CHAPTER 1 Introduction
Data protection law was first introduced in Britain with the Data Protection Act 1984. It was enacted as a result of a Council of Europe Convention [European Treaty Series no. 108 for the Protection of Individuals with regard to Automated Processing and Personal Data] and enabled the United Kingdom to sign up to a European treaty on trans-border data flows. The reason for the introduction of data protection was therefore participation in the beginnings of e-commerce rather than any desire to introduce a right of privacy. The Data Protection Act 1998 repealed and replaced the 1984 Act, and the reason for the new Act was, once again, driven by the European Community. The Data Protection Directive [95/46/EC] had to be implemented into national law by October 1998. This time the Act, reflecting the articles of the Directive, goes much further towards creating a privacy law in the United Kingdom.
The challenge for HR managers in the United Kingdom
Human Resources managers face possibly the most significant challenge of any manager in relation to compliance with the 1998 Act because:
- Many personnel records are held on paper. Paper or manual files were not previously subject to data protection law; the 1984 Act only applied to information held and processed by electronic means. ‘Processing’ is defined widely to include obtaining, organizing, holding and deleting or destroying information. (For a more detailed consideration of defined terms, see Chapter 12).
- Employee personal data are often held or duplicated outside the HR department: for example, appraisal material and sickness records are often held by line managers. Speculative CVs may be received by line management and retained or passed between managers without adequate control.
- The sensitivity of data held by the HR department makes it a likely target for data subjects’ questions (a ‘data subject’ is the individual to whom personal data relates). The 1998 Act classifies certain information as ‘sensitive’; personal data relating to health, race, religion and trade union membership is subject to more stringent regulation. In addition, HR departments handle data such as information about salaries, promotions and employee performance, all of which an employee would perceive as sensitive and which must be dealt with in confidence.
- The employer owes a duty of confidentiality to its employees. Therefore a high level of security and personnel staff reliability must be ensured.
Spotlight on the potential abuses of personal data in the employment arena
The Data Protection Commissioner1 instigated a report [The Use of Personal Data in Employer/Employee Relationships, commissioned by the Office of the Data Protection Commissioner, formerly Registrar, by Robin E.J. Chater] on the use of personal data in the employment arena in recognition of the risk that the employee/employer relationship was open to abuse by the employer. The following issues, among others, were highlighted as raising serious data protection issues:
- Employee surveillance and fraud prevention measures;
- Use of automated data processing, e.g. CV scanning, aptitude and psychometric testing;
- Collection of new and potentially sensitive information such as genetic tests or the results of alcohol or drug testing.
Arising from the report, the Information Commissioner’s Office has issued an Employment Practices Data Protection Code (referred to as ‘the Employment Code’). The Employment Code sets standards for the obtaining and processing of personal data within the employment arena. It applies to every employer. The employer is held responsible for all use of personal data relating to its employees, whether formally (within the HR department) or informally, for instance in papers held by managers. In addition, the processing of employee personal data must be undertaken in accordance with the Data Protection Principles (referred to as ‘the Principles’). The Principles set out the requirements relating to confidentiality, security and the fair processing of personal data – the elements of data protection law. The Principles are considered in detail in Part II of this book. In dealing with the issues identified in Robin Chater’s report – such as recruitment practices, monitoring employee communications, record-keeping and medical testing – the Employment Code effectively provides a level of detailed guidance on how the Office sees the Principles applying in relation to HR activities. As such it is invaluable guidance on how the regulator interprets and applies the Principles in relation to HR administration.
The Data Protection Act 1998 raises serious issues for HR management. Outsourcing is particularly common in relation to the administration of employee benefits, perhaps because the employer seeks to concentrate on its key business activities and chooses to allow other, ‘more expert’, organizations to handle non-key functions such as payroll, pensions administration and fleet management. The outsourcing of functions involving the processing of personal data is the subject of a new statutory duty requiring checks to be made on the adequacy of security in place to protect personal data at the third-party service supplier’s offices and systems. It is also a requirement to have a written contract with third-party service suppliers who process personal data on behalf of the data controller, with specific clauses covering data protection issues.
1. The Data Protection authority in the UK has undergone several changes of name. Initially the Data Protection Registrar, the title changed to Data Protection Commissioner with the introduction of the Data Protection Act 1998. It changed again to Information Commissioner when responsibility for overseeing the implementation of the Freedom of Information Act 2000 was given to the Office.
Another key issue for HR relates to the requirement to provide data subjects with specific information about the data controller before they supply any personal data, known as ‘subject information’. (The ‘data controller’ is the organization initiating the processing of personal data, and in the HR context this is normally the employer). This means first identifying and documenting the purposes for which personal data will be used in the employer/employee relationship. In some cases, identifying the extent of the use of personal data in the HR arena will be an issue in itself: examples include the chairman’s use of home addresses to send Christmas cards to key managers and staff, or the distribution of promotional material advising staff of offers on company goods and services or those of other companies. If the employee was not informed that their personal data would be used for these purposes, there is every chance that the employer would be breaking the law if it allowed personal data to be so used.
All these issues and more are considered in the following chapters. Part I looks at HR activities and highlights the data protection implications of each. It is organized into chapters which correspond to HR functions such as recruitment, monitoring, employee administration and employee benefits. The chapters are split into sections: for example, the chapter on employee benefits includes sections on pension schemes, crèches, social clubs and work in the community as well as a general one providing an overview of employee benefits and the data protection implications they raise. Part I raises suggested action points in each section which can be used to check your company’s compliance with the requirements of the Data Protection Act and also for future verification. Draft wordings for data protection notices and statements are included, and the elements of suggested policies and procedures outlined.
Part II considers each of the Data Protection Principles in turn, starting with the legal requirements and working through to their potential impact on HR activities. It provides a technical view of the Act and its requirements. A thorough introduction to the Act for those unfamiliar with its provisions, it is also a useful reference for HR professionals already familiar with the Act wishing to explore key areas in depth to find solutions to particular problems or identify alternative solutions to those suggested in Part I. If, for example, compliance with a data subject access request raises particular problems for the organization, refer to Chapter 19, ‘The Sixth Principle’, which considers subject rights and exemptions from the need to comply. Some of the material is duplicated across Parts I and II, but each part adds value in its own way as they start from different standpoints. Part I starts from the HR standpoint and considers the impact of the law on HR activities, while Part II starts from the legal standpoint and considers the law using examples taken from the HR environment.
PART I Actions for employers
CHAPTER 2 Managing data protection
The Employment Practices Data Protection Code (‘the Employment Code’) emphasizes the importance of identifying within the organization an individual who is responsible for data protection compliance in relation to Human Resources. At the highest level, this individual is responsible for ensuring that other managers – within and external to HR – are aware of the employee personal data they hold. Furthermore, they should promote policies and procedures to encourage best practice when handling employee personal data. This may be achieved by providing training for all staff whose jobs involve the handling of such data as well as by implementing policies and procedures to meet the requirements of the Employment Code.
Recommended policies and procedures
To ensure that due consideration has been given to most, if not all, aspects of data protection law and the Employment Code, check your existing policies against the list of recommended policies below. (The list also includes other actions it would be prudent to take). If you decide a particular policy or procedure is inappropriate for your business, document the fact that it has been considered and the reasons for its rejection or amendment. Outlines for many of these policies and procedures are included in later sections: for example, suggested documentation retention periods are set out in Chapter 10, ‘Employee administration’.
1) Policies on the disclosure of personal data (covering internal and external disclosures) including:
- Legal obligations on the organization to disclose, for example to meet Inland Revenue requirements or to provide information to company auditors.
- Cases in which the employee will be informed of the request for disclosure.
- Checks to carry out on credentials of those seeking disclosure.
- The position regarding the disclosure of sensitive data.
- The position regarding disclosure which would involve transfer of personal data outside the European Economic Area.
- The review of non-regular disclosures.
2) Policy on how spent disciplinary notices are handled (part of disciplinary procedure).
3) Document retention policy, including deletion and destruction guidelines.
4) Personal data security policy including:
- Guidelines for using fax and e-mail to transmit confidential information.
- The use of laptops and homeworking generally.
- The security of paper files.
- Audit trails.
- The use of shared facilities.
5) Subject rights procedures.
6) Interview policy and guidelines.
7) Policy on the provision of confidential references.
The Employment Code recommends that serious breaches of data protection policies should be a disciplinary offence to impart the importance of compliance to staff.1
Staff training
Staff training needs to cover the following as a minimum:
- What constitutes unauthorized processing and how to avoid it.
- How deceit may be used to obtain information illegally from the organization.
- General guidelines for line managers recognizing that they process employee personal data on behalf of the organization, and their responsibilities.
- General guidelines on how to identify and action the exercise of subject rights.
- General guidelines for those who ‘wear different hats’ working for two or more companies or trustees (i.e. ‘Chinese walls’).2 (‘Chinese walls’ are protocols within the organization which operate so that ‘known’ facts in one department are kept confidential from other departments. They may also apply within a department so that information used for one purpose by a member of the HR team is kept confidential and not applied for another purpose even though the same team member might be involved).
Audit
The full extent of personal data processing activities within the Human Resources function can best be identified by undertaking an audit of the HR department. An audit is key to identifying what subject information should be provided to staff and prospective job candidates and to checking that all processing of personal data currently under way meets the requirements of fair processing. In subsequent chapters it is a foundation of suggested compliance actions that a good knowledge of the processing activity undertaken in the department has been established. The Employment Code also recommends that an assessment is made of existing employee personal data, identifying who is responsible for the data.3 The Employment Code clearly indicates that some audit activity is required to ensure procedures are being followed.4 The Information Commissioner recommends audit as a tool to identify the effectiveness of current policies and procedures. Suggested audit guidelines have been set out in Guide to Data Protection Auditing published by the Information Commissioner in December 2001. One of the recommendations is that an independent auditor should be utilized if possible. A person independent of the department – and preferably independent of the company – is best suited to the task of a departmental audit. The use of audit trail facilities on computer systems is also recommended in the Employment Code.5 The Information Commissioner recommends that new HR systems should include audit facilities in their specification.
1. Record Management – Management of data protection, benchmark 6.
2. Employment Practices Data Protection Code, Record-keeping – Pensions and insurance, benchmarks 1 and 3.
3. Record Management – Management of data protection, benchmark 3.
4. Record Management – Management of data protection, benchmark 1.
ACTING ON AUDIT FINDINGS
- Improve policies and procedures where these are proving to be impractical, inappropriate, or simply missing.
- Focus training on those areas which cause most problems for staff whose jobs involve the handling of personal data.
- Eliminate irrelevant personal data processing by purging old and unwanted files, de-duplicating files and tailoring application and other forms so that only relevant data is sought from data subjects.6
- Check that notifications are up to date and that they accurately reflect current data processing activity.7
SUGGESTED ACTIONS
Designate one person responsible for data protection compliance in relation to personnel management and records. The following are the suggested actions to be carried out by this designated individual:
- Audit data protection compliance in relation to HR issues on a regular basis.
- Act on audit findings.
- Ensure that recruitment policies and procedures comply with the Principles (see Chapter 4).
- Ensure that all staff who handle personal data relating to other staff are properly briefed on data protection compliance issues (see Chapter 6 on staff training).
- Ensure that all third-party HR service providers (service providers involved in processing personal data are called ‘data processors’ in the Act) are under contract in relation to those services: for example, external payroll service provider, pensions administrator, trainers and consultants. (See Chapter 7).
- Check that a sensible document retention policy is in place and being followed. (See page 61 for an outline policy with specified retention periods).
- Supervise new staff whose jobs involve the handling of personal data or restrict their access to such data until they have undergone training on data protection issues. (See Chapter 6).
- Audit employee benefits administration for compliance with the Data Protection Principles and the Employment Code. (See Chapter 8).
- Ensure that any monitoring of employees is undertaken in accordance with the Principles and the Employment Code. (See Chapter 5).
5. Record Management – Security, benchmark 3.
6. Employment Code, Record management, Management of data protection, benchmark 4.
7. Employment Code, Management of data protection, benchmark 6.
CHAPTER 3 Rights and lawful processing
Data subject rights The Act gives data subjects certain rights in relation to the processing of their personal data. An employee may exercise those rights in relation to their employer. The Employment Code recommends that employers tell their employees about their rights under the Act, including the right of access to the information kept about them.1 (For a more detailed consideration of defined terms such as ‘data subject’ and ‘personal data’ see Chapter 12).
SUBJECT ACCESS
Data subjects have the right to a copy of any information held about them by the organization. The requirements are:
- The request must be made in writing.
- It must be supported by any payment required by the organization (maximum ten pounds).
The company has forty days in which to respond to such a request with a complete copy of any information held. Explanation of codes etc. must be provided and the information must be in legible form. CCTV images are included in the definition of personal data, so it is reasonable to assume that you may be asked for copies of relevant portions of tapes by employees exercising this right. A data subject who makes a request is also entitled to:
- Confirmation that the company holds personal data relating to them.
- Be advised if the data is subject to any automated decision-making process.
- Be advised of the logic in any processing, unless this would constitute a ‘trade secret’.
- Be advised of the purposes for which their data is processed.
- Be advised of the sources of the data.
THE RIGHT TO PREVENT PROCESSING FOR THE PURPOSES OF DIRECT MARKETING
A data subject may make a written request at any time to require the company to cease, or not to begin, processing their personal data for the purposes of direct marketing. ‘Direct marketing’ means the communication (by whatever means) of any advertising or marketing material directed at particular individuals. Therefore mailshots, e-mails and telephone calls are all included. The Data Protection Act 1998 requires that such requests be made in writing and gives the company a ‘reasonable’ period in which to amend records and mailing databases to comply with the request.
1. Record Management, benchmark 2.
THE RIGHT TO PREVENT PROCESSING LIKELY TO CAUSE DAMAGE OR DISTRESS
The Act requires that data subjects exercising this right make their request in writing, setting out the reasons why processing is either causing or likely to cause substantial damage or distress to themselves or another and why such damage or distress is or would be unwarranted. The data controller then has a period of twenty-one days in which to respond either that they have complied or that they intend to comply with the data subject’s request or giving their reasons for not complying wholly or in part with the request on the grounds that the request is unjustified and stating those grounds. Valid grounds for not complying include cases:
- Where the data subject has given consent to the processing.
- Where processing is necessary for the performance of a contract to which the data subject is a party or for taking steps preliminary to entering into such a contract.
- Where processing is necessary for compliance with any legal obligation to which the data controller is subject, other than a contractual obligation.
- Where processing is necessary in order to protect the vital interests of the data subject.
THE RIGHT TO OBJECT TO AUTOMATED DECISION-TAKING
A data subject has the right to object to decisions taken by automated means in circumstances where the decision:
- Is taken by or on behalf of the data controller, and
- Significantly affects that individual, and
- Is based solely on the processing by automatic means of the individual’s personal data, and
- Is taken for the purpose of evaluating matters relating to him.
The Act requires that such objections be made in writing. Data controllers are then under a duty to review the decision manually: that is, by human intervention. The final decision may be to reverse the automated decision or reaffirm it; the key to compliance with the exercise of this right is the fact of human intervention. Automated decision-making would include such activities as scoring psychometric or other qualification tests set by the employer.
THE RIGHT TO COMPENSATION Any individual who suffers damage or distress by reason of contravention of any of the requirements of the Act is entitled to compensation from the data controller through the courts.
RIGHTS IN RELATION TO INACCURATE DATA A data subject may apply to the court for the rectification, blocking, erasure or destruction of personal data relating to them on the basis that the data is inaccurate. This applies even when the data controller obtained the inaccurate data from a third party or the data subject. The court may also choose to require the data controller (and any other data controllers holding the same data) to replace the inaccurate data with data recording the true facts as approved by the court.
ELEMENTS OF A DATA SUBJECT RIGHTS PROCEDURE FOR EMPLOYEES Employees will regularly require different pieces of information from the HR department: for example a double-check on the amount of holiday entitlement left, confirmation of details from contracts of employment, etc. In addition, employees are usually party to much of the information that is held on the HR file. For instance, appraisal information is usually shared with the employee, and the content of any disciplinary notices will be shared. Therefore a request from an employee for access to information held on their personnel file may not need to be treated as a subject access request. The employer is allowed to negotiate with the employee about the information required and the form it should take. For example, the employee might be given their personnel file to browse through in a confidential environment and allowed to take copies of anything they choose. This might be preferable to providing a photocopy of the entire file for all concerned. However, the employee has the right to insist that the subject access procedure is followed and that a complete copy of the information comprising the personal data is supplied unless this would involve disproportionate effort.
PROCEDURE The strict legal requirement is that any notice exercising the right to subject access should be issued in writing. If an employee purports to exercise a subject right by telephone or face to face, the organization is entitled to request that the approach be made in writing. In practice, an employer may take a more relaxed view or provide a form designed to elicit information verifying the identity of the individual making the enquiry. The employee might not be located in the same offices as HR personnel responding to the request, and it is sensible to check the person’s identity. Any useful background information can be sought from the individual both in relation to their enquiry and to assist in verification.
Subject access requests When responding to a subject access request it is best to coordinate relevant information and then check that it does not contain any personal data relating to other data subjects. Where information identifies a third party, the employer must refer to that third party for permission to disclose their personal data. If authority is withheld, the organization has the discretion to decide whether to comply fully with the request against the third party’s wishes or to withhold that information. In very limited circumstances there are grounds for not complying with a subject access request made by an employee. These include:
- Management forecasts, to the extent to which their disclosure would be likely to prejudice the conduct of the business. For example, plans involving the closure of business premises and subsequent redundancies would not have to be disclosed to an employee making a subject access request if the plans were not already common knowledge.
- A corporate finance exemption, which allows personal data to be withheld to the extent to which its application could affect the price of any stock or for safeguarding an important economic or financial interest.
- An exemption applying to negotiations currently under way involving the data subject, to the extent to which the application would be likely to prejudice those negotiations. For example, negotiations over the terms of a leaving package would be exempt from a subject access request made by the data subject.
If it is believed that there are legitimate grounds for not complying with a subject access request, seek legal advice.
The exercise of other rights The right to prevent the processing of personal data for direct marketing purposes is an absolute right. The organization must simply comply with the request. The right to prevent the processing of personal data likely to cause damage or distress is qualified by the organization’s right to assess the likely damage or distress and weigh this against its own purposes in processing the data. The Data Protection Act 1998 therefore allows organizations a certain amount of discretion in complying with such requests. If the data subject is dissatisfied with the outcome of the request, they may refer it to the Information Commissioner’s Office for assessment or to the courts. The exercise of the right to object to decisions taken by automated means involves the organization in a manual review of the decision taken. The reviewer’s findings may differ from those made by automated means; alternatively, they may concur. Again, the data subject who is not satisfied with the outcome may refer the matter to the Information Commissioner’s Office for assessment or to the courts.
SUGGESTED ACTIONS
- It is vital to identify when a right under the Act is being exercised – brief all HR staff on data subject rights.
- Provide a documented procedure for employees to exercise their rights against the organization; this will help to ensure that notices purporting to exercise rights are directed at designated personnel who will know how to react.
- When a right is being exercised, deal with the matter quickly.
Data subject information
The Act requires that, whenever personal data is obtained, certain information is given to the data subject first. The data controller (employer, pension scheme trustees, etc.) must be identified, along with the purposes for which the personal data is to be processed. Additional information relevant in the circumstances might include any other parties to whom data is to be disclosed and any other information which would affect the data subject’s decision to disclose the data requested. It is important to identify all the purposes for which personal data is to be processed. The Second Principle restricts processing to the stated purposes. Organizations must state their intended processing purposes before obtaining personal data. Consent must then be sought for any subsequent ‘new’ processing activity involving that personal data.
SUGGESTED WORDING FOR TYPICAL SUBJECT INFORMATION IN THE HR CONTEXT
The following are sample wordings for those common areas requiring data subject information: employees, pension scheme member, job applicant.
Subject information for an employee
The information we, [name of organization], require will be used for employee administration, including the administration of remuneration and employee benefits, and Health and Safety purposes. We will share your information with the Pension Scheme Trustees and administrators/insurers/etc. in connection with employment benefits and/or the business. We may disclose information to our auditors or as required by law. Otherwise your personal details will be kept confidential. You are free to view your personnel file on request from time to time. Contact [name of contact] if you wish to see your file or part of it. (If applicable) We also require limited personal data for training and assessment purposes. (If applicable) We also use your personal data to advise you of offers on our products and services from time to time. If you do not wish to receive this information, please tick this box.
Subject information for a pension scheme member
The information we, [name of pension scheme trustee body], require will be used for the purposes of administering the pension scheme and any benefits payable under the scheme. We may share information with your employing company and our advisers/administrators/insurers/etc. in connection with the pension scheme. We may disclose information to our auditors and actuaries or as required by law. Otherwise your personal details will be kept confidential. (If applicable) We also share information relating to you with independent financial advisers selected by the trustees from time to time so that they can provide you with financial planning advice at your request.
Subject information for a job candidate
The information we request is required to assess your suitability for the job you have applied for and your suitability as an employee of [name of employing company]. We will obtain information about you from your designated referees should you be successful. We will also (delete as applicable) carry out a credit reference search/require you to attend for a medical with our company doctor/undertake the following vetting procedures prior to appointment. . . . We are an equal opportunities employer and we undertake equal opportunities monitoring in relation to job candidates. We will retain details of your race or ethnic origin, where this is provided by you for this purpose. The information will not identify you personally.
If your application is unsuccessful, we would normally retain your details on file for a period not exceeding six months. Please let us know if you would like your details to be destroyed immediately.
SUGGESTED ACTIONS
- Identify all processing (including obtaining, holding, using and disclosing) of personal data undertaken by or for HR. Your list may include:
  – Employee/staff data for staff administration including pay and conditions.
  – Pension scheme member data for pension scheme administration.
  – Data relating to pensioners for pension scheme administration.
  – Data relating to employees’ and pensioners’ spouses for the administration of pension scheme payments and group life insurance.
  – Data relating to social club members for administration.
  – Employee data for marketing.
  – Data relating to ex-employees for statutory and contractual purposes.
  – Data relating to temporary workers and/or contractors for administration purposes.
  – Data relating to prospective employees for purposes of recruitment.
- Draft subject information to explain why personal data is required in each case and how it will be used and disclosed. See the suggested wordings set out above.
- Position subject information on any forms where personal data is sought: for example, job application forms, pension scheme membership application forms, social club membership application forms, etc. Make sure you use lettering of equal font size, and position the notice so it can be seen at least as easily as any other information or question on the form.
- Also include subject information in any staff handbook and booklets describing the pension scheme and other employee benefits. They can be included in induction or welcome packs and on the company intranet, if one exists. Again, make sure that the notice is given equal prominence with other terms and conditions.
- Include appropriate subject information in letters sent to acknowledge unsolicited CVs.
Conditions for lawful processing
For the processing of personal data to be lawful, one or more specified conditions must be met. The conditions are set out in full in Schedule 2 to the Data Protection Act 1998.
CONDITIONS FOR PROCESSING HR-RELATED DATA
The following are some of the commonly applicable conditions for the processing of personal data in the HR context.
‘The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract.’ For example, paying employees is fulfilling a term of their contract of employment, while providing pension scheme benefits is fulfilling a term of the pension scheme membership contract.
‘The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.’ For example, your auditor may need to check your payroll records or personal expenses claims. This condition covers the requirement to supply information about an employee to the Inland Revenue or DSS. Complying with court orders also falls under this condition.
‘The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.’ For example, marketing activity undertaken by an organization, so long as the wishes of data subjects are observed. This means avoiding inappropriate marketing where you know the recipient does not want to receive marketing material. This condition also covers the use of CCTV to protect business premises against crime, but remember that the business interest must be balanced against the rights and freedoms of individuals. CCTV cameras should be focused on the areas of the premises most open to risk and should not, for instance, record employees if this can be avoided. (See, further, Chapter 5).
SUGGESTED ACTIONS
. Identify and list all processing (remember to include obtaining, holding, using and disclosing) of employee personal data. Your list is likely to include:
– Employee/staff data for staff administration including pay and conditions.
– Pension scheme member data for pension scheme administration.
– Data relating to pensioners for pension scheme administration.
– Data relating to employees’ and pensioners’ spouses for administration of pension scheme payments and group life insurance.
– Data relating to social club members for administration.
– Employee and/or pensioner data for marketing.
– Data relating to ex-employees for statutory and contractual purposes.
– Data relating to temporary workers and/or contractors for administration purposes.
– Data relating to prospective employees for purposes of recruitment.
– Supplier data for purchases and accounts.
– CCTV images for crime prevention and the prosecution of offenders.
. Check that each activity is covered by one or more of the conditions for fair processing explained above.
. Document your findings and your work.
Sensitive data
‘Sensitive data’ is a defined term in the Data Protection Act 1998. It refers to personal data consisting of information as to:
1) The racial or ethnic origin of the data subject.
2) Their political opinions.
3) Their religious beliefs or other beliefs of a similar nature.
4) Whether they are a member of a trade union.
5) Their physical or mental health or condition.
6) Their sexual life.
7) The committing or alleged committing by them of any offence, or
8) Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
These categories of data have been identified as requiring a higher degree of care when processing. More regulation of this type of processing may follow in future. Currently the only additional requirement when processing sensitive data is to meet a condition for the fair processing of sensitive data in addition to one or more of the conditions for the fair processing of personal data. The conditions for the fair processing of sensitive data are set out in Schedule 3 to the Data Protection Act 1998. Most employers will process personal data relating to the health of their employees. Holding sickness records constitutes the processing of sensitive data.
COMMONLY APPLICABLE CONDITIONS FOR THE FAIR PROCESSING OF SENSITIVE DATA IN THE HR CONTEXT
If your HR department processes sensitive data, one or more of the following conditions must be met:
The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. Contractual provisions such as the paying of sick pay or the administration of a private medical scheme or income replacement scheme would be covered by this condition.
The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject. This would apply, for example, where the data subject has provided sensitive data to the press and the organization was asked to comment.
The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or for obtaining legal advice. This will cover the seeking of legal advice in connection with an employee whose performance is unsatisfactory, perhaps due to ill health.
The processing is of information as to racial or ethnic origin, necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of data subjects. This covers equal opportunities monitoring and reporting.
The data subject has given his explicit consent to the processing of the sensitive data. This condition may be relied upon if none of the other conditions for the fair processing of sensitive data apply. However, there is a problem in relation to employment. In the context of the employer/employee relationship it is now doubtful that proper consent can be given by the employee to the processing of personal data relating to them by the employer. The view has been expressed that in the relationship between employer and employee, the employee is at such a disadvantage in terms of bargaining power that they are never able to give consent freely and without undue influence from the employer. The Information Commissioner (Elizabeth France, Commissioner 1992–2002) indicated that she agrees with this view. The Information Commissioner’s Office accepts that this creates a problem for employers processing sensitive data relating to employee sickness, for example. An Order is being sought urgently from the Secretary of State to deal with this issue. In the meantime, the position being adopted by the Office is that there are probably several legal obligations on the employer requiring it to process sensitive data relating to employees without relying on consent: three years’ statutory sick pay records must be kept pursuant to statute; there is the common-law duty to other staff and to the sick employee (for example). While it is accepted that this is a manufactured solution where none really exists, it does provide a workable solution to the problem in the short term. HR professionals should keep abreast of developments in this area as the manufactured solution is not viewed as a long-term one. See page 21 for more detail on the issue of consent.
SUGGESTED ACTIONS
Identify all processing of sensitive data likely to be undertaken by the HR department (race, religion, trade union membership, health, sex life, criminal records). Your list is likely to include:
. The race or ethnic origin of employees/staff for the purpose of equal opportunities monitoring.
. The health of employees/staff for the purpose of statutory and company sick pay schemes, and to meet health and safety requirements.
. Trade union membership for administrative purposes.
Check that each activity is covered by one or more of the conditions for the processing of sensitive data set out above.
The Data Protection Principles
The Data Protection Principles, in Schedule 1 to the Data Protection Act 1998, set out required standards of behaviour to be observed when dealing with personal data. There are eight Principles and the text is set out below for reference. In addition, Chapters 14 to 21 in Part II provide in-depth analysis and guidance on each of the Principles. The Principles are as follows:
1) Personal data shall be processed fairly and lawfully.
2) Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.
3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4) Personal data shall be accurate and, where necessary, kept up to date.
5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6) Personal data must be processed in accordance with an individual’s rights under the Act.
7) Appropriate technological and organizational measures shall be taken against the unauthorized or unlawful processing of personal data and against the accidental loss or destruction of, or damage to, personal data.
8) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Employment Practices Data Protection Code, issued by the Information Commissioner, has interpreted the Principles in relation to HR activities.
SUGGESTED ACTIONS
Security checks
. If you do not have an IT security policy which covers HR computer systems, document (at a high level) the security systems which protect personal data held: for example, restricted access by the use of passwords, access on a need-to-know basis, firewalls, back-up arrangements, business continuity plans, etc.
. Document the security arrangements for personal data held in paper files: for instance by using lockable filing cabinets, adhering to a ‘clean desk’ policy, using reliable and secure archive arrangements, and ensuring the reliable and secure destruction of documents containing confidential and ordinary information.
. Document how you ensure the reliability of staff who work in HR: for example, when taking up references and supervising new employees, with regard to laptop use and homeworking policies and procedures, and when providing training on security and confidentiality issues and house security policies as documented above.
. Consider the adequacy of the security arrangements you have in place in relation to the confidentiality of the employee personal data you process. Strengthen your arrangements as necessary.
. Review your security arrangements periodically to ensure that you are still providing adequate security for personal data considering the risk of disclosure or damage and the harm that could result.
Checks for fair and legal processing
. Identify all employee personal data-processing activities. Your list might include:
– Employee/staff data for staff administration including pay and conditions.
– Pension scheme member data for pension scheme administration.
– Data relating to pensioners for pension scheme administration.
– Data relating to employees’ and pensioners’ spouses for administration of pension scheme payments and group life insurance.
– Data relating to social club members for administration.
– Employee data for marketing.
– Data relating to ex-employees for statutory and contractual purposes.
– Data relating to temporary workers and/or contractors for administration purposes.
– Data relating to prospective employees for purposes of recruitment.
. Ensure that each processing activity meets one or more of the conditions for fair processing. (See page 15).
Keeping personal data up to date and accurate
. If one is not already in place, introduce a regular update of employee details whereby employees are requested to confirm that their personal details as held on HR files are correct and up to date.
. Review any procedures which involve the transfer of personal data internally and consider whether they need amending to ensure that accuracy is maintained.
Not keeping personal data longer than is necessary
. Adopt a document retention policy with justifiable retention periods for personnel information. (See page 61).
. Introduce a regular review of how long files are kept, making sure that this is not for longer than necessary or for longer than is stated in your HR document retention policy.
Ensuring that personal data held is adequate, relevant and not excessive
. Ensure the relevance of new personal data entering the department by undertaking a review of the categories of personal data sought on any application forms (those for jobs, membership of pension schemes or other employment benefit schemes, absence and holiday forms, etc.). Consider if all the information is actually necessary to the stated purpose for which it was obtained. For example:
– Are job application forms asking for too much detail for a sensible assessment to be made of a candidate’s suitability for a junior position?
– Are job application forms asking for information which will only be relevant in relation to the successful candidate? In which case, it is irrelevant in relation to most of the candidates who complete the form.
– Are there any questions on forms of which you do not understand the relevance?
. Review the personal data provided by line managers to HR in reports and statistics routinely required. Is sufficient information provided? Is any of the information irrelevant?
. Check the relevance of personal data on existing files by undertaking a regular, rolling purge of HR files. In particular:
– Ensure that you are following any document retention policies, procedures for removing expired disciplinary warnings or details of spent criminal convictions from files.
– Anonymize data held on files retained for statistical analysis only; personal data should not be relevant to this activity.
Consent in the employer/employee relationship
When the Data Protection Act 1998 was enacted, legal advice suggested that the most appropriate way to ensure the continuance of then current data-processing activities in the employment arena was to seek the informed consent of the employee to itemized lists of HR activities. Current thinking is that consent can never be demonstrated to have been given freely in the context of the employer/employee relationship. One of the advisory groups on data protection issues in the Hague (the Article 29 Working Party) has considered the issue of consent between employer and employee in the workplace. In an Opinion issued in September 2001 it suggested that where the employer is required to process personal data for ‘necessary and unavoidable’ purposes associated with employment administration, it would then be misleading if the employer were to seek to rely on consent from the employee to legitimize the resultant personal data-processing activities (Opinion 8/2001). The view expressed was that consent by an employee cannot be demonstrated to have been freely given to the employer because of the risk of prejudice to the employee’s continued employment and prospects at work. The Information Commissioner and representatives from her Office have concurred with the view of the advisory committee that it is very difficult to clearly establish that consent was freely given by an employee to the employer’s personal data-processing activity. Consent is not routinely required in order to process personal data legitimately. It is one of the conditions for fair processing required to meet part of the First Data Protection Principle. Generally, though, there are other conditions that may be relied upon in the context of employee administration. It is a little more difficult to find alternative conditions to legitimize the processing of sensitive data as the conditions are much more limited in application as befits the subject matter.
Therefore it is in the context of processing sensitive data, sickness and absence records, details of trade union membership or criminal records that the employer would generally seek to rely on the consent of the employee to meet a condition for fair processing and thereby render the processing fair. The other prime example where an employee’s consent is of key importance is in relation to the transfer of personal data outside the European Economic Area. The Eighth Principle prohibits the transfer of personal data outside the EEA to any territory which does not provide adequate safeguards for the rights and freedoms of data subjects. However, there are some exceptions to the prohibition, a key one being where the data subject has consented to the transfer. If the employer is effectively deprived of consent as a condition to establish fair processing, this has a significant impact on its ability to process certain data and to process it in certain ways.
WHERE CONSENT MAY BE REQUIRED
