
CHAPTER 1
Introduction

Data protection law was first introduced in Britain with the Data Protection Act 1984. It was
enacted as a result of a Council of Europe Convention [European Treaty Series no. 108 for
the Protection of Individuals with regard to Automated Processing and Personal Data] and
enabled the United Kingdom to sign up to a European treaty on trans-border data flows. The
reason for the introduction of data protection was therefore participation in the beginnings
of e-commerce rather than any desire to introduce a right of privacy.
The Data Protection Act 1998 repealed and replaced the 1984 Act, and the reason for the
new Act was, once again, driven by the European Community. The Data Protection
Directive [95/46/EC] had to be implemented into national law by October 1998. This time
the Act, reflecting the articles of the Directive, goes much further towards creating a privacy
law in the United Kingdom.

The challenge for HR managers in the United Kingdom

Human Resources managers face possibly the most significant challenge of any manager in
relation to compliance with the 1998 Act because:

• Many personnel records are held on paper. Paper or manual files were not previously
subject to data protection law; the 1984 Act only applied to information held and
processed by electronic means. ‘Processing’ is defined widely to include obtaining,
organizing, holding and deleting or destroying information. (For a more detailed
consideration of defined terms, see Chapter 12).
• Employee personal data are often held or duplicated outside the HR department: for
example, appraisal material and sickness records are often held by line managers.
Speculative CVs may be received by line management and retained or passed between
managers without adequate control.
• The sensitivity of data held by the HR department makes it a likely target for data subjects’
questions (a ‘data subject’ is the individual to whom personal data relates). The 1998 Act
classifies certain information as ‘sensitive’; personal data relating to health, race, religion
and trade union membership is subject to more stringent regulation. In addition, HR
departments handle data such as information about salaries, promotions and employee
performance, all of which an employee would perceive as sensitive and which must be
dealt with in confidence.
• The employer owes a duty of confidentiality to its employees. Therefore a high level of
security and personnel staff reliability must be ensured.

Spotlight on the potential abuses of personal data in the employment arena

The Data Protection Commissioner¹ instigated a report [The Use of Personal Data in Employer/
Employee Relationships commissioned by the Office of the Data Protection Commissioner,
formerly Registrar, by Robin E.J. Chater] on the use of personal data in the employment
arena in recognition of the risk that the employee/employer relationship was open to abuse
by the employer. The following issues, among others, were highlighted as raising serious
data protection issues:

• Employee surveillance and fraud prevention measures;
• Use of automated data processing, e.g. CV scanning, aptitude and psychometric testing;
• Collection of new and potentially sensitive information such as genetic tests or the results
of alcohol or drug testing.

Arising from the report, the Information Commissioner’s Office has issued an Employment
Practices Data Protection Code (referred to as ‘the Employment Code’). The Employment
Code sets standards for the obtaining and processing of personal data within the
employment arena. It applies to every employer. The employer is held responsible for all
use of personal data relating to its employees, whether formally (within the HR department)
or informally, for instance in papers held by managers. In addition, the processing of
employee personal data must be undertaken in accordance with the Data Protection
Principles (referred to as ‘the Principles’). The Principles set out the requirements relating to
confidentiality, security and the fair processing of personal data – the elements of data
protection law. The Principles are considered in detail in Part II of this book.
In dealing with the issues identified in Robin Chater’s report – such as recruitment
practices, monitoring employee communications, record-keeping and medical testing –
the Employment Code effectively provides a level of detailed guidance on how the Office
sees the Principles applying in relation to HR activities. As such it is invaluable guidance
on how the regulator interprets and applies the Principles in relation to HR
administration.
The Data Protection Act 1998 raises serious issues for HR management. Outsourcing is
particularