Privacy at work

When personal or sensitive personal data is stored or handled by an employer’s relevant filing system (such as manual or paper files, a computer, or another type of electronic device), the Data Protection Act 1998 (the ‘Act’) will apply. Handling or processing may include getting hold of, recording, modifying, retaining or deleting information, and a ‘relevant filing system’ must be a highly structured filing system, such as one that is similar to a computer, rather than a system that just uses chronological order. This piece of legislation requires that the data belonging to the ‘data subject’ (in this case an employee) is held in a fair and proper way by the ‘data controller’ (in this case an employer).

The Act will protect data that affects the privacy of a living, identifiable person, whether that data is opinion or factual. Although a name being mentioned in a document is unlikely to be considered personal data, if information has been changed to conceal the identity of a living person – where a data controller can still identify the person – that will still be considered personal data.

Data protection principles

There are eight data protection principles that govern the way personal data can be processed:

1. There must be a specific purpose for data to be taken and processed.

2. The data must transferred outside the European Economic Area only where there are proper safeguards.

3. Data should only be held for as long as is necessary.

4. Data should be sufficient, pertinent and not excessive.

5. The data must be kept safe.

6. The data must be processed in accordance with the rights of individuals.

7. The data must be taken and processed for specified purposes.

8. The data should be processed fairly and lawfully. Fair processing will require there to have been consent from the data subject, and a reason for the processing – for example, that it is necessary for compliance with a legal obligation, to carry out a contract with the data subject, or protect their vital interests, to perform a public purpose, such as the administration of justice, or in pursuance of an organisation’s legitimate interests where the individual’s rights are not prejudiced.

With respect to sensitive data, there are additional rules. Subjects where personal data is likely to be considered sensitive include race, health, sex, or a criminal record. Sensitive data processing also requires one of the following:

Unambiguous consent from the data subject; a requirement to perform the processing to carry out a legal obligation connected to employment; that the processing is necessary for legal proceedings or the administration of justice; that it is required by a health professional for essential medical purposes; or that the processing is carried during the legitimate activities of a non profit organisation.

If the conditions are not met, data processing will be unlawful.

The right to see information

One of the key rights under the Act is the right of an individual to see information held on them where the Act applies to that information – for example, employment records. The way this information is viewed is via a written subject access request that is made to the data controller. There is a deadline of within 40 days to respond to the request and the data controller can charge for providing the information (this could be up to £10 (£2 for a request for limited information from a credit reference company and £50 for medical records)).

A subject access request will require a data controller to provide the data subject with a description and a copy of all the information that the controller holds on the subject, details of where this has come from and an explanation of any codes used, details of those who have potentially received the data, and the reason why the data controller has held or processed the information. Examples of where this may be used in the workplace include where an employee wants to obtain copies of various emails that concern a disciplinary hearing, or where an employee wants to see a copy of their personnel file.

The Information Commissioner

The Information Commissioner is the body that oversees data protection legislation – both the Act and the Freedom of Information Act 2000, under which information can be requested from a public authority by an individual or organisation (that public authority must tell the applicant whether or not it holds the information within 20 days and then provide the information or state an exemption as reason why it doesn’t have to be provided.) The Information Commissioner is government appointed.

The Data Protection Code is something that has been issued by the Information Commissioner. It is not legally binding but is a good starting point to take steps to resolve issues with data protection. If it is not followed this may be cited in any enforcement notices that the Information Commissioner may issue against an organisation for not complying with the Act.

Claiming

If a data subject suffers financial loss or distress (in limited circumstances if distress is the only claim) because there has been a breach of the Act’s provisions, then a right to claim compensation arises. In addition to awarding compensation to a data subject, a court may decide to order inaccurate data is amended or destroyed.

Where is the Act relevant?

There are some very specific examples of situations in which the Act could apply. For example, a recruitment agency should always have an employee’s consent to pass on information about that employee to an employer. The agency should only request information from the employee that is relevant to the job application and an employee must be told if any information on them is to be requested from someone else (for example, requesting a reference from a previous employer). (See Part 1 of the code for recruitment and selection and Part 2 for record keeping in employment).

In terms of references there is an exemption in the Act which means that an employer does not have to provide details of a reference they have written in confidence, or reveal the identity of the reference writer (or any other third parties). In fact, references are generally allowed if they don’t identify a third party. It is not sufficient to take measures to conceal the identity – for example just to blank out the name of the third party (in this case the reference writer) – because if the content of the reference could identity that person, employers can consider withholding the reference.

Workplace monitoring (see Part 3 of the Code) is another area where an employer must ensure that the provisions of the Act are being complied with. The monitoring of emails, phone calls and internet use must be in accordance with the Regulation of Investigatory Powers Act 2000, as well as the DPA, which may also apply to areas like the recording of sent emails (depending on the monitoring and record keeping procedures).

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 require the interception to be only for the purposes of monitoring, or keeping a record of, relevant business communications, otherwise consent is required.

According to Part 3 of the Code any monitoring must not intrude unnecessarily on employees’ privacy or autonomy at work and the benefit of monitoring should be looked at against the negative effect on the workforce. Where the negative effect is not proportionate to the business reason for which the monitoring was introduced, the Code recommends that monitoring should not be used.

Covert monitoring is rarely justifiable and an employer should introduce a policy explaining to employees the reasons for monitoring and how the monitoring is being carried out.

Any retention of medical tests will trigger the Act’s provisions (see Part 4 of the Code). Here there should be an ‘impact assessment’ to establish whether there is a less intrusive alternative.