Data protection racket?

On 1 Apr 2001 in Personnel Today

The draft Code of Practice for the Data Protection Act has been met with much criticism and controversy. Kirsty Bamford and Paul Killen look at the original Act, consider the draft proposals and explain how the Code will work in practice.

Last October, the Data Protection Commissioner published a draft Code of Practice entitled The Use of Personal Data in Employer/Employee Relationships (the Code). The draft Code sets out standards with which employers should comply when processing personal information, to avoid falling foul of the Data Protection Act 1998 (the Act). Although the Code aims to give practical guidance to employers implementing the Act, the commissioner, Elizabeth France, has gone beyond the scope of the Act and set out recommendations for what is considered to be "best practice".

Publication of the final version of the Code was originally planned for this spring but, following a great deal of criticism, has been postponed until later in the year. Much of the criticism has centred on the fact that the section of the draft Code dealing with employee monitoring is not harmonised with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which were issued under the Regulation of Investigatory Powers Act 2000. The Code is far more draconian in its approach than the Act and is considered by many to go too far in placing onerous obligations on employers. In the circumstances, employers could be forgiven for being confused as to precisely where their duties lie under the 1998 Act.

The Data Protection Act 1998

Before tackling the Code, it is essential that employers have a good understanding of what the Data Protection Act requires of their business. The Act, which came into force on 1 March 2000, sets out rules on how personal information belonging or relating to an individual is obtained, processed or handled.
Whereas the previous Data Protection Act 1984 (now repealed) applied only to records held on computer, the new Act extends to certain paper records. A number of significant terms are defined in the Act, and the critical ones may be summarised as follows.

– The Act applies to "personal data", that is, data that identifies an individual (the "data subject"). Personal data includes all data recording facts and opinions about an individual, and covers information held regarding the intentions of the data controller towards that individual.

– "Sensitive data" is given special protection and is defined as personal data relating to racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sex life, or the commission or alleged commission of any offence.

– Employers will be "data controllers" and will therefore need to comply with "the data protection principles" (see below) and the other requirements of the Act (for example, the notification requirements). An employer "processes" information if it obtains, records or holds the information, or carries out any operation or set of operations on personal data.

– The Act applies to data held in a "relevant filing system", defined as a set of information in which records are structured so that "specific information relating to a particular individual is readily accessible". This means that a substantial amount of manual data (for example, that held on a personnel file) will fall within the scope of the Act. Personnel records held without an indexing system, or in a disorganised fashion, may not be caught by the Act, although the draft Code suggests that even information which is not held centrally but is kept, for example, by a line manager will fall within its ambit.

Individual rights

Employees have the right of access to information held about them, whether on computer or on paper.
Employers may charge a fee (£10) for providing data to an employee. Exemptions apply where a business needs to protect the confidentiality of data processed for management forecasting or planning purposes, or where the employer has given a confidential reference (in relation to education, training or employment). The latter exemption applies only where the employer has given the reference, not where a reference has been received from a third party (although in that case the employer may not have to disclose the identity of the third party to the employee).

Processing data legitimately

In order to comply with the requirement that personal data is processed "fairly and lawfully", employers must ensure that certain conditions are met. A data subject should be aware of the identity of the data controller, the reason why the information has to be processed and to what extent. There are also a number of conditions that must be satisfied before personal data can be processed legitimately; at least one of the following must apply.

– The individual has given his or her consent to the processing
– The processing is necessary for the performance of a contract with the individual
– The processing is required under a legal obligation
– The processing is necessary to protect the vital interests of the individual
– The processing is necessary to carry out public functions, or
– The processing is necessary in order to pursue the legitimate interests of the data controller or third parties.

In the case of sensitive data, however, processing is subject to additional, stricter conditions, which require, among other things, the following.

– The employer has the "explicit" consent of the individual, or
– The processing is required under a legal obligation, or
– Any processing of sensitive data regarding racial or ethnic origin, and so on, may only be done with a view to promoting or maintaining equality.
This means that, unless one of the other permitted reasons applies, employers must obtain the employee's consent to processing, and that consent must be explicit where sensitive data is concerned. This begs the question: what is "consent"?