Consent is one of the conditions for the fair processing of personal data and, more importantly, for the fair processing of sensitive data, for which the conditions are more restrictive. The conditions for fair processing are set out in Schedule 2 to the Act. (Schedule 3 sets out the conditions for the fair processing of sensitive data, i.e. that relating to mental and physical health, sex life, criminal records or charges, race or ethnic origin, religious or political beliefs, membership of a trade union). While Schedule 2 conditions include a number of practical alternatives to the obtaining of consent, Schedule 3 conditions do not provide alternatives to consent in many situations.
Consent is also one of the exemptions to the prohibition on the transfer of personal data outside the EEA. These exemptions are set out in Schedule 4 to the Act.
Another situation where consent is required is where personal data is obtained for a stated purpose and the data controller subsequently identifies a further purpose for processing the data which is not compatible with the original purpose. In this circumstance, the data controller must revert to the data subject to ask for consent for the new processing purpose. Again, this will prove difficult within the employer/employee relationship.
Finally, consent is required to the processing of personal data for the purposes of marketing. This takes the form of the opt-out, or, for the marketing of products and services provided by third parties (that is, a party other than the employer), an opt-in.
Consequences for employment contracts
It is not recommended that contracts of employment include consent clauses to the processing of personal data relating to employee data subjects. Where these already form part of the contract of employment, the wording should be amended so that the clause operates as subject information. The Information Commissioner’s view has been clearly stated: consent within the employer/employee relationship is unreliable, and to persist in apparently relying on such clauses indicates that the data controller is not keeping up to date with developments in data protection law.
Consequences for meeting the conditions for fair processing
When processing personal data, other appropriate conditions for fair processing (in Schedule 2) will almost certainly apply. For example, there is a condition that the processing is pursuant to a contract to which the data subject is a party, in this case the employment contract; alternatively that the processing is in the legitimate business interests of the data controller subject to the rights and freedoms of individual employees. For a further explanation of the conditions for fair processing, see Chapter 14. For the application of the First Principle to processing in the HR context, see page 15.
Consequences for establishing fair processing of sensitive data
The processing of sensitive data must be justified on more restricted grounds (set out in Schedule 3), and it is suggested that normal HR activity involves the processing of sensitive data to meet statutory requirements. For example, the processing of data relating to health is necessary for the administration of statutory sick pay, and the processing of data relating to race or ethnic origin necessary to meet the requirements of equal opportunities monitoring. In fact, this is the interim solution offered by the Information Commissioner to overcome the deficiencies of Schedule 3 pending further legislative solutions. However, this solution will not cover any exceptional processing activity involving sensitive data. It serves to legitimize normal HR activity. Employers need to consider whether or not their processing of sensitive data falls outside the norm for any reason and to seek advice if it does.
The first draft of the Employment Code of Practice suggested that the processing of information relating to the employee’s absence due to illness would not be covered by the statutory requirement condition for fair processing. This position has softened, largely in response to the problem of establishing freely given employee consent. The final version of the Code allows for the processing of sensitive data to meet statutory obligations on the data controller in relation to employment to include normal sickness and absence reporting and recording. As stated above, this is now the interim solution offered by the Information Commissioner to resolve the issues of consent when processing sensitive data in the employer/employee relationship.
Consequences when transferring employee personal data outside the EEA
When transferring employee personal data outside the EEA, there are other alternatives to consent to legitimize the transfer. At worst the data controller can apply the adequacy test and approve the transfer on the grounds that the transferee organization offers appropriate levels of security and protection for individual rights in relation to the sensitivity and confidentiality of the personal data being transferred. (See page 55).
Consequences for marketing
The Employment Practices Data Protection Code follows previous guidance in relation to obtaining consent to marketing activity. The basic requirement is that data subjects be given an opt-out to the use of their personal data for marketing purposes. There are other areas in the Employment Code where consent is advocated: for example, when publishing information relating to an employee (in reports and accounts, company brochures, in-house magazines, etc.)2 the informed consent of that individual should be sought. Employee consent is also advocated when one is approached for a reference by a third party.3
SUGGESTED ACTIONS
. Amend contracts of employment to remove any clauses requiring data subject employees to consent to data processing activity.
. Consider the processing of sensitive data in the HR context. Any processing activity which is non-routine by HR standards should be cleared specifically with the Information Commissioner’s Office as it is unlikely to be covered by the wider interpretation of the condition relating to meeting legal obligations in the employment context.
. Ensure that the transfer of employee personal data outside the EEA does not rely on employee consent to the transfer. Alternative justifications for the transfer must be identified. (See page 55).
. Use marketing opt-out clauses if the employer intends to market its own goods and services to employees or an opt-in clause if the intention is to market the goods and services of third parties. (See Chapter 11).
2. Record Management, Publication and disclosures, benchmark 1.
3. Record Management, References – benchmarks 2 and 3.
CHAPTER
4 Issues relating to recruitment
Selection and recruitment of new personnel
The Employment Practices Data Protection Code sets out standards for the use of personal data in the recruitment and selection of new personnel.1 The Employment Code can be seen as ‘fleshing out’ the Data Protection Principles, explaining how they might apply in relation to HR activities. There is no conflict between the benchmark standards set out in the Employment Code and the Data Protection Principles. The Employment Code provides guidance as to the way the Information Commissioner applies the Principles in the HR context. Some of the points made in the ‘Recruitment and Selection’ part of the Employment Code which are not covered elsewhere are as follows:
. There are no special rules relating to interview notes or any other component of recruitment records. For example, interview notes should be disclosed if an interviewee exercises their right to access personal data relating to themselves. Under the 1984 Act, personal opinions were excluded from the definition of ‘personal data’ and therefore exempt from subject access. This is no longer the case.
. It should be stated, on any application form, to whom the information is being provided and how it will be used, if this is not self-evident. (See page 13).
. Recruiters should only seek personal data relevant to the recruitment decision to be made. Data required for personnel administration should be sought later, and only of the successful candidate. (See Chapter 4).
. If sensitive data are collected, ensure a condition for processing sensitive data is satisfied.2
. A secure method for processing applications must be used.3
. Recruiters should be consistent in the way personal data is used when shortlisting candidates for a particular position.4
. Recruiters should ensure that personal data recorded and retained following interview can be justified as relevant to, and necessary for, the recruitment process itself, or for defending the process against challenge.5
CRIMINAL OFFENCES
The Data Protection Act 1998 makes it a criminal offence to require candidates for jobs to make a data subject access request to the police in relation to possible criminal records. The new Criminal Records Bureau is now the only legal route to the obtaining of personal data relating to the criminal records of prospective employees. The Employment Code provides that employers should only seek information about an applicant’s criminal convictions if that information can be justified in terms of the role offered. If the information is justified, employers must make it clear that spent convictions do not have to be declared, unless the post being filled is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974.6
1. Recruitment and Selection of New Personnel.
2. Handling applications, benchmark 5.
3. Handling applications, benchmark 6.
4. Shortlisting, benchmark 1.
5. Interviewing, benchmark 1.
THE EMPLOYMENT PRACTICES DATA PROTECTION CODE
The Employment Code makes a series of recommendations in relation to psychometric testing, vetting procedures and the retention of recruitment records respectively. Elements for inclusion in suggested policies for each of these areas are set out below.
USE OF PSYCHOMETRIC TESTS
When and if using psychometric tests to assess candidates’ suitability for a job and to assist in making a recruitment decision, organizations should:
. Explain the use of psychometric tests to all candidates required to undergo them.
. Ensure that only personnel trained in the interpretation of psychometric test results have access to the results and that a résumé of the results is produced for use by non-trained personnel.
. Ensure that other personnel, including managers and directors, have no access whatsoever to the results of psychometric tests, although they may have access to the résumé prepared by the person trained in their interpretation.
. Ensure that psychometric test results are kept securely while in use and destroyed as soon as the recruitment decision has been made.
PRE-EMPLOYMENT VETTING
‘Vetting procedures’ in this context involve something more than merely taking up one or two simple references, as in the case of an employer which requires candidates to undergo a credit reference check as part of standard recruitment procedure or calls for detailed references concerning their reliability, trustworthiness with money and valuables, timekeeping and sickness record, etc. If you take up references simply to confirm the dates during which the job candidate was employed, there is no need to take any further action in relation to vetting.
Elements of a suggested policy relating to pre-employment vetting
When and if the organization undertakes pre-employment vetting it should:
. Restrict vetting procedures to successful candidates only.
. Restrict vetting procedures to jobs where there is a clear business need for pre-employment vetting, for example in the case of persons being appointed to a position in a regulated environment or senior appointments to authorized bodies which require ‘positive vetting’. Generally the organization should seek to show that vetting is justified due to the potential harm that might otherwise result from an undesirable element being introduced into the working environment.
. Restrict vetting questions in order to target specific issues and concerns allied to the job, rather than a general ‘fishing expedition’.
. Consider each case referred for vetting before undertaking any checks, including:
– The impact of vetting on the candidate.
– The likelihood that you will be able to identify any potential threat through the information being sought, and
– Any embarrassment likely to be caused by the vetting to the candidate’s friends or family.
6. Recruitment and Selection of New Personnel, Handling applications, benchmark 3.
RETENTION OF RECRUITMENT FILES AND INFORMATION
Recruitment files should be kept secure at all times. In particular, the organization should ensure there are secure transmission facilities for recruitment information internally and externally. When a recruitment decision is made, the relevant recruitment files relating to unsuccessful candidates should be destroyed after a reasonable period (say, six months) unless:
. A particularly good candidate agrees that their details may be retained for a longer, specified, period in case another suitable job vacancy arises or to be a back-up for the successful candidate in case the initial appointment proves unsuccessful.
. Some information is retained to show that the organization correctly operated its equal opportunities procedure. Such information should be depersonalized wherever possible (that is, retained without specific names and addresses being kept).
Information relating to the successful candidate which is required for employee administration purposes should be transferred to a new personnel file for the new employee. In particular:
. Information obtained during any pre-employment vetting should not be retained, although the result of the vetting may be recorded and kept.
. Information relating to any criminal records of the successful candidate should be deleted unless the information is relevant to the appointment.
IMPLICATIONS OF INTERVIEWING
At the interview, check that the candidate knows the name of the employer and something about its operations. If they have applied for a managerial position, this may include reference to any group structure. Explain that any information the interviewee volunteers will be treated in confidence and used to assess their suitability for the job. Show the candidate any statement of data protection policy and other material which explains how their personal data will be handled if they succeed in getting the job.
Issues relating to recruitment
27
Other information should be supplied to the candidate at the beginning of the interview if relevant:
• That candidates will be required to undergo psychometric tests and what the results help to determine.
• That personal data may be processed involving automated decision-taking and the details of the process: for example that tests will be marked by automated means.
• That pre-employment vetting is to take place and what form that is to take, for example, if a credit check is to be undertaken against the candidate’s name and address or if the successful candidate will have to complete a supplementary questionnaire for other background checks to be carried out by the organization or its regulator.
Notes of the interview
When making a note of the interview, personal comments relating to interviewees should be avoided. Generally avoid statements you would not want to share with the interviewee. Keep notes factual and, where a personal opinion is included, it should be fair to the candidate and other candidates for the job. Interviewers should be consistent in their approach both mentally and in terms of the information recorded. If offered information relating to the candidate’s physical or mental health, race, religion, political beliefs, trade union membership or criminal record, only the bare facts should be recorded; no opinion should be given about this information. Any follow-up actions required will be taken by the HR department. In particular, interviewers should bear in mind that interview notes:
• will be disclosed to the interviewee concerned if they ask to see them.
• will be used to evidence the company’s equal opportunities policies.
• will be retained for six months in respect of unsuccessful candidates and for a longer period in respect of the successful candidate.
SUGGESTED ACTIONS
1) Review existing application forms (if used) and:
• Include appropriate data subject information for job candidates, picking up the issues raised by other actions (below) to include on the form.
• Consider each question on the form and identify whether the information sought relates to the assessment of the candidate for the job or if it relates to employment administration if the applicant is successful. Remove all questions which are not directly relevant to the assessment/recruitment decision (for example, National Insurance numbers, whether or not a current driving licence is held if the position does not involve driving, etc.).
• If your recruitment procedure involves any automated decision-making, explain this in the data subject information.
2) If application forms are not used, the following information should be included in letters to candidates at the earliest opportunity:
• Appropriate data subject information for job candidates, picking up the issues raised by other actions.
• If your recruitment procedure involves any automated decision-making, explain this in the data subject information.
28
Actions for employers
3) If you receive unsolicited or speculative CVs, respond to the approach with the following information at the earliest opportunity:
• Appropriate data subject information.
• An indication of how long speculative CVs will be retained, together with an invitation for the prospect to withdraw their CV from consideration if the retention period is exceptional, say, longer than six months.
• If your recruitment procedure involves any automated decision-making, explain this in the data subject information.
• If your recruitment procedure involves the use of psychometric tests, adopt a policy similar to the one suggested.
• If you use pre-employment vetting procedures, adopt a policy similar to the one suggested.
• Adopt a policy on the retention of recruitment information similar to the one suggested.
• Brief line managers on the data protection implications when interviewing candidates.
Using agencies to recruit
The Employment Practices Data Protection Code emphasizes the importance of ensuring that job candidates know the identity of the organization that is recruiting. This requirement stems from the First Principle, the duty to process personal data fairly and lawfully. In particular, the interpretation of the Principles explains that the processing of personal data will not be deemed fair unless prescribed information has been supplied to the data subject. By introducing standard terms on which it deals with agencies the organization can require them to act in accordance with the Data Protection Principles and to supply the required information to candidates even where advertisements are carried ‘blind’ initially. (A ‘blind’ advertisement is one where the prospective employer is not identified and which is fronted by an agency, perhaps to keep a new venture secret or because of political considerations).
ISSUES FOR INCLUSION IN TERMS OF BUSINESS WITH RECRUITMENT AGENCIES
The terms of business should identify the obligations of the agency, including:
1) A general requirement to act in accordance with the Data Protection Principles.
2) A requirement that advertising copy be approved by the organization prior to publication.
3) A requirement that the agency should always give all suitable candidates an information pack about the organization as provided by it.
4) A requirement that the agency shall not submit applications to the organization unless the candidate has both seen the information pack and has consented to the application being made.
5) A requirement that the agency will always deal directly and exclusively with a named person in the organization when handling recruitment on its behalf.
SUGGESTED ACTIONS
• Make formal appointments of one or more recruitment agencies either as part of a continuing relationship or as one-off appointments when the organization is recruiting.
• Include the terms outlined in your contract with the recruitment agency(ies).
• Provide appointed recruitment agencies with a written résumé of the organization, its name, line of business, etc. for candidates and prospective candidates.
CHAPTER
5 Monitoring issues
Monitoring employees
The monitoring of employee performance is not illegal. However, the monitoring of communications falls within the scope of the Regulation of Investigatory Powers Act 2000 (RIPA) and the Lawful Business Practices Regulations. These statutory instruments apply where communications are intercepted. For example, checking the content of e-mails and recording telephone conversations are activities covered by RIPA. In addition, intercepting communications, and other forms of monitoring, which involve personal data processing, must comply with the requirements of the Data Protection Principles and the Employment Practices Data Protection Code. In general, compliance with the Employment Code will ensure compliance with RIPA. An entire section of the Employment Code is devoted to monitoring activities and establishing appropriate benchmarks for such activity. These are the areas which should be considered.
EXAMPLES OF MONITORING ACTIVITY
Monitoring may take the form of electronic scanning of internet usage to ensure that employees follow a company policy prohibiting access to the internet for personal reasons or use CCTV cameras in public areas such as the company car park or targeted on cash tills. It may also include reading e-mails while an employee is absent from work due to holidays, illness or injury to ensure that customer orders are picked up and dealt with. Some monitoring may be targeted at checking the performance of employees and how well they do their job. The benefit to the business of monitoring to enforce a company policy prohibiting personal use of the internet is that employees are encouraged to devote their work time to work related activities, improving ‘productivity’. Contrast monitoring by CCTV cameras in the car park or targeted on cash tills which is aimed at crime prevention or detection and improved public and employee safety. Checking e-mails to pick up customer orders has an obvious benefit to the employer. It ensures that business is not lost and keeps up customer relations.
IDENTIFY WHO IS AUTHORISED TO INSTIGATE MONITORING ACTIVITY
The Employment Code recommends that the introduction and use of employee monitoring be controlled and that means restricted. Line managers should not be authorised to
Monitoring issues
31
introduce new monitoring activities but should follow agreed practices and make suggestions if they have any improvements to make. The Employment Code also recommends considering which is the appropriate department to undertake monitoring. In some cases, for example performance monitoring, it will be appropriate for line management or compliance personnel to undertake the role. In others, such as crime prevention and detection, it will be more appropriate for security personnel to undertake the role.
IDENTIFY THE BUSINESS NEED AND TARGET MONITORING APPROPRIATELY
It is vital to identify the business need that monitoring is to address, and then to target the monitoring to address just that need and no other. To give a few examples:
• If the prevention of pilfering from cash tills is the objective, then CCTV cameras should be targeted on cash tills.
• If the objective is to enforce the company’s policy forbidding the downloading of undesirable material – such as pornography from the Internet, for example – then an automated check on flesh tint pixels in images might be the first step. Further investigation can be made if it appears that many of the images being stored or downloaded feature flesh tints.
• If the objective is to identify employees abusing the employer’s e-mail facilities, it is appropriate to review the traffic of e-mail to identify excessive personal use before investigating further into the content of individual e-mails.
• If incoming e-mail has to be checked for time-critical messages during an employee’s absence from work, it might be appropriate to review the subject headings to identify those most likely to be relevant and to avoid those which appear to be of a personal nature.
Monitoring is by its nature intrusive. Bearing in mind the question of human rights, it should always be undertaken in such a way that the privacy and autonomy of individual employees are respected. Targeted monitoring is more likely to achieve this than a wholesale approach. The impact of monitoring on employees and their relationship with the employer should be taken into account. Assess whether or not the perceived benefits of monitoring are likely to outweigh the perceived risks, such as the alienation of employees, and the amount of time spent by supervisory staff on undertaking monitoring.
TRAIN MONITORS ABOUT THEIR DATA PROTECTION OBLIGATIONS
Senior HR personnel and those who are authorised to introduce monitoring activity should read the Employment Practices Data Code on Monitoring. Employees who undertake monitoring should be briefed about data protection obligations relating to employee rights, the processing of sensitive data and the importance of following monitoring policies.
OPENNESS ABOUT MONITORING
In accordance with respect for the privacy and autonomy of individual employees, the organization must be open about its monitoring policy and practices. This is also required if
the fair processing requirements are to be met. Generally, employees should know that monitoring takes place and the reasons for it. The Information Commissioner’s view is that covert monitoring is difficult to justify and should only be undertaken on the advice of – or in collaboration with – the police. One area which causes problems is the use of the employer’s facilities by employees for personal or social purposes. Human rights law probably means that it would not be reasonable to prohibit employees from taking some personal telephone calls at work, for example in an emergency situation. Thus any policy will have to take this into account and allow some degree of reasonable use. Policies relating to the use of corporate facilities for private purposes must be audited and the rules enforced. If staff are aware that policies are not imposed in practice, the practice will come to overrule the procedure. The draft benchmarks in the Employment Code recommend that employees are given the opportunity to explain their behaviour if monitoring reveals an apparent problem. The results of monitoring could be misleading, and natural justice dictates that the person involved be given the chance to present their side of an event.
RESPONDING TO SPECIFIC PROBLEMS
When introducing new monitoring activity to deal with a specific problem it is important to keep a sense of perspective. Monitoring should not be an emotional reaction to the problem but the outcome of consideration of the damage to the business weighed against the right of an employee to do their job without having someone looking over their shoulder all the time. In particular, note that covert monitoring will only be justifiable in limited circumstances and, even then, probably only with the backing of the police.
RELEVANCE OF INFORMATION OBTAINED
It is possible that monitoring will reveal information which is not relevant to the purpose for which it was introduced. Unless employees are aware that such information will be applied for other purposes, it should not be used unless it is evidence of a criminal offence or gross misconduct. For example, monitoring the company reception area might be undertaken for reasons of public and employee safety. If the monitoring activity reveals liaisons between members of staff, this information must be disregarded unless their behaviour constitutes gross misconduct under the employer’s disciplinary procedure.
MONITORING COMMUNICATIONS
The draft benchmarks recommend that employers set a clear policy on the use of their facilities for personal communications. The policy should be practicable and applied in practice. Telephone, e-mail and fax monitoring affects the privacy of those making calls and sending e-mails as well as those who receive them. Monitoring communications will thus have an impact on employees of other organizations and members of the public unassociated with the employer, such as employees’ spouses. The effect of monitoring on such individuals needs to be taken into account when assessing the overall need for and impact of monitoring. Consideration should be given to notifying callers and those sending e-mail that the organization undertakes monitoring activity. Oftel regulations already
provide for callers to be notified if telephone calls are being recorded. Telephone calls are not personal data unless they are recorded. A further consideration is that not all private communication is carried out during a private call or e-mail. A call or e-mail related to legitimate work activities might easily include a personal comment or note. Monitoring business communication will necessarily include monitoring some personal communication within the overall scheme. If the employer provides a mobile telephone or a landline at an employee’s home, and details of the account are sent direct to the employer then the disclosure (of the telephone account use) constitutes a disclosure of personal data, in relation to the employee, their family and callers to that telephone number.
SUGGESTED ACTIONS
• Decide who, within the organisation, is authorised to introduce monitoring activity. Make sure you are able to demonstrate that the introduction and subsequent use of monitoring is controlled.
• Consider and document the reasons why a particular form of employee monitoring is required and the benefits expected to accrue from the monitoring.
• Consider whether the rights of employees have been taken into account and the likely impact of the monitoring on employees and the employer/employee relationship.
• Based on your findings, make a decision as to whether or not the monitoring is justified, weighing the business benefits against the impact on employees and their privacy and autonomy.
• Consider whether there are any viable alternatives to the chosen monitoring activity.
• Target monitoring to address the business need. For example, if e-mails are to be checked to identify any orders addressed to employees who are on holiday, then check only those e-mails arriving in the period that the employee is on holiday and ignore any e-mails which obviously do not relate to the purpose.
• Train those authorised to introduce monitoring and those who monitor other employees.
• If CCTV is to be used, follow the checks and actions in the CCTV section on page 34.
• If the use of company vehicles is to be monitored, only monitor the use of those vehicles provided exclusively for business and related use or company vehicles when being used for business and related use.
• If you are monitoring electronic communications consult the Regulation of Investigatory Powers Act 2000 (‘RIPA’) and the Lawful Business Practice Regulations.
• If the aim of the monitoring activity is to police a company policy restricting use of electronic communication channels for personal reasons, ensure that the company’s policy is clear, has been communicated to employees and is enforced by the company.
• If monitoring is undertaken by a third party, for example, private investigators or a credit reference agency, ensure that the third party is aware that the subject of the monitoring is an employee.
• Include any policies relevant to monitoring together with the monitoring policy in staff information such as a staff handbook or the intranet.
• Tell employees what form monitoring will take and why it is being undertaken (note that covert monitoring is very hard to justify under the Data Protection Act and should only be undertaken if a crime is suspected and on the advice of the Police).
• Make sure that the communication process includes new starters and temporary workers.
• Introduce a retention policy for information obtained by monitoring. The Employment Code recommends a period not exceeding 6 months although this would need to be overridden where information was required to support a police prosecution.
The use of CCTV
The Information Commissioner has issued a CCTV Code of Practice setting out standards of good practice for the operation of closed circuit television schemes. These include required signage to warn data subjects that a CCTV scheme is in operation. Elements of suggested policies are given below. Monitoring in the workplace is the subject of one of the sections of the Employment Practices Data Protection Code issued by the Information Commissioner’s Office. It is assumed that any CCTV scheme in operation on business premises will record images of employees from time to time; therefore the requirements of the Employment Code are relevant here. The requirements of the Employment Code in relation to monitoring at work are explained in the general comments in this chapter on monitoring in the workplace. The Employment Code is relevant to CCTV schemes if the cameras record images of employees as well as of the public: for example, images of employees will be captured if the cameras are trained on the organization’s car park or cover the reception area. Note that the data controller in relation to a CCTV scheme is the organization responsible for the scheme. If the landlord is responsible for the scheme, the tenant will not be the data controller unless it has access to the images for its own purposes. The requirement to comply with the Code is the responsibility of the data controller.
REQUIRED WORDING FOR SIGNAGE
The signs should contain the following information:
1) The identity of the organization responsible for the operation of the CCTV.
2) The purposes for which CCTV is in use at the premises.
3) Details of how to contact the organization regarding the CCTV scheme.
For example – where an image of a camera is not used on a sign – the following wording is recommended:
Images are being monitored for the purposes of [‘crime prevention and public safety’ or ‘to prevent and detect crime’, for example]. This scheme is controlled by [name of organization]. For further information contact 01234-567-890
SUGGESTED POLICIES
Consider the following outline policies. Suggestions as to appropriate timescales are shown in square brackets.
Quality of images
All tapes should be checked for damage and quality of the images recorded at least [weekly]. Tapes should be replaced, regardless of condition, every [six months]. Any damaged tapes or tapes giving images of inferior quality should be replaced immediately. Images should be erased from tapes prior to disposal.
Physical security of the tapes
Tapes should be kept in a locked office out of office hours. During office hours the security arrangements should include, for example, holding tapes in locked filing cabinets in offices with restricted access to visitors and the public. Tapes should never be taken off business premises without the written approval of the individual designated by the organization as responsible for the CCTV scheme. When removal of tapes is approved, a formal receipt should be retained showing the date, identity and authority of the person removing the tape and the purpose for which it is being removed. A log should be kept of details relating to tapes removed from business premises. This should include the name and authority of the person taking the tape, the reason for its removal, the date and any other relevant circumstances.
Retention of CCTV images
Recorded images should be kept for no longer than [fourteen days] before the tapes are reused.
Disclosure of CCTV images
Employees are entitled to access to CCTV images of themselves in accordance with data subject rights under the Act. The police may be allowed access to CCTV images at the organization’s discretion and in accordance with its policy on disclosure of data if the request is relevant and made in writing. The courts can order the disclosure of tapes. Any organization which provides maintenance services or monitoring services in connection with the CCTV scheme may have access to CCTV images recorded. No other parties will be allowed access to the tapes.
SUGGESTED ACTIONS
• Document why CCTV is to be installed and what it is intended to do or prevent.
• Appoint one individual to be responsible for the day-to-day operation of CCTV and its compliance with the CCTV Code of Practice.
• When positioning the cameras, check that they pick up relevant images only (for example, avoiding staff rest areas if the CCTV is being introduced to monitor cash registers).
• If the cameras are intended to cover a public space, put up signs to warn the public that they are entering a zone covered by surveillance equipment. (See the notes on recommended signage).
• Establish and document CCTV policies.
CHAPTER
6 Staff training
Employers are under a statutory duty to ensure the reliability of staff whose jobs involve processing personal data. The Employment Practices Data Protection Code (Employment Code) suggests that this duty cannot be discharged simply by taking up references on employees or carrying out background checks. Appropriate action includes training for staff whose jobs bring them into contact with personal data. The existence of relevant and adequate policies and procedures will also demonstrate that the organization is using its best endeavours to comply with the Data Protection Principles and the Employment Code. In addition, the Employment Code suggests that the individual responsible for data protection compliance in HR should take action to brief those staff whose jobs involve the handling of employee personal data.¹ These include directors, senior managers, line managers and supervisors, trainers and those responsible for health and safety and facilities management. Throughout the Employment Code there are references to staff training and what should be covered. In summary it is recommended that the following need to be included as a minimum:
• Guidance on criminal offences contained in the Act, such as what constitutes unauthorized processing and how to avoid it.
• How deceit may be used to obtain information illegally from the organization.
• General guidelines for line managers identifying that they process employee personal data on behalf of the organization and their responsibilities.
• General guidelines on how to identify and action the exercise of subject rights.
• General guidelines on the operation of ‘Chinese walls’ for those staff whose jobs involve working for two or more companies or trustees.
• Employees’ rights of access to personal data and other rights.
CYCLE OF IMPROVEMENT
[Figure: the cycle of improvement – Policies and procedures → Training → Supervision and audit → back to Policies and procedures]
1. Employment Code, High level management, benchmarks 2 and 5.
Staff training
37
A cycle of improvement can be established: develop procedures to meet data protection requirements relevant to the issues being addressed; provide training for those staff whose jobs involve the handling of personal data, covering key aspects of data protection law and your house policies and procedures; finally, audit or supervise to ensure that the policies and procedures are followed in practice. Audit will reveal inadequacies in existing procedures which can be amended and adjusted in the light of audit findings, thus completing the cycle.
POLICIES AND PROCEDURES RELEVANT TO DATA PROTECTION
Most businesses will have a number of policies and procedures that are relevant to data protection, for example:
• Confidentiality of client and customer details.
• Office security – visitor sign-in requirements.
• Computer security – use of passwords and restricted access, screen savers.
• Paper file security – use of lockable filing cabinets, ‘clean desk’ policy.
• Homeworking policies.
• Laptop security.
These bring together some of the key aspects of data protection: confidentiality and security. In addition you will need procedures for handling the exercise of subject rights such as the right to access personal data relating to the data subject held by the business, the right to object to direct marketing, etc. The Employment Code recommends that serious breaches of data protection policies should be a disciplinary offence to give compliance its due importance to staff.²
TRAINING TO FAMILIARIZE AND REINFORCE POLICIES AND PROCEDURES
All new staff should undergo induction training in order to familiarize themselves with company rules and procedures. The interesting angle on data protection is that it benefits us all as individuals. We have rights as data subjects, and we are comforted by knowing that our affairs are handled confidentially by banks, building societies, doctors, opticians and so on. The Information Commissioner’s Office has produced a DVD for schools with the aim of educating young citizens in their data protection rights. This awareness of how data protection applies to employees as individuals can be reinforced by demonstrating how data protection applies to the organization and the effect this has on the employees carrying out their jobs. More training may be required for those staff whose work will bring them into contact with personal data: for example, those employed in the HR department, and those responsible for health and safety or employee benefits administration. If the HR function is decentralized, departmental supervisors probably need training to ensure that they handle personal data relating to employees in an appropriate manner. The Data Protection Act 1998 creates a number of criminal offences with liability for individual employees as well as the company, its directors and officers. Individuals who handle personal data should be made aware of the offences as well as of house policies and procedures governing the processing of personal data in the workplace.
2. Record Management, Management of data protection, benchmark 6.
Specialist training might be appropriate for specific industries such as credit reference agencies, financial services and the provision of health care and medical services. A risk assessment of personal data held to support the main business activities is a useful starting point. In particular, look to areas which process sensitive data. Training is an ongoing process; existing employees may need refresher training on the basic data protection issues relevant to their role. There will be a requirement for more training when employees change jobs within the organization or take on new responsibilities. The organization might benefit from some employees developing an advanced level of knowledge of data protection issues and the way these affect the different parts of the business. Over time, data protection policies and procedures will develop or undergo amendment to meet changing circumstances. Training will be given on new and amended policies and procedures and the compliance of staff with those policies and procedures audited in due course.
SUPERVISION AND AUDIT
Supervision and audit can provide feedback on the effectiveness of training material and indicate further training needs. In this way the cycle of continuous improvement is completed. Audit should be undertaken by a person independent of the training department – and preferably of the organization – in order to obtain an objective view. At this level the audit must include as wide a range of employees as possible, either by holding discussion groups or carrying out one-on-one interviews. This is the only sure way to find out what employees actually know about data protection and how it affects their jobs. Policies and procedures can be amended and adjusted to make them more effective and to incorporate actual scenarios that employees in the business face when handling personal data.
SUGGESTED ACTIONS
Provide:
• Induction training on data protection covering the most basic principles.
• Specialist training and supervision for those staff whose job involves personal data processing, preferably including some on the job training.
• Training on the use and abuse of employee personal data for line managers and supervisors etc.
• Information about data protection in staff handbooks, on the intranet, etc. for further reference including reference to applicable policies and procedures and whom to contact in the organization for further information and guidance.
Undertake:
• A regular audit of data protection issues generally to identify weaknesses in existing training material and further training needs.
A list of appropriate policies and procedures is suggested in Chapter 2. Below is a suggested briefing note for staff covering the day to day data protection issues they are likely to encounter:
Briefing Note
Data protection: Questions and answers for HR personnel
What is data protection?
The holding, using and processing of personal data in the United Kingdom is regulated by the Data Protection Act 1998. In the broadest terms, data protection is about the confidentiality and security of personal data and gives individuals certain rights including the right to access information relating to them held by companies, government bodies, medical trusts, etc. Personal data is information about a living individual (the ‘data subject’). It includes names, addresses, telephone numbers, etc. as well as opinions. The Data Protection Act 1998 sets out minimum standards of required behaviour when dealing with personal data. It also establishes the Office of the Information Commissioner, a kind of ombudsman for the handling of personal data.
Data protection and HR
Information relating to colleagues at work constitutes personal data. ‘Colleagues’ means employees, contractors, consultants and temporary workers.
Data protection principles
When using personal data relating to other company representatives and employees, businesses and clubs are required to act in accordance with the Data Protection Principles.
Access to personal data by data subjects
Businesses and clubs are under a legal obligation to allow a ‘data subject’ (the individual about whom personal data is held) access to the information relating to them on computers and in most manual files. There is a limited period (40 days) in which to respond to a data subject access request. It is important that any data subject access request is identified when made and reported immediately to [named individual].
Other rights
Individuals have other rights under the Act relating to the way in which their personal data is processed. Data protection issues will usually arise in connection with a complaint or grievance. Identifying these issues quickly will help to resolve them within the time limits set down by law.
How data protection law might affect you personally
Data protection law has always carried penalties for individuals (as well as businesses and clubs) who breach the provisions. These are some areas you should consider. The unauthorized obtaining or disclosure of personal data is a criminal offence. As a minimum, you should always check that anyone requesting information has the right to access it. Think twice before giving out contact details on request. As a rule, never give out home contact details. Instead, offer to contact the person yourself and ask them to contact the enquirer. Personal data should be treated confidentially and not used for any purpose other than communication and activities related to business affairs. In addition, personal data should be kept secure, which means putting files away in cabinets in the evening and if you take a break during the day. In general you should treat other people’s personal data as you would want them to treat your own. Remember also that normal legal rules such as libel apply to written documents; do not include opinions or personal comments which the data subject might find offensive.

