Employment Matters February 2008

Data Protection - what do you know?

You may have missed it but last month saw the second European Data Protection Day. An EU survey has shown that public awareness of data protection across the EU is low, although the recent loss of two computer discs containing the details of every family in Britain receiving child benefit certainly raised the profile of the issue in this country.

Following the story about the child benefit discs, the Information Commissioner, Richard Thomas, has told the House of Commons Justice Committee that several organisations have approached the Commissioner “on a confessional basis” to report problems they have encountered themselves, including admissions that large corporations have on several occasions lost employee records.

On 25 January this year the Commissioner ruled that Marks & Spencer PLC was in breach of the Data Protection Act when a laptop containing the unencrypted personal information of 26,000 employees was stolen from the home of a data processor. Marks & Spencer was served with an enforcement notice ordering the company to fully encrypt its laptops by April 2008.

But losing information is not the only pitfall for employers. Keeping unnecessary, inaccurate or irrelevant personal information may provoke complaints as well. An employee (or job applicant) who believes that he or she has suffered a loss as a result of your breach of their data protection rights may raise a claim for damages and for the distress suffered as a result. A failure to comply with an enforcement order can lead to fines of up to £5,000 in the magistrates’ court, unlimited fines in the Crown Court, and in the worst cases prosecution can lead to imprisonment.

Given the complexities of the rules on data protection and the amount of information which employers are obliged to keep records of, it is understandable that HR departments are caught between the desire on one hand to keep all of their files indefinitely and an urge on the other to destroy or delete everything. Striking the balance is possible with a careful and thoughtful approach and provided that all of the relevant people in an organisation understand their responsibility for data protection.

A quick reminder

In simple terms the rules on data protection apply to any company, firm, business etc. which holds or uses ‘personal data’ stored electronically or in a structured paper filing system (where it is readily accessible). Personal data includes any piece of data or information that has an identifiable person as its subject matter (e.g. a job application letter, a contract of employment, payroll records, CCTV footage etc.). However, data protection does not apply to an individual acting in a personal capacity (e.g. a home CCTV security system). Where it applies, data protection sets out eight principles that information should be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the legal rights of individuals
- Secure
- Not transferred to other countries [especially outside of the EU] without adequate protection.

Employees have the right of access to much of the information that you hold about them and such requests should be met within 40 days of a formal request being made - although you can charge up to £10 to cover your administration costs! In particular you should be open about any sensitive information that you hold, such as health records and medical reports, and give your employees the opportunity to correct or comment on this type of information.