Data Protection
The Data Protection Act 1998 sets out a number of legal principles which apply to those people or organisations (including employers) that hold personal data. Few businesses do not hold personal data, and the holding of data about staff, job applicants, and former staff will oblige the employer to notify and pay renewal fees to the Information Commissioner to allow it to be a data controller. In basic terms the legislation obliges those that hold any personal data (which means any information about a living person that allows the individual to be identified from that information) to deal with that information in accordance with various “data protection principles” set out in it.
Extra protection is given to data which is classed as “sensitive personal data”. This includes, amongst others, information or data on:
i. A person’s racial or ethnic origin,
ii. Political opinions,
iii. Religious or similar beliefs,
iv. Sexual life,
v. Trade union membership,
and most significantly
vi. Physical or mental health.
The legislation requires the “data controller” (which is the person responsible for holding and dealing with it) to ensure that any data is processed fairly and lawfully, that it is accurate and up to date, that it is relevant and not excessive, that it is used and obtained for a lawful purpose, and that it is “processed” in accordance with the rights of the person whom it concerns (known as the “data subject”). In addition, proper safeguards are required to maintain the security of the data.
The term “processing” is interpreted very widely, and includes obtaining, copying, storing, sending, and destroying the information. “Data subjects” (i.e. individuals, including employees) have a right of access to most “data” about them held by the “data controller”. On receiving an appropriate request for such data, the data controller (including an employer) is obliged to provide the information to the data subject (including an employee) within 40 days of the request. A small administrative fee can be charged, up to a set maximum.
A common myth is that employees are not entitled to see an employment reference about them. In fact they ARE entitled to receive a copy of a reference from a former employer.
Employers should include provisions within the contract of employment to expressly authorise the processing of personal data. (PAYG employment contract) Furthermore they should have an appropriate policy to inform their staff of their data rights, and to ensure all requests for data are handled in a lawful manner. (PAYG policy) The failure of an employer to deal with a request for data lawfully would entitle the aggrieved individual to obtain the assistance of either the Information Commissioner, or the court, to enforce proper compliance with the request.
From the 6th April 2010 the Information Commissioner has the power to impose fines of up to £500,000. This could happen where there has been a serious breach of the Data Protection Act which has caused or is likely to cause significant damage or distress. To attract a fine, the breach of the Data Protection Act must be deliberate, or the data controller must either have known or ought to have known that there was a risk that a contravention of the legislation was about to occur, and that it was likely to cause substantial damage or distress. Crucially, there must also have been a failure to have taken reasonable steps to prevent the breach from occurring in the first place. The Information Commissioner will take into account the steps (if any) that the data controller took to prevent the breach occurring when deciding the level of fine to impose, as well as the nature of the information in question, and whether it was a unique breach by the data controller or not. In addition, the size and resources of the business will also be taken into account.
The clear message is that employers must introduce, implement, and monitor appropriate data protection policies, and ensure that the relevant staff are trained and understand their obligations to deal with information properly.