Permitted disclosures
Some disclosures are required by law, and others are permitted because they are in accordance with HR activity and have been explained to employees. It is important to check the authority of anyone requesting access to personal data. The following guidelines may assist in responding to enquiries:
• DSS Benefits agencies, Inland Revenue, and Customs and Excise have authority under various Acts of Parliament to access information relating to individuals. Their request should be made in writing and quote the Act under which they derive their authority to gain access. Site visits should be prearranged and visitors should show you proof of identity.
• Requests for access to information from the police are complied with at the discretion of the organization. As a minimum, it is recommended that such requests be made in writing, setting out the reasons why the disclosure is requested and the full name of the police officer in charge of the case under investigation.
• Mortgage and housing related reference requests should be referred to the employee concerned for permission before the request is answered.
• Work-related reference requests should be referred to the employee concerned if they are still in employment. Reference requests for former employees may be answered so long as they are in writing. A reference is exempt from disclosure if an employee or ex-employee makes a data subject access request. However, this exemption ceases to apply once the reference has been sent out.
If you are in any doubt about whether or not to respond to a request for information relating to an employee or ex-employee, refer the request to whoever has responsibility for data protection compliance in the organization.

Unauthorized disclosures
The unauthorized disclosure of personal data is a criminal offence. To protect yourself as well as the organization, you should:
• Always check that anyone requesting information has the right to access it and check their identity.
• Think twice before giving out contact details on request.
• Make enquirers submit their request for access in writing, setting out the reasons why they require access and what authority they are claiming.
• Be aware that some people will use deception to try to access personal information, for example, some private investigators.
• Tell the employee when a request for access has been made; their permission to make the disclosure is sufficient authority to disclose the information requested.

Security of files and computers
Reasonable security measures must be in place to guard against the risk of personal data being accessed, altered or deleted without due authorization.
• In the office, make sure you operate a ‘clean desk’ policy; do not leave files on your desk if you go out to lunch or when you go home at night.
• Use a screen saver to mask personal data on your PC monitor when you leave your desk or if you are not working on your computer.
• Laptops and personal organizers must be backed up to computer files and databases (‘C’ drives) in the office at least weekly in order to ensure that personal data is as complete, accurate and as up to date as possible at all times.
• Personal data held on home PCs must be downloaded to computer files and databases (‘C’ drives) in the office at least once a month to ensure that personal data is as complete, accurate and as up to date as possible at all times.
CHAPTER
7 Outsourcing HR activities
A new statutory duty applies to employers who use service providers to process personal data on their behalf. An employer is a data controller in respect of personal data relating to its employees. If processing activity is outsourced – for example, using an external payroll service – the Data Protection Principles require the employer to enter into a written contract with the service provider incorporating specific terms relating to the security of the personal data to be processed. The employer is also required to check that the service provider provides adequate security for the personal data to be processed, both at the time of appointment and regularly thereafter. When inviting tenders for outsourced work, service providers should be asked about their policy on data protection and for details of their relevant security arrangements. On the new appointment of a service provider, the required terms and conditions should be incorporated into the contract between the organization and the service provider. Existing arrangements with service providers should be checked to identify those that involve the processing of personal data on behalf of the organization. Then the required contract terms should be incorporated into the existing contractual arrangements. At review meetings, or from time to time by letter, the organization should ask about security arrangements and any breaches of security, in order to meet its statutory obligations.
What is a data processor?
The definition in Section 1(1) of the Data Protection Act 1998 states that a data processor, ‘in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller’. The prime example of a data processor is an outsourced service provider such as a payroll service provider. The employer will send payroll data to the payroll service each month, and payslips will be generated and payments made into bank accounts on the due date. The payroll service provider has no interest in the personal data per se; it processes the data purely for the benefit of the data controller in return for remuneration. It acts solely on the instructions of the data controller; it probably has no discretion to act independently and no interest in doing so.

Another example of a data processor would be a registrar offering share registration services, processing shareholder personal data on behalf of a listed company. The registrar has no interest in processing the personal data except for the remuneration it receives from the company by so doing. The data is processed on behalf of the company and for its benefit.

In some cases an organization which provides a service does so both as data controller and data processor: for example, a training consultant will provide a training service to employees of a data controller. Personal data such as an employee’s name and role or job description will be sent to the trainer in advance of the training event, which the trainer will hold on behalf of the data controller and on his instructions. To a degree the trainer is acting as a data processor. However, a trainer will elicit more personal data from the employees during or after the training event, some of which will undoubtedly not be passed back to the data controller/employer. Therefore the training consultant is making decisions in relation to that additional personal data and acting as a data controller.

In yet other cases a service provider may be both data processor and joint data controller with the data controller: for example, a pension fund administrator will administer and manage a pension scheme on behalf of the pension scheme trustees. The administrator will act on the instructions of the trustees generally, but those instructions may be worded very widely so that the pension scheme administrator is making decisions relating to the data on a daily basis. In this scenario, the scheme trustees and the scheme administrator would be joint data controllers and the scheme administrator also a data processor on behalf of the trustees.
Identifying data processors
It is important that data controllers are able to identify their data processor(s) because of the statutory duty on the data controller to comply with the Seventh Principle. A data processor will be independent of the data controller – a third party – although it may be a sister or associated company in a group of companies. (Remember that employees of the data controller are not data processors as they constitute part of the data controller). A data processor which does not act as a data controller in relation to personal data is not subject to the Data Protection Principles in relation to that personal data. The only way the data processor can be regulated under the Act is via the agency of the data controller; hence the requirement for formal contracts obliging data processors to adhere to the Seventh Principle. Deciding whether or not a third party is a data processor is a matter of fact. The answers to the following questions will help a data controller to decide whether or not a party is a data processor:
• Does the party process personal data supplied by the data controller?
• Is the processing undertaken on behalf of or for the benefit of the data controller?
• What do the parties intend should happen to the personal data when the relationship between them ends? If the party is a data processor then personal data will either be returned to the data controller or its nominated representative or deleted. The data processor will have no further use for the data.
Queries to raise with existing and prospective service providers
Service providers should be advised that the relationship with the employer appears to be one involving the service provider in processing personal data on behalf of the employer. For reference the service provider will be known as a ‘data processor’ under the Act. The service provider should be given an opportunity to disagree with the assessment. Identifying service providers is not always straightforward, and it may be better if the parties try to reach agreement as to their respective roles and obligations.

It should be explained that the Data Protection Act 1998 places certain statutory duties on the organization to check the ongoing security arrangements of service providers. Useful information to be provided by the service provider would include:
• A statement of compliance with current data protection law.
• Such details of the service provider’s security arrangements as it is able to provide.
• Details as to how new employees are monitored.
• The controls within which new employees work to ensure that the service provider is satisfied as to their reliability.
• The actions taken by the service provider to comply with the increased compliance requirements of the 1998 Act.
• Confirmation that appropriate procedures are in place relating to the exercise of subject rights.
• Confirmation that all staff are given training on how to handle the exercise of subject rights.
• Confirmation that the service provider will advise the organization immediately should any data subject of personal data processed on its behalf exercise their subject rights.
CONTRACTUAL TERMS
It should be explained further that it is also a requirement of the Data Protection Act 1998 that specific clauses be introduced to the contract between organizations and their service providers. Suggested terms for inclusion are set out below. In addition to the clauses required by statute it may be useful to include a couple of additional ones. The first is to require the data processor to ensure that it passes on these obligations to any contractors it might use. The second is to require that any information reasonably requested by the organization will be supplied. This should enable regular checks on security arrangements to be undertaken. For example, if the service provider is regulated, then the organization might want to view any audit reports made by the regulator into the service provider’s business.
SUGGESTED TERMS FOR INCLUSION
To the extent that [the service provider] is a data processor within the meaning of the Data Protection Act 1998 it hereby undertakes:
• Only to act on instructions from [client] when processing personal data on your behalf.
• To comply with the Seventh Data Protection Principle in relation to the processing of personal data on [client’s] behalf.
• To ensure that equivalent obligations of security are imposed on any third-party service supplier to [the service provider] (‘subcontractors’) which process personal data on behalf of the [client].
• To report on security issues as may be required by the [client] from time to time.
SUGGESTED ACTIONS
• If the resource provider is a sister or associate company, ask whether the data protection implications of the arrangement have been considered. If not, provide them with a copy of the explanation letter. Note that contracts are required between group companies.
• If the service or resource provider is already providing services to the existing business, ask for a copy of the data protection compliance reports for the last three years (if any) and check that it covers the issues identified above as relevant to the relationship. If not (or there are no such reports), take up the queries directly with the service provider after discussion with contacts in the existing business.
• If the service or resource provider has not previously provided services to the organization, then send a letter setting out the suggested queries to raise with existing and prospective service providers, together with information about the proposed amendment to contract terms. If the arrangements have not yet commenced, then the appropriate time to raise the queries is during the tender process.
• On a continuing basis, make regular checks that the service supplier has an appropriate level of security for computer systems and paper files which relate to your organization. Ask whether there have been any breaches of security or confidentiality and, if so, what action(s) they have taken to avoid a recurrence.
CHAPTER
8 Employee benefits
Employee benefits and perks
This chapter highlights the different data protection issues that arise in connection with providing and administering employee benefits. The Principles apply to each function being undertaken and to each party involved. In particular, attention should be paid to the subject information provided to employees entitled to various benefits; some of the data protection issues can be overcome by explaining the circumstances to employees. Many benefits require the employee to complete a ‘membership application form’ of some description. A form is the ideal location to provide specific subject information. Particular care is needed where administration is outsourced, and the production of appropriate and lawful paperwork may be beyond the direct control of the employer. A further compliance issue is that where parties involved in HR activity are outsource service providers, the Seventh Principle applies to make formal contractual arrangements and continuing security checks on the service provider a necessity. It is important to identify these relationships and deal with them correctly. (See Chapter 7).
DIFFERENT BENEFITS AND COMMON PROBLEMS

Medical insurance
Medical insurance pays for private medical treatment for the employee and possibly his or her family members. In some schemes the employer designates a member of staff to authorize claims on the scheme. Claim forms obviously require details of the claimant and the medical condition provided by the employee and possibly their medical practitioner. All this personal data is disclosed to the designated person for authorization of the claim on behalf of the employer. Ostensibly the reason for this disclosure is to verify the identity of the claimant and their entitlement to claim. In fact, it constitutes an invasion of privacy to require the medical condition to be disclosed to the employer; other ways could easily be found to verify the claimant’s identity and the employer should really have no ongoing involvement in the claim. The practice is in breach of the Principles. Principle Two requires that personal data be adequate, relevant and not excessive for the purpose for which it is processed. Disclosure of a medical condition to the employer as part of the claims process is intrusive and probably breaches the Human Rights Act by its lack of respect for an individual’s private life. Breaches of law constitute contravention of the First Principle, which requires that personal data be processed lawfully. The situation is aggravated when a claim relates to a spouse or other dependant of the employee. The claimant’s medical details are disclosed to the employee as well as their employer without any real justification.

The Employment Code recommends that if the employer takes on the role of the broker or one of its officers acts as group secretary for a private medical insurance scheme, any personal data processed should be kept to a minimum. Access to the information should be limited and not used for general employment purposes.[1] Information provided to the employer at renewal may also be excessive. The employer needs to know the total claims made during the period of insurance and possibly to have a breakdown of high-value individual claims. However, it is submitted that the employer should not be able to identify claimants from the information provided, which is routinely the case.
Permanent health insurance
Permanent health insurance pays monthly compensation to a worker who is no longer able to continue in employment due to illness or injury. It is designed to replace salary for the remainder of the individual’s working life. The main issue here is the disclosure of personal data between employer and permanent health insurance provider. Pension scheme trustees may also become involved. As an individual worker is diagnosed as unable to continue working, one or more individuals (possibly within the HR department) will start to explore the different financial options to allow that worker to leave employment with a compensatory package. Care needs to be taken to ensure that personal data is not disclosed between the parties except as strictly necessary. This is a situation where a clear warning to employees that their personal data will be shared between the parties (in this case the employer, the insurance company, and the pension scheme trustees) avoids the issue and illustrates the value of appropriate and well thought out subject information. Also, the employer should ensure that one or more of the conditions for fair processing of sensitive data is met.
Occupational health screening
Occupational health screening involves medical checks on workers specifically to identify the early symptoms of illnesses or injuries common to a particular industry. The issue here is that personal data supplied in relation to occupational health screening must not be used for the purposes of employee administration. The health screening may show that a particular worker has a tendency towards a particular health problem, but the employer must not allow that to influence them by discriminating against that employee. Ideally the results of screening should not be made available to the employer except in anonymized form for statistical analysis. The individual employee should be advised of any problems specific to them and allowed to take the matter further with the employer or not at their discretion. Care needs to be taken to ensure that personal data is not disclosed between the parties except as strictly necessary. The employer should also ensure that one or more of the conditions for the fair processing of sensitive data is met as medical data is disclosed to it.
Company car
If fleet management is outsourced, it is likely that the service provider will be processing personal data relating to employees who have company cars and is thereby acting as a data processor. Ensure that the employer is meeting its statutory obligation to check that the service provider has adequate security arrangements in place. It is a statutory requirement that two specific clauses be incorporated into the agreement between the employer and the service provider. For a full explanation, see Chapters 7 and 20. If the use of company vehicles is monitored, make sure that the requirements of the Employment Practices Data Protection Code are observed. (See, further, Chapter 5).

[1] Record Keeping, Pensions and insurance, benchmark 4.
Share option schemes
A ‘Save As You Earn’ share option scheme allows individual employees to make regular savings which may be applied against the purchase price of a predetermined number of shares in the company at the expiry of a set period, usually five years. Although the operation of a share option scheme involves the employing company, the listed company in the group and a building society, all parties act in the capacity of data controller rather than one or more processing personal data on behalf of the other(s). The employing company notifies workers of the terms of the scheme and provides building society application forms and company share scheme membership application forms for completion and return. These forms are used by the building society and the listed company (or its registrar) respectively to set up membership records. Neither party is acting on behalf of another; in both cases the relationship with the employee is a direct one. In some cases the employer may allow either the building society or the listed company (if this is a different entity to the employer) to publicize the scheme using personal data. This would be the case where the building society or listed company undertakes a personalized mailing to employees inviting them to join the scheme. This necessarily involves the transfer of employee personal data from the employer to the party undertaking the mailing and may be deemed to be processing on behalf of the employer. In this case the employer is under a statutory obligation to check the service provider’s security arrangements and to incorporate two specific clauses into its contract with the service provider. (For a full explanation, see Chapters 7 and 20).
SUGGESTED ACTIONS
• Identify all employee benefits. Your list might include: medical insurance, permanent health insurance, occupational health screening, company car, share option schemes.
• Identify any third parties involved in the administration of benefits. Remember that pension scheme trustees are not the same legal entity as the employer; they are a third party for the purposes of data protection.
• Check that outsourced service providers comply with the security arrangements and that they are regulated by contracts containing the appropriate clauses. (See Chapters 7 and 20).
• Check that appropriate subject information is provided to employees in all cases. (See page 13).
• Consider what personal data is passed between the employer and the benefit provider or administrator at all stages. Check that it is adequate, relevant and not excessive and that personal data obtained for purposes linked with the administration of benefits is not also used for the purposes of personnel administration.
• If sensitive data (for example, details of illness or injury) is being processed, check that one or more of the conditions for fair processing are being met. (See page 16).
Crèches

PERSONAL DATA AND SENSITIVE DATA
A crèche facility will hold a lot of personal data, including much that is sensitive. The details of other family members, doctors and persons authorized (and not authorized) to collect individuals from the crèche are needed to ensure the children’s safety and well-being. The First Principle requires that all data subjects be given specified information about the crèche operator, the purposes for which personal data is required and any other relevant information. See page 13 for a full explanation of the requirements. The mechanics of the First Principle are explained in Chapter 14. It is likely that records relating to the crèche will include medical details relating to the children: for example, those concerning required medication and any medical conditions or allergies. This is sensitive data, and its processing must meet one or more of the conditions for fair processing. See page 16 for more information about the requirements for processing of sensitive data. In addition, it is a requirement that employees in the crèche facility are vetted to ensure they do not have a criminal record. This is also sensitive data, in this case relating to the crèche’s employees. The processing of all of these categories of sensitive data should be authorized by reference to one or more of the conditions for fair processing of sensitive data. (See, further, Chapter 3). A further point is that any and all data must be disclosed to the social services on request. They have a statutory right to view any information on a site visit or inspection.
RECORD-KEEPING
The Data Protection Principles encourage good record management practices. This means having an appropriate document retention policy for paperwork and computer files relating to the children in the crèche, prospective attendees, their parents and other third parties. Appropriate retention periods should take into account the purposes for which the information is required and any legal obligations, such as the duty to disclose information to the social services or local authorities. Once clear operational requirements – in this case, crèche administration – and legal requirements have been identified, appropriate record retention periods should be documented and enforced. Personal data which is no longer required should be disposed of securely. Many of the records relating to the crèche will contain confidential information and sensitive data. Therefore appropriately high levels of security should apply to the destruction of paper files and the deletion of computer records that are no longer required. Records that are in use should also be adequately protected against unauthorized access or tampering. Chapter 20 suggests some of the actions that may be taken to establish and improve security arrangements; however, it is likely that crèche premises will be reasonably secure due to the need to keep children safe from intruders.
SUGGESTED ACTIONS
• Introduce a document retention policy or check that any existing policy is adequate and reasonable.
• Check that arrangements for the disposal of information that is no longer required are secure.
• Revisit page 13 and introduce data subject information to key documents, particularly any forms or questionnaires where personal data is requested.
• Check that one or more of the conditions for the fair processing of sensitive data is being met.
• Check the security of documents and computer files relating to the crèche. Bear in mind that this is possibly the most confidential information the organization holds.
Pension schemes
Pension scheme trustees will need data protection advice as much as employers. The operation of a pension scheme is a notifiable activity, so the trustee body should be registered for data protection. Pension scheme administration arrangements need to be reviewed for compliance in the same way that other HR issues are reviewed. All the same issues apply. The pension scheme trustee body is not the same legal entity as the employer and must be dealt with at arm’s length by the employer. This applies particularly when disclosing personal data between the employer and the trustees. In many cases the trustees rely on the employing company to undertake routine administration on their behalf. If this involves the processing of personal data (which it almost certainly will), the employer is acting as an outsource service provider to the trustees and a contract is needed to govern the relationship between the data controller (the trustees) and the data processor (the company). (See Chapter 7). In addition, staff in HR who undertake administrative tasks on behalf of the trustees should be made aware that when doing so they are acting on behalf of a third party. ‘Chinese walls’ are required to prevent the leakage of personal data held for employment purposes to the trustees and the leakage of personal data held by the trustees for scheme administration purposes to the employer.[2] (‘Chinese walls’ are protocols within the organization which operate so that ‘known’ facts in one department are kept confidential from other departments. They may also apply within a department so that information used for one purpose by a member of the HR team is kept confidential and not applied for another purpose even though the same team member might be involved).
OUTSOURCING PENSION SCHEME ADMINISTRATION
Pension scheme administration is often outsourced. As scheme administration involves the processing of personal data, the trustees are under a statutory duty to check the security arrangements for personal data processed by the pension scheme administrators. They are also required to incorporate specific clauses into the contractual arrangements between themselves as trustees and the administrators. (See Chapter 7 and, in Part II, Chapter 20).

[2] Employment Practices Data Protection Code, Record-keeping – Pensions and insurance, benchmarks 1 and 3.
DEED OF WISH FORMS
An interesting issue arises in connection with deed of wish forms. These require the pension scheme member to provide personal data relating to third parties. In this case, the third parties are the beneficiaries of the member in the event of their death. In theory the trustees should provide subject information to beneficiaries. Trustees should notify beneficiaries that their personal data has been disclosed to the company’s pension scheme trustees in connection with pension arrangements. This raises problems for the trustees of communicating with beneficiaries in an appropriate way, which must be via the scheme member. Furthermore, the scheme member may not wish their beneficiaries to be aware that they are beneficiaries. A practical solution and a preferable alternative may be to require the deed of wish form to be supplied by the member in a sealed envelope. In this way the trustees and/or employer are not involved in processing ‘personal data’ as the sealed envelope does not identify the beneficiary data subjects.
SUGGESTED ACTIONS
• Ensure that the trustee body is registered for data protection. (See Chapter 23).
• Identify all personal data processing undertaken by, or on behalf of, the scheme trustees.
• Ensure that appropriate subject information is in place for scheme members, prospective members, pensioners and pension visitors.
• Identify any third parties involved in processing personal data on behalf of the scheme trustees – including the employer – and put contracts in place. (See Chapter 7).
• Check the relevance and adequacy of any information requested by the scheme trustees: for example, on the pension scheme membership application form and the beneficiary form (the deed of wish).
• Check that security arrangements for personal data relating to the scheme are adequate.
• If the trustees process sensitive data (for example, relating to the health of scheme members), ensure that a condition for the fair processing of sensitive data is being met. (See page 16).
• Provide training and procedures for HR staff who handle administrative tasks on behalf of the trustees so that they understand the trustees are a body separate from the employer and that there is a need for ‘Chinese walls’ between the two parties.
Social clubs and work in the community
SOCIAL CLUBS
Some employers provide social facilities for employees or allow work facilities to be used for the promotion of social clubs and activities. There is likely to be less formality about arrangements for obtaining personal data in connection with social clubs and activities, such as a notice on the staff noticeboard for employees to ‘sign up for next week’s trip to the brewery’ etc.
It is arguable to what extent the employer is responsible for the compliance of, say, an in-house football team’s personal data-processing activities. However, the indications are that the Commissioner would consider that the employer owes a duty to its employees to protect them from misuse of their personal data. Tolerating the use of its facilities to publicize events means that the employer probably is responsible, and certainly would be if social activities were encouraged by the employer as a staff ‘perk’. A prudent employer should therefore take steps to educate social club secretaries in basic data protection law, for example to instruct them that personal data relating to social club members should not be used in ways inconsistent with the purposes for which it was obtained, or be disclosed without authority, retained for longer than is necessary, etc. A relatively simple way to achieve this is to provide social club secretaries (formal and informal secretaries) with guidelines as to expected behaviour when processing personal data on company equipment and/or in company time. The issues the employer should seek to cover might include:
• The use of company facilities to promote social activities for staff organized by individuals or groups of staff with common interests (such as promoting a football or netball team, arranging days out and arranging charity events) so long as this does not interfere with company business.
• Awareness that involvement in a social club and arranging social activities involves the processing of personal data relating to colleagues. Names and contact details (even where this is a work telephone extension number or e-mail address) constitute personal data.
• Awareness that data protection law sets standards for the correct use of personal data and that those involved in social clubs and arranging social activities are expected to observe the Data Protection Principles.
• The importance of the security of any records containing personal data.
• A reminder of the general embargo on sourcing personal data from the HR department. Personal data required to administer the social club should be obtained direct from the members or participants.
• The importance of explaining to members and prospective members why the information is required.
• That the aim should be to hold the minimum information in each case.
• A complaints procedure, possibly with the company or head of HR as final arbiter.
WORK IN THE COMMUNITY
Many employers encourage staff to undertake work in the community, notably in relation to schools and helping to promote educational aims and objectives. Usually the employer encourages staff to participate in organized schemes and a scheme organizer is involved in carrying out any vetting required. Remember that there will be police checks for those who work with children and young people. The records of employees who participate in such events constitute personal data, and the Principles apply. As a prudent employer it is worth checking that the organizer provides appropriate subject information, that conditions are being met for the processing of sensitive data where this is the case, and that processing is undertaken in accordance with the Principles.
SUGGESTED ACTIONS
• Provide guidelines to social club or event organizers about the correct use of personal data.
• Check that any schemes involving work in the community have considered data protection issues in relation to the scheme. In particular, check:
  – that subject information is provided to prospective participants and that it is adequate and appropriate in the circumstances
  – that any vetting required prior to joining the scheme is fully explained to prospective participants on first contact with the scheme organizers.
CHAPTER
9 Corporate issues
Acting as a service company to a trading group
By virtue of the Seventh Data Protection Principle, companies which subcontract or outsource any of their personal data processing activities are required to enter into written contracts with their subcontractors and outsource service suppliers, and these contracts should include two specific data protection terms. Unfortunately, as data protection law does not recognize trading groups of companies, this means that companies in a group are treated as independent parties. So if a group contains one or more employing companies which employ staff on behalf of the other trading companies, the relationship between the employing companies and the other trading companies is seen as one to which the Seventh Principle will apply. In essence, the trading companies have outsourced HR activities to another company in the group. The employing company provides staff and undertakes data processing on behalf of the trading companies. The employing company is a data processor; the trading company is a data controller in respect of personal data processed as part of its business.
A similar situation arises where computer equipment is deemed to be owned by one or more companies in a group for accounting purposes. Those trading companies which process personal data on the computers are in principle outsourcing the processing to the company which is deemed to own the computer equipment.
The contractual requirement arises from the Seventh Principle and the statutory duty is set out in Schedule 1 to the Act, Part II, which deals with the interpretation of the Principles. Where the Seventh Principle applies, two issues must be covered in the contract. The first is to ensure that any outsourced service suppliers and subcontractors (‘data processors’) are contractually bound to act only on instructions from the trading company (‘data controller’) when processing personal data supplied by the data controller. The second is to comply with obligations equivalent to those imposed on the data controller by the Seventh Data Protection Principle. The Seventh Principle relates to security and states: ‘Appropriate technological and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
REQUIRED CONTRACTUAL TERMS
Issues to be covered are:
• That the service company will only act on instructions from the trading company when processing personal data on its behalf;
• That the service company will comply with the Seventh Data Protection Principle in relation to the processing of personal data on behalf of the trading company.
It might be possible to meet the contractual requirement of the Seventh Principle by all relevant parties entering into one master agreement. All parties (employing company(ies), computer equipment owners, the ‘data processors’ and trading companies, the ‘data controllers’) would need to sign the agreement. Otherwise separate agreements will be required between each data controller and its data processor(s).
SUGGESTED ACTIONS
• Identify the employing company(ies) in the group.
• Identify the trading company(ies) in the group.
• Put in place contracts between the employing company (the ‘data processor’) and the trading companies (the ‘data controllers’) incorporating the terms set out above.
Issues for international groups of companies
The Eighth Data Protection Principle acts as a blanket prohibition on the transfer of personal data to territories outside the European Economic Area unless there is a presumption of adequacy in relation to the data protection law in that territory. There is provision in the EC Directive for territories outside the EEA with their own data protection laws to be deemed adequate for the transfer of personal data. To date Switzerland, Hungary and Canada have been found to meet the adequacy criteria. Therefore all transfers of personal data within the EEA and to Switzerland, Hungary and Canada are lawful. The EC has also approved the Safe Harbor arrangements in the United States. Safe Harbor offers adequacy at company level. A company based in the United States has to subscribe voluntarily to the arrangement which involves federal regulation. Any company that subscribes is deemed to provide adequate protection for the rights and freedoms of data subjects, and transfers of personal data to that company are lawful.
If an intended recipient of personal data is located in a territory outside the EEA and it is neither in one of the approved countries nor a subscriber in the United States to Safe Harbor, the following options are ordinarily available to legitimize the transfer:
• Consent of the data subject.
• Transfers made pursuant to (or to facilitate) a contract to which the data subject is a party.
• Transfers made pursuant to a contract which is for the benefit of the data subject.
• Transfer taking place on contract terms approved by the EC as providing adequate protection for the rights and freedoms of data subjects. Standard terms are available on the EC Commission web site.1
These options are exemptions (among others) set out in Schedule 4 to the Act. Unfortunately these options do not wholly meet the need either in relation to transfers of employee data to parent companies or to other recipients located outside the EEA. This is primarily because consent is not reliable in the HR context. There is a view that an employee cannot freely give consent to their employer because of the inherent pressure in the relationship on the employee to consent to actions of the employer. The Information Commissioner subscribes to this view. Organizations which seek to rely on consent obtained from employees will find that consent challenged. Alternative arrangements should be sought immediately. (For a full commentary on the issue of consent in the employer/employee relationship see page 21).
Where an organization is part of an international group some transfer of employee personal data outside the EEA is bound to occur. The use of international telephone directories and e-mail address directories involves the disclosure and transfer of personal data. The transfer of employee personal data is particularly likely if the organization’s head office is located outside the EEA. The exemption applying to transfers pursuant to a contract or to facilitate a contract with the data subject may apply to some routine disclosure of employee personal data for HR purposes. Transfers may be made pursuant to the employee’s contract of employment: for example, the approval of contractual bonus payments or decisions relating to dismissal where this is part of the documented disciplinary procedure etc. However, that exemption will not cover non-contractual obligations such as international recruitment and selection or a redundancy programme. If none of the conditions in Schedule 4 apply – which is the case in relation to some HR disclosures to a parent company and all disclosures to a recipient in relation to a joint venture, merger or acquisition – consideration may be given to using contractual terms.
1. http://www.europa.eu.int/comm/internal_market/en/dataprot/news/clauses2faq.htm.
Prescribed contract terms have been approved by the EC as providing adequate protection for personal data transferred to countries where inadequate data protection law exists. The contract should be entered into by the intended recipient of the personal data and the employer. The approved terms are lengthy and may not be acceptable to the parties. They are not particularly appropriate to the relationship between parent and subsidiary company. In relation to parent companies, the employer will have a continuing relationship with its parent to protect. The relationship will also mean that the subsidiary will have prior experience of the integrity of the parent organization. An international group of companies may also have international standards of data handling, security and confidentiality with which the UK-based employer will be familiar. Therefore it is suggested that it would be more appropriate to follow the adequacy test in relation to intra-group transfers. The adequacy test is a process whereby a data controller in the United Kingdom assesses the adequacy of data protection in the country where the intended recipient of the personal data is located. The process is long and involved, requiring research to be undertaken and a judgement made at the end of the process. As extra security for the transfer, and to focus attention on the data protection issues involved in a transfer of employee personal data, it is recommended that the transfer be undertaken on the terms set out below.
SUGGESTED TERMS OF TRANSFER
Where the intended recipient of the personal data is unable or unwilling to enter into a contract relating to the supply of personal data on the terms approved by the European Commission, it is nevertheless recommended that some form of agreement accompany any transfer which is undertaken based on a self-assessment of adequacy.
Issues to cover include:
• A restriction on the purposes for which the recipient may process the personal data.
• A prohibition on the processing of personal data for specific activities such as marketing, or onward disclosure to third parties.
• A requirement to ensure that all reasonable security measures are in place for systems and that staff whose jobs involve handling the personal data have adequate training in confidentiality and security issues.
• A requirement that the personal data be deleted, destroyed or returned to the sender when the recipient has concluded its processing activity.
SUGGESTED ACTIONS
• Identify the purposes for which transfers of employee personal data outside the EEA are made.
• Identify the parties to whom employee data will be disclosed.
• If the purpose is routine HR administration which a parent company located overseas requires for management planning or budgets, depersonalize or anonymize the data.
• If the purpose is to approve or make decisions affecting individual employees (for example, bonus payments, promotion, dismissal, international recruitment and selection), anonymized data will not meet the need. In this case check that the employees affected are aware that their personal data is to be transferred to the parent company for specific purposes and incorporate the contract terms approved by the EC (see below).
• If the disclosure is in relation to a joint venture, merger or acquisition, check that the employees affected are aware that their personal data is to be transferred for this purpose and follow the contractual terms point below.
• Suggest that the intended recipient enter into a contract in the terms approved by the EC for the transfer of personal data outside the EEA. The terms can be found at the relevant web site.2 If this is not possible then follow the adequacy test below.
ADEQUACY TEST
• Find out about and document the data protection laws in effect in the country where the recipient of the personal data is located.3 Alternatively you might ask the intended recipient of the personal data for information.
• Find out and document whether or not the intended recipient of the personal data is a member of any professional body or subscribes to a code of conduct or practice which includes the need for confidentiality when dealing with personal data. Ask the recipient if you are unsure, but all professional bodies will have a code of conduct.
• You should have some knowledge of the recipient’s security arrangements, whether or not computer systems meet international standards, what internal policies and procedures protect confidentiality of personal data, etc. Document this also. If you have no prior knowledge of the intended recipient, ask for information on all the above issues.
• Consider the confidentiality of the personal data involved and whether or not it is ‘sensitive data’. Consider and document your view as to the likely harm which would result from unauthorized destruction or disclosure of the data.
• Check with other European offices (if any) as to their practice regarding the disclosure of employee data to a parent or other recipient located outside the EEA.
• Given the information you have collected in response to the points raised above, make a judgement as to whether or not you personally consider the transfer provides adequate safeguards for the personal data given its confidentiality etc.
• If you are personally satisfied as to the security of the data and the integrity of the transferee, make the transfer on terms such as the suggested ones set out above.
• Document the process you have gone through, the checks undertaken and the reasons why you finally made the decision to transfer/not to transfer the personal data outside the EEA.
2. http://www.europa.eu.int/comm/internal_market/en/dataprot/news/clauses2faq.htm.
3. The privately owned web site at www.privacyinternational.org/survey gives details of the state of data protection law in countries around the world.
Joint ventures, mergers and acquisitions
The thorniest data protection issues arise prior to a merger or joint venture transaction. In preliminary discussions it may be necessary to disclose some personal data relating to key employees. Subject information provided to employees may not cover the processing of employee personal data for a purpose other than employment administration. Disclosure in connection with a proposed merger or joint venture cannot truly be classified as routine employment administration. So, unless the employees have been advised previously (via subject information) that this might occur, no personal data may be disclosed without telling them first. This might not be convenient if discussions are secret or at a delicate stage.
There is an exemption from subject information provisions where disclosure would involve revealing price-sensitive information (the ‘Corporate Finance exemption’). Obviously some mergers and acquisitions will be able to rely on that exemption. The Corporate Finance exemption will also be an effective means of restricting the disclosure of personal data to a data subject who makes a subject access request during the period of embargo. Only the information which would reveal that negotiations are under way may be withheld; other personal data should be supplied in accordance with the subject access provisions.
There is also an exemption in relation to management forecasts and management planning. To the extent that meeting the subject information provisions would be likely to prejudice the conduct of the business or other activity of the organization, personal data processed for management planning purposes is exempt from subject information provisions. However, it may be stretching the point to try to argue that the disclosure of employee personal data to a prospective acquirer is required for management planning purposes.
For smaller, private companies, the only other option is to depersonalize or anonymize personal data before disclosure. Nevertheless, caution is still required when dealing with key employees. Personal data relating to the ‘Finance Director’, for example, will identify the individual as clearly as their name. Hopefully the finance director will be one of the few who are in the know about the proposed transaction.
Once the transaction is in the public domain, employees may be informed that their personal data will be disclosed in connection with the proposed transaction. As the disclosure may still represent processing for a new purpose, employees should be asked for their consent to the disclosure. As the transaction proceeds care should be exercised in relation to the personal data disclosed. The target organization should be selective about the information it provides. Personnel records should not be provided in full as it would be difficult to justify such wide disclosure; only relevant information should be provided. All personal data disclosed should be subject to a duty of confidentiality binding the acquirer and its advisers. There should also be a prohibition on the further disclosure of personal data supplied in connection with the proposed transaction, and the processing of the data should be restricted to purposes of evaluating the assets and liabilities of the target organization. On completion of the transfer or acquisition, all parties’ notifications on the Data Protection Register should be reviewed as there may be changes to be notified. In addition, newly acquired personnel files should be checked for compliance with the Principles as recommended in the Employment Practices Data Protection Code.
SUGGESTED ACTIONS These action points are written from the perspective of the organization making the disclosure of personal data. You may need to adapt them according to your organization’s role in the transaction.
In preliminary discussions
• Ensure that an appropriate confidentiality clause has been signed to protect any personal data that might be disclosed. In particular, place a prohibition on the processing of such data for any purpose other than assessing the value of the assets and liabilities of the proposed transaction.
• Identify those persons and companies to which the personal data will be disclosed: for example, the interested party, its professional advisers, bankers, etc. Restrict the onward disclosure of any personal data supplied to these third parties on a ‘need to know’ basis.
• If any of the parties are located outside the EEA, any transfer of personal data will be subject to the Eighth Principle. (See page 55).
• If any personal data is to be disclosed at this stage, check that the employing company has given employees appropriate data subject information notices to explain that disclosure for these purposes may occur. If employees are not aware that their personal data might be disclosed in such circumstances and this personal data cannot be anonymized completely, explain the situation to them and obtain their consent before making any disclosure.
• Check that any personal data to be disclosed to a third party – for example, by inclusion in a data room – is anonymized as far as possible. If anonymized data is not sufficient for the purposes of the third party, find out why, assess the reasonableness of the request and document the reasons before making the disclosure.
• As personal data is disclosed ensure that it is duly marked as confidential and only disclose such information as is required, i.e. do not disclose complete HR files but select only relevant material.
As the project continues beyond preliminary discussion stage
• Ensure that appropriate confidentiality requirements continue to apply to protect any personal data that might be disclosed/obtained.
• Continue to check that personal data supplied is relevant and not excessive, and supply anonymized data wherever possible.
• Continue to check any requests for access to employee data for reasonableness and log such requests.
At any time during discussions and negotiations
If at any time the transaction under consideration is one which could have an impact on the price of any financial instrument (i.e. price-sensitive information), then information relating to the proposed transaction need not be disclosed if a data subject makes a subject access request.
On completion of the transaction
• Check the terms of all parties’ notifications on the Data Protection Register.
• Check all newly acquired HR files for compliance with the Principles in relation to the adequacy and relevance of the material held.
CHAPTER
10 Employee administration
Record keeping
Most of the Data Protection Principles impact on record-keeping. The obligations to keep personal data up to date, to ensure that only relevant data is processed and to keep personal data secure are all directly applicable to record-keeping.
THE NEED FOR A DOCUMENT RETENTION POLICY
The key to keeping records compliant with the Principles is a robust, policed, document retention policy. Note that the draft Employment Practices Data Protection Code suggested maximum document retention periods for HR records. The final version of the Employment Code omits the table set out below in favour of recommending that employers select and document their own retention policy appropriate to their industry and practices. However, the table from the Draft Employment Code is a useful starting point and gives an indication of what the Information Commissioner’s Office would consider reasonable in normal circumstances. If there are specific business reasons to support longer or shorter retention periods than those set out below, document those reasons.
When considering document retention, computer files as well as paper files need to be considered. Ensure that computer systems allow personal data to be deleted permanently. Some systems have the facility for automatic purging guidelines to be built into the record-keeping system, which is impressive so long as there is provision for a manual override when required.
The basis of a document retention policy – Table from the Draft Employment Code