Employee consent?

Unfortunately, "consent" is not defined in the Act. The guidance to the Act refers to "any freely given specific and informed indication of [his] wishes by which the data subject signifies his agreement to personal data relating to him being processed". The guidance also states that "signify" implies some form of active communication between the parties. Therefore, employers will not be able to infer consent from a lack of response to a communication, and a provision in a handbook or a clause in an unsigned contract of employment is unlikely to constitute valid consent. It also seems clear that consent obtained under duress, or in response to misleading information, would not be a valid basis for processing.

It is recommended that employers include a standard clause in contracts of employment recording the employee's consent to the processing of personal data. For example:

"You consent to the company holding and processing, both electronically and manually, the data it collects in relation to you and your employment (in the course of your employment), for the purposes of [for example, the company's management and administration of its employees and its business] and/or for compliance with applicable procedures, laws and regulations, and to the transfer, storage and processing by the company or its agent of such data outside the European Economic Area, in particular to [name countries where group companies are based] and any other country in which the company has offices."

However, it is important to note that explicit consent is unlikely to be obtained via a generic clause in a contract, so specific consent should be sought for the processing of sensitive data.
In the case of sensitive data, an employer should notify the employee of the type of data that is to be processed, the purpose of the processing and any special aspects of it which may affect the employee.

Draft Code of Practice

The Code sets out two standards of conduct: the requirements that the commissioner believes are necessary for compliance with the Act, and recommendations (or good practice), which go beyond the strict remit of the Act. The Code (which is still in draft form) covers various aspects of the employment relationship, including recruitment, the keeping of employment records, the monitoring of employee communications and the retention of former employees' records.

Businesses must nominate someone to oversee data compliance, train the staff involved in data processing and ensure that procedures are in place for regular data clean-up operations. Recruitment and interview procedures and application forms should be reviewed to ensure that only relevant data is requested and retained.

The Code recommends specific time limits for the retention of recruitment records and applications, references, tax records, sickness records, appraisals, training records, disciplinary records and so on. All new staff should be advised of what records will be held concerning them, for what purpose and, if the information will be disclosed, to whom.

In the case of sickness records, which fall within the definition of sensitive data, employers are advised to hold such records only with explicit consent, ensuring that employees are aware of the extent of the information held. Equal opportunity monitoring is likewise considered sensitive and should only be undertaken as part of an ongoing programme of equality. Security is paramount, and businesses should set up a system of access controls to protect personal data.

In relation to the disclosure of information, a system must be put in place that enables employers to locate information easily, so that they can respond within the stipulated 40 days of receiving a subject access request.
A further requirement is that employers verify the identity of a data subject before disclosure, to prevent information being passed on in error, and exercise caution before responding to any external request for information. It is also particularly recommended that a disclosure policy be put in place to assist staff members who are likely to receive such requests.

Monitoring communications

Employers should establish the specific business purposes for which monitoring will be introduced and undertake an evaluation exercise to assess the impact of monitoring on the privacy, autonomy and legitimate rights of employees. Employees should in turn be advised of what monitoring will take place, and any information gathered should be used for a purpose other than the one specified only where criminal activity or gross misconduct is discovered.

The Code specifically provides that covert monitoring is unlikely ever to be justified. In the case of e-mail monitoring, it states that spot-check monitoring is preferable to continuous monitoring and should be limited to traffic data rather than the contents of communications. Employers should have clear business reasons for monitoring, which should be strictly limited and targeted. Personal e-mails should never be opened. Internet monitoring should be proportionate to the risk to the business and should be designed to protect, rather than to prevent abuse.

Kirsty Bamford and Paul Killen are solicitors in the employment and pensions department at Paisner & Co.

The eight principles of data protection

While processing personal data, employers must comply with the eight principles of good practice. These require that data must be:

– Fairly and lawfully processed
– Processed for limited purposes and not in any manner incompatible with those purposes
– Adequate, relevant and not excessive
– Accurate and, where necessary, kept up to date
– Not kept for longer than is necessary
– Processed in line with the data subject's rights
– Secure
– Not transferred to countries without adequate protection.