An employer’s guide to the Data Protection Act


The Data Protection Act 1998 (DPA) is one of the most requested Acts of Parliament and also one of the most complicated. With that in mind, we have set out the basics of the DPA as it applies to employers.

The DPA governs the processing of personal data, i.e. data that relates to a living person who can be identified from the individual or collective data held. The legislation applies to job applicants, employees (current and former), casual workers and contractors as well as customers and clients. Processing includes accessing, altering, destroying, disclosing, obtaining, organising, recording, retrieving data etc.

In an employment context personal data could include details held in a filing system or on a computer about an employee’s salary and bank account, an indexed or sub-divided personnel file, application forms, details about a grievance against the employee etc., but not anonymous information. Only information that is organised is covered. A useful test is whether a temp worker could find the information they needed without having to rifle through all of your documents. If they could, then the data is likely to be personal data and therefore covered by the DPA.

If you process a large amount of data or deal with customer data, you should include a data protection policy in your staff handbook to ensure that your staff comply with the provisions of the DPA and understand how their own data will be processed.

Step 1: Registering with the Information Commissioner

Businesses that process personal data will need to register with the Information Commissioner (IC). However, businesses that process employee data purely for administrative or marketing purposes can rely on an exemption, which means that they are excused from the requirement to register. Processing pension information and some CCTV systems are not included in the exemption, so employers that administer pension schemes or have CCTV inside their premises will still have to register with the IC. The IC’s guide to exemptions is here: It is important to check whether the exemption applies to you, as failing to register when you should do so is a criminal offence. If you are unsure, you can contact the notification helpline for guidance or register voluntarily. Businesses that are exempt will still have to process data fairly.

Step 2: Appoint a ‘data controller’

Appoint someone senior in your organisation to be responsible for complying with the DPA requirements.

Step 3: Data Protection Audit

The next step is to review the type of information you are processing and ensure that you are processing it fairly.

Processing information fairly – the key principles

If you are processing data, and nearly all employers will be, then you need to comply with the eight data protection principles and ensure that the information is:

  1. Fairly and lawfully processed.
  2. Processed for limited purposes.
  3. Adequate, relevant and not excessive.
  4. Accurate and up to date.
  5. Not kept for longer than necessary.
  6. Processed in line with employees’ rights.
  7. Secure.
  8. Not transferred to other countries without adequate protection.

Fair processing

In order for processing to be ‘fair’ in accordance with the first principle above, an employer must meet one of the conditions set out in Schedule 2 of the DPA:

  1. The employee has given their consent to the processing of personal data.
  2. The processing is necessary for the performance of a contract to which the employee is a party, or for the taking of steps at the employee’s request with a view to entering into a contract.
  3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  4. The processing is necessary in order to protect the vital interests of the employee.
  5. The processing is necessary for the administration of justice or the exercise of functions of a public nature.
  6. The processing is necessary for the purposes of legitimate interests pursued by the employer or the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the employees or the processing is carried out in circumstances specified in an order made by the Secretary of State.

Sensitive Personal Data

If you are processing sensitive personal data, that is data about an individual’s physical or mental health or condition; political opinions; racial or ethnic origin; religious beliefs or beliefs of a similar nature; sexual life; or trade union membership, then additional conditions apply. Such information might appear in an employee’s interview notes, equal opportunities form, medical records, pension details etc.

Sensitive personal data can only be processed if one of the conditions set out in Schedule 3 of the DPA applies.

  • Job adverts should explain how an applicant’s data will be processed and who it will be passed on to.
  • Application forms and interviewers should only ask questions that are necessary for recruitment, and the application form should be designed so that any information not relevant to the job (such as previous salary) can easily be deleted.
  • Applicants are not required to disclose spent criminal convictions unless one of the exemptions applies.

Transfer of Undertakings (Protection of Employment) Regulations (TUPE)

Under TUPE the seller of a business (or the business that currently provides the service being transferred) is required to provide the buyer of the business with information about their staff. As the DPA allows the processing of data to comply with a legal obligation, this information can be provided without breaching the DPA. Any other pre-transfer or preliminary information should be provided on an anonymised basis.

Employees who think that their data has not been processed fairly can ask the IC to review how their data has been handled. The IC can then serve a notice on an employer requiring information, prosecute for breaches and issue financial penalties of up to £500,000. Employees can also seek compensation for damage and, in some circumstances, distress.