| Document | Suggested period of retention (see note) | Keep or delete on employee leaving |
|---|---|---|
| Application form | Duration of employment | Delete/destroy |
| References | 1 year | Delete/destroy |
| Payroll and tax information | 6 years | Keep 6 years |
| Sickness records | 3 years | Delete/destroy |
| Annual leave records | 2 years | Delete/destroy |
| Unpaid leave/special leave records | 3 years | Delete/destroy |
| Annual appraisal/assessment records | 5 years | Delete/destroy |
| Records relating to promotion, transfer, training, disciplinary matters | 1 year from end of employment | Keep 1 year |
| References given/information supporting the reference | 5 years from giving reference | Keep 5 years from giving reference |
| Summary of record of service such as name, position held, dates of employment | 10 years from end of employment | Keep 10 years |
| Records relating to accident or injury at work | 12 years | Keep 12 years |
The Employment Code features an entire section devoted to record-keeping.1 Among the recommendations, here are some of the key ones not covered elsewhere:
• Employee personal data should be checked periodically by data subjects to ensure that it is up to date and accurate.2
• Anonymize any data about workers and former workers where practicable.3
• If the holding of any information on criminal convictions of workers is justified, ensure that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of Offenders Act.4
DISCIPLINARY, GRIEVANCE AND DISMISSAL
The Employment Code makes a series of recommendations in relation to record-keeping in these circumstances.5 In particular, it is emphasized that the Data Protection Act 1998 applies to personal data processed in relation to disciplinary, grievance and dismissal proceedings. It is recommended that employee personal data is not accessed or used merely because it might have some relevance to a disciplinary or grievance investigation if access or use would be either:
• Incompatible with the purpose(s) for which it was obtained, or
• Disproportionate to the seriousness of the matter under investigation.6
Records should be accurate, so the reason for termination of employment must be accurately recorded and accord with what the employee was told was the reason for termination. To keep files up to date there should be procedures on how ‘spent’ disciplinary warnings are handled.
EQUAL OPPORTUNITIES MONITORING
The Employment Code makes a series of recommendations about the obtaining and processing of information about a worker’s ethnic origin, disability or religion.7 Personal data falling into these categories is sensitive data. Therefore the employer should ensure that equal opportunities monitoring satisfies one or more of the conditions for the fair processing of sensitive data set out in Schedule 3 to the Act. There is a condition which specifically relates to legitimate equal opportunities monitoring, so this is not a problem. The Employment Code recommends that sensitive data processed for purposes of equal opportunities monitoring should be maintained in anonymized form where practicable. In many instances, information held for monitoring equal opportunities does not need to identify individual workers.
1. Record Management.
2. Record Management, benchmark 4.
3. Record Management, Retention of records, benchmark 2.
4. Record Management, Retention of records, benchmark 3.
5. Record Management, Disciplinary, grievance and dismissal proceedings.
6. Disciplinary, grievance and dismissal proceedings, benchmark 2.
7. Record Management, Equal opportunities monitoring, benchmarks 1 to 4.
FRAUD PREVENTION
The Employment Code makes a series of recommendations relating to the use of employee personal data for purposes of fraud prevention.8 Some public employers will undertake ‘matching’ exercises with employee personal data against lists of persons in rent arrears, for example. The recommendations include consultation with trade unions or other worker representatives before starting a data-matching exercise. Any legitimate concerns raised in consultation should be followed up and any appropriate action taken before starting the exercise. The Employment Code also recommends that employees are reminded of the fact that the employer undertakes fraud prevention exercises from time to time. This is in addition to the requirement to provide subject information as required by the First Principle. Employee personal data should not be disclosed to other organizations for the prevention or detection of fraud9 unless:
• You are required by law to make the disclosure, or
• You believe that failure to disclose, in a particular instance, is likely to prejudice the prevention or detection of crime, or
• The disclosure is provided for in workers’ contracts of employment.
SUGGESTED ACTIONS
• Adopt a sensible document retention policy.
• Anonymize personal data used for statistical and equal opportunities monitoring purposes so that individuals cannot be identified.
• Read the guidance on security in Chapter 20.
Disclosure and publication of employee personal data
DISCLOSURES
Employers are routinely approached for information relating to their employees. All such requests involve the disclosure of personal data relating to the employee concerned. Simply confirming that a particular individual is employed by the company constitutes personal data relating to that individual.
8. Record Keeping, Fraud prevention, benchmarks 1 to 3.
9. Fraud prevention, benchmark 3.
Most requests are genuine and justifiable; however, some will be attempts to elicit personal data by deceit. The employer is under an obligation to make staff aware of this, particularly those working in HR who are responsible for the handling of employee personal data. Disclosures of employee personal data fall into three main categories: 1) Those disclosures required by law such as sharing information with the Inland Revenue, National Insurance contributions agency, Child Support Agency, etc. 2) Those made at the request of the data subject, for example providing a reference for a mortgage application, to a new employer or to ‘whom it may concern’. 3) Other, probably non-routine, requests from outside agencies such as solicitors and other interested parties. Obviously, disclosures required by law must be made subject to verification that the request is genuine. A disclosure requested by the data subject should be made in accordance with company policy, and will probably be made openly so that the employee is aware of its content. In particular, references to be provided to new or prospective employers are the subject of a series of recommendations in the Employment Code.10 This recommends setting out a clear policy explaining who in the organization is authorized to give references on its behalf. Anyone likely to be approached for a reference or to become a referee needs to be aware of the policy. Requests from other third parties should be dealt with in accordance with the recommendations in the Employment Practices Data Protection Code. Employees should be advised of the request and allowed to determine how it is handled, what information is disclosed, etc. unless this would involve ‘tipping off’ the data subject in relation to a criminal investigation. Requests for information from the police fall into this last category. Organizations have the discretion whether or not to comply with a request made by the police for access to personal data held. 
While most organizations will ordinarily want to comply with such requests, there should be a procedure to handle them properly and fairly in relation to the employee. Requests from colleagues for details such as home contact information or birth dates are another non-routine request for the disclosure of employee personal data. The personal data held on HR files is held for purposes related to HR administration, and a disclosure to another member of staff for social purposes is processing for an unrelated purpose. A robust internal disclosures policy is also recommended.
Issues to address in policy and procedures for the disclosure of employee personal data externally
Set out the circumstances in which personal data relating to employees will be disclosed. For example:
• Disclosure of employee personal data will be made where required by law (for example to the Inland Revenue, National Insurance Contributions Agency, Child Support Agency).
• Disclosure of employee personal data will be made at the specific request of the employee concerned, for example providing references.
10. Record Management, References.
Employee administration
65
• In all other cases, disclosure of employee personal data will only be made with the knowledge and consent of the employee concerned.
The procedural requirements should include:
• Ensuring or requiring that the request be made in writing.
• Verification of the identity of the person making the request.
• Checking that the request is either authorized by reference to a statute (for example under the Income Taxes Act etc.) or that the proposed disclosure is agreed by the employee concerned.
• Provision for non-routine requests to be referred to the employee and acting according to their instructions.
• Providing the employee with a copy of the personal data comprising the information in the case of non-routine requests, noting the circumstances of the request in a central file held for this purpose.
• How to deal with requests made by the police where they specify that the employee should not be informed.
• The person in the organization to whom reference should be made for guidance on difficult issues.
Issues to address in policy and procedures for internal disclosures
Provide an explanation as to why the employer is restricted in its use of employee personal data for purposes other than those related to employee administration. Reference can be made to the fact that all employees are data subjects and that the organization owes a duty of confidentiality to all of them. Reference can be made to any data protection policy in place. Give examples of the types of request for personal data likely to fall into this category. Examples might include requests for colleagues’ home contact details or birth dates so that cards or flowers can be sent on, say, the birth of a child or during a period of absence due to illness. The recommended stance is that requests from individual employees for personal details relating to a colleague will be declined by the employer on the grounds that to accede would be a breach of the duty of confidentiality owed to employees. However, there may be circumstances in which an employee has a legitimate requirement for a colleague’s personal details. For example, a manager might request home contact details for an absent staff member in order to check the situation regarding outstanding work. In these circumstances it might be appropriate to approach the employee, asking them to contact the manager at work rather than disclosing personal details. Procedural elements to cover include:
• The person to whom enquiries should be addressed.
• The requirement for requests to be in writing or by e-mail, giving full details of the reasons why the information is needed.
• The fact that details of any requests for personal information relating to colleagues will be logged, together with details of the request and the decision.
THE PUBLICATION OF EMPLOYEE PERSONAL DATA
From time to time an employer will want to publish information relating to all or some of its employees. This might involve, for example, putting photographs in company brochures, on the web site or in a company magazine. It might involve providing quotes and background information (years of experience, qualifications and membership of any professional or industry bodies) to the press as part of a press release. The Employment Practices Data Protection Code recommends that employees are given advance warning of the publication of their personal data and the opportunity to approve its publication.
Issues to address in policy and procedures for the publication of employee personal data
The circumstances in which personal data relating to employees will be published. For example:
• Employee personal data will be published where required by law, for example in company reports and financial statements.
• In all other cases, employee personal data will only be published with the full knowledge and consent of the employee concerned, including the likely extent of the publication.
Procedural elements
The procedure should include:
• Providing the employee concerned with a description of the publication, including the medium (print, web site, verbal), the shelf life of the publication, its intended and likely audience, the content of the information and the personal data contained in the information.
• Obtaining the consent of the employee before publication.
• Taking account of any comments and requests for amendment made by the employee.
SUGGESTED ACTIONS IN RELATION TO THE DISCLOSURE AND PUBLICATION OF EMPLOYEE PERSONAL DATA
• Establish policies and procedures on the disclosure of employee personal data internally and externally and communicate them to those staff who are likely to receive requests for information about employees.
• Establish a policy and procedures on the publication of employee personal data and communicate them to those staff who are likely to be involved in the publication of information about the company and its employees.
• Check periodically that the policies and procedures are understood and are being followed. In particular, check the log of non-routine requests for information.
Health and safety
Records that are retained for purposes of health and safety will contain personal data relating to employees and others, such as visitors to the organization’s premises. Generally the following records are held for health and safety purposes:
• Details of fire wardens and first-aiders. This information may be disclosed to the emergency services to assist in managing an incident should one occur. Employees should be aware of this disclosure of their personal data.
• Accident books and incident logs. These will necessarily contain sensitive data relating to the physical and/or mental health of those involved in an accident at work.
• Visitors’ books. These require visitors to supply personal data and should be supported by subject information.
• Claims files. These may contain sensitive data relating to an incident. The data will be disclosed to insurers. The processing of this personal data is covered by an exemption as being necessary for the purposes of defending legal rights. An insurance claim is made when an organization recognises that someone has made, or is likely to make, a legal claim for liability against it.
Issues surrounding the use of medical testing for health and safety purposes are considered below.
SUGGESTED ACTIONS
• Check that lists of fire wardens and first-aiders are accurate and kept up to date and that there is a procedure to ensure this is always the case.
• Ensure that fire wardens and first-aid-certificate holders receive appropriate subject information so that they are aware of the extent of personal data used for these purposes, the parties to whom it will be disclosed and any other relevant information. See page 13.
• Include appropriate subject information in or near to visitors’ books so that the persons who are required to supply details are aware of the reasons why the information is required. Again, page 13 is relevant.
• Include appropriate subject information in accident books so that the persons required to supply details are aware of the reasons why the information is required. (Page 13 is also relevant here).
• Amend the wording in accident books to include an explicit consent clause to the processing of sensitive data. (See page 16).
• Check the security arrangements for claims files, which may be held outside the HR department.
Medical testing
Many employers require their employees to undergo medical tests. The most common circumstance is on appointment, when this is made ‘subject to’ a satisfactory medical. Another situation where a medical might be required is if an employee is absent from work for a long period due to illness. The employer might require the employee to undergo a medical to assess their suitability for work or to support a claim made against permanent health insurance (long-term sick pay). In addition there are industries and work-related activities which carry a high risk factor concerning the health of the employee: for example, using a pneumatic drill is potentially harmful to an individual’s hearing and using a VDU screen potentially damaging to one’s eyesight. These are circumstances where the medical testing of current employees might be required.
THE IMPACT OF THE EMPLOYMENT PRACTICES DATA PROTECTION CODE
At the time of going to print the ‘Medical Testing’ section of the Employment Code was still in draft form, but substantial amendments to the draft were not anticipated. The Employment Code supplements existing legislation which gives patients the right to view their medical records, such as the Access to Medical Reports Act 1988 (‘AMRA’), and the provisions of such legislation continue to apply. If the employer intends to obtain information about its employees from medical testing, then the Employment Code also applies.11 Note that the results of some medical tests are not reported back to the employer. For example, the results of an eyesight test undergone by a computer operator may not be required by the employer and never come within its control. The Employment Code would not apply in these circumstances. Nor would it apply if the results of the testing were not communicated to the employer in written form. A clinic or doctor might perform a pre-employment medical and simply advise the employer by telephone that the individual was fit for employment. Where the Employment Code does apply, the prerequisite for any medical testing is to establish clearly the business purpose that the testing is to achieve. For example, pre-employment medicals are required to ensure that new employees are fit for the positions for which they have been accepted. Eyesight tests for VDU operators are required to meet a statutory obligation. Medical tests for employees on long-term sick leave may be required in connection with permanent health insurance claims (that is, claims made under a long-term sick pay scheme) or for work and succession planning purposes. The Employment Code differentiates between the medical testing of prospective employees and that of current employees.
The medical testing of current employees should only be undertaken on a voluntary basis unless it is both necessary and a proportionate reaction to a significant health risk, or, in the case of an individual on long-term sick leave, to establish continued unfitness for work and qualification for benefits under any permanent health scheme.12 The Employment Code recommends that in deciding whether medical testing is a necessary and proportionate measure an employer should carry out an assessment of the likely reduction in risk or other benefits balanced against the extent of intrusion for the individual. For example, employers are encouraged to consider using medical questionnaires rather than making prospective employees undergo a medical examination. So an assessment of the risk the employer is trying to avoid or mitigate is an essential first step. The next step is to consider if there are other ways of avoiding or mitigating the risk, which would avoid the necessity for medical testing. This process should be documented at every stage so that the employer can show that it has duly considered the issues raised in the draft ‘Medical Testing’ section of the Employment Code.
11. Draft Medical Testing benchmarks and Record Management, Sickness and Accident Records, benchmarks.
12. Draft Medical Testing benchmarks.
MEDICAL TESTING FOR HEALTH AND SAFETY
Medical testing undertaken for purposes of meeting health and safety requirements must also be proportionate to the risk and must be carried out only on employees who are at risk. Introducing company-wide medical tests so as not to differentiate between workers or to encourage those in high-risk occupations to undergo tests is not advisable as it conflicts with the draft benchmarks. For further discussion of data protection issues relating to health and safety, see page 66.
CONSENT
The Employment Code strongly recommends seeking the consent of workers to medical testing. This apparently conflicts with the Information Commissioner’s stance in relation to the unreliability of consent in the employer/employee relationship. (See page 21). However, there is little alternative to consent in these circumstances, and in requiring consent the draft Employment Code can at least specify that employees should be fully informed of the need for medical testing and the likely consequences arising from the results.
RELEVANCE OF PERSONAL DATA PROCESSED
Information obtained as part of a medical test which is not strictly necessary for the purpose of the tests must not be processed. The example in the draft ‘Medical Testing’ section of the Employment Code involves a medical test showing that an individual is pregnant, a factor not relevant to the individual’s ability to work safely. Information obtained in this way must not be used for other, more general, employment purposes.
PROCESSING SENSITIVE DATA
All medical data is classified as ‘sensitive data’ under the Act, and there are tighter controls over processing such data. The key current requirement is to meet one or more of the conditions for fair processing set out in Schedule 3 to the Act. See page 16 for an explanation of the requirements and consideration of the different applicable conditions. Confidentiality is another key requirement when dealing with sensitive data. The ‘Record-Keeping’ section of the Employment Code has a section of recommendations relating to sickness and absence records. It recommends that sickness records be kept separately from absence records and that absence records (without a note of the reason for absence where it is related to illness or injury) be used in preference to sickness records for routine data processing.13 For example, the payroll department might need to know which employees worked which days during the month for payroll calculation purposes, but the reason for absence might not be relevant unless statutory sick pay was being reclaimed, and at no time should payroll personnel be privy to information about the nature of the illness or injury. There is a general duty of confidentiality concerning sickness records.14 The Employment Code also recommends that confidentiality is maintained within the employing organization. For example, other employees should not be supplied with details relating to employee sickness unless the disclosure is to the employee’s manager who requires the information for management and supervisory purposes. In particular, the Employment Code disparages the practice of publishing a sickness ‘league table’ to compare the number of days different employees are absent from work.
13. Record Management, Sickness and accident records, benchmark 1.
14. Record Management, Sickness and accident records, benchmark 3.
TESTING FOR DRUG OR ALCOHOL USE
The draft Medical Testing section of the Employment Code sets out recommended best practice for undertaking the drug and alcohol testing of employees. In addition to the general benchmarks for medical testing, key requirements are that drug and alcohol tests should be undertaken on a voluntary basis unless there is a significant health and safety purpose. The employer should establish a real necessity for the testing and be able to demonstrate that the tests are a proportionate response to the safety risk both in relation to the type of testing and the range of employees tested. For example, if drug and alcohol tests are carried out on train drivers, there is no justified basis for extending the tests to managerial staff simply to set a good example. For managerial staff to be tested there must be a need: for instance, if they are routinely involved in work where the use of drugs or alcohol could affect the safety of other individuals. The results of drug and alcohol tests can significantly affect employees’ careers and lives; thus the draft benchmarks stress the importance of using tests and testing procedures of the highest technical quality. Generally, covert testing will only be justifiable with the involvement, and on the advice, of the police.15
GENETIC TESTING
It is accepted that genetic testing might be valid on health and safety grounds in exceptional circumstances. The draft benchmarks in the Employment Code relating to genetic testing are based on the conclusions of the Human Genetics Advisory Commission, which has examined the implications of such testing in the employment arena. In addition to the general requirements for medical testing, the key requirements for genetic testing are that it should be undertaken on a voluntary basis unless there is a significant health and safety risk posed by a particular employee or where it is known that a specific working environment or practice poses a specific risk to employees with particular genetic variations. The draft benchmarks stress the importance of using tests of the highest technical quality and reliability. The results of any test must always be communicated to the person tested and professional advice and support should be made available when the results are communicated. If it is known that an individual has previously undergone a genetic test, they should not be required to disclose the results of that test except where the information is needed to show susceptibility – or lack of it – to harm from performing a job or to help assess current ability (or inability) to perform a job safely.
15. Draft benchmarks from ‘Medical Testing’ section of the Employment Code.
SUGGESTED ACTIONS
The following is a checklist of actions to meet the recommendations in the draft Medical Testing section of the Employment Code.
• Establish and document a clear business need for the testing.
• Ensure either that employees required to undergo testing have volunteered or that you can demonstrate that the testing is required for health and safety purposes and that employees’ rights have been taken into account.
• Ensure that the organization is meeting one or more of the conditions for the fair processing of sensitive data. (See page 16).
• Explain the consequences of testing and of any adverse findings to employees prior to undertaking any tests.
• If carrying out tests for drug or alcohol use, ensure that the tests used are of the highest technical quality.
• If carrying out genetic testing, the results must be fully explained to the employee and professional advisers should be available to provide support and guidance.
Company credit cards
A normal company credit card arrangement operates with the employee being given a credit card in the company name. Statements on the account are sent direct to the employer for payment. Most employers will check the expenditure itemized on the credit card bill to ensure that only legitimate business expenses are processed through their accounts. Even where the employer allows the use of company credit cards for personal expenses (that is, expenses not related to the business), these will not be allowed for tax purposes on its trading accounts. If the employer does not require the reimbursement of personal expenses by the employee, the total expenses will be taxable on P11D. Therefore the employer needs to monitor the use of company credit cards and to distinguish personal expenditure from legitimate expenses incurred on behalf of the company or when carrying out authorized, business-related, activities. The disclosure of employees’ spending habits constitutes a disclosure of personal data, even in relation to business expenses. The credit card statements will identify specific employees or allow them to be identified for the reasons outlined above. Therefore subject information provided to employees who have the use of company credit cards needs to cover this use and disclosure of their personal data. Also, the position of the employer in relation to the credit card company needs to be considered. The credit card company acts as a data processor in handling personal data relating to company card users. This is a relationship that requires appropriate contractual clauses to meet the requirements of the Seventh Principle. (See Chapter 7). Finally, the monitoring of employees’ activity falls within the Employment Practices Data Protection Code. Checking credit card statements is a form of monitoring. See Chapter 5 for a full explanation of how the Employment Code impacts on monitoring activity and suggested actions to take.
SUGGESTED ACTIONS
• Ensure that employees are fully aware of the disclosure of personal data between employer and the credit card company. (Refer to page 13).
• Treat credit card statements as personnel information. (Refer to page 61).
• Check that appropriate data protection terms are included in the agreement between the employer and the credit card company. (Refer to Chapter 7).
• Confirm that appropriate actions are taken in relation to monitoring. (See Chapter 5).
CHAPTER
11 Marketing to staff
If the organization is marketing to its own employees, the requirement is for an opt-out clause to be provided before the personal data is processed for marketing purposes. This means explaining that employee personal data will be used for marketing purposes in subject information at the first contact with the data subject. This will probably be on the application form or at interview. At the same time a marketing opt-out must be provided and observed. If the organization intends to allow third parties to market to its employees, an opt-in clause is required. Note that in a group of companies where all staff are employed by a service company, the promotion of other group companies’ products and services to staff will require an opt-in.
Suggested clause wordings
Marketing opt-in clause
If you would be happy to receive details of offers on products and services from third parties, please tick this box.
Marketing opt-out clause
We would like to tell you about our products and services from time to time (and a staff discount is available). If you would prefer not to receive this information please tick this box.
AFFINITY BRANDING
An alternative method of marketing group products would be to undertake affinity branding or hosting. The employer presents the product or service as its own. The fulfilment of purchase orders is outsourced to the product or service provider. The product or service provider is a data processor, processing employee personal data on behalf of the employer, so the actions outlined in Chapter 7 are relevant.
SUGGESTED ACTIONS
• Check that employees are aware that their personal data will be (or is being) used for the purposes of marketing. An established history of using employee data for marketing plus appropriate subject information for new employees is required. If marketing to employees is a new venture that has not previously been communicated to employees, then:
• Advise employees in writing that the company wishes to use employee personal data to promote its own or another company’s goods and services and seek their consent to such use (an ‘opt-in’). Remember that other group companies must be treated on an arm’s length basis.
• Incorporate further data subject information into your proposed marketing material.
• Follow the actions suggested on page 13 and add an opt-out consent clause to the use of personal data for the purposes of marketing, including any data-sharing or disclosure to third parties.
• Put in place a procedure to deal with requests from employees not to use their personal data for marketing. (See page 10).
• Adhere to your own industry codes of practice and those of the Direct Marketing Association.
• If you intend to access databases of other group companies, check that appropriate data subject information notices were provided to employees explaining that their personal data would be used by third parties to promote goods and services and that they were given an opportunity to opt out of such promotions. As other group companies must be treated on an arm’s length basis, employees are required to opt in in order to receive marketing material (including e-mails etc.) about group products or services unless these can be badged as being provided by the employer. (See Chapter 7).
PART
II Explanation of the legal requirements
CHAPTER
12 Definitions
The problem with legal definitions is that they include other defined terms. To understand each definition you need to have knowledge of the others. Therefore each of the definitions below is explained in plain English before the technical, legal, aspects of each are considered.
‘Personal data’
Personal data is information which relates to a living person. An individual’s name and address are personal data relating to him or her. The following are examples of personal data relating to most of us:
• Details and histories of bank accounts held by banks.
• Details and histories of mortgages held by building societies.
• Medical records held by doctors and hospitals.
• Tax and National Insurance records held by the Inland Revenue.
• Dental records held by dentists.
• Records of eyesight and eye problems held by opticians.
• Our shopping habits and purchase histories held by credit card and store card companies.
• Details of household gas and electricity consumption held by utility companies.
• Details of properties held by the local council.
• Images caught by CCTV in shops.
• Employment records held by employers.
• Student records held at colleges and schools.
• Buying habits recorded when using loyalty ‘club cards’.
• Vehicle ownership and driver’s licence details held by the DVLA.
• Names and addresses for direct marketing held by any organization which sends out marketing material.
• Membership records maintained by clubs, societies, professional and trade bodies.
• Library membership records.
• Pension records held by pension scheme trustees and administrators.
• Insurance details.
The list could go on, but it illustrates the breadth of the subject and starts to indicate some of the issues.
78
The legal requirements
KEY POINTS TO NOTE
The definition of ‘personal data’ under the 1998 Act is wider than that under the 1984 Act because it includes the following, not previously included:
• Data which is not immediately identifiable with an individual until referenced to another file, or even a manual list. The 1984 Act definition specified that personal data meant data that could be processed by reference to the data subject. Under the 1998 Act, data need not be processed by reference to the data subject so long as they can be identified from either the data or other information controlled by the data controller. For example, a list of National Insurance numbers is personal data because these can be cross-referenced with the individuals to whom they relate.
• The future intentions and opinions of the data controller in relation to the data subject are now specifically included where previously they were excluded. This has an impact on interview notes. Previously interview notes, as the opinion of the interviewer, were exempt from data protection law; they are now within the definition and subject to data protection provisions such as subject access.
• The requirement remains for personal data to relate to a living individual. Therefore data relating to a corporate entity is not personal data. Although companies have a legal existence, they do not have a physical existence; they act through their employees, officers and directors. Information relating to these persons is personal data, even where the information comprises bare contact details. If the individual is identifiable then the information is personal data, even though – as with a business contact address – it may relate to a business.
• Business information relating to a sole trader is personal data because it relates to the individual and not to a company or other organization. Similarly, information relating to a partnership which can be related to one of the partners is personal data.
• CCTV images and photographs of people who can be identified from them are personal data.
• Personal data may be held in a variety of media, including on a computer, on microfiche, in paper records, in index card systems, in diaries and address books and in back-up material. It may be held in current files and in archive files and records.
TECHNICAL DEFINITION OF PERSONAL DATA
Section 1(1) of the Data Protection Act 1998 defines data as information which:
a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
b) is recorded with the intention that it should be processed by means of such equipment,
c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68.
Data, therefore, is information that is processed automatically. This includes information held on a personal computer, in programmed telephones and fax machines, on microfiche and in imaged documents. It is also information forming or intended to form part of a relevant filing system, which potentially includes paper in filing cabinets, paper on desks, paper in archives, diaries and address books, ‘little black books’, Rolodex, index card files, etc. It may also be an accessible record, which is one that is a health record, an educational record, or an accessible public record, all of which are defined terms considered below. Section 1(1) then defines personal data as data which relate to a living individual who can be identified:
a) from those data, or
b) from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. The elements of the definition are:
• Personal data relates to a living individual, not a company or charity or club. Nor does it relate to deceased persons.
• The individual must be identifiable either from the data or from other information to which the data controller has access.
‘Data subject’
This is the individual to whom personal data relates. A data subject need not be a United Kingdom national. Any data relating to a living individual which is processed in the United Kingdom is subject to the provisions of the Act. This applies whether the individual is British, an EC citizen or located in a territory outside the EEA. In the HR context, data subjects are employees, ex-employees and prospective employees. Temporary workers, consultants, professional advisers, suppliers of goods and services are also data subjects.
TECHNICAL DEFINITION OF ‘DATA SUBJECT’ The Act states that: ‘“data subject” means an individual who is the subject of’ personal data.
‘Data controller’ The data controller is the party (organization, company, club or individual) which makes decisions about the personal data to be processed. It decides the purposes for which personal data is to be processed, what personal data is required and how it is obtained. A trading company is the data controller of personal data connected with the business, its customers and suppliers. An employing company is the data controller of employee personal data. The trustees of a pension scheme are the data controller of personal data relating to past and present members of a pension scheme and their dependants. A charity is the data controller of membership and subscriber lists. A club is the data controller of personal data of its members, and so on.
TECHNICAL DEFINITION OF ‘DATA CONTROLLER’ Section 1(1) of the Act provides: ‘“data controller” means . . . a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.’
The elements of the definition are:
. The data controller is the party which determines the purposes for which and the manner in which personal data are processed. This is indicative of control over personal data. Note that data protection law never concerns itself with concepts of ‘ownership’ of data. The key element is control: the data controller is the party, or parties, which makes decisions about the processing of personal data. So, for example, an employer which outsources its payroll administration is a data controller because it gives instructions to the payroll service provider about the administration of the payroll: who is to receive salary, on what basis and subject to what timings, etc.
. Two or more bodies may be data controllers in relation to the same personal data. In the example of processing personal data for payroll administration purposes, the Inland Revenue and the National Insurance Contributions Agency will both operate as data controllers in relation to payroll data (including personal data) supplied by the employer. Employer, Inland Revenue and National Insurance Contributions Agency all process personal data as data controllers and for different purposes.
‘Processing’ ‘Processing’ is used in a very wide sense in relation to data protection. It includes obtaining, using, holding and destroying and deleting personal data. Basically the term means anything that might be done to or with data.
TECHNICAL DEFINITION OF ‘PROCESSING’ Section 1(1) of the Act provides: ‘processing’, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data.
‘Data processor’ A data processor is the party which carries out the processing of personal data on behalf of another. It is providing a service in which it has no real interest except where it is paid for the processing. In a group of companies, whichever one owns the computer equipment is technically a data processor on behalf of the other companies in the group which use the computer equipment. Using the example of a payroll service provider, the data controller is the employer as outlined above (see the definition of ‘data controller’), while the service provider processes personal data on behalf of the data controller. The data processor – in this example, the payroll service provider – has no interest in the data except that it is remunerated by the data controller for carrying out the processing activity.
KEY POINT TO NOTE A key point in this definition is that employees of the data controller are specifically excluded from the definition. Employees fall within the authority of the data controller for data protection purposes unless they commit some act outside that authority.
TECHNICAL DEFINITION OF ‘DATA PROCESSOR’ Section 1(1) of the Act reads: ‘“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.’
European Economic Area (EEA) The following countries are currently within the EEA: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain and Sweden. Check that the list is up to date by referring to the web site of the Information Commissioner (see below).1
TECHNICAL DEFINITION OF ‘EEA’ Section 70(1) of the Act defines ‘EEA State’ as: ‘A State which is a contracting party to the Agreement on the European Economic Area signed at Oporto on 2nd May 1992 as adjusted by the Protocol signed at Brussels on 17th March 1993.’
‘Relevant filing system’ This definition relates only to paper files and whether or not they are covered by data protection law. The original intention was that not all paper files should be included in data protection law, and this definition was the way to distinguish between those files which should be included and those which should not. In practice, the definition is probably unimportant because the Information Commissioner has put forward the view that all paper files are included and, unless your organization wants to run a test case through the courts, the view of the regulator is best followed.
1. www.dataprotection.gov.uk.
THE TECHNICAL DEFINITION OF ‘RELEVANT FILING SYSTEM’ Section 1(1) states: ‘Relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
The elements of the definition are:
. A set of information relating to individuals which is not processed by means of equipment operating automatically in response to instructions given for that purpose, that is, information not held on computer.
. The set is structured, that is, held in a filing system.
. The system is structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
Guidance from the office of the Information Commissioner suggests that the first criterion to establish is whether the information is a ‘set’ or grouping of information such as HR files or customer files. Then consider whether the information has a structure either based on identifiers such as name or employee number or by reference to criteria relating to individuals, for instance age, type of job or membership of a particular organization. Finally, consider whether the system allows specific information relating to an individual to be readily accessed. This guidance means that any and all filing systems lie within the definition. A representative from the Commissioner’s Office (on a Data Protection compliance seminar) stated that even an individual’s messy desk could be regarded as structured because the individual would be able to locate any particular piece of information on that desk if asked. At a conference in February 2002 the Information Commissioner, Elizabeth France, said in relation to the definition of a relevant filing system that ‘if you can find it for the boss, it’s caught; if not, why are you keeping it?’
This wide interpretation of relevant filing system may not be what was originally intended by Parliament. However, the regulator’s view must be given due consideration and weight, although there are recent signs that there may be some opposition to the Commissioner’s view from the Courts. In a County Court case, Durant v FSA, the Court considered the meaning of ‘relevant filing system’.
A manual personnel file with the employee’s name on the front was not found to be a ‘relevant filing system’ and, therefore, the information contained in the file was not ‘personal data’ for the purposes of the Data Protection Act 1998.
This is the first case on the definition and for the first time there is a move away from the very wide definition applied by the Information Commissioner. Until now the position has been that every piece of paper has been deemed reasonably accessible and, therefore, the information on it has been classified as ‘personal data’. The Court considered that the information in the file was reasonably easily accessible but nonetheless, the file was not within the meaning of ‘relevant filing system’. The implications of the case are to introduce a degree of uncertainty when dealing with paper files as to whether or not they are caught by the definition of personal data by virtue of being in a ‘relevant filing system’. There will need to be more case law before certainty is established. In the meantime employers may rely on the Durant case on a carefully judged, ad hoc basis, for example, if specific material held in a paper file was to be excluded from a response to a subject access request. A risk-averse employer will not want to run the chance of being the next test case. Obviously a total overhaul of HR procedures in reliance on the Durant judgement would be premature.
‘Notification’ Notification is not a defined term but arises from the notification regulations made pursuant to the Act. It means arranging for an entry on the Data Protection Register showing the name of the organization involved in the processing of personal data, the purposes for which personal data is processed, and the categories processed. If the notification regulations require an organization to register, then processing without registration is prohibited.
Safe Harbor This is a scheme operating in the United States whereby organizations formally agree to follow a set of data protection principles and guidance. It is regulated by the United States Department of Commerce and approved by the European Commission as offering an adequate level of protection for the transfer of personal data to US organizations that have signed up to the scheme.
‘Sensitive data’ A plain English interpretation cannot add to the technical definition, which is set out in Section 2 of the Act and provides that sensitive personal data means personal data consisting of information as to:
a) the racial or ethnic origin of the data subject,
b) his political opinions,
c) his religious beliefs or other beliefs of a similar nature,
d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
e) his physical or mental health or condition,
f) his sexual life,
g) the commission or alleged commission by him of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
This is an exclusive definition. No other classes of data are ‘sensitive’ data.
‘Accessible record’ Section 68 of the Act provides that:
1) In this Act ‘accessible record’ means:
a) a health record as defined by subsection (2),
b) an educational record as defined by Schedule 11, or
c) an accessible public record as defined by Schedule 12.
2) In subsection (1)(a) ‘health record’ means any record which:
a) consists of information relating to the physical or mental health or condition of an individual, and
b) has been made by or on behalf of a health professional in connection with the care of that individual.
Schedule 11 provides the definition of an education record but it relates exclusively to schools. It does not cover Continuing Professional Development records or other records maintained of training undergone by employees.
Pursuant to Section 69, a ‘health professional’ means any of the following:
a) a registered medical practitioner (a ‘registered medical practitioner’ includes any person who is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section),
b) a registered dentist as defined by section 53(1) of the Dentists Act 1984,
c) a registered optician as defined by section 36(1) of the Opticians Act 1989,
d) a registered pharmaceutical chemist as defined by section 24(1) of the Pharmacy Act 1954 or a registered person as defined by Article 2(2) of the Pharmacy (Northern Ireland) Order 1976,
e) a registered nurse, midwife or health visitor,
f) a registered osteopath as defined by section 41 of the Osteopaths Act 1993,
g) a registered chiropractor as defined by section 43 of the Chiropractors Act 1994,
h) any person who is registered as a member of a profession to which the Professions Supplementary to Medicine Act 1960 for the time being extends,
i) a clinical psychologist, child psychotherapist or speech therapist,
j) a music therapist employed by a health service body, and
k) a scientist employed by such a body as head of department.
Table of sources of definitions in the Data Protection Act 1998
Taken from Section 71 (Index of defined expressions). Each entry gives the expression followed by the section number in which it is defined.
Accessible record: 68
Address (in Part III): 16(3)
Business: 70(1)
The Commissioner: 70(1)
Credit reference agency: 70(1)
Data: 1(1)
Data controller: 1(1) and (4)
Data processor: 1(1), (4) and 63(3)
The Data Protection Directive: 70(1)
Data Protection Principles: 4 and Schedule 1
Data subject: 1(1)
Disclosing (of personal data): 1(2)(b)
EEA State: 70(1)
Enactment: 70(1)
Enforcement notice: 40(1)
Government department: 70(1)
Health professional: 69
Inaccurate (in relation to data): 70(2)
The non-disclosure provisions (in Part IV): 27(3)
Notification regulations (in Part III): 16(2)
Obtaining (of personal data): 1(2)(a)
Personal data: 1(1)
Processing (of information or data): 1(1) and Paragraph 5 of Schedule 8
Recipient (in relation to personal data): 70(1)
Recording (of personal data): 1(2)(a)
Relevant filing system: 1(1)
Sensitive personal data: 2
The subject information provisions (in Part IV): 27(2)
Third party (in relation to processing of personal data): 70(1)
Using (of personal data): 1(2)(b)
CHAPTER
13 Introduction to the Principles
All businesses are under a legal duty to comply with the Data Protection Act 1998. The only exception from compliance with the Act is for a private individual who processes personal data for domestic and family purposes only. It follows that all employers are likewise under a legal duty to comply with the Act.
This section of the book covers the legal requirements of the Data Protection Act 1998. It starts with the definitions and moves through an in-depth consideration of the eight Data Protection Principles. Data subject rights are explained in Chapter 19.
The Data Protection Principles are the backbone of the compliance requirements of the Act. They are set out in Schedule 1 of the Data Protection Act 1998. The Schedule is divided into two parts. Part I contains the bare text of the Principles. Part II, entitled ‘Interpretation of the principles in Part I’, sets out some further requirements for compliance with the Principles as well as giving some guidance as to what is expected in order to meet compliance standards. Schedule 1 is incorporated into the Act by Section 4. This section also provides that it is the duty of the data controller to comply with the Principles in relation to all personal data with respect to which he is the data controller. At this point, therefore, there is no duty on data processors to comply with the Principles. The distinction between data controllers and data processors is critical as a result, and a significant part of later chapters is devoted to identifying and analysing the relationship between data controllers and data processors.
The Sixth Principle requires data controllers to have regard to the rights of data subjects under the Act. Subject rights are set out in Part II of the Act, Sections 7–15. Since October 2001 all the subject rights have been in force, although subject access to certain, limited, paper files can still benefit from the exemption provided by the second transitional period. As this exemption is restricted to manual data subject to processing already under way as at 24 October 1998 and personal data processed for certain historical research purposes only, it is not dealt with in this book.
Each chapter on the Principles starts with a short introduction, considers the actual wording of the Principle or subject right, and then provides an analysis of the meaning. Examples are given where these are appropriate. Where guidance has been published by the Information Commissioner, and it assists in understanding the legal requirements, this is included. As the Data Protection Principles remain largely unchanged since their introduction under the Data Protection Act 1984, reference is made to guidance issued in relation to the 1984 Act where it is thought to be still relevant and helpful in interpreting current law.
The Employment Practices Data Protection Code During 2002 the Information Commissioner published the two largest sections of the four-part Employment Practices Data Protection Code (‘the Employment Code’). It sets out best practice for the processing of employee personal data. The chapters on the Principles include reference, where appropriate, to the Employment Code. The Employment Code helps to illustrate how the Principles apply to HR activities and, as a published code of practice, it will be used as a standard against which employers’ compliance with the Principles will be measured.
The Employment Code does not have the force of law, and any enforcement action would be based on failure to meet the requirements of the Act rather than the Code. The Code constitutes the Information Commissioner’s recommendations as to how the legal requirements of the Act can be met. The Commissioner has stated that relevant benchmarks in the Employment Code would be raised in any enforcement action in relation to the processing of personal data in employment. It was also said that failure to meet the particular benchmarks in the Employment Code is likely to mean that the employer is not complying with the Act. Although employers may seek alternative ways of meeting the legal requirements, it should be borne in mind that the Employment Code sets out the regulator’s recommendations and these must be given due consideration and weight. So, although the Employment Code does not have the force of law, employers need to meet the benchmark standards or be able to explain why a benchmark does not apply to them, if that is the case. Other bodies will also use the benchmark standards in the Employment Code as a measure of accepted industry best practice. For example, employment tribunals are likely to use the Code as a reference.
As a reference document for employers, the Employment Code effectively considers how the Act applies in the HR context and sets out best practice for complying with its provisions. As such it is a useful starting point for data protection compliance within the HR function at the least. The Employment Code applies to personal data held for the purposes of employee administration, which includes the payment of salaries and the administration of other employee benefits. The data subjects are:
. Employees.
. Ex-employees.
. Prospective employees.
. Employees’ families.
. Temporary staff.
. Contract staff.
Personal data in this context is likely to include:
. Personnel files on computer and in paper form.
. Training records relating to employees and other organizations’ employees if you run an accredited training scheme on behalf of others.
. Recruitment files (application forms and interview notes, even those relating to unsuccessful candidates).
. Supervisors’ records.
. Sickness records where individual employees are named or can be identified from other information such as an employee number.
The Employment Code was put forward by the Information Commissioner as a draft document in 2000. There has been extensive consultation with industry and worker representative bodies. It is being issued in tranches, and there are four parts:
. Record keeping.
. Recruitment.
. Monitoring at work.
. Medical information (not yet issued in final form).1
Each part is designed to stand alone and starts with standard sections explaining the perceived status of the Employment Code and continues with benchmarks applying to the management of data protection compliance within HR. Each part of the Code includes benchmarks and examples. The following chapters deal with the substantive law, but references to relevant benchmarks from the Employment Code have been included. The key issues for compliance were highlighted in Part I.
1. As at August 2003.
CHAPTER
14 The First Principle
Interpreting the First Principle The First Data Protection Principle requires data controllers to process personal data fairly and in accordance with any relevant law. For employers this means the fair and legal processing of personal data relating to employees, prospective employees, ex-employees, temporary and contract workers. In addition to the general duty to process personal data fairly and lawfully, data controllers must meet specified requirements, otherwise their personal data processing will not be deemed fair. The first of these specified requirements is that the purpose for which personal data is being processed must meet one or more of the conditions for fair processing set out in Schedule 2 to the Data Protection Act 1998. In addition, if sensitive data is being processed (that is, data relating to health, race or ethnic origin, membership of a trade union, religious or political beliefs, sex life or criminal records), the purpose for which it is being processed must also meet one or more of the conditions for the fair processing of sensitive data, set out in Schedule 3 to the Act. The second specific requirement for fair processing is that data subjects must be given certain information about the data controller and the purposes for which personal data is to be processed. In relation to employment, this means that employees and prospective employees must be given information about the employer and the uses to which it puts employee personal data.
In summary there are three aspects of fair processing under the First Data Protection Principle. These are:
. The general duty to process fairly and lawfully.
. The requirement to meet one or more of the conditions for fair processing.
. The requirement to supply subject information.
Each of these aspects needs to be considered separately.
The general duty to process fairly and lawfully ‘Fair and lawful’ is given its plain English meaning. When deciding whether or not a data controller is processing fairly, the Information Commissioner’s Office will look at the facts of the case and decide whether or not the processing was fair in relation to that particular case as well as whether or not the processing was generally fair. This is important because it is possible for processing generally to be fair but for one person not to be treated fairly due to procedures not being followed properly. For example, if recruitment procedures require pre-employment vetting by credit reference search, candidates should have this explained to them. If normal recruitment procedures provide for this explanation to be given before the first interview (say, in the letter inviting the applicant for interview) and it is not explained to one particular candidate, albeit accidentally, then the processing will not be fair in relation to that one candidate. Note that it may have been fair in relation to the majority of candidates, but in this one isolated case, it was not fair. The test of fairness is subjective.
HOW IS FAIRNESS ASSESSED? The Information Commissioner has expressed the view that in assessing fairness, first and paramount consideration must be given to the consequences of the processing to the interests of the data subject. This view has been supported by the Data Protection Tribunal.1 Some of the questions the Information Commissioner’s Office will ask when assessing fairness are:
. Was the person supplying the data under the impression that it would be kept confidential by the data controller, and was that impression justified by the circumstances?
. Was any unfair pressure used to obtain the information? Were any unjustified threats or inducements made or offered?
. Was the person improperly led to believe that they must supply the information, or that failure to provide it might disadvantage them?
LAWFUL PROCESSING Again, ‘lawful processing’ is given its plain English meaning. Personal data must be processed in accordance with any relevant legal requirements. These need not be criminal offences; lawfulness also relates to civil law. For example, if personal data is processed under a duty of confidentiality (bank or medical details, say) then the disclosure of that personal data in breach of the duty of confidentiality will be unlawful. Similarly, if a contract includes a provision that personal data will not be retained for longer than a specified period, then a party to the contract that retains the data beyond the specified period will be processing personal data unlawfully. In relation to employment law, processing payroll information to make unauthorized deductions from salary would constitute unlawful processing. An important development in relation to lawful processing is the Human Rights Act 1998 (in force since October 2000), which sets out various rights for individuals, including the right to respect for private and family life, home and correspondence. Any system which purports to monitor employee performance or behaviour must therefore include procedures and policies to safeguard this right to respect for individual privacy. Data protection and human rights work together to increase privacy for individual employees.
1. CCN Systems Limited and CCN Credit Systems Limited v The Data Protection Registrar, case DA/90 25/49/9 and Infolink v The Data Protection Registrar, case DA/90 25/49/9.
EXAMPLES FROM THE EMPLOYMENT PRACTICES DATA PROTECTION CODE The Employment Code applies the Principles specifically in relation to HR activities, so it is essential reading to gain an understanding of how the Principles apply and how the Information Commissioner’s Office is likely to interpret them. The Employment Code recommends that where information is sought from a third party in support of a candidate’s application for employment, a signed release should be obtained from the candidate. This ensures that the data subject is aware that information is being sourced from a third party if there is no other indication of consent. Normally, requiring a candidate to provide contact details for third parties prepared to give references will suffice to meet fair processing requirements, but there may be other occasions when it would be appropriate to seek further consent. An example of this would be if further references were to be required after appointment as part of an assessment of suitability for promotion, or if information was to be sought from a school or university where no specific contact details for reference purposes had been provided by the data subject.2 In addition, the candidate should be given the opportunity to explain any discrepancies that the information reveals. This provides a check on the accuracy of the material sourced from the third party as well as meeting fair processing requirements.3 A further recommendation relates to the way that personal data is assessed when a recruitment decision is being made. The Employment Code provides that the processing should be consistent, so that it is ‘fair’.4 If the employer undertakes pre-employment vetting, it should be made clear to the data subject that vetting will take place and how it will be conducted.5 It is fair to unsuccessful candidates to offer them the opportunity not to have their details retained for consideration should future vacancies occur.6
SUGGESTED ACTIONS Read the Employment Code and make sure that in-house procedures meet the benchmarks. If there are special circumstances why you feel it is inappropriate to adopt a particular benchmark, document your reasons and diary it for a regular review. This will show that the benchmark has been considered, not ignored, and it will be a permanent record of reasons which may be difficult to remember after a period of time has passed. Think through the various HR activities: how is personal data obtained? How is it used and disclosed? Is personal data processed fairly? When records are destroyed or deleted, is the data or document retention policy fair to the employees and ex-employees? You should already be aware of the legal issues relevant to HR; be aware also that unlawful activities will constitute a breach of the First Principle if personal data is involved. Remember that ‘unlawful’ simply means contrary to law, civil as well as criminal; there does not have to be an offence for processing to be unlawful.
2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 4.2.
3. The Employment Practices Data Protection Code, Recruitment and Selection, benchmarks 4.3 and 7.6.
4. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 5.1.
5. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 7.3.
6. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 8.5.
The requirement to meet one or more of the conditions for fair processing There are a number of conditions for fair processing set out in Schedules to the Act, and any processing must meet at least one of these conditions in order to be accepted as fair by the Information Commissioner’s Office. These are first set out in summary in the table below (condition, followed by comment) and are then considered in detail with examples of how they apply in relation to HR activities.
Consent: Not reliable in the HR context.
Contractual obligations: Covers some of the HR functions, e.g. those under a contract of employment such as payroll, but note that the condition concerns ‘obligations’ of the data controller in relation to employment contracts, so it does not cover processing for SSP purposes or Inland Revenue returns.
Legal obligations: Covers many of the non-contractual obligations, e.g. in relation to health and safety, Inland Revenue, etc.
Vital interests of the data subject: Rarely used: ‘a matter of life or death’.
Administration of justice and government: Rare in routine HR; possibly in relation to police enquiries.
Legitimate interests: Where the interests of the data controller or a third party are deemed to outweigh the harm to the data subject. A useful condition if you want to market to employees or in a merger or takeover situation.
CONSENT The first condition is that the data subject has given their consent to the processing. In general, consent to personal data processing activities is not required under current data protection law. There are occasions when it might be necessary if no other authority applies: for example, if sensitive data is being processed (see below) and no other condition for the fair processing of sensitive data applies. Consent may also be needed if personal data is to be transferred to a country outside the EEA where adequate standards of data protection do not exist. (See page 55). If data subjects are asked to consent to data processing activities, the organization must have a procedure to deal with those data subjects who refuse. For example, if you ask employees to consent to provide details of illnesses if they are absent from work due to sickness, how will you deal with the ones who refuse? For this reason most organizations will avoid seeking consent if another condition can be met.
In the employer/employee relationship it is now doubtful that proper consent can be given by the employee to the processing of personal data relating to them by the employer. The view has been expressed that in the relationship between employer and employee, the employee is at such a disadvantage in terms of bargaining power that they cannot ever give consent freely and without undue influence from the employer, simply by virtue of the fact that this is the employer. The former Information Commissioner indicated that she agreed with this view. There is also a growing trend whereby the Office is encouraging data controllers to try to find alternatives to seeking consent in most situations. Consent is being seen as very much a last resort. (See page 67).
There is no definition of consent in the 1998 Act, but the EC Directive7 defines consent with three key elements:
. Consent must be freely given.
. It must be specific and informed, so that all processing activity is described.
. It must constitute an indication that the data subject signifies his agreement; inaction will not suffice.
In relation to this third point, the former Commissioner stated8 that a data subject may signify consent other than in writing so long as there is some active communication between the parties.
MEETING CONTRACTUAL OBLIGATIONS

