Data protection

Topic Index
Overview
Data protection principles
Rights of individuals
Remedies
Notification
Powers of the Information Commissioner
Employment Practices Data Protection Code
Resources

Overview


  • Personal data held on computers or in manual records is regulated by the Data Protection Act 1998 (DPA).
  • The DPA controls how personal data is stored and used and it provides powers to ensure that the people in control of personal data comply with the law.
  • In the context of employment, the DPA applies to any data that employers collect and retain about individuals who wish to work, have worked or currently work for them.
  • All organisations must comply with the 8 data protection principles.
  • A distinction is made between personal data and sensitive personal data.
  • Personal data relates to an individual – the 'data subject' – who can be identified from that data.
  • Sensitive personal data is personal data containing information on: race or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, or the commission or alleged commission of a criminal offence.
  • The Information Commissioner can issue substantial fines (civil monetary penalties) against data controllers for deliberate or reckless breaches of data protection law.


Data protection principles


  • Personal data must be:
  1. processed fairly and lawfully, meaning that at least one of the conditions in Schedule 2 of the DPA must be met, e.g. the individual has consented to the processing or the processing is necessary to comply with a legal obligation. (For sensitive personal data, a further condition from Schedule 3 must also be met, the most common being the individual's explicit consent.)
  2. obtained only for specified and lawful purposes
  3. adequate, relevant and no more than is necessary
  4. accurate and up to date
  5. not kept for any longer than is necessary
  6. processed in keeping with the rights of the individual
  7. protected against unauthorised or unlawful processing, loss, destruction or damage
  8. transferred outside the European Economic Area (EEA) only where the transfer country or territory ensures an adequate level of protection
  • There are certain exemptions from provisions in the DPA in cases of national security, crime and tax, regulatory activity, and legal proceedings.


Rights of individuals


  • Data subjects (i.e. individuals) have certain rights under the Act:
    • to know the purpose for which their personal data is being processed
    • to have access to their personal data by means of a written request and payment of a fee (not more than £10)
    • to stop an organisation processing personal data where it is likely to cause substantial damage or distress to the individual or another party
    • to stop an organisation processing personal data for the purposes of direct marketing
    • to be notified if automated decisions are taken in relation to an individual, e.g. selection for redundancy, and to be given the opportunity to make appropriate representations


Remedies


  • If provisions of the DPA are breached, the individual has certain remedies. They can:
    • apply for a court order requiring an organisation to comply with the legislation
    • apply to the court for compensation if they have suffered damage (and, in some cases, distress) as a result of the breach
    • apply to the court for the rectification, blocking, erasing or destruction of inaccurate or damaging personal data
    • make a request to the Information Commissioner to assess whether the data processing is being carried out in accordance with legislation (this may result in enforcement action being taken by the Commissioner.)


Notification


  • Before an employer can begin to collect and use personal data about its job applicants and employees, it may need to provide details to the Information Commissioner.
  • Details of the notification are kept on a public register which can be inspected by any person, at any time.
  • There are some significant exemptions to the notification requirement which will almost certainly exclude the smaller employer who has relatively simple data processing arrangements.
  • An employer may be exempt from the obligation to notify where personal data is only processed for 'staff administration purposes'. This includes all personnel and work-management matters such as appointments, removals, pay and discipline.


Powers of the Information Commissioner


  • The Information Commissioner's Office (ICO) has certain powers. It can:
    • serve an Enforcement Notice on data controllers (employers) who are in breach of the Act
    • serve Information Notices requesting information from data controllers to see whether they are complying with the Act
    • apply for a warrant to enter and search premises, seize documents or inspect equipment if there is reason to believe that the Act is being breached
  • The ICO can also impose substantial fines (up to £500,000) against data controllers for deliberate or reckless breaches of data protection law. Fines (civil monetary penalties) can be imposed where the:
    • data controller has committed a serious breach of one of the 8 data protection principles
    • breach was either deliberate, or the data controller knew, or ought to have known, that the breach would be likely to cause significant damage or distress
    • data controller failed to take reasonable steps to prevent the breach
  • Before imposing a civil monetary penalty (CMP), due process has to be followed. Among other things, the ICO must serve a notice of intent on the data controller, which tells it of its right to make written representations to the ICO by a specified deadline. The ICO cannot issue the penalty notice until that deadline has passed. Once the penalty notice has been served, the data controller has the right to appeal to the Information Tribunal against the issue of the notice itself or the level of the fine.
  • The ICO's stated overall objective when using its regulatory powers is to 'take a practical down to earth approach – simplifying and making it easier for the majority of organisations who seek to handle personal information well and tougher for the minority who do not'.
  • The ICO's Regulatory Action Policy provides examples of types of conduct which are likely to result in the ICO using its formal powers, e.g. repeated failures to keep personal data secure, seriously intrusive marketing and failures to comply with reasonable subject access requests under the Data Protection Act. 
  • Examples of breaches which are not likely to result in formal regulatory action include accidental failures to comply with the data protection principles (where action is taken once the mistake has been realised) and single minor breaches of the Data Protection Act by small businesses that are not aware of their legal obligations.


Employment Practices Data Protection Code


  • Guidance on the application of the DPA to the employment relationship is available from the Employment Practices Data Protection Code which is made up of 4 parts: recruitment and selection; records management; monitoring at work; and information about workers’ health.
  • The code is not legally binding but clarifies the standards against which employers will be assessed if they are to comply with the Act.
  • The code covers all aspects of the employment relationship including: recruitment; management of data protection; employment records; access to and disclosure of information; contract and agency staff; employee monitoring; medical testing; discipline and dismissal; and retention of records (including those for former employees).
  • For ease of reference the code is arranged into a main document and supplementary guidance for those who need more information. There is also a 'quick guide' which is intended as an essential starting point.


Resources


The Policies and Documents section contains a range of letters and memos, contract clauses, and policies and procedures related to data protection issues (subscribers only).


Business Link

CIPD

Information Commissioner
