Data protection law in the UK is designed to protect individuals from misuse of their data. The key piece of legislation in this area is the Data Protection Act 1998 (DPA) which sets out eight principles. The DPA applies to computerised information and to well-structured manual records, such as certain files about job applicants.
Employer obligations under the DPA
Because employers hold employee records, they are required to comply with the DPA. Through the eight data protection principles, the DPA regulates the way information about employees (including job applicants and former employees) can be collected, handled and used. The principles require personal data to be:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than necessary;
- Processed in line with data subjects’ rights;
- Secure, i.e. protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- Not transferred to other countries without adequate protection.
The code of practice
The Information Commissioner’s Office has produced a code of practice on data protection in employment (the “Code”) which sets out the Information Commissioner’s recommendations as to how the legal requirements of the DPA can be met. The Code does not have legal effect and compliance with its recommendations is not mandatory. Employers may have alternative ways of meeting these requirements. However, if employers take no steps towards complying with the DPA, they leave themselves at risk of breaking the law.
The Code covers:
- recruitment and selection procedures;
- management of employment records (including medical information);
- monitoring of employees; and
- information about workers’ health and medical records.
Employees’ rights to access their records under the DPA
The DPA also gives employees the right to request a copy of the personal data an employer holds about them. This is known as a subject access request (“SAR”) and should be made by the employee in writing.
Once an employer has received an SAR there are a number of steps for the employer to take:
- provide the employee with a written acknowledgement of receipt of the SAR and indicate a likely timescale for a response (within the 40 day time limit);
- consider whether the SAR provides sufficient information with which to identify the employee and the relevant data. If it does not, request clarification, including any information that might help to make the search easier. Request a fee of up to £10 if required;
- appoint a manager to oversee the collation and to ensure an adequate search is carried out;
- explain to the staff that might hold information on the employee the types of data required;
- inform all relevant staff of the timescale within which the data needs to be collated and instruct them not to delete any relevant data;
- after collating the data, consider whether to seek the consent of any third parties that might be identifiable from it. Notify the employee if this is likely to lead to a delay in the provision of a response;
- consider whether any data is exempt from disclosure. Exemptions are narrow but include, for example, material which is legally privileged;
- provide a written response setting out an explanation of the types of data provided and whether and for what reasons any data has been withheld.
Responding to an SAR can be onerous for the employer; however, the DPA does not allow an employer to refuse to deal with an SAR on this basis. Employees are not, on the other hand, entitled to see every document that refers to them: the mere mention of the employee in a document is not necessarily enough. Whether a document is disclosable in any particular instance depends on how relevant it is to the employee as the subject of the data, as distinct from matters that they may merely have been involved in.
The General Data Protection Regulation
A new regulation from the EU (the General Data Protection Regulation, the “GDPR”) came into force on 24 May 2016. It will apply directly in all member states from 25 May 2018. Organisations will therefore have two years to take the necessary steps to be compliant with the GDPR. Under the GDPR there will be an increased emphasis on compliance, including a requirement to notify the regulator of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
Posted on 01/06/2016 in Legal Updates