The second condition which may apply is where processing is necessary for the performance of a contract to which the data subject is a party. This is the condition which will be favoured in relation to personal data processing activity in HR. The data subject, in this case the employee, is party to a contract of employment. The employer has a duty to provide remuneration and other employee benefits set out in the contract of employment. Personal data processing for the purposes of payroll and other employee benefit administration is therefore undertaken pursuant to the contract between the parties. This contractual condition has an additional element where the processing is necessary for the taking of steps at the request of the data subject with a view to entering into a contract. This covers pre-contractual processing activity, for example, when personal data is supplied to the pension administrators so that a new employee can be offered membership of the pension scheme and offered transfer terms for any existing pension. At the time the details are supplied to the administrators, the employee (as a prospective pension scheme member) has no contract with the pension scheme, but the details are disclosed and the pension scheme administrators contact the prospective member with terms of membership of the pension scheme. These are steps preliminary to entering into a contract with the data subject, arguably even where the data subject then declines to enter into the contract on the terms offered.
MEETING THE LEGAL OBLIGATIONS OF THE DATA CONTROLLER

Another important condition from the employer’s perspective is the third condition: the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract. Many personal data processing activities within HR are undertaken pursuant to this condition; for example, record-keeping to comply with health and safety requirements, disclosing data to government departments such as the National Insurance Contributions Agency or the DSS, obtaining personal data from the Inland Revenue and so on.

7. Reference 95/46/EC.
8. Legal guidance published in December 2001, ISBN 1 870466 23 3, Paragraph 3.1.5.

The legal requirements
PROTECTING THE VITAL INTERESTS OF THE DATA SUBJECT

Condition 4 applies where the processing is necessary in order to protect the vital interests of the data subject. This has been interpreted by the Commissioner to mean a ‘life or death’ situation and is not generally particularly useful in routine HR administration, although there could be circumstances involving the health of the data subject. [9]
THE ADMINISTRATION OF JUSTICE AND GOVERNMENT FUNCTIONS

The fifth condition relates to the administration of justice and Crown and public functions and is unlikely to apply generally in relation to HR. However, it will cover situations where personal data must be processed as part of a police investigation, for example, or it might be quoted as applying to information required by the Child Support Agency. It also covers the exercise of any other functions of a public nature exercised in the public interest by any individual. This would apply to processing undertaken on behalf of directors, officers or staff members who have a public role, for instance the chairperson or committee member of a professional institute or charity.
LEGITIMATE INTERESTS

The sixth condition is important in relation to most personal data processing activity. It applies where the following elements can be established:
- Legitimate interests;
- Of the data controller or third parties to whom the data are disclosed;
- Balanced against the rights and freedoms or legitimate interests of the data subject.
This is a catch-all to a large extent and covers processing which cannot be brought within the aegis of the contract of employment nor that of any other legal duty imposed on the data controller. It is qualified to the extent that the data controller should balance its own legitimate interests against those of data subjects. A key area where this condition may apply is in relation to any marketing activity undertaken to promote goods and services to employees. Many businesses promote their own goods and services to staff at discounted prices, and they may arrange for offers from other businesses to be made available as a ‘perk’ of employment. Where these promotions require the processing of personal data (for example, if invitations are specifically addressed to staff using name and work contact details), such processing would be legitimized by this condition for fair processing. Certainly, marketing activity would not usually fall within the contract of employment (unless the employer has committed itself to providing such opportunities as part of the remuneration package, which seems unlikely), nor is the employer meeting any other legal obligation when marketing to staff. Therefore the legitimate interests of the employer as a business provide a useful condition in these circumstances. The qualification that the rights and freedoms of data subjects should not be prejudiced would apply if, for example, an employee were to notify the company that they did not want to be included in promotional offers. From the date of receipt of such a notification, the employer would not be justified in relying on the sixth condition in relation to that employee, because the employee is entitled to exercise their right not to receive marketing literature and the employer is bound to respect that right when processing personal data in reliance on this condition for fair processing. The Commissioner has suggested a two-part test to establish whether this condition is appropriate in any particular case. The first part is to consider the legitimacy of the interests pursued by the data controller or third party. The second part is to consider the rights and freedoms or legitimate interests of the data subject and decide whether or not these are prejudiced by the processing activities of the data controller and, if so, whether the data subject’s interests override those of the data controller. There is provision for the Secretary of State to specify particular circumstances in which the sixth condition is, or is not, to be judged as satisfied. To date no order has been made pursuant to this clause.

9. See Legal Guidance – December 2001, Paragraph 3.1.3.
Meeting one or more of the conditions for the fair processing of sensitive data

Remember that processing involving sensitive data must meet one of the conditions for the fair processing of personal data as well as one of the following conditions for the fair processing of sensitive data. The two schedules are not alternatives: any processing involving sensitive data must be legitimized by reference to conditions from both lists. The conditions which qualify processing of sensitive data as fair are laid out in the table below and then explained in detail.

Condition: Comment
Explicit consent: Again unreliable in the HR context. Note that a higher level of consent (‘explicit’) is required than the ‘consent’ required by the conditions for the fair processing of ordinary personal data.
Legal obligations in connection with employment: For example, processing to meet SSP, Inland Revenue and Benefits Agency requirements. Consider also legal obligations in relation to other employees: for example, the disclosure of details of an infectious illness of one employee so that other employees can take preventive measures.
Vital interests of the data subject: Rarely used, a matter of ‘life or death’.
Non-profit-making bodies: Applies to restricted activities and data subjects.
Information already in the public domain: Cannot apply generally but only in relation to specific instances.
Legal rights: The establishment or defence of the legal rights of the employer: for example, discussing the dismissal of an employee for absence through sickness with a solicitor.
Administration of justice and government: Not generally useful in the HR context.
Medical purposes: Restricted again, probably to ‘life or death’ situations where consent of the data subject cannot be obtained.
Equal opportunities monitoring: An obvious condition for HR processing activity, designed for use where equal opportunities are promoted and not otherwise.
EXPLICIT CONSENT

The first condition is that the data subject has given their explicit consent to the processing of the personal data. As stated above, businesses are advised not to rely on consent as a condition to establish fair processing unless they are able to handle those situations where a data subject declines to give their consent. In addition, there is the issue that it is almost impossible to establish that consent is freely given in the employer/employee relationship. There is no definition of ‘explicit consent’ in the 1998 Act, but it is reasonable to assume that the requirement is more rigorous than the simple ‘consent’ required by the first clause of Schedule 2.
MEETING LEGAL OBLIGATIONS IN CONNECTION WITH EMPLOYMENT

This condition applies where processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. Obviously this will be a useful condition in the HR context. Note that there is no corresponding condition to that contained in Paragraph 2 of the Second Schedule, which states that processing necessary to perform a contract to which the data subject is party is fair processing. An example where the condition to meet an employment right or obligation might apply is where sensitive data is shared between employer and pension scheme trustees as part of routine liaison and communication, particularly when an employee is likely to retire early due to ill health. The rights and obligations relate to the contract of employment, which provides pension scheme membership as part of the employment remuneration package, as well as to the pension scheme rules. Another example is sensitive data relating to an accident or injury suffered at work, processed to meet health and safety requirements. Trade union membership is a category of sensitive data which might be processed in order to deduct union dues from a person’s salary. There is provision for the Secretary of State to specify particular cases where this condition may be excluded or to specify further conditions which must be met before the condition can be regarded as satisfied. To date no order has been made pursuant to this clause.
PROTECTING THE VITAL INTERESTS OF THE DATA SUBJECT OR ANOTHER

Condition 3 applies where processing is necessary in order to protect the vital interests of the data subject. This has been interpreted narrowly by the Commissioner to mean a ‘life or death’ situation and is not generally useful in routine HR administration. However, it is not as straightforward in application as its counterpart in Schedule 2, and further conditions apply. The processing must be necessary to protect the vital interests of the data subject or another person in a case where: first, consent cannot be given by or on behalf of the data subject or, second, the data controller cannot reasonably be expected to obtain the consent of the data subject. Where the claim is that the processing is necessary to protect the vital interests of another person, the data controller could show that consent by or on behalf of the data subject has been unreasonably withheld.
NON-PROFIT-MAKING BODIES

This condition applies where the data controller is not established or conducted for profit and exists for political, philosophical, religious or trade-union purposes. This condition will apply so long as the processing is carried out in the course of the data controller’s legitimate activities, with appropriate safeguards for the rights and freedoms of specific categories of data subject, and does not involve the disclosure of personal data to a third party without the data subject’s consent. The ‘specific categories of data subject’ referred to are those individuals who either are members of the data controller or have regular contact with it in connection with its purposes.
INFORMATION ALREADY IN THE PUBLIC DOMAIN

This condition provides that information comprising sensitive data which has been made public as a result of steps deliberately taken by the data subject may be processed by the data controller. A prime example of this condition in action occurred in January 2002, when government ministers used the press to publicly reject families’ claims that elderly patients had been failed by the National Health Service system by being left wearing soiled clothing and with the effects of their injuries unwashed. The rebuttal included sensitive data relating to these patients which explained that in their distress and confusion the elderly people had strongly resisted moves to clean and re-clothe them. This apparent disclosure of sensitive data was covered by the condition in Clause 5: as the patients and their families had already placed the details of these individuals’ health in the public domain via the press, the rebuttal simply made use of the same information, which was therefore already in the public domain. A sensible employer should seriously consider how wide a ‘public’ is required to establish that sensitive data is in the public domain. For example, an employee who contracts a contagious disease might alert some colleagues at work; whether or not this would be sufficient to warn all staff about the problem on the basis that the information is already in the public domain is doubtful. If disclosure of the identity of the employee were unavoidable, the employer would seek to rely on condition two: that its legal obligations to other members of staff require that sensitive data be processed.
LEGAL RIGHTS

This condition recognizes the need for sensitive data to be processed in connection with the establishing or defending of legal rights. An employer might seek to rely on this condition if an employee brings a personal injury claim against it for an accident or injury that occurred at work. It also allows for the processing of sensitive data necessary for the purpose of obtaining legal advice where legal proceedings are pending or anticipated.
ADMINISTRATION OF JUSTICE AND GOVERNMENT FUNCTIONS

As with Clause 5 of Schedule 2, this condition covers the processing necessary for the administration of justice, for the exercise of any functions conferred on any person by or under any enactment, or for the exercise of any functions of the Crown, a minister of the Crown or a government department. There is provision for the Secretary of State to specify particular cases where this condition may be excluded or to specify further conditions which must be met before the condition can be regarded as satisfied. To date no order has been made pursuant to this clause.
MEDICAL PURPOSES

This condition covers the situation where processing is necessary for medical purposes and is undertaken by a health professional or by a person who in the circumstances owes a duty of confidentiality equivalent to that which would arise if that person were a health professional. For the purposes of this condition ‘medical purposes’ includes the purposes of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health care services. This condition obviously has application in relation to occupational health screening (preventive medicine) and medical insurance (the provision of care and treatment and the management of health care services).
EQUAL OPPORTUNITIES MONITORING

This condition applies to processing of information as to racial or ethnic origin which is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins. The processing must be undertaken with a view to enabling such equality to be promoted or maintained, and must be carried out with appropriate safeguards for the rights and freedoms of data subjects. There is provision for the Secretary of State to specify particular circumstances in which processing is, or is not, to be taken to provide the appropriate safeguards for the rights and freedoms of data subjects. To date no order has been made pursuant to this clause. This is an important condition in relation to equal opportunities monitoring, although it is worth noting that many employers could rely on condition two, which would apply to processing necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. Equal opportunities monitoring is an obligation imposed by law on certain data controllers.
FURTHER CONDITIONS

Over and above the conditions for the fair processing of sensitive data included in the Schedule to the Act and detailed above, there is provision for the Secretary of State to specify additional circumstances in which the fair processing of sensitive data may be established. To date one order, the Data Protection (Processing of Sensitive Data) Order 2000, has been made. It provides for the fair processing of sensitive data in a variety of circumstances. These are laid out in the following table, and considered in detail below.

