Employers' Guide to HR
Data Protection Act
The Data Protection Act 1998 (the Act) came into force on March 1 2000 and replaced the Data Protection Act 1984. The Data Protection Act aims to provide guidelines to employers on the use and storage of information and data they hold on their employees.
Last Modified on: 2005/03/17 14:22
Last Reviewed on: 2009/08/28 15:50
The Data Protection Act introduced fundamental changes to the legal basis on which 'personal data' is processed and covers processing manual/paper data. Companies can no longer assume that they have the right to process personal data: all processing activities have to be legitimised according to the restrictive conditions specified in the Act, secondary legislation and Codes of Practice. Importantly, the Act also gives individuals (data subjects) increased rights to control how information about them is obtained and used.
Processing personal data includes all forms of use of the data; data entry into personnel and payroll databases, accessing this data in hard copy in employment files or transmitting or sharing this data.
Risks of non-compliance
The risks of non-compliance include a £500 fine in the magistrates' court, an unlimited fine in the High Court, up to £75,000 and imprisonment for defaulting directors.
Data protection principles
When processing personal data you should comply with the eight principles of good practice. Data should be:
fairly and lawfully processed;
processed for limited purposes;
adequate, relevant and not excessive;
accurate;
not kept longer than necessary;
processed in accordance with the data subject's rights;
secure;
not transferred to countries without adequate protection.
Main changes under the 1998 Act
Manual records, i.e. those forming part of a 'filing system' structured by reference to individuals, or criteria relating to individuals, which renders specific information about a particular individual 'readily accessible', will be covered.
To be legitimate, the processing of personal data must be based on one of the following criteria:
The individual agrees to the processing
The processing is necessary:
for the performance of the contract
for compliance with a legal obligation (e.g. PAYE)
to protect the vital interests of the individual (i.e. life/death situation)
for the exercise of any public function exercised in the public interest
for the data controller's or a third party's legitimate interests, except if it would cause unwarranted prejudice to the basic rights of the individual.
In addition, explicit and unambiguous consent will need to be obtained before processing 'sensitive' data (i.e. information about an individual's racial/ethnic origin, political opinions, trade union membership, religious beliefs, convictions or alleged offences, sex life and/or health).
Individuals have increased rights:
To be informed that data about them is being processed, the source of the data, the purpose of the processing and to whom the data may be disclosed
To prevent certain processing, i.e. that likely to cause 'substantial' and 'unwarranted' damage or distress, and processing for direct marketing purposes (e.g. sensitive data such as an individual's state of health)
To be advised if a decision which 'significantly affects' them is taken by solely automated means (e.g. recruitment and selection assessments)
To sue for compensation if damage is suffered from any breach of the Act
To apply for a court order for correction, erasure or blocking of inaccurate data.
Extended powers to the Data Protection Registrar (now renamed Commissioner), including power to introduce codes of practice and help individuals enforce their rights.
Enhanced data protection principles, including a prohibition on transfer of personal data to countries outside the EU, unless the country to which the data is sent ensures an adequate level of protection for personal data or:
The individual consents to the transfer
The transfer is necessary for the performance of the contract
The transfer is made on terms of a kind approved by the Commissioner.
The Information Commissioner maintains a list of approved countries at www.dataprotection.gov.uk.
Consent is defined by the EU Directive as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data about him being processed'. Therefore consent must be active, i.e. it cannot be implied by failure to return or respond to a note.
It is important to note that the definition of personal data has been significantly broadened and now includes 'any expression of opinion about an individual and any indication of the intentions of the data controller or any other person in respect of the individual'. For example, managers must ensure that all comments on an employee's performance review are seen by the individual concerned.
Exemptions
Exemptions provided under the Act are piecemeal and partial. Those most relevant are exemptions for the following purposes:
Confidential references (e.g. employment references). You should remember, however, that in relation to confidential references the receiver may seek consent to disclose the reference to the prospective employee before or after he/she has been engaged. The Company may, or may not, agree to such disclosure. In addition, there are certain legal procedures under which disclosure may be ordered.
Management forecasts. Potentially this could cover data concerning proposed redundancies or long-term career prospects.
Negotiations, research and pre-publication
When the data is protected by legal professional privilege
Employees' rights to access their data
Employees have the right of access to their personal employment record, normally within 40 days of written notice being received by the Company. You may charge them a maximum of £10 for access. You should arrange for the employee to have access to records at a suitable location and in the presence of another person (to ensure that no material is inappropriately removed or destroyed).
Employees may, within reason, request one copy of any or all of the contents of a record. They may also challenge the accuracy of a record and, if it is inaccurate, ask that it is corrected or removed. In addition, they may contest the legitimacy of making or keeping particular data.
Employees' rights to access emails or CCTV camera footage
Emails or CCTV camera footage that refer to the employee, or in which the employee is recorded, can be classified as part of their personal data and therefore they have a right to request access to and copies of this. Copies of any live emails or footage that can be easily accessed should be given to the employee upon request; however, this may not be easy to do if the data is archived, stored or goes back many years. Consent will need to be gained if such data contains reference to any third party, or the data should be screened and cleared of any information identifying a third party. The code of practice on CCTV cameras can be used as a principle for dealing with requests for information such as this.
Action points
Find out where your data is stored. For example:
Individual's personnel file
Personnel database
Payroll
Third parties, e.g. benefits providers
Managers' files
Emails
Overseas headquarters
Look at the data you are collecting and ask the questions: why is it necessary? Is it up to date? Does it serve a purpose? If information is not relevant, out of date or serves no purpose it should be destroyed.
Recruitment: for new employees, get their written consent to the processing of their data on the application form and in the contract of employment. Inform the employee what data will be processed, why it is needed, how it will be processed, and who will have access to it (including third parties).
Can your processes be streamlined so that your data is centralised and duplication is eliminated?
Establish a method to regularly audit all the data you hold and destroy anything that is out of date or inaccurate (expired disciplinary warnings do not necessarily have to be destroyed but should clearly be marked as void and should not be used in further disciplinary action).
Provide staff with a copy of their personal records and ask that they check and update their details.
Establish a procedure by which employees can request to see their data.
Ensure there are adequate security measures in place to protect personal data, e.g. secure storage, off-site backup of data.
Establish a procedure for issuing references on behalf of the company, e.g. who can write them? If line managers are authorised to give references, ensure they are aware of their liabilities and the information that they can give: factual information or information that can be demonstrated as being reasonable by reference to actions, events or circumstances. Consider establishing a pro-forma of information that you will issue in a reference. When issuing a reference always include a disclaimer: 'This is a reference given in strictest confidence and without legal responsibility'.
The information contained in this article is for general guidance only and represents our understanding of employment and associated law and employee relations issues at the date of modification. VizualHR cannot be held responsible for any action or inaction taken in reliance upon the contents. Specific advice should be sought on any individual matter.