The 1998 Data Protection Act applies to personal data in computerised, manual or any other format. It requires transparency in the use of information as well as its 'proper' use. It also emphasises the need for privacy and the right of individuals ('data subjects') to access the data held about them. Private filing systems maintained by managers are also included, and employers are responsible for the proper usage of data in such systems. The introduction of the General Data Protection Regulations ("GDPR"), which come into effect in May 2018, will not make any real practical difference for the majority of organisations processing and using data for HR-related issues.
The Act covers all aspects of 'processing' data. This includes the manner in which it is collected, held, accessed, used, disclosed and destroyed. Anyone collecting data needs to consider the reasons for its collection, what it is going to be used for and who will have access to it.
The DPA includes rules on recruitment and selection, employment records, monitoring at work, and medical information. Employers therefore need to notify the Information Commissioner (by way of registration) that they are collecting, holding and processing data in order to comply with the Act. Registration can be completed online by visiting the Information Commissioner's website. The annual fee for registration is £35.00 for organisations with fewer than 250 staff and an annual turnover of less than £26m. The annual fee for larger organisations is £500.00 (unless the organisation falls into an exempt category).
Key principles
The key principles of the DPA are that personal data must be:
The data subject has a right to be informed whether data about him or her is being processed, and to be given a description of the data being held, the purpose of the processing and the persons to whom the data may be disclosed. The data subject may also make a Data Subject Access Request for copies of personal data about him or her that are held either in a manual filing system or in electronic format. Such requests should be in writing with sufficient detail to enable the data to be identified. Requests of the 'give me copies of everything you have about me' kind are considered unreasonable, and an employer may ask for clarification of what exactly is required and where the person thinks the data is held. An appropriate fee (usually £10) will be charged for responding to such a request and should be paid in advance. The information must be supplied to the individual within 40 days of receipt of the fee and of any clarification requested. Certain information is exempt from subject access rights; these are:
Employees are not automatically entitled to see their references. The recipient of a confidential reference can only disclose the reference by complying with the Act's confidentiality rules. The referee who has given a confidential reference for employment, self-employment or educational purposes can withhold the reference from disclosure. However, this only applies where the reference is given in confidence. The sample reference form on this site has a check box for the referee to tick to indicate whether or not the reference is being given in confidence.
Some information is defined as being 'sensitive'; this includes information on race, religion or belief, trade union membership, sexual life, criminal record and health. There are a number of conditions attached to the processing of sensitive personal data. For example, information relating to ethnicity or race may be processed for legitimate purposes such as statistical analysis to ensure equality of opportunity in employment. However, the processing of medical information, other than for medical reasons, is only allowed with the express consent of the data subject. This naturally raises issues in managing sickness absence or dealing with disability.
Information may be sent to any country within the European Economic Area and to Hungary and Switzerland. It may only be sent to an organisation in the USA if the organisation concerned has signed up to the Safe Harbour Agreement made with the European Union. In all other cases, an employer needs to obtain the consent of the employee before sending information overseas.
The person responsible for compliance with the Act, and who will be liable in the event of a breach, is the Data Controller. In most organisations, the organisation itself is classified as the Data Controller. For partnerships or sole traders, it will be the partners or the trader. Where loss is suffered as a result of a breach, the Data Controller will be liable unless he or she can show that reasonable steps were taken to prevent the breach. Preventive steps could include an audit of the systems and the data processed, a data policy and procedure, communication and training, and tying breaches of the DPA into the disciplinary procedure.