Circumstances: Comment
Prevention or detection of unlawful acts: Limited in application, requiring substantial public interest, not simple prevention of crime that affects the employer such as theft etc.
Confidential counselling services: Limited in application, also requiring substantial public interest; explicit consent must first have been considered and rejected.
Insurance and pensions: Limited in application, assisting the life and pensions industry only.
Equal opportunities: An obvious condition for HR processing activity but designed for use where equal opportunities are promoted, not otherwise.
Political opinions: Limited in application, applies only to political organizations, not businesses.
Research: Limited in application, restricted to substantial public interest.
Police: Limited in application, restricted to the police.
Prevention or detection of unlawful acts

The conditions require that processing be in the substantial public interest. Arguably any processing related to the prevention or detection of any unlawful act is in the public interest, but the requirement is that it should be in the ‘substantial’ public interest, so it is obviously not intended to be applied to any and all unlawful acts. The provisions are for:
- Processing undertaken in circumstances in which seeking the consent of the data subject would prejudice the prevention or detection of the unlawful act;
- Processing necessary for the discharge of any function designed to protect the public against dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, any person, or the mismanagement of any body or association.
Confidential counselling services

This condition requires that processing be in the substantial public interest and applies to processing necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service. There is a qualification that explicit consent should normally be sought, but this condition will apply if the processing is carried out without the explicit consent of the data subject, either because seeking consent would prejudice the provision of the counselling etc., or because consent cannot be given by the data subject, or because the data controller cannot reasonably be expected to obtain explicit consent.
Insurance business and occupational pension schemes

Conditions have also been established under the Sensitive Data Order to allow the fair processing of sensitive data necessary for the purpose of carrying on an insurance business or making determinations in connection with eligibility for, and benefits payable under, an occupational pension scheme. Only sensitive data relating to health may be processed under this condition, and only where it relates to the parent, grandparent, great-grandparent or sibling of an insured person or member of a pension scheme. A further qualification is that the processing must not support measures or decisions in connection with the data subject, that is, the relative whose data is processed. Thus information relating to the medical histories of close relatives may be processed for the purposes of assessing the risk posed by an individual making an insurance proposal or being considered for entry into pension scheme membership or benefits, but it cannot be processed to make a decision relating to the parent, grandparent, great-grandparent or sibling themselves. A final qualification is that the processing must be necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject (in this case the parent, grandparent, etc.) and is not aware that the data subject has withheld their consent.
Additional condition applying to processing to monitor equal opportunities

In the same way as sensitive data relating to race or ethnic origin may be processed fairly to monitor equal opportunities, so may sensitive data relating to religion be processed for this purpose. Interestingly, the Order also provides for data subjects to prevent such processing by notice to the data controller, which has the effect of creating a new mini-right for data subjects.
Processing sensitive data relating to political opinions

A new condition allows the processing of sensitive data relating to the political opinions of data subjects where the processing is undertaken by political organizations and where it neither causes, nor is likely to cause, substantial damage or distress to data subjects or any other person. The Order also provides for data subjects to prevent such processing by notice to the data controller.
Research

Processing that is in the substantial public interest and necessary for research purposes may benefit from another new condition for the fair processing of sensitive data set out in the Sensitive Data Order. The requirements are that the processing does not support measures or decisions with respect to any particular data subject unless the data subject’s explicit consent is obtained in addition, and that the processing neither causes nor is likely to cause substantial damage or distress to the data subject or any other person. Business research is unlikely to qualify as being in the substantial public interest, yet some sectors may be able to take advantage of the condition. Examples include pharmaceutical companies developing new drugs and universities and other research bodies operating on a non-profit-making basis.
The police

Processing that is necessary for the exercise of any functions conferred on a constable by any rule of law is fair processing under the Sensitive Data Order.
Summary

The conditions for the fair processing of personal data provide several options for employers processing personal data for personnel administration, the administration of employment benefits and pension schemes, marketing, and the meeting of health and safety requirements. The additional conditions which apply to the processing of sensitive data are much narrower in application. Key omissions include processing in the legitimate interests of the data controller, which is a useful catch-all in relation to personal data processing. Another omission is processing necessary for the performance of a contract to which the data subject is party. As a result employers should (rightly) conclude that fewer processing activities involving sensitive data will be permissible. Certainly there are limited grounds for the processing of sensitive data for marketing purposes, for example, unless the employer has the consent of the employee. Consent is something of an issue in the HR arena, as the Commissioner concurs with the view that consent by an employee to the personal data-processing activities of their employer is unlikely to meet any sensible interpretation of having been ‘freely’ given. So consent is, at the least, an inappropriate condition on which to rely in relation to the processing of personal data in regard to HR activities. It can be seen that consent is not a prerequisite to fair processing; many other conditions may apply, particularly in relation to the processing of personal data rather than sensitive data. Finally, it is worth noting that even where personal data processing activity meets one or more of the conditions for fair processing, it does not follow that the processing is fair. Fairness will depend on the circumstances of the processing (the subjective test referred to earlier) and on the subject information requirements being met.
Suggested actions

This is an area of data protection law that is largely unseen by the outside world. Only when an organization is under investigation in relation to other data protection problems will it be asked to declare on which of the conditions for fair processing it seeks to rely when processing personal data and sensitive data. However, the conditions contain many of the elements of modern data protection law, and making an initial assessment of the most likely conditions to apply to any processing activity is a useful exercise in the short term, leading to a greater understanding of data protection law. In the longer term it might prove invaluable: if the business or HR department is dealing with a data protection problem and the issue of conditions for fair processing arises, any advance thoughts on the subject will be helpful. Document any thoughts you may have on the conditions applicable to your department’s processing activity.
The requirement to supply subject information

The First Principle requires a data controller to supply specified information to data subjects before any personal data is obtained from them. The information required is:
- The identity of the data controller and, if the data controller has nominated a representative for the purposes of the Act, the identity of that representative;
- Details about the purposes for which personal data is processed or is intended to be processed;
- Any further information which is necessary, having regard to the specific circumstances in which the data is being or is to be processed, to enable the processing in respect of the data subject to be fair.
THE IDENTITY OF THE DATA CONTROLLER

This is a straightforward requirement, and in practice the data controller’s name usually features on literature where subject information is required. The ideal location for a subject information notice is on any form that purports to gather personal data. In relation to HR this means job application forms, pension scheme membership forms, sickness and absence forms, appraisal forms, etc. In-house forms usually carry the employer’s name, meeting the part of the requirement that the identity of the data controller must be shown. Where letters are used, for example when acknowledging receipt of a speculative CV or sending a statement of the standard terms and conditions of employment, the full legal title of the employer will be shown on the letterhead. Whether or not the full legal title of the data controller is required is not certain; there is no case law or handy definition to provide guidance. It does seem to be proper to use the full legal title for registered companies, however, as there can then be no doubt as to the identity of the data controller. This is an important aspect in the context of job advertisements which invite potential applicants to apply with details of their qualifications and experience. The advertisement is clearly inviting candidates to submit personal data, and the subject information requirements should be met within the body of the advertisement. Many employers rely on their company logo to indicate their identity, especially where the advertisement is double-branded with the identity of a recruitment agency. Advertisers should consider whether or not the legal titles of both agency and prospective employer need to be included in the text of the advertisement. It may not be necessary where the advertiser is a household name, but many companies overestimate their public reputation or use a corporate identity in connection with several trading companies in a group. It is a point to consider.
An example of a representative nominated for the purposes of the Act would be a share registrar nominated to handle queries from shareholders of the data controller. The company in which shareholders have chosen to invest is the data controller, the administration of the share register is outsourced to a share registrar service provider, and it is practical for queries to be handled directly by the registrar. In these circumstances the registrar can be nominated as representative of the data controller for the purposes of the Act.
THE PURPOSES FOR WHICH THE DATA IS INTENDED TO BE PROCESSED

These should include a reference to the main processing activity and any ancillary activities. Care needs to be taken to identify all processing activities for inclusion in the wording of the subject information notice.
ANY OTHER INFORMATION RELEVANT IN THE CIRCUMSTANCES

One way to identify what information could be relevant is to consider whether there is any information which would affect the data subject’s decision to supply the information requested. This includes, for example:
- Details of any third parties to whom the data will be disclosed;
- Other sources of personal data relating to the data subject;
- The consequences of not supplying the information requested;
- The period of time during which the personal data will be retained.
So, for example, a subject information notice on a job application form might read:

    The information requested on this form is required for the purpose of assessing your suitability for employment with (Name of Employer Limited). All the information we request is necessary to assist us in making our employment decision and we may not be able to process your application further if you do not answer all the questions. We will take up references from the persons you nominate on the form. If your application is successful, the application form will form part of your contract of employment with the firm. If your application is unsuccessful we will hold this application form for a period not exceeding one year in case any other suitable position arises.

