor to release thereport to the employer. These rights do not generally extend to reportsprepared by an independent doctor paid for by the employer.Can employers use computers aloneto judge performance, reliability or conduct?An employer is duty bound to notify a worker of any significantdecision affecting them that has been taken solely on the basis of an automatedcomputer system. The employee may respond in writing within 21 days asking theemployer to reconsider the decision or to take a new decision other than onthat basis. The employer must reply within 21 days specifying the steps it willtake to comply with the employee’s request.Can an employee insist informationabout them is removed from their personal file?An employee may ask for information to be deleted if it isinaccurate or likely to cause them substantial unwarranted damage or distress.The employer must remove the information or explain why the request isunjustified within 21 days. The employer need not comply with a request if theworker consented to that information being held, or if it is necessary forcontractual or legal reasons, or to protect the worker’s interests. From 24October 2007, employees may apply to a civil court for an order requesting theremoval or destruction of inaccurate personal data.   Data protectionOn 1 Jul 2003 in Personnel Today Comments are closed. Related posts:No related photos. Previous Article Next Articlelast_img

Leave a Comment

Your email address will not be published. Required fields are marked *