Data Protection

What is the Data Protection Act (DPA) 1998?

The aim of the DPA is to protect the right of privacy of individuals relating to the processing of personal data about them. It imposes obligations on those who process information (data controllers) whilst attempting to balance the rights of the individual who is the subject of that data (data subjects). A data subject therefore includes employees, casual workers, agency workers, previous workers and applicants for employment.

How does it affect employers?

The DPA mainly affects the following processes:

Recruitment and selection

- Applicants should be made aware of what information about them is being collected and for what purpose it is to be used. Only relevant personal information of applicants should be obtained, and information that might be needed only for a successful candidate (e.g. banking details) should not be collected during the application process. All information obtained must be kept secure and not disclosed elsewhere without the specific consent of the applicants. Information about criminal convictions should only be obtained if the job requires it. Information obtained as part of a recruitment process should be deleted once there is no longer a clear business need to retain it.

Employment records

- Any information kept about workers is regulated by the DPA. The Act seeks to strike a balance between the need of the employer to keep records and the worker's right to personal privacy. Workers should be kept aware of what information about them is held and what it will be used for. Records should be kept up to date at all times, and any out of date or irrelevant information should be deleted and/or otherwise disposed of securely. Records should be kept in a secure way with a view to ensuring that only those authorised can access them.

Sickness records and other more sensitive information, such as equal opportunities monitoring, should be kept distinct from other less sensitive information. Information should only be disclosed to third parties if the employer is sure that the worker would agree; if in doubt, the worker should be consulted.

Monitoring at work

- If the employer collects or uses information about workers, the DPA will apply, e.g. when emails or internet use are monitored, when video surveillance is used to detect crime and when telephone usage is checked. The DPA does not prevent such monitoring but provides that, if it could adversely affect workers, its use must be justified by its benefit to the employer or others. Openness is the primary consideration. Workers should be kept aware of the nature, extent and reasons for monitoring unless, in exceptional circumstances, covert monitoring can be justified. DPA guidance on the subject of monitoring emphasizes that:

  • monitoring is usually intrusive;
  • workers can legitimately expect to keep their personal lives private;
  • workers are entitled to some privacy in the work environment.

Collection and use of information about workers' health

- The DPA covers information collected or used about workers' health. This will include, for example, questionnaires given to workers to complete about their health, or drug and alcohol testing results. These records are treated as sensitive and additional conditions apply. Workers should be kept informed about what health information is being collected and for what reason. To justify collection or use of such information an employer must be able to show that:

  • collecting such information is necessary to protect health and safety at work; or
  • collection is necessary to prevent discrimination on the grounds of disability; or
  • each worker affected has given explicit consent to the information being collected and used. Any such consent must be freely given.

Provided the conditions are satisfied, employers must keep information about workers' health particularly secure. It should be password protected or kept in a sealed envelope in a worker's file. Access to it should be restricted. Information should be kept for no longer than necessary and the least intrusive means of obtaining such information should be considered. Where, for example, a worker is to undergo a medical test, he/she should be made fully aware of what, why and how much information is to be collected. Drug and alcohol testing is also covered by the DPA.

Sensitive personal data

In addition to information about health issues, other sensitive data includes information relating to:

  • racial or ethnic origin
  • political opinions
  • religious or similar beliefs
  • trade union membership
  • sexual matters
  • criminal offences

Data Protection Principles

For data to be processed lawfully, the following eight principles establish that data must be:

  • processed fairly and lawfully
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate and up to date
  • kept no longer than necessary
  • processed in accordance with the individual's rights
  • kept securely
  • not transferred outside the European Union unless the recipient country has adequate data protection provisions for the individual concerned.

Fairly and lawfully processed data

For information to be considered fairly processed, at least one of the following conditions must have been met:

  • the worker has consented
  • processing is necessary for the performance of a contract with the individual
  • processing is necessary to comply with legal obligations e.g. dealing with the Inland Revenue
  • processing is necessary in order to protect the vital interests of the worker
  • processing is necessary to carry out a statutory function or for the administration of justice
  • processing is necessary in order to pursue the legitimate interests of the employer provided these are not prejudicial to the rights, freedoms and interests of the worker

Rights of workers under the DPA

Workers have the right:

  • to make a Subject Access Request i.e. to find out what information about them is processed by their employer
  • to prevent processing of information about them that might cause substantial unwarranted damage or distress to them or any other person
  • to prevent processing of data for direct marketing purposes
  • to object to any decisions made only by automatic means
  • to compensation for damage and distress caused by any breach of the Act by their employer
  • to rectification, blocking, erasure and destruction of information held about them if it is inaccurate or contains expressions of opinion based on inaccurate information
  • to ask the Information Commissioner to consider whether the DPA has been contravened and, if it has, an enforcement notice may be served on the employer

Please contact us for further information.