This draft notice covers:
- The identity of the data controller [Name of Employer Limited].
- The purposes for which the data will be processed: assessing suitability for employment and, if successful, forming part of the contract of employment.
- Other information relevant in the circumstances, such as:
  – ‘If some of the information requested is not provided we may not be able to process your application’, and
  – ‘We will seek information from referees . . .’, and
  – ‘We hold unsuccessful applications for an unusually long period of time.’ (Six months is accepted as the usual period.)
DATA OBTAINED FROM THIRD PARTIES
Where personal data is not obtained direct from the data subject but from a third party, the data controller should ensure that the data subject was given a subject information notice which included the fact that the data would be disclosed. If an appropriate notice has not been given, the data controller must provide subject information when the data is first processed by them. It is assumed, therefore, that if a data controller purchased a mailing list, when first using the list to mail to data subjects, appropriate wording should be included about the data controller’s personal data-processing activities. Where data is not collected direct from the data subject, the data controller is still under an obligation to ensure that the appropriate subject information notice has been given; otherwise they must give an appropriate subject information notice direct to the data subject within a reasonable time of commencing processing activity. In practice this means checking what information has been received by the data subject at the time the personal data was obtained. If an employer uses a recruitment agency or headhunter, the information provided by the agency to the data subject will determine whether or not an additional subject information notice is required to cover the employer’s processing activity. When an employer is asked to provide a reference, it should check that the data subject is aware that references are being taken up and agrees to the provision of the information requested. There are exceptions to the requirement to provide subject information notices where the personal data was obtained from a third party. These apply:
• Where providing the subject information would involve disproportionate effort, or
• Where the disclosure is one required by law.
If a data controller intends to rely on the disproportionate effort exemption they must record the reasons why compliance involves disproportionate effort. The subject information provisions are a new requirement under the 1998 Act and may require changes to documentation so that subject information is assured of reaching the target. Forms requesting personal data are an obvious location for a notice: for example, job application forms, product or service application forms, quotation forms, cut-out forms in newspapers. Areas more difficult to deal with are telephone interviews and face-to-face interviews in the course of which personal data is recorded. Procedures are required to ensure that staff carrying out telephone or face-to-face interviews provide a scripted subject information notice or a document including such a notice for the data subject to read. It will still pose a higher risk to compliance than would, say, a printed statement on a form because in most cases it will not suffice to show that subject information is provided. If one data subject does not receive the specified information, then the processing of personal data relating to them is unfair. The test is a subjective one.
TIMING OF PROVIDING SUBJECT INFORMATION
Clause 2 of Part II of Schedule 1 considers two scenarios: the first where the data is obtained from the data subject and the second where it is obtained from a third party. It is not specifically stated that subject information should be provided before personal data is obtained, but the Commissioner has always insisted that this should be the case. This is sensible as obtaining personal data direct from the data subject obviously involves some form of communication between the data controller and the data subject and, therefore, providing subject information is not difficult. Also, as the data subject may make a decision whether or not to supply the data requested on the basis of the data controller’s stated processing purposes, this must be provided before any personal data is supplied. In the second scenario, where the personal data is sourced from a third party, the requirement is that subject information be provided before the ‘relevant time’. This is defined as the time when the data controller first processes the data or within a reasonable period of disclosure to a third party being envisaged. This means that the data controller who sources personal data from a third party must check what subject information was provided to the data subject(s) and, if this is not adequate, supplement it with further information to meet the requirements of the First Principle. An obvious example is where a company buys in a mailing list. If the list is used for direct marketing, an appropriate subject information notice should form part of the first marketing initiative involving persons named on the list. This will be acceptable and within the relevant time.
PROMINENCE OF SUBJECT INFORMATION – SIZE AND POSITIONING
The Information Commissioner has stated that it would be inappropriate to set down rules about the size, positioning and wording of notification clauses, so it is a matter of judgement, and data controllers should keep ‘fairness’ in mind. The following are questions the Commissioner’s Office would consider when assessing the adequacy of the prominence given to a notice:
1) Is the typeface or font in the notification of at least an equivalent size to the typeface or font used in the rest of the form?
2) If not, is the print nevertheless of sufficient size for the data subject’s eye to be drawn to it?
3) Are the layout and print size such that the notification is clear and easy to read?
4) Is the notification placed at or very close to the place where the data subject supplies their details or signs the form?
5) If not, is it placed in such a way that the data subject will inevitably see it in the course of filling in the form?
6) If not, is it nevertheless placed where the data subject’s eye will be drawn to it?
7) Is the general nature and presentation of the form such that it conveys to the data subject the need to read carefully all the details including the notification clause?
As a general rule, the size of font or typeface used for the notice should be no less prominent than any font or typeface used for any other part of the document.
WHAT MAKES AN EFFECTIVE NOTICE?
The following are the type of questions the Commissioner’s Office is likely to consider when assessing the efficacy of subject information:¹⁰
1) Do the words used convey all the likely non-obvious uses and disclosures of the customer’s information?
2) Do the words properly convey the fact that information about the customer will be passed on to others?
3) Do the words convey the full implications for the customer of the use or disclosure, for example that he/she might receive telephone marketing calls?
4) Do the words explain the above in a way that would be understood by the great majority of likely data subjects?
MARKETING FAIRLY
It has already been seen that a subject information notice should contain all information relevant in the circumstances to allow a data subject to decide whether or not to supply the personal data requested. Clauses which explain about the use of personal data for marketing activity should include an opt-out, so that data subjects can decline to allow their personal data to be used for marketing purposes. Although many European countries require positive action from a data subject to indicate a willingness for their personal data to be used for marketing purposes (an opt-in clause), the Commissioner’s Office accepts that the position in the United Kingdom, where opt-out clauses are standard, is acceptable.
10. Text taken from Commissioner’s website.
TELEPHONE MARKETING
Any intended use of personal data for the purposes of telemarketing or telephone work should be specifically disclosed.
EXEMPTIONS FROM THE SUBJECT INFORMATION REQUIREMENTS
There are no significant exemptions from the requirement to supply subject information. Also it should be noted that the subject information provisions take effect to overrule any enactment or rule of law prohibiting or restricting the disclosure, or authorizing the withholding, of information. The main force of this provision is felt in relation to subject access requests, but it makes the point that data protection law overrides many other areas of law, and any organization choosing, for example, not to comply with the subject information requirements had better take legal advice on the likely consequences.
EXAMPLES FROM THE EMPLOYMENT PRACTICES DATA PROTECTION CODE
The Employment Code provides that when advertising a job the name of the employer and any recruitment agency must be clearly indicated so that applicants are aware of the name of the organization(s) before they submit any personal data. The purposes for which the personal data will be processed should also be stated if this is not obvious. The purpose of making a recruitment decision or selecting a shortlist will usually be obvious as the text of advertisements invites prospective candidates to apply for the position advertised. However, care must be taken with any other non-obvious purposes to which the data is to be put. For example, if an applicant’s details are to be assessed to identify their suitability for a training programme when they are not suitable for the job advertised, this should be stated. The location of subject information notices will depend on the correspondence between data controller and data subject. If a telephone interview is conducted, then a spoken form of words will be required. If applications for a job are invited online, then an appropriate form of words is required on the web page before the data subject submits their application. If the employer undertakes pre-employment vetting, it should be made clear to the data subject that such vetting will take place and how it will be conducted.¹¹ If the details of unsuccessful applicants are to be retained against future suitable positions, this is information ‘relevant in the circumstances’ and applicants should be advised of it as part of the subject information requirements. They should be given the opportunity to have their details removed from the relevant file.¹²
11. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 7.3.
12. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 8.5.
RECOMMENDED ACTIONS
Take the time to identify how personal data is obtained and its use for HR purposes. Your list is likely to include application forms, CVs, employee details forms and pension scheme forms for new employees. On a continuing basis you might receive personal data relating to employees on sickness and absence forms, in accident books, on appraisal forms and in training feedback. Some of the data will be provided by third parties: the Inland Revenue, Benefits Agency, referees, doctors and recruitment agencies. Most data will be supplied by the employees themselves. Normal HR activities will involve the processing of personal data for HR administration and the administration of employee salaries and other benefits; work planning and management may also be relevant. Remember to include marketing activity if the organization’s goods or services are promoted internally using personal data or if affinity schemes are in place (whereby a third party promotes to a group of data subjects – in this case, the employees of an organization – offering discounted goods and services). Once you have identified how personal data is obtained and its use around the organization, draft appropriate subject information notices and ensure these are included on forms, in staff handbooks, etc. so that all current and prospective employees will see them. Remember to include temporary workers and contractors. Remember also to put a notice on your web site if you invite applications over the internet. Document how and when this review was undertaken and what actions resulted from it. This may prove useful in future if your organization or department is challenged on data protection issues. Check that third parties which supply personal data have given appropriate subject information notices. Pay particular attention to recruitment agencies: it is a good idea to give them a note of the points you would like to be drawn to the attention of prospective candidates when you are recruiting. Include subject information in that list of points. Read the recruitment section of the Employment Practices Data Protection Code and make sure that your procedures and documents meet the required benchmarks. If you decide that a particular benchmark is not appropriate to your department or organization, document the reasons for future reference.
CHAPTER
15 The Second Principle
Interpreting the Second Principle
The Second Principle reads: ‘Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.’ The key elements of the Principle are that:
• Personal data must be processed for purposes known at the time of obtaining the data.
• All processing must link back to the original purpose for which it was obtained.
• All purposes for which data is processed must be lawful.
Each of these three elements needs to be considered and its impact on personal data processing in the HR context assessed.
Personal data must be processed for purposes known at the time of obtaining the data
This is probably the biggest restriction in current data protection law. Organizations must be able to identify the purposes for which the data will be processed before (or at the time of) obtaining the data. It means that personal data cannot be sought in the hope that one day it will be useful for purposes as yet unknown. This accords with the First Principle which requires that individuals be given prescribed information before any personal data is obtained. (See Chapter 14.) The prescribed information includes the purposes for which the data is intended to be processed. So if the purposes are unknown at the time of obtaining the data, the individual data subjects cannot be given the required information. The requirement is to specify the purposes for which personal data is processed. In addition to meeting the subject information requirements of the First Principle, the entry in the Data Protection Register includes specified purposes for which personal data will be processed. For the HR department, this means that all the activities for which employee personal data is processed need to be identified. The obvious ones relate to employment administration, the administration of employee benefits and work planning and management. Less obvious ones might include marketing to employees and the use of personal data by third parties measuring the assets and liabilities of the employer for purposes of mergers and takeovers. These are the processing purposes which must be disclosed to employees to meet the subject information requirements. For more detailed guidance and suggested actions to help meet the subject information requirements, see page 13. The purposes for which employee personal data are processed should coincide with the employer’s notification entry on the Data Protection Register.
All processing must link back to the original purposes for which it was obtained
‘Processing’ is defined to include using, holding and disclosing personal data. Thus any activity involving personal data after it has been obtained is subject to this rule, that it be handled in such a way as to be compatible with the original purpose for which it was obtained. For example, data obtained from an employee for the purpose of payroll administration may be disclosed to the Inland Revenue because that disclosure is compatible with the original purposes. However, to disclose that same data to a charity seeking to collect funds for a good cause would not be compatible with the purpose of payroll administration. The main danger to employer data controllers is unintentionally restricting HR activities by failing to have correctly worded subject information for employees. In general it is preferable to use wide wordings to describe HR activities and give examples rather than try to create a definitive list. When personal data is to be processed for a ‘new’ purpose – that is, one that was not foreseen and therefore not included in subject information at the time of obtaining the data – then the permission of the data subject is required. This is in itself a problem in the HR context. (See page 21.) However, that is what will be required before the processing can take place.
All purposes for which data is processed must be lawful
This necessarily follows on from the First Principle (see Chapter 14). An example of unlawful processing would be the disclosure of personal data in breach of a duty of confidentiality. Employers owe their employees a duty of confidentiality in relation to employee personal data. This would be breached if the employer were to publicize details of an employee’s home life without their prior agreement.
Limited exception to the requirement to comply with the Second Principle
In limited circumstances there is an exemption from the requirement to comply with the Second Principle. Where the processing of personal data is only undertaken for research purposes (including statistical or historical purposes) then it is not to be regarded as incompatible with the purposes for which it was obtained so long as the following requirements are met:
• The data must not be processed to support measures or decisions with respect to particular individuals.
• The data must not be processed in such a way that substantial damage or distress is, or is likely to be, caused to any data subject.
This means that if personal data is processed for genuine research purposes, the processing need not relate to the purpose for which the data was originally obtained. However, the data must not be used to make decisions about individual data subjects. For example, if an employer keeps detailed records of the reasons for employee absences, the stated purpose of processing that personal data is to administer the company’s sick pay scheme and SSP. The employer may then decide to undertake an occupational health study of its employees over a given period purely for purposes of research. This purpose was unforeseen at the time employees were asked for information about their absences from work and therefore no subject information was provided. Processing the sickness records for this new purpose would be in breach of the Second Principle; however, it would be permissible under the exemption for research purposes. Note that the employer would not be able to use the research to identify individuals whose behaviour deviated from the norm in any way. Such use would amount to making decisions about individual data subjects and would invalidate the exemption, which provides that personal data must not be used to support measures or decisions relating to particular individuals.
CHAPTER
16 The Third Principle
Interpreting the Third Principle
Principles Three to Five inclusive are the most straightforward of the Eight Principles. The Third Principle in particular has no interpretative provisions to be taken into account. The text may be read and understood at face value. The Third Principle reads: ‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’ The terms ‘adequate’, ‘relevant’ and ‘not excessive’ are considered separately below. None of the terms are defined. We must make judgements as to what is adequate, relevant and not excessive in each case. This may vary according to circumstances. Some examples from the Information Commissioner’s caseload are included at the end of the chapter.
Personal data to be adequate for the purpose
An employer holds personal data relating to its employees for the purposes of employee administration. Routine employee administration includes administering employee benefits and remuneration as well as maintaining records of annual leave and absences through illness or injury. Job performance and evaluation can also be seen as part of employee administration; recording appraisals, disciplinary and grievance issues are valid activities under this heading. Employee administration also covers keeping records relating to former employees so that the employer is able to respond to requests for references from other employers and to supply information which may be requested by the Inland Revenue or Benefits Agency. If the employer holds insufficient information to be able to meet these obligations, it would be holding inadequate records for the purpose for which personal data was intended to be processed. Therefore the measure of adequacy relates to being able to meet obligations undertaken as part of the original purposes for which data was obtained. An employer is under an obligation to an employee to administer the contract of employment correctly and fairly during employment and to provide information about the employee to outside organizations as requested by the employee. It is also under an obligation to provide information relating to employees and ex-employees to a number of government departments and statutory bodies. Employers’ record-keeping policies should be based on meeting these obligations. Thus adequacy relates not only to the information sought from data subjects but also to the length of time the data controller considers it necessary to retain the information. There is no official guidance on appropriate document retention periods. It is reasonably considered to be a matter dependent on the business and its particular circumstances.
However, an early draft of the Employment Code included a table of recommended retention periods for HR records. This is reproduced on page 61.
Personal data to be relevant to the purpose
The Employment Code gives several good examples of obtaining data that is not relevant to the purpose. Employment application forms often include questions relating to employee administration rather than the recruitment decision. One example is National Insurance numbers, which are routinely sought on application forms. These have no impact on the recruitment decision and are sought at this early stage simply to ease the administrative burden of setting up new employee records and payroll. However, the Information Commissioner’s view (in the Employment Code) is that the information is not relevant to the recruitment decision. Furthermore, as a number of application forms completed by unsuccessful candidates will also include National Insurance numbers which will never be used at all, these should not be routinely obtained from all candidates but only from the successful candidate. This is a slightly different aspect of relevance. If information is sought in several cases but only really needed in one case, that constitutes processing personal data that is not relevant. Another example of this is the question on job application forms relating to whether or not the applicant holds a current driving licence. This information is only relevant in relation to applicants for jobs as drivers or where a company car is offered as part of the remuneration package. It should not be routinely sought in relation to candidates for other positions where driving a vehicle is not part of the job. If some of the questions on the application form are not relevant to all jobs, data is therefore being sought which is irrelevant. Organizations are expected to differentiate between the level of detail required from a prospective senior manager and that required from a new postroom worker. The effect of the requirement to process relevant data could well signal the end of job application forms. HR departments are being directed towards restricting questions on application forms to those relevant to the recruitment decision and towards differentiating between senior and less senior roles under recruitment.
Personal data not excessive for the purpose
There is substantial overlap between what is relevant and what is not excessive. Take the example of application forms which include questions that are not relevant to the recruitment decision and some that are not relevant to the level of job advertised. To obtain data from a number of prospective candidates must result in obtaining personal data that is excessive for recruitment purposes. Obtaining ten National Insurance numbers when only the one belonging to the successful candidate will be required means that the organization is holding excessive data. Obtaining information about driving licences from candidates for jobs which do not involve driving is likewise excessive for the purpose.
Other published guidance
Guidance on the 1984 Act issued by the Information Commissioner’s Office included a list of factors to be taken into account by enforcement teams when judging whether personal data was adequate, relevant and not excessive for the purpose. These are the factors:
• The number of individuals on whom data is held.
• The number of individuals for whom data is used.
• The nature of the item of personal data.
• The length of time for which it is held.
• The way it was obtained.
• The possible consequences for individuals of its holding or erasure.
• The way in which it is used.
• The purpose for which it is held.
The point is made in the guidance that the Office would not accept that information is relevant merely on the say-so of the data controller.
Examples
The following cases illustrate the application of the Third Principle.¹
In processing a mortgage customer’s application for a current account, a bank was found to have acted in breach of the Third Data Protection Principle when it carried out three credit reference checks on the applicant. A series of unfortunate circumstances resulted in the customer being the subject of a marker on his bank account indicating possible fraud. Thus the processing of the personal data was inadequate and excessive.
A health authority carried out a ‘lifestyle survey’. A question had been included in the survey which did not relate clearly to either the data subject’s health or the declared aims of the survey. The inclusion of the question was held to be a breach of the Third Principle because it was irrelevant.
An indicator on an individual’s credit reference file showed that the bank account holder had got into financial difficulties. Although this was accurate, it was still held to be inadequate because the fact that the individual had entered into an agreed arrangement with the bank to rectify the situation had not been recorded.
The Employment Practices Data Protection Code
Considering relevance in relation to vetting procedures, the Employment Code recommends that vetting should only be undertaken where there are ‘particular and significant risks to the employer, clients, customers or others’ and it provides that other, less intrusive alternatives should be considered before undertaking vetting. Also, vetting should be targeted at successful applicants and at the specific risk identified, not undertaken generally on all applicants. It should not be used for general intelligence-gathering: in other words, ensure that the extent and nature of personal data sought is relevant and not excessive for the purpose for which it is being processed.²
1. Taken from the Commissioner’s Case histories and enquiries for 2000–2001.
2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmarks 7.1, 7.2, 7.4.
CHAPTER
17 The Fourth Principle
Interpreting the Fourth Principle
Principles Three to Five inclusive are the most straightforward of the Eight Principles. There are no additional requirements set out in the interpretative provisions to be taken into account. The interpretative provisions serve several purposes. As well as setting out additional compliance requirements, notably for the First and the Seventh Principles, there is some codification of the accumulated wisdom on interpretation dating back to the 1984 Act. The absence of any additional compliance requirements means that the text of Principles Three to Five may be read and understood at face value. The Fourth Principle reads: ‘Personal data shall be accurate and, where necessary, kept up to date.’ The text of this Principle is unchanged from the 1984 Act, although the numbering is different; it was formerly the Fifth Data Protection Principle. The interpretation of the Principle has changed subtly. A useful proviso has been added to give a bit of flexibility in certain cases where inaccurate data is processed despite the data controller having taken reasonable steps to ensure its accuracy. There are two elements to this Principle. Personal data should be:
a) accurate and
b) kept up to date where necessary.
Accuracy
The requirement that personal data be accurate is not absolute. Where personal data is inaccurate but the data controller can show that the information in the data is reproduced in its records exactly as it was obtained, then there is no breach of this Principle. So, for example, if an employee completes a job application form and supplies inaccurate information which the employer believes to be true, then the employer is not in breach of the Fourth Principle even though its employee personal data contains inaccurate information. Where possible the data controller should take reasonable steps to ensure the accuracy of personal data. So, again using the example of the employee supplying false information on a job application form, if the false information were that their date of birth was in 2003, this is evidently inaccurate and the employer should confirm the actual year of birth for the record. The same applies where the inaccurate information can easily be checked: for example, if the employee gives a National Insurance number which differs from that on their P45, the employer would be expected to investigate further and not accept the information at face value.
A further qualification to the requirement that personal data be accurate applies where the data controller holds information which is known or believed to be inaccurate but a note has been made on the record that this is the case. There may be occasions when retaining an original inaccuracy has value for the data controller and the Fourth Principle cannot be used to require it to amend its records and erase the inaccurate information. So, for example, a discrepancy in employment dates on a job application form might be explained by the data subject (job applicant) but the data controller would wish to retain the data in its original form with an explanation of the inaccuracy. The record might be retained in this form as part of a disciplinary action or simply as an anomaly to bear in mind in future dealings with the employee.
OTHER PUBLISHED GUIDANCE
Guidance on the text of the Fourth Principle issued under the 1984 Act is still relevant, the text of the Principle having remained unchanged. In ‘The Guidance – Third Series’ published in November 1994 in relation to the 1984 Act, the Registrar commented that the first part of this Principle (then the Fifth Principle) is stated in unqualified terms. Ergo data is either accurate or it is not. However, when considering whether or not it would be appropriate to take action against a data controller found to be in breach of the part of the Principle requiring accuracy, the following factors would be taken into account:
• The significance of the inaccuracy. Has it caused, or is it likely to cause, damage or distress to the data subject?
• The source from which the inaccurate information was obtained. Was it reasonable for the data controller to rely on information received from that source?
• Any steps taken to verify the information. Did the data controller attempt to check its accuracy with another source? Would it have been reasonable to ask the data subject, either at the time of collection or at another convenient opportunity, whether the information was accurate?
• The procedures for data entry and for ensuring that the system itself does not introduce inaccuracies into the data.
• The procedures followed by the data controller when the inaccuracy came to light. Were the data corrected as soon as the inaccuracy became apparent? Was the correction passed on to any third parties to whom the inaccurate data may already have been disclosed? Did the inaccuracy have any other consequences in the period before it was corrected? If so, what has the data controller done about those consequences?
Keeping personal data up to date
The Fourth Principle provides that personal data be kept up to date only where necessary. A record intended to provide a snapshot of circumstances as at a given date will not require updating. For example, a sensible employer will require employees to keep it advised of changes in their circumstances, such as a change of address. However, it is not necessary for the employer to update the individual’s recruitment file, application form, etc. to show the new address. The recruitment file shows data correct as at the date of recruitment; subsequent changes in details are recorded elsewhere.
OTHER PUBLISHED GUIDANCE
The Commissioner has stated1 that it may be important for the purpose of the data processing that personal data be current, for example where personal data is processed to determine whether or not to provide credit. This is an area where a data subject could suffer damage (by not being offered credit) if personal data is inaccurate. The guidance sets out factors for data controllers and the Information Commissioner’s Office to take into account:
• Any record of when personal data was obtained or updated.
• Awareness of the data controller that personal data may not be up to date.
• Any procedures to update personal data and the effectiveness of those procedures.
• Whether or not the non-currency of the personal data is likely to cause damage or distress to the data subject.
Examples
Inaccurate personal data may cause damage or distress to a data subject. The following examples (taken from the Commissioner’s case histories) illustrate the need for personal data to be kept up to date.
A complaint was received about personal data recorded on a credit reference file. Although the account had been written off some years earlier and the balance on the account was nil, nevertheless the impression was given that the account was current. Under normal procedures an account written off would be removed from current files after a set period, usually six years from the relevant date. This particular account with its current indicator would remain on file indefinitely in contravention of the lender’s normal practices. This was found to be a breach of the Fourth Principle.
Again, the potentially significant impact on a data subject of inaccurate personal data is shown by a case involving a loan applicant. The bank operator recording details of the application incorrectly accepted archive details relating to the applicant’s home address and employment. When the bank tried to contact the applicant, using the inaccurate details, it appeared as though a false address and false employment details had been provided. The bank concluded that an attempt was being made to obtain a loan fraudulently. As a result a fraud warning indicator was attached to the file and may have been shared with other financial institutions in due course. The fraud warning was deleted once the mistake had been brought to the attention of the bank.
Inaccurate personal data can give a misleading impression. Two individuals once married to each other but now divorced complained that a credit reference agency had declined to note that they were not now connected. The root of the problem was an incorrect assumption by a member of the agency’s staff that the two were in fact still connected. This was found to be a breach of the Fourth Principle.
A police force mistakenly attributed another person’s record to an individual undergoing an employment vetting check. The individual complained that this constituted a breach of the Data Protection Act. The police force agreed to modify its procedures to prevent a recurrence and made an ex-gratia payment to the individual.
1. December 2001 Legal Guidance paragraph 3.4.
The Employment Practices Data Protection Code
The Employment Code recommends that where information is sought from a third party in support of a prospective candidate’s application for employment, the candidate should be given the opportunity to explain any discrepancies that the information reveals. This provides a check on the accuracy of the material sourced from the third party as well as meeting fair processing requirements.2 A further recommendation is that only personal data which can be justified as relevant either to the recruitment process or to defending the recruitment process against challenge should be recorded and retained following interview.3
2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 4.3. 3. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 6.1.
CHAPTER
18 The Fifth Principle
Interpreting the Fifth Principle Principle Five is a very straightforward one. There are no interpretative provisions to be taken into account at all. The absence of any additional compliance requirements means that the text may be read and understood at face value. The Fifth Principle reads: ‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’ This is a clear exhortation to purge computer and paper files and delete old and unwanted information even where this comprises personal data. It goes even further than that because it challenges data controllers to consider the length of time for which personal data is retained and whether or not those retention periods are appropriate with regard to the purpose for which the data was obtained. The key to processing personal data in accordance with this Principle is to ensure that appropriate document retention policies and guidelines are in place and being followed. Furthermore, if these differ from what would normally be expected to apply, the reasons why an unusual retention period or unusual deletion policy was considered necessary in the circumstances should be documented. See page 61 for guidance on retention policies.
Data held for research purposes
Records that are retained for purposes of research should have personal data removed from them where possible, anonymizing the records so that no data subjects are identifiable from the information retained. Section 33 of the Act provides that personal data held only for research purposes (including statistical or historical purposes) may be held indefinitely (disregarding the provisions of the Fifth Principle) so long as the following requirements are met:
• The data must not be processed to support measures or decisions with respect to particular individuals.
• The data must not be processed in such a way that substantial damage or distress is, or is likely to be, caused to any data subject.
This useful exemption under Section 33 is not lost even where:
• Personal data is disclosed to another person so long as it is for research purposes only;
• It is disclosed to the data subject, at his request or with his consent;
• It is disclosed to a person acting on behalf of the data subject;
• A person makes the disclosure reasonably believing that the disclosure falls within these grounds when in fact it does not.
Other published guidance If personal data has been processed pursuant to a relationship between data controller and data subject, then the retention of the personal data should be considered at the termination of that relationship in the view of the Commissioner.1 The example given relates to HR: For example, the data subject may be an employee who has left the employment of the data controller. The end of the relationship will not necessarily cause the data controller to delete all the personal data. It may well be necessary to keep some of the information so that the data controller will be able to confirm details of the data subject’s employment for, say, the provision of references in the future or to enable the employer to provide the relevant information in respect of the data subject’s pension arrangements. It may well be necessary in some cases to retain certain information to enable the data controller to defend legal claims, which may be made in the future. Unless there is some other reason for keeping them, the personal data should be deleted when the possibility of a claim arising no longer exists, i.e. when the relevant statutory time limit has expired.
The Employment Practices Data Protection Code The Employment Code recommends that employers establish appropriate employee record retention policies based on the business need and that these should be rigorously adhered to.2 One of the early drafts of the Employment Code included a suggested table of retention periods relating to HR files and records. Although this was removed from the final version it provides a useful insight into the sort of retention periods the Information Commissioner considers appropriate. The table is reproduced on page 61. In the recruitment process, once a decision to appoint a candidate has been made careful consideration should be given to what personal data is to be transferred from the recruitment file to the employee’s work records. Some of the information will not be relevant and should be destroyed, particularly that relating to sensitive data on criminal convictions and the detail of any vetting exercises (although the results of the vetting process may be retained).3
The CCTV Code of Practice The CCTV Code provides some suggested retention periods for recorded images in different circumstances, applying the Fifth Principle. 1. December 2001 Legal Guidance etc., paragraph 3.5. 2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 8.1. 3. The Employment Practices Data Protection Code, Recruitment and Selection, benchmarks 8.2, 8.3, 8.4.
Publicans may find seven days an appropriate length of time to keep recorded images if the purposes of the processing are public safety and the detection and prevention of crime because they will soon be made aware of any incident, such as a fight, occurring on their premises. Organizations which record images of street activity for crime prevention purposes may not need to retain images for longer than thirty-one days unless they are required for evidential purposes in legal proceedings. Banks and building societies recording images at ATMs for the purposes of resolving customer disputes might reasonably retain recorded images for up to three months in order to provide information about cash withdrawals. The Information Commissioner suggests this retention period, which is based on the interval at which individuals receive their account statements.
CHAPTER
19 The Sixth Principle
This chapter focuses on the Sixth Data Protection Principle and the interpretative provisions relevant to the Sixth Principle contained in Schedule 1 to the Act. The Sixth Principle is concerned with data subject rights. It reads: ‘Personal data shall be processed in accordance with the rights of data subjects under this Act.’ The meaning of ‘rights of data subjects’ is not open-ended. The rights are restricted to those created pursuant to specific sections of the Act. They are:
• Subject access request;1
• Notice from a data subject that he or she is exercising his or her right to prevent processing likely to cause damage or distress to himself or another;2
• Notice from a data subject that personal data relating to him or her should not continue to be processed for purposes of direct marketing;3
• Notice requiring the data controller to ensure that certain decisions taken by automated means be reviewed.4
A breach of any of these rights can be assessed by the Information Commissioner’s Office but the rights are enforceable through the Courts.
Data subject rights not covered by the Sixth Principle Other data subject rights are created by the Data Protection Act, and these are rights granted on application to the court. These are: . The right to compensation for failure in certain circumstances; . Rights in relation to inaccurate data.
There are yet other rights, created by the Sensitive Data Order which sets out additional conditions for the fair processing of sensitive data. Certain of these conditions are qualified by allowing data subjects the right to prevent the processing of sensitive data relating to them under the condition. Each subject right is considered below.
1. Data Protection Act 1998 Section 7.
2. Data Protection Act 1998 Section 10.
3. Data Protection Act 1998 Section 11.
4. Data Protection Act 1998 Section 12.
Subject access request
Data subjects have a right to a copy of any information comprising personal data relating to them that is in the control of the data controller. ‘Control’ means in its possession or in the possession of a party over which the data controller has power to demand its possession. This is the case where the personal data is in the possession of a data processor who holds the data on behalf of the data controller. A data subject who makes a request is entitled to:
• Confirmation that the company holds personal data relating to them.
• Be advised if the data is subject to any automated decision-making process.
• Be advised of the logic involved in any automated processing in certain circumstances.
• Be advised of the purposes for which personal data relating to them is processed.
• Be advised of the sources of the personal data.
Data controllers may charge data subjects a fee of up to ten pounds to help towards administration costs. The data controller has forty days from receipt of the fee in which to consider the validity of the request and whether any exemptions apply and to supply the information requested or explain why certain information is being withheld. An explanation of codes and references used in the information must be provided if the meaning is not clear. The information must be provided in legible form unless an alternative medium is agreed with the data subject or if providing it in a legible form would involve ‘disproportionate effort’. The logic involved in any automated processing must be disclosed in certain circumstances. These are where a decision:
• Significantly affects a data subject, and
• Is, or is likely to be, made by fully automated means, and
• Involves evaluation of the data subject: for example their performance at work, their creditworthiness, etc.
A data controller does not have to comply with this part of the subject access request if the disclosure of the logic involved in the automated processing would constitute the disclosure of a ‘trade secret’.
SUBJECT ACCESS RIGHTS – EXCEPTIONS
There are limited exceptions to the requirement to comply fully with a valid subject access request.5 Other than in respect of ‘the formalities’ (see below), where exceptions apply, they apply in relation to specific information which may be withheld. Other relevant information (that is, personal data relating to the data subject making the request) must still be disclosed in accordance with the subject access procedure in Section 7 of the Act. The following list, while not comprehensive, considers some of the more generally applicable exceptions.
5. Set out in Section 7 of the Data Protection Act 1998, Schedule 7 and various Orders made under the Act.
THE FORMALITIES
A data controller is not obliged to comply with a request for subject access unless he has received:
• a request in writing, and
• a fee not exceeding ten pounds if applicable (a lower fee applies to credit reference agencies and a higher one to certain health records), and
• such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information sought.
The Freedom of Information Act 2000 has added a further proviso to the final point.6 Where a data controller reasonably requires further information to confirm the identity of the data subject and to locate the information sought, and asks the data subject for it, then if that information is not supplied the data controller is not under a duty to comply with the subject access request.
PERSONAL DATA RELATING TO OTHER DATA SUBJECTS
Where compliance with the request would necessarily involve the disclosure of information relating to another individual (including the fact that information has been provided by that other party) who can be identified from that information, there is no obligation to comply with the request unless:
• The other party has consented to the disclosure of the information to the person making the request, or
• It is reasonable in all the circumstances to comply with the request without the consent of the other party.
In this context what is ‘reasonable’ will depend on:
• Any duty of confidentiality owed to the other party.
• Any steps taken by the data controller to obtain the consent of the other party.
• Whether the other party is capable of giving or refusing consent.
Other published guidance
Guidance has been published by the Information Commissioner7 about how to deal with subject access requests which will result in personal data relating to a third party being disclosed. In particular, advising the enquirer of the source of personal data relating to them will often result in disclosing another person’s personal data. The Commissioner identifies key questions for data controllers when dealing with subject access requests involving the potential disclosure of personal data relating to third parties:
• Does the information being accessed contain information about a third party?
• If so, would its disclosure reveal the identity of the third party?
• In deciding this, has other information which the data subject has received or may receive been taken into account?
• To what extent can the information be edited so it can be supplied without revealing the identity of the third party?
• Has the third party previously given the information to the person making the subject access request?
• If, or to the extent that, the information will identify the third party, has the third party consented to the disclosure?
• If not, should consent be sought?
• Is it reasonable to disclose the third-party information without consent?
• Is the third-party information confidential or sensitive or harmful?
• Is the third-party information of particular importance to the person making the subject access request?
There is a key exception to the third party rules suggested above. If the subject access request relates to health records and the third party is a health professional who has compiled or contributed to the health record (or has been involved in the care of the data subject in their capacity as a health professional), then access cannot be refused on the grounds that the identity of a third party would be disclosed.
6. Section 7(3) of the Freedom of Information Act 2000. 7. Subject Access Rights and Third Party Information, published March 2000.
HEALTH RECORDS
There is an exemption where a health professional considers that serious harm to the data subject’s physical or mental health or condition is likely to be caused by giving access to personal data.8 Before deciding whether this exemption applies, any data controller who is not a health professional is obliged to consult the health professional responsible for the clinical care of the data subject (the ‘appropriate’ health professional – there are provisions where there is more than one such health professional or none at all). The obligation to consult does not apply where the data subject has already seen or knows about the information which is the subject of the request, nor in certain limited circumstances where consultation has been carried out prior to the request being made. There are provisions applying where a request is made by a third party on behalf of the data subject, which apply if the data subject is a minor or mentally incapacitated. A health record is defined in the 1998 Act as being any record which consists of information relating to the physical or mental health or condition of an individual, and has been made by or on behalf of a health professional in connection with the care of that individual. A ‘health professional’ is any of the following:
a) a registered medical practitioner (a ‘registered medical practitioner’ includes any person who is provisionally registered under Section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in Subsection (3) of that Section);
b) a registered dentist as defined by Section 53(1) of the Dentists Act 1984;
c) a registered optician as defined by Section 36(1) of the Opticians Act 1989;
d) a registered pharmaceutical chemist as defined by Section 24(1) of the Pharmacy Act 1954 or a registered person as defined by Article 2(2) of the Pharmacy (Northern Ireland) Order 1976;
e) a registered nurse, midwife or health visitor;
f) a registered osteopath as defined by Section 41 of the Osteopaths Act 1993;
g) a registered chiropractor as defined by Section 43 of the Chiropractors Act 1994;
h) any person who is registered as a member of a profession to which the Professions Supplementary to Medicine Act 1960 for the time being extends;
i) a clinical psychologist, child psychotherapist or speech therapist;
j) a music therapist employed by a health service body, and
k) a scientist employed by such a body as head of department.9
8. Data Protection (Subject Access Modification) (Health) Order 2000.
REFERENCES There is a limited exception for references in the hands of the referee. Personal data are exempt from a subject access request if they consist of a reference given or to be given in confidence by the data controller for the purposes of education, training or employment. Note that the exemption does not apply in the hands of the recipient of the reference.
MANAGEMENT FORECASTING Personal data processed for the purposes of management forecasting or management planning to assist the data controller in the conduct of any business or other activity are exempt from subject access. The exemption applies only to the extent to which subject access would be likely to prejudice the conduct of the business. This includes circumstances, for example, where a business relocation is under consideration and specific individuals are the subject of discussion either for relocation with the business or for redundancy. A subject access request from a data subject in these circumstances could be handled without providing access to the planning and discussion relating to the business relocation if that would prejudice the relocation.
CORPORATE FINANCE This exemption applies when responding to a subject access request could reveal price sensitive business information. Obviously it will only apply to, and in relation to, quoted companies. Businesses involved in providing a corporate finance service, offering underwriting or advice on issues of shares and other instruments, are exempt from responding to certain subject access requests. The exemption also applies to businesses generally to restrict access to price-sensitive information so that the orderly functioning of financial markets is not prejudiced.10
9. Section 69 of the 1998 Act. 10. Data Protection (Corporate Finance Exemption) Order 2000 (184).
NEGOTIATIONS If negotiations are under way between the data controller and the data subject, this exemption may apply to prevent the data subject from accessing details of the data controller’s intentions. Otherwise, the subject access provisions would operate to force the data controller to show his hand. Personal data which consist of records of the intentions of the data controller in relation to any negotiations with the data subject are exempt from the subject information provisions. The exemption only applies to the extent that disclosure to meet subject information requirements would be likely to prejudice those negotiations.
LEGAL PROFESSIONAL PRIVILEGE
Personal data are exempt from subject access if the data consist of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. This is restrictive in real terms. Legal professional privilege is not very wide: it covers confidential communications between the data controller and its legal adviser for the purpose of giving or obtaining legal advice and, once litigation is contemplated, communications made for the dominant purpose of that litigation. Ordinary HR records do not become privileged simply because a lawyer has seen them.
SELF-INCRIMINATION A person need not comply with any request or order regarding subject access to the extent that it would reveal evidence of criminal activity by the data controller. Disclosure to meet a subject access request should not involve the data controller in revealing the commission of any offence (other than an offence under the Data Protection Act) or expose them to proceedings for that offence.
Other data subject rights
THE RIGHT TO PREVENT PROCESSING LIKELY TO CAUSE DAMAGE OR DISTRESS
Section 10 of the Act gives a right to data subjects to prevent processing likely to cause damage or distress. The Act requires that data subjects give notice to the data controller, in writing, setting out the reasons why processing is causing, or is likely to cause, substantial damage or distress to themselves or another and why the damage or distress is or would be unwarranted. The data controller then has a period of twenty-one days in which to respond either that he has complied or intends to comply with the request or giving reasons for not complying. A response to the effect that the data controller does not intend to comply wholly or in part with the request must make out a case that the request is unjustified and state the grounds for that opinion. The data subject may apply to the court for a decision as to whether or not the continued processing – and the data controller’s decision – is justified in the circumstances. Exceptions to this right are set out in Paragraphs 1–4 of Schedule 2 to the Act. They are:
• Where the data subject has given consent to the processing;
• Where processing is necessary for the performance of a contract to which the data subject is a party or for taking steps preliminary to entering into such a contract;
• Where processing is necessary for compliance with any legal obligation to which the data controller is subject, other than a contractual obligation;
• Where processing is necessary in order to protect the vital interests of the data subject.
RIGHT TO PREVENT PROCESSING FOR THE PURPOSES OF DIRECT MARKETING Section 11 of the Act gives data subjects the right to prevent the processing of personal data relating to them for the purposes of direct marketing. A data subject may make a written request at any time to require the data controller to cease, or not to begin, processing their personal data for the purposes of direct marketing. ‘Direct marketing’ means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. Therefore mailshots, e-mails and telephone calls are all included. The Data Protection Act requires that such requests be made in writing and gives the data controller a ‘reasonable’ period in which to amend records and mailing databases to comply with the request.
RIGHT TO OBJECT TO AUTOMATED DECISION TAKING
A data subject has the right to object to decisions taken by automated means in circumstances where the decision:
• Is taken by or on behalf of the company, and
• Significantly affects that individual, and
• Is based solely on the processing by automatic means of the individual’s personal data, and
• Is taken for the purpose of evaluating matters relating to them.
The requirement is for the objection to be set out in writing. Examples of areas likely to be affected are:
• Automated recruitment systems;
• Automated marking of psychometric and other tests;
• Credit scoring.
The data controller is under a legal obligation to review the decision taken by automated means. The reviewer must be a human being. The reviewer may concur or disagree with the automated decision.
Rights not covered by the Sixth Principle Other rights under the Act are not subject to the Sixth Principle. These are as follows:
RIGHT TO COMPENSATION
Any individual who suffers damage by reason of contravention of any of the requirements of the Act is entitled to compensation from the data controller pursuant to Section 13 of the Act. Similarly the individual is entitled to compensation if he suffers distress as well as damage, or for distress alone if the contravention relates to processing of personal data for the special purposes. ‘Special purposes’ means one or more of the following:
• The purposes of journalism.
• Artistic purposes.
• Literary purposes.
Under the 1984 Act only actual financial loss caused by actions in contravention of the Act was recoverable. The 1998 Act has extended the right to compensation to cover distress suffered in addition to such damage (and, for the special purposes, distress alone).
RIGHTS IN RELATION TO INACCURATE DATA A data subject may apply to the court for the rectification, blocking, erasure or destruction of personal data relating to them on the basis that the data is inaccurate pursuant to Section 14 of the Act. This applies even when the data controller obtained the inaccurate data from a third party or the data subject. The court may also choose to require the data controller (and any other data controllers holding the same data) to supplement the existing data to record the true facts as approved by the court. Compensation may also be awarded by the court if the data subject has suffered damage as a result of the inaccurate data.
RIGHT TO PREVENT PROCESSING OF SENSITIVE DATA A feature of the Sensitive Data Order11 is that it gives data subjects the right to require a data controller to cease processing sensitive data relating to them if the processing is undertaken for the purposes of identifying and monitoring equal opportunities in relation to religious beliefs, physical or mental health or political views. Exercise of the right must be by notice in writing to the data controller. A reasonable period must be stated at the end of which the data controller is required to have ceased processing. The data controller must have ceased processing those personal data at the end of that period.
11. The Data Protection (Processing of Sensitive Data) Order 2000 (417).
CHAPTER
20 The Seventh Principle
This chapter examines the Seventh Data Protection Principle and the interpretative provisions relevant to the Seventh Principle contained in Schedule 1 to the Act. Key words and phrases with a technical meaning are explained in Chapter 12 and are important to a clear understanding of the law and guidance on this point. The Seventh Principle is concerned primarily with the security of personal data. The basic requirement is that appropriate security must be in place to protect personal data. The more sensitive and confidential the data and the more harm likely to result from its accidental loss or disclosure, the tighter security is required. In addition to the basic security requirement there are two additional requirements. The first relates to staff whose jobs involve the handling of personal data. Employers are under a legal obligation to ensure that such staff are reliable. The second relates to outsourcing. Data controllers have a legal duty to ensure that their data processors take appropriate security measures throughout the life of their relationship. Furthermore, data controllers are responsible for putting in place with their data processors a written contract including two specific clauses relating to the Seventh Principle.
Basic requirement for security of personal data
The text of the Seventh Principle reads: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
Note that the requirement is for appropriate security of personal data. Guidance about determining what might be ‘appropriate’ is provided in the interpretative provisions:
• Having regard to the state of technological development, and
• the cost of implementing any measures,
• the measures must ensure a level of security appropriate to –
• the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
• the nature of the data to be protected.1
The guidance reinforces the fact that this is not an absolute obligation and it spells out the factors to take into account when assessing the ‘appropriateness’ of any security measures.
1. This is the actual text of Paragraph 9 of Schedule 1 Part II. The phrasing and use of bullet points are the author’s.
The Seventh Principle
131
The first point is that the appropriateness of security measures will be assessed by reference to the state of technological development. HR managers need to keep abreast of enhancements in record-keeping systems. Any significant improvements introduced generally need to be incorporated into HR systems within a reasonable period of time if the department is not to fall behind required standards.
Secondly, the cost of appropriate security measures is expressly to be factored into the assessment of what is appropriate. It would seem that ‘appropriateness’ in relation to cost will be influenced by the financial standing of the data controller. Costs which would be appropriate if borne by, say, a BP or a Shell Oil might not be appropriate if the data controller is a small business.
The Information Commissioner’s view is that there can be no standard set of security measures to meet the requirements of the Seventh Principle.2 Different security measures will be required to meet different circumstances. The nature of the data to be protected will dictate, to some extent, the harm that might result from unauthorized access, unauthorized processing, loss or damage. Processing includes the obtaining, using, holding and destroying of personal data. For example, a greater degree of harm can be envisaged from the unauthorized disclosure of, say, sensitive data relating to health than of straightforward personal data such as an individual’s name and address (which might be found in a telephone directory in any event). Sensitive categories of data are not the only types of data which might give rise to an increased duty of care when processing personal data. For example, financial data relating to the earnings of an employee would be regarded as confidential, and the scope for harm to result from unauthorized disclosure is greater than if the employee’s name and address were to be disclosed.
‘Appropriateness’ of security measures will depend on the harm that might result from the unauthorized access, processing or destruction of personal data. The Information Commissioner encourages data controllers to adopt a risk-based approach to security.3
Returning to the text of the Seventh Principle, both technical and organizational security measures are expressly required. The inclusion of paper files within the definition of personal data (see Chapter 12) means that technical security measures alone are not sufficient to protect personal data against unlawful access, damage or destruction. The safeguarding of paper files requires a different approach from that employed for computer file and database security. There is also a physical risk to personal data held in computer files and databases, which has perhaps become more apparent recently with the spate of laptop thefts. It is no longer sufficient simply to think and plan in terms of firewalls, password security and back-up facilities; organizational security measures are also a necessary component of a realistic security system.
COMPLYING WITH THE SEVENTH DATA PROTECTION PRINCIPLE
The Commissioner’s view is that there can be no standard set of security measures to meet the requirements of the Seventh Principle. Different security measures will be required to meet different circumstances; however, the requirement is to guard against unauthorized destruction or deletion, amendment or disclosure of personal data.
2. December 2001 Legal Guidance, paragraph 3.7.
3. December 2001 Legal Guidance, paragraph 3.7.
132
The legal requirements
Physical security of computer equipment, paper and microfiche files is important. At the highest level, physical security starts with the security of business premises. Within the HR department, confidential files should be protected in lockable filing cabinets or in offices with restricted access. A ‘clean desk’ policy encourages staff to use filing cabinets and storage areas.
Within the HR department the Employment Practices Data Protection Code provides that employers should base security measures on the risks of unauthorized access to, or loss or damage of, employment records.4 In particular: ‘Institute a system of secure cabinets, access controls and passwords to ensure that staff can only gain access to employment records where they have a legitimate business need to do so.’5
If computer equipment or paper files are taken out of the office, appropriate security is required. This can be established by policies and procedures applicable to users of laptop computers and those employees who work from home either permanently or occasionally. On the subject of taking work out of the office the Employment Code states: ‘Ensure that if employment records are taken off-site e.g. on laptop computers, this is controlled. Make sure only the necessary information is taken and there are security rules for staff to follow.’6
The security of personal data in transit is easily overlooked. The transmission of personal data by fax and e-mail should be the subject of policies and procedures aimed at ensuring security and confidentiality. HR managers need to consider the implications of shared facilities such as printers or e-mail addresses, not just in the HR department but in the business with which HR staff communicate. Hot-desking creates practical problems for HR staff trying to ensure that employee personal data is received by the correct line manager, for example.
The Employment Code states: ‘Take account of the risks of transmitting confidential worker information by fax or e-mail. Only transmit such information between locations if a secure network or comparable arrangements are in place. In the case of e-mail, deploy some technical means of ensuring security such as encryption.’7
System security may not be under the control of the HR manager. IT security tends to be a business-wide concern with business-wide solutions such as password protection, locking PCs, screen savers, restricted access, user-verification procedures, virus protection measures and firewalls for Internet connections, etc. There are ISO standards8 for computer security, and larger organizations should be applying those standards or ones equivalent to those standards.
Maintaining appropriate levels of security depends heavily on policies and procedures. These are only effective if they are practical and realistic, communicated properly to all staff and policed. In particular, for the data controller to be able to demonstrate that policies and procedures are being followed, audit is an important tool. Audit will also reveal which procedures are impractical or inappropriate. Training is essential if staff are to understand the reasons why policies and procedures exist. This will, in turn, help staff to remember relevant procedures and apply them. See Chapter 6.
4. Record Management – Security, benchmark 1.
5. Record Management – Security, benchmark 2.
6. Record Management – Security, benchmark 5.
7. Record Management – Security, benchmark 6.
8. ISO 7799.
Employees and the security of personal data
The interpretative provisions state:9 ‘The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.’
Employers have a duty to ensure the security of personal data of which they are the data controller by reference to controlling the activities of their employees. Note that this is not an absolute obligation: the requirement is that reasonable steps be taken. The requirement is also a continuing one. Controls are required both prior to the employee gaining access to personal data and on a continuing basis.
Reasonable steps almost certainly include staff training, and this is emphasized in the Employment Practices Data Protection Code. Employers are to ensure that staff ‘are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer’s policies and procedures.’10
The Employment Code also says:11 ‘Take steps to ensure the reliability of staff that have access to workers’ records. Remember this is not just a matter of carrying out background checks. It also involves training and ensuring that workers understand their responsibilities for confidential or sensitive information. Place confidentiality clauses in their contracts of employment.’
Finally, the Employment Code recommends that serious breaches of data protection rules should be a disciplinary offence.12
Data controllers and data processors
The Seventh Principle regulates the relationship between the data controller and its data processor(s). Where the processing of personal data is carried out by a data processor on behalf of a data controller, the latter is under an obligation to choose a data processor able to provide sufficient guarantees in respect of its technical and organizational security measures. Furthermore, the data controller must take reasonable steps to ensure that the data processor complies with those measures. In addition there is the requirement for written contracts. Specifically, the data controller is not to be regarded as complying with the Seventh Principle unless:
a) the processing is carried out under a contract:
i) which is made or evidenced in writing, and
ii) under which the data processor is to act only on instructions from the data controller, and
b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.13
9. Paragraph 10 of Schedule 1 Part II.
10. Record Management – High level management, benchmark 5.
11. Record Management – Security, benchmark 4.
12. Record Management – High level management, benchmark 5.
13. Paragraph 12 of Part II of Schedule 1.
The Principles themselves do not, prima facie, regulate the activities of data processors. The Act provides that data controllers are subject to the Principles. The Seventh Principle applies so that data controllers are responsible for the compliance of data processors. Appropriate security measures are the key part of that obligation. It also means that the data protection compliance of data processors must be policed by the data controller. In summary, the data controller is under an obligation to ensure that appropriate security requirements are imposed on third parties which process personal data on its behalf. This means checking that data processors have appropriate security for personal data, or requiring guarantees that such security is in place, and putting in place a written contract containing two specific terms. See Chapter 7 for an explanation of what constitutes a data processor and suggested actions to take in the HR context. Chapter 8 is also relevant: it considers the relationships between employers and benefit administrators to determine those which are data processors.
WHAT IS A DATA PROCESSOR?
A data processor is the party that carries out the processing of personal data on behalf of another party. It is providing a service in which it has no real interest except that it is paid for the processing.
Technical definition of ‘data processor’
Section 1(1) of the Act reads: ‘“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.’
The prime example of a data processor is an outsource service provider such as a payroll administrator. The employer sends payroll data to the payroll administrator at agreed periods, and the payroll administrator generates payslips and makes payments into bank accounts on the due date. The payroll administrator has no interest in the personal data per se; it processes the data purely for the benefit of the data controller in return for remuneration. It acts solely on the instructions of the data controller; it probably has no discretion to act independently and no interest in doing so.
Another example of a data processor would be a registrar offering share registration services, processing shareholder personal data on behalf of a listed company. Companies are under a statutory duty to maintain registers of shareholders. This is a function which is often outsourced to a registrar. The registrar has no interest in processing the personal data except for the remuneration it receives from the company by so doing. The data is processed on behalf of the company and for its benefit.
Yet another example would be a mailing house. Customer lists are supplied by the data controller to the mailing house to effect a mailing. If mailing addresses include names or job titles which identify the individual, then personal data is being processed. The mailing house has no interest in processing the personal data except that it receives remuneration from the data controller for doing so. The mailing house is a data processor in respect of the mailing lists supplied.
Identifying data processors
It is important that data controllers are able to identify their data processor(s) because of the statutory duty on the data controller to comply with the Seventh Principle.
A data processor will be independent of the data controller – a third party – although it may be a sister or associated company in a group of companies. (See page 54). Deciding whether or not a third party is a data processor is a matter of fact. The answers to the following questions will help a data controller to decide whether or not a party is a data processor.
• Does the party process personal data supplied by or on behalf of the data controller? For example, a company might buy a mailing list from a third party and arrange for the list containing personal data to be supplied direct to its preferred mailing house. The personal data was not supplied directly by the data controller but on its behalf. This does not affect the underlying relationship between mailing house and the data controller. The mailing house is a data processor on behalf of the data controller.
• Is the processing undertaken on behalf of or for the benefit of the data controller? Processing undertaken on behalf of the data controller will indicate that the processor is a data processor. Processing undertaken for the benefit of the data controller does not necessarily indicate that the processor is a data processor.
• Does the third party have any interest in the personal data apart from remuneration for the service provided to the data controller? A variety of examples are given above.
• Does the third party take decisions in regard to the personal data it processes? The processor may be a data controller in its own right if it uses the personal data for its own purposes or deals with it in any way that would suggest that it is the data controller.
• Is there a degree of autonomy or does the third party act only on instructions from the data controller?
• What do the parties intend should happen to the personal data when the relationship between them ends? If the party is a data processor, then personal data will either be returned to the data controller or its nominated representative or deleted. The data processor will have no further use for the data.
THE OBLIGATION TO CHECK COMPLIANCE
To discharge its duty under the Seventh Principle in relation to data processors the data controller must first check that the data processor has security measures in place to protect personal data from unauthorized access, deletion or amendment. Both the adequacy and the appropriateness of the security measures must be assessed. The Seventh Principle refers to ‘appropriate’ measures, so there is a degree of risk assessment involved. The data controller should first assess the risks inherent in the personal data to be disclosed to the data processor and then assess whether or not the data processor has taken adequate steps to protect personal data in its control.
The data controller is unable to make an assessment without information. So the first step would be to require the prospective data processor to provide information about its compliance with current data protection law. It should be asked for such details of its security arrangements as it is able to provide without compromising that security. Information should be requested about staff training on data protection issues, how employees are supervised and the controls within which employees work, so that the data controller is satisfied as to their reliability. This may be particularly important in respect of new employees and temporary workers.
THE CONTRACTUAL REQUIREMENT
Where personal data is processed by a data processor on behalf of a data controller, in addition to its duty to ensure that data processors keep personal data secure, the data controller must take specific contractual steps in order to comply with the Principle. The data controller will not be deemed to be compliant with the Seventh Principle unless there is a written contract in place between the parties incorporating specific terms. Thus data processors are made subject to the security provisions of the Seventh Principle which would otherwise not apply to them at all.
The specific contractual terms required constitute a restriction on the data processor requiring it to act only on instructions from the data controller when processing personal data on behalf of the data controller. There is also a requirement that it comply with obligations equivalent to those imposed on the data controller by the Seventh Principle.
The impact of the requirement is that organizations must enter into a written contract with subcontractors and outsource service providers where this is not already the case. Where a contractual relationship already exists between a data controller and a data processor the relevant clauses can usually be incorporated into the agreement by an exchange of letters signed on behalf of the data processor to signify its agreement to the amendment. In addition to the terms specified in the interpretation of the Seventh Principle, data controllers may find it useful to include a reference in the contract to their obligation to monitor compliance, and to establish their right to question security arrangements and any breaches of confidentiality and to gain access to any document they may decide is relevant in that regard.
GROUPS OF COMPANIES AND THE SEVENTH PRINCIPLE
Data protection law does not recognize trading groups of companies. Each company must notify separately and is deemed to be a ‘third party’ for the purposes of data protection. Therefore companies in a group must consider their relationship with other companies in the group on an ‘arm’s length’ basis. For example, if one company (usually a ‘service’ company) is the employing company in the group and effectively supplies staff to other, trading companies in the group then it will be a data processor if those staff process personal data in carrying out their job. Consider that most jobs will involve handling personal data to some extent, especially if office-based. (See page 54).
The requirement for written contracts will apply. Even between group companies there is no relaxation of this requirement. However, the Commissioner has suggested that such companies seek legal advice on the possibility of entering into one contract with all group companies as signatories in preference to a number of contracts between the service company and each individual trading company.
DATA PROCESSORS OUTSIDE UNITED KINGDOM JURISDICTION
The wording of Paragraph 12 of the interpretative provisions is that the contract with a data processor should require it to comply with obligations equivalent to those imposed on the data controller by the Seventh Principle. The effect of the word ‘equivalent’ is to place data processors located outside the United Kingdom under the same restriction as UK-based data processors. A data processor may be outside the jurisdiction of the Data Protection Act 1998, but if the data controller is within that jurisdiction then it must ensure that its data processor(s) adhere(s) to security requirements commensurate with those required by the Seventh Principle regardless of their geographic location. This is important where a data controller uses the services of data processors located outside the EEA.
Summary
The impact of the Seventh Principle is to create a need for:
• Risk assessment of all personal data-processing activities.
• Appropriate security measures based on the degree of risk identified, state of the art and the cost of implementation.
• Documented policies and procedures with security features.
• Staff training and communication of policies and procedures.
• Audit to ensure that policies and procedures are adequate and practical and that they are being followed in practice.
• Identification of data processors.
• Careful vetting of prospective data processors at tender stage to check that their system and organizational security measures are adequate.
• Written contracts with data processors. The terms of the contract must include a requirement that the data processor act only on the instructions of the data controller in relation to processing personal data and that it adhere to the Seventh Data Protection Principle.
• Continued monitoring of the data processor’s performance in relation to security.
CHAPTER
21 The Eighth Principle
This chapter considers the Eighth Data Protection Principle which relates to the transfer of personal data outside the EEA. The Principle and relevant interpretative provisions are set out in Schedule 1 to the Act. Key words and phrases with a technical meaning are explained in Chapter 12 and are important to a clear understanding of the law and guidance on this point.
Interpreting the Eighth Principle
The Eighth Principle reads: ‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’
The key points to note are:
• There is a prohibition on the transfer of personal data.
• It applies outside the EEA.
• It applies unless there is an adequate level of protection for the rights and freedoms of relevant data subjects.
The prohibition
In practice there are exemptions and exceptions which might take personal data outside the prohibition. These exceptions cover specific circumstances set out in Schedule 4 to the Act. This means that the prohibition on the transfer of personal data outside the EEA does not apply if one or more of the conditions in Schedule 4 are met. The more commonly applicable conditions are considered below.
SCHEDULE 4 CONDITIONS
Consent
A data subject may consent to the transfer of personal data relating to him or herself notwithstanding that the transfer takes the personal data outside the EEA. Consent must be freely given and informed. The fact of the transfer, and that protection for the rights of the data subject may not meet standards within the EEA, must be communicated. There are problems with establishing freely given consent in the HR context. (See page 21 for a full explanation).
The Eighth Principle
139
Where the data subject is party to a contract
A key exception to the general prohibition is where the transfer is necessary for the performance of a contract between the data subject and the data controller. A further condition applies where steps are taken at the request of the data subject with a view to their entering into a contract with the data controller. Generally this condition will apply to any transfers required pursuant to the contract of employment. So if a transfer of employee personal data is necessary for the administration of employee benefits and the transferee is located in a territory outside the EEA, the transfer may be made despite the Eighth Principle.
However, the transfer must be truly ‘necessary’. If a group chooses to base its administrative functions outside the EEA, it will not be able to argue for the necessity of employee personal data to be transferred to it. The location of the administration function is a matter of choice, not of necessity. This restricted interpretation1 of what is necessary has other implications. Applying the same logic, arguably if the objectives of the contract could be achieved without transferring personal data outside the EEA, then the transfer is unnecessary and fails to meet the criterion of necessity and therefore the Schedule 4 condition.
An illustration in the context of insurance is helpful. If a broker seeks terms for insurance for a client, should it be restricted to underwriters located in the EEA and prevented from approaching non-EEA underwriters? If terms can be put forward by an EEA underwriter, then how may the broker justify approaching underwriters outside the EEA if that approach involves the disclosure of personal data? It appears that it is not possible for the contract condition to be relied upon in these circumstances.
Legal claims
Transfers may be made where they are necessary in connection with any legal proceedings. The condition includes prospective legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights. There is no requirement that the data subject be a party to the legal proceedings or prospective legal proceedings.
WITHIN THE EEA
Countries within the European Economic Area are deemed to have an adequate level of protection for personal data. The EC Directive on Data Protection sets the basic data protection requirements throughout the EEA. The Directive also provides for countries outside the EEA to be designated by the European Commission as providing an adequate level of protection for the rights and freedoms of data subjects. This is known as the ‘presumption of adequacy’. To date Switzerland, Hungary and Canada have been designated as providing adequate data protection. Transfers of personal data to these countries may be effected without further checks as to adequacy. In the United States, the Safe Harbor arrangements have been approved by the EC as providing an adequate level of protection, so any organization that subscribes to Safe Harbor is deemed to provide adequate data protection.
1. ‘International Transfers of Personal Data’ published by the Information Commissioner, Paragraph 8.3.
Countries within the European Economic Area: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden.
The Channel Islands and the Isle of Man are not part of the EEA.
ASSESSING ADEQUACY
If none of the conditions in Schedule 4 applies and the country in which the intended transferee of the personal data is located has not been presumed adequate, the data controller must make its own assessment of adequacy. The data controller must assess the adequacy of protection for data subjects’ rights and freedoms both in the territory where the transferee is located and as offered by the transferee organization.
Certain circumstances may help to establish adequacy: for example, if the transfer is one between a data controller and its data processor and an appropriate contract is in place to meet the requirements of the Seventh Principle. (See Chapter 20). It may help to establish adequacy if the transfer is one within an international group of companies and agreed standards of data processing apply. If the transfer is being made within an industry sector where professional rules or a code of conduct apply, this may also be factored into the assessment of adequacy. The Information Commissioner pointed out that these circumstances in themselves could not be relied on completely to establish adequacy but that they would count in favour of (or against) a final assessment of adequacy.2
This interpretation may be at least partially incorrect. The relationship between a data controller and a data processor is regulated by the Seventh Principle. It requires, inter alia, that the data controller:
• Investigate the data processor’s security measures for the processing of personal data.
• Restrict the processing of personal data processed on its behalf so that the data processor may only act on its instructions.
Given these two conditions, no other circumstances would appear to be relevant to the decision relating to adequacy.
The adequacy test
The factors relevant to a decision about ‘adequacy’ are set out in the interpretative provisions, which state:
An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to –
a) the nature of the personal data,
b) the country or territory of origin of the information contained in the data,
c) the country or territory of final destination of that information,
d) the purposes for which and period during which the data are intended to be processed,
e) the law in force in the country or territory in question,
f) the international obligations of that country or territory,
g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and
h) any security measures taken in respect of the data in that country or territory.3
The Information Commissioner has issued guidance amounting to a recommended procedure to assess adequacy.4 The ‘Adequacy Test’ is to be applied if a proposed transfer does not fall within one of the exceptions in Schedule 4 and that transfer is to an organization located in a territory which has not been approved by the European Commission. In these circumstances, the following steps are considered the Good Practice Approach:
1) Consider the type of transfer involved and whether this assists in determining adequacy, for example if the transfer is within an industry sector where professional rules or standards apply (underwriters, for example) or is a transfer within an international group of companies. Although this will not establish adequacy prima facie, it may go some way towards it because the data controller has a level of knowledge about the security and procedures within the transferee company and may have an ongoing relationship which both parties will wish to protect.
2) Consider:
• The nature of the personal data (consider sensitive personal data in particular).
• The country or territory of origin of the personal data.
• The purposes for which and period during which the data are intended to be processed.
• The harm that might result from improper processing.
• The law in force in the country or territory in question.
• The international obligations of that country or territory.
• Any relevant codes of conduct or other rules which are enforceable in the country or territory.
• Any security measures taken in respect of the data in that country or territory.
• The extent to which data protection standards have been adopted.
• Whether there is a means of ensuring the standards are achieved in practice.
• Whether there is an effective mechanism for individuals to enforce their rights or obtain redress if things go wrong.
3) Think whether there are any circumstances in your knowledge or that of others involved in the proposed transfer which indicate to you that it is not appropriate to make the data transfer: for example, if you are aware of breaches of confidentiality at the transferee company or other data security problems.
2. ‘Transborder dataflows’ published by the Information Commissioner in July 1999, Paragraph 11.5.
Use of contracts

In addition, contractual terms may be used to supplement the security of personal data transfers. However, unless you are able to use the standard terms approved by the European Union and the Information Commissioner, then it is unlikely that a non-standard contract (i.e. not one approved in full by the EC or the Information Commissioner) would legitimize a transfer of personal data outside the EEA without the adequacy test risk assessment yielding a positive result in addition. The issues you should seek to cover in a non-standard contract are:
. Purpose limitation – restricting the purpose(s) for which the personal data supplied can be processed.
. Security – requiring appropriate technical and organizational security measures be taken by the disclosee.
. Restrictions on onwards transfers.
. Additional safeguards for sensitive personal data.

3. Schedule 1 Part II Paragraph 13.
4. ‘Transborder dataflows’ published by the Information Commissioner in July 1999.
Notice of inadequate protection

Even if the transfer has been justified by one of the Schedule 4 conditions, or is being made to an approved territory or following a positive adequacy finding, consider whether there are any circumstances in your knowledge or that of others involved in the proposed transfer which indicate to you that it is not appropriate to make the data transfer. For instance, if you are aware of breaches of confidentiality at the transferee company or other data security problems, any transfer of personal data may be in breach of the Eighth Principle.
Summary
. Transfers within the EEA are authorized.
. Transfers to countries which have been approved by the European Commission are likewise authorized, currently Hungary, Canada or Switzerland.
. Transfers to the United States to companies which subscribe to Safe Harbor are approved.
. Other transfers must be authorized by the adequacy test unless one of the conditions in Schedule 4 is met.
CHAPTER
22 The Information Commissioner
The role of the Data Protection Registrar was created by the Data Protection Act 1984. The first incumbent, Eric Howe, was given a choice of location for the new Data Protection Office and selected Wilmslow because that was where he lived. The Registrar’s Office was set up to be an independent regulatory authority, and that remains the case. The EC Directive on Data Protection [95/46/EC] was published in final form in 1995. It was intended to harmonize data protection regulation throughout the member states of the European Union. A deadline for member states to implement its provisions was set for October 1998. The Data Protection Act 1998 was the British implementation; interestingly, several EU member states are still to bring in appropriate legislation. One of the requirements of the Directive was that member states should appoint a Data Protection Commissioner, therefore the 1998 Act changes the name of the Data Protection Registrar to that of Commissioner. With the introduction of the Freedom of Information Act 2000 the name changed again, to that of Information Commissioner.
Structure of the Office of the Information Commissioner

The Commissioner is supported by a team of approximately 130 staff in the following departments:
. The strategic policy group, the drivers in the development of data protection guidance.
. The freedom of information group.
. The compliance department, including the enquiry line.
. The legal department.
. The investigations department, exclusively staffed by ex-policemen.
. The notification department, responsible for maintaining the register of data controllers.
. The marketing department.
RESPONSIBILITIES AND FUNCTIONS

These are set out in the Data Protection Act 1998. In general terms, the Office is responsible for data protection and freedom of information in the United Kingdom. Its duties include carrying out assessments of compliance. These are investigations of the circumstances of processing activity carried out at the request of an individual or organization (not necessarily a data subject of the organization under investigation). At the end of the investigation the Office will issue its formal assessment of the compliance or noncompliance of the activity complained of and any data subject who believes they have been disadvantaged by the processing is at liberty to take up the matter in the civil courts. Assessments are not necessarily linked to legal enforcement action. Organizations can be compelled to cooperate with an assessment. If the Office requests information to facilitate the assessment and the organization fails or refuses to comply, the Office has a power under Section 43 to require the information to be provided. Failure to comply with such a notice would be a criminal offence under Section 47.

The Commissioner is also under a duty to promote the development and use of codes of practice. Codes of practice may be European or national. There is a working party (the Article 29 Working Party) which considers codes and proposed codes at the European level. An example of a code under consideration is the IATA Recommended Practice 1774 on data protection in relation to international air transport. At national level, some codes have been drafted by trade associations with input from the Office. The ABI code for insurers includes standards for data protection approved by the Commissioner. Other codes have been initiated by the Commissioner, such as the Employment Practices Data Protection Code.

The Information Commissioner’s Office is also responsible for issuing guidance on data protection issues in response to demand from industry. Some examples include:
. Legal guidance on the Act issued in December 2001.
. A guide to data protection auditing issued in December 2001.
. An educational CD-ROM ‘the Plumstones’ issued for use in schools.
There is also the enforcement activity of the Office. To date the enforcement procedure has only been used after negotiation has failed to persuade a data controller to amend its personal data-processing activities. There are signs that the Office is starting to take a tougher line with enforcement. Once an enforcement notice is issued, non-compliance is a criminal offence under Section 47 of the Act. Finally, there is the duty to maintain the register of data controllers. The notification process has been streamlined. It is possible to notify online as well as by telephone. The process involves a standard template based on the data controller’s industry. Data controllers should check the activities outlined before signing and resubmitting the forms for registration. The register is publicly available information. Again, it can be accessed via the Internet. The registration department has issued updated guidance (based on the 1998 Act and notification regulations) on notification requirements and how a data controller can identify whether or not it needs to notify.
CHAPTER
23 Notification
If you are required to notify, it is a criminal offence to fail to do so. Similarly any changes in activities must be notified to the Commissioner; again, failure to do so is a criminal offence. It is unlikely that HR activity alone will determine whether or not an organization should be registered for data protection. The rules and exemptions from notification apply to the business activities of the organization and notification or registration for purposes of employment administration will naturally follow from the need to register at all. As a general indication the following organizations will need to be registered:
. Complex organizations involving groups of companies which ‘share’ personal data. This will include organizations where there is one service or employing company and one or more trading companies. The normal operation of the business will require that personal data is shared between the employing company and the trading company(ies) for work planning and management.
. Organizations providing the following services:
  – Advertising agency.
  – Accountancy and auditing.
  – Legal services.
  – Credit referencing, debt administration and factoring.
  – Crime prevention and the prosecution of offenders.
  – Education.
  – Financial services.
  – Health administration and the provision of health services.
  – Marketing.
  – Mortgage, insurance-broking and insurance administration.
  – Pastoral care.
  – Pensions administration.
  – Private investigation.
  – The trading and sharing of personal data.
. Organizations with responsibility for CCTV.
. Organizations which use credit reference information or trade and/or share personal data.
. Organizations which market goods and services using personal data obtained from a third party (i.e. buy in mailing lists or undertake promotions to their customers jointly with other companies) or which market goods and services on behalf of third parties or clients.
Exemptions

The small business exemption (or ‘core business exemption’) applies where the organization only processes personal data for:
1) Advertising, marketing and PR only in relation to its own goods and services.
2) Administration of customer/client and supplier records.
3) Staff administration.

There is an exemption from registration for organizations whose personal data is held not on computer but in paper files only.

There is a further exemption for charitable organizations. It applies where the data controller is a not-for-profit organization and processes personal data only for the purpose of establishing and maintaining records of membership and of those with whom it has regular contact. The exemption also allows administration of employees, accounts and recordkeeping and limited advertising and promotional activity directed solely towards its own members.
How to register or notify

Registration can be instigated by telephone or online. Registration entries are based on a standard template for each industry, so it is important to check that it covers all the organization’s personal data-processing activities. Registration entries should also be checked regularly against personal data processing activities to pick up those changes to activities which are notifiable.
CHAPTER
24 Criminal offences
The following criminal offences are created under the Data Protection Act 1998:
. Failure to notify or register with the Data Protection Register when processing activities involving personal data are such that registration is required.1 (See Chapter 23 for an explanation of when notification is required).
. Failure to keep the notification up to date with current personal data processing activity.2 It is a defence if the person charged with the offence can show that they exercised all due diligence to comply with the requirement to keep the notification up to date and accurate.
. The unauthorized disclosure or obtaining of personal data.3
. Requiring candidates for employment to apply to the police for a copy of their criminal record, if any, using the subject access right in the Act.4

The Freedom of Information Act 2000 includes the facility to bring in a new data protection offence. Anyone employed by a public authority who deletes or destroys records in order to frustrate a subject access request could be guilty of an offence under the Act once the section has been implemented.
Liability for data protection offences

Companies can be guilty of the offences in the Act, such as failure to notify. The offences can also be committed by individuals, and include the unauthorized disclosure or obtaining of personal data. For example, a police officer who accesses the Driver and Vehicle Licensing Agency records for a private purpose not connected with police activity will be guilty of an offence. In such circumstances the police authority might not be guilty of the same offence if it can show that individual employees were given training about authorized disclosures and the misuse of personal data and that there were procedures in place to discourage unauthorized activity. A director, manager or officer of a company can be liable for Data Protection Act offences5 if they consent to or connive at the commission of the offence or if the offence can be shown to be attributable to any neglect on their part.
1. Section 21 Data Protection Act 1998.
2. Section 21 of the Act.
3. Section 55 of the Act.
4. Section 56 of the Act.
5. Section 61 of the Act.
Penalties

On summary conviction, the limit is a £5,000 fine; on indictment, it is unlimited.
Index abuses, of personal data 2 access rights see data subject access requests Access to Medical Reports Act (1998) 68 accessible record, definition of 84 accuracy, of personal data Employment Code on 118 ensuring 20 examples 117 inaccurate data, rights in relation to 12, 122, 129 job application forms 115–16 published guidance on 116 adequacy to purpose, of personal data 111–13 agency recruitment organization, identification of 28–9 suggested actions 29 terms of business 28 see also recruitment AMRA see Access to Medical Reports Act (1998) application forms see job application forms Article 29 Working Party 21 audit findings, acting on 9 guidelines 8–9 importance of 132 staff training on 38 audit trails, on computer systems 9 automated data processing and abuse of personal data 2 disclosure of logic of 123 automated decision-taking, right to object to 11, 13, 128 CCTV Code of Practice, on retention periods 35, 120–21 data controller, responsibility of 34 images, data subject access to 10 and personal data 78 signage, required wording for 34 suggested actions 35 suggested policies images, disclosure of 35 physical security, of tapes 35 quality of images 35 use of 16, 30, 31, 33
Chater, Robin E.J. 2 Chinese walls 8, 36, 50 company car 47 company credit cards 71–2 compensation, right to 11, 122, 128–9 compliance assessments 143–4 compliance reports 45 computer files retention policy for 61 security of 19, 41, 54 confidentiality Data Protection Act (1998) 1 joint ventures 59 medical testing 69–70 references 8 security arrangements for 19, 40 and staff training 37 consent, in employer/employee relationship definition of 93 employment contracts, consequences for 22 fair processing, conditions for 22–3 international groups of companies, issues for 56 marketing, consequences for 22, 23, 73, 74 medical testing 69 and new processing purpose 22 personal data, transfer outside EEA 21, 22, 23, 138 refusal, procedure for 92–3 sensitive data 21–2 suggested actions 23 unreliability of freely given 18, 21, 22–3, 92–3 Council of Europe Convention (European Treaty Series 108) 1 cre`ches 49, 50 credit reference checks 113, 117 criminal convictions, retention of information on 62 criminal investigations, disclosure of personal data in relation to 64 criminal offences, under Data Protection Act (1998) liability 147 penalties 148 staff training on 36, 37, 39–40
criminal records, access to 24–5 Criminal Records Bureau 25 data controller and data subject, balance between legitimate interests of 94–5 definition of 3, 79–80 future intentions and opinion of 78 identification of 13, 102 legal obligations of 93–4, 135–6 responsibilities of 36 data controller/data processor relationship 42–3, 86, 133–7 data processor definition of 42–3, 80, 134 employing company as 54 identification of 13, 43, 134–5 outside UK jurisdiction 137 data protection, definition of 39 Data Protection Act (1984) Data Protection Registrar, creation of 143 introduction of 1 Data Protection Act (1998) accessible record, definition of 84 criminal offences under 147–8 data controller, definition of 79–80 data processor, definition of 42, 80 data subject, definition of 79 definitions, sources of 85 and EC Directive on Data Protection 1, 143 EEA, definition of 81 HR-related data, conditions for processing 15–16 notification, meaning of 83 personal data, definition of 78–9 processing, definition of 80 relevant filing system, definition of 81–3 sensitive data, definition of 15–16, 83–4 service providers, statutory duties of 44 data protection awareness 37 Data Protection Commissioner 2, 143 see also Information Commissioner Data Protection Directive (95/46/EC) 1, 143 Data Protection Principles 2, 18–19 and Employment code 87–8 fair and legal processing, checks for 19–20 introduction to 86–8 personal data ensuring accurate, relevant and not excessive 20, 115–16 keeping up to date 20, 116–17 not keeping longer than necessary 20, 119–20 security checks 19 Data Protection Register 108–9, 144
Data Protection Registrar 2 see also Information Commissioner data subject, definition of 1, 79 data subject access requests 39 automated processing, disclosure of logic of 123 CCTV images 10 coded information, disclosure of meaning of 123 entitlements, of subject 123 exceptions to requirement for compliance corporate finance 13, 126 health records 125–6 legal professional privilege 127 management forecasting 13, 126 negotiations, prejudicing of 13, 127 references 126 self-incrimination 127 sensitive data 1 and staff training 36 third parties, data relating to 124–5 fees for 123 procedure for 12–13, 124 data subject information additional relevant information, disclosure of 13–14 data controller, identification of 13, 102 examples from Employment Code 106 exemptions from 106 intended processing purposes, disclosure of 13–14, 102 marketing, fairness of 105–6 meaning of 3 other relevant information 103 prominence of 105 recommended actions 107 sample wording for employee 14 for job candidate 14–15 for pension scheme member 14 subject information notices 103–4, 105 suggested actions 15 telephone marketing 106 third parties, information obtained from 103–4 timing of 104 data subject rights 86 automated decision-taking, right to object to 11, 13, 128 compensation, right to 11, 122, 128–9 damage or distress, right to prevent processing causing 11, 13, 127–8 direct marketing, right to prevent processing for purposes of 10–11, 13, 128 guidelines for 8 inaccurate data, rights in relation to 12, 122, 129
interpreting 122 sensitive data, right to prevent processing of 122, 129 staff training 36 suggested actions 13 see also data subject access requests deceit, and obtaining of information 8, 36 disciplinary procedures 7 disclosures, permissible 40–41 document retention CCTV images 35, 120–21 computer files 61 monitoring issues 34 not longer than necessary 20, 119–20 policy on 7, 9, 20 recruitment files 26, 91 retention periods 61–2, 111–12, 120 duplication, of records 1 Durant v FSA case 82–3 e-commerce, and need for data protection 1 e-mail, monitoring of 30, 31, 32–3, 132 EC Directive on Data Protection (95/46/EC) 1, 143 EEA, and prohibition of transfer of personal data outside adequacy, presumption of 139 Adequacy Test 55, 56, 57–8, 140–41 consent, issue of 21, 22, 23, 56, 128, 138 contracts, use of 56, 141–2 EEA countries 81, 139–40 exemptions from consent 138 contract, data party subject to 56, 138, 139 legal claims 139 inadequate protection, notice of 142 interpreting 138 legitimizing transfer, options available for 55–6 Safe Harbor scheme 55 suggested actions 57 terms of transfer, suggested 56–7 employee administration 61–72 employee benefits 9, 46–53 employee data adequacy to purpose 111–12 disclosure of external versus internal 64–5 non-routine requests from outside agencies 64 required by law 64 publication of issues to address in policy and procedures for 66 procedural elements 66 suggested actions 66 suggested actions 66
employee reliability 19, 130, 133 employee surveillance 2 see also CCTV; monitoring Employment Code 22, 23 abuses, of personal data 2 accuracy 118 agency recruitment 28–9 CCTV, use of 34–5 data protection management 2, 7–9 and Data Protection Principles 24 benchmark standards, and enforcement action 87 data subjects, range of 87 personal data, scope of 87–8 as published code of practice for complying with the Act 87 sections of 88 data subject rights 10–13 disclosure of employee information 64, 66 document retention periods, recommended 61–2, 120 employee reliability, and security of personal data 130, 133 fair processing 91 medical insurance schemes 47 medical testing 68 monitoring activities 30–34, 71 principles, interpretation of 19 record keeping 61–3 recruitment 24–8 security 132 staff training 36–41 vetting procedures 113–14 employment contracts, and EEA transfers 56, 138, 139 Employment Practices Data Protection Code see Employment Code equal opportunities monitoring, and sensitive data 17, 62–3, 98, 100 European Economic Area see EEA fair processing, requirement for consent, issue of 92–3 contractual obligations 93 data controller, legal obligations of 93–4 data subject, protecting vital interests of 94 justice and government functions, administration of 93–4 legitimate interests of data controller and data subject, balance between 94–5 suggested actions 101 see also sensitive data, fair processing of fairness, assessment of 89–90 fees, for data subject requests 123 France, Elizabeth 18, 82–3
fraud prevention 2, 63 see also CCTV Freedom of Information Act (2000) 124, 143, 147
Guide to Data Protection Auditing (Information Commissioner) 8–9
health and safety records kept for 66 suggested actions 67 health insurance 47 health professional, definition of 125–6 Howe, Eric 143 Human Genetics Advisory Commission 70 Human Rights Act (2000) 90 inaccuracy, data subject rights in relation to 12, 122, 129 Information Commissioner adequacy, assessing 140–41 consent issue, interim solution to 18, 21, 22–3 Data Protection Registrar, creation of 143 openness of monitoring 32 Information Commissioner’s Office 2 codes of practice, development and use of 144 compliance assessments 143–4 enforcement activity 144 guidance, issuing of 144 referral to 13 register of data controllers, maintenance of 144 internet usage, monitoring of 30, 31 interview notes 24, 26–7 interview policy and guidelines 8 ISO standards, for system security 132 IT security policy 19 job application forms and accuracy of personal data 115–16 recruitment decision, relevance of information to 91, 112 review of 27–8 secure processing of 24 statement of person(s) to whom information to be provided 24 see also recruitment joint ventures confidentiality 59 ‘Corporate Finance’ exemption 58 management planning exemption 58 personal data, caution over disclosure of 59 preliminary discussions 58–9 suggested actions 59–60
Lawful Business Practices Regulations 30, 33 lawful processing, meaning of 15–16, 89–90, 109 line managers, training for 8, 36–8
marketing, to staff affinity branding 73 clause wordings opt-in clause 73 opt-out clause 73 and consent 22, 23, 73, 74 and data subject rights 10–11, 13, 128 and fairness 105–6 legitimate interests of data controller and data subject, balance between 94–5 suggested actions 73–4 medical conditions, disclosure of 46 medical insurance 46–7 medical testing circumstances of 67–8 confidentiality 69–70 consent, requirement for 69 drug/alcohol use, testing for 70 Employment Code, impact of 68 genetic testing 70 for health and safety 69 personal data obtained, relevance of 69 prospective versus current employees 68 and risk assessment 68 sensitive data, processing of 69 suggested actions 71 membership application forms 46 mergers and acquisitions see joint ventures monitoring authorized person, identification of 30–31, 33 business need, identification of 31, 33 CCTV, use of 34–5 communications 30, 32–3 corporate facilities, use for private purposes 32–3 covert 31–2, 33 credit card statements, checking of 71 documenting reasons for 33 employee rights, taking into account 33 impact of 31, 33 information obtained, relevance of 32 information retention policy 34 monitors, training of 31, 33 of performance 30 privacy, respect for 31 specific problems, responding to 32 suggested actions 33–4 by third parties 33
notification exemptions 146 meaning of 83 methods of 146 organizations required to register 145 occupational health screening 47 Opinion (8/2001) 21 outsourcing and agency recruitment 28 contractual terms 44 data processor definition of 42–3 identification of 43 security arrangements 42, 44, 45, 46, 50–51, 54, 136 and security of personal data 130 service providers, queries to raise with 43–4 suggested actions 44–5 third-party HR service providers 9 written contract, requirement for 42, 46, 54, 136 see also data controller/data processor relationship paper files relevant filing system, definition of 81–3 security of 1, 19, 41, 81–3 pension schemes administration, outsourcing of 50–51 Chinese walls, need for 50 deed of wish forms 51 pension fund administrator, as data controller and processor 43 sensitive data, sharing of 96 suggested actions 51 trustee bodies 50 performance monitoring 30 personal data, definition of under 1998 Act 78–9 personal expenses, taxation of 71 phone calls, monitoring of 32–3 Principles see Data Protection Principles privacy, right to respect for 90 processing, definition of 80 psychometric tests, use of 2, 25 record keeping disciplinary, grievance and dismissal 62 document retention policy 61–2 equal opportunities monitoring 62–3 fraud prevention 63 practices 49 suggested actions 63 recruitment consistency when shortlisting 24 criminal offences, and access to criminal records 24–5 information following interview, relevance of 24
interview notes, access to 24, 26–7 policies and procedures 9 pre-employment vetting 25–6, 49, 113–14 psychometric tests, use of 25 recruitment decision, relevance of information to 24, 112 recruitment files, retention of 26 sensitive data, ensuring conditions for 24 suggested actions 27–8 see also job application forms references 25 confidentiality of 8 data subject access requests 126 requests to employer for 64 registration see notification Regulation of Investigatory Powers Act (2000) 30, 33 Rehabilitation of Offenders Act (1974) 25, 62 relevant filing system, definition of 81–3 research purposes, data held for 100, 109–10, 119–20 retention see document retention rights see data subject rights Safe Harbor scheme 55, 83 security appropriateness of costs 131 data, nature of 131 meaning of 130 organizational and technical security measures, requirement for 131 technological development, state of 131 unauthorized access, harm resulting from 131 CCTV tapes 35 compliance measures audit, importance of 132 data in transit 132 physical security 131 system security 132 working at home 132 of computers 41 and contractual requirements 42, 46, 54, 136 of paper files 1, 19, 41, 81–3 policy for 7–8 of recruitment information 26 regular review of 19 sensitive data confidential counselling services 99 and consent, issue of 18, 21, 96, 101 cre`ches 49 data subject or another, protecting vital interests of 96–7 data subject rights in relation to 122, 129 definition of 15–16, 83–4
equal opportunities monitoring 17, 62–3, 98, 100 fair processing of 17–18, 21–2 insurance business 100 justice and government functions, administration of 8 legal rights 97–98 medical purposes 46, 69, 98 non-profit-making bodies 97 pension schemes 96, 100 police 100 political opinions 100 public domain, information already in 97 recruitment 24 research 100 restricted processing of 101 suggested actions 18 unlawful acts, prevention or detection of 99 Sensitive Data Order (2000) 99–100, 122, 129 service company, acting as to trading group computer equipment, use of 54 contractual terms 54–5 data controller, trading company as 54 data controller/data processor relationship 136–7 data processor, employing company as 54 security arrangements 54 suggested actions 55 written contract, requirement for 54 share registration services 42 sick leave, long-term and medical testing 67, 68 social clubs 51–2 staff handbook 33, 38
staff training briefing note, sample for HR personnel 39–41 cycle of improvement, establishment of 36–7 data compliance issues, briefing on 9 data controller, responsibilities of 36 employee reliability, and security of personal data 130, 133 employers, responsibilities of 36 induction training 38 issues covered by 36 new staff, monitoring of 9 as ongoing 38 policies and procedures, familiarization and reinforcement of 37–8 social club secretaries 52 specialist training 38 suggested actions 38 supervision and audit 38 subject access see data subject access requests subject information see data subject information subject rights see data subject rights trading groups of companies see service company, acting as to trading group up-to-date, keeping information 20, 116–17 Use of Personal Data in Employer/Employee Relationships, The (Chater) 2 vetting procedures 25–6, 49, 113–14 work in the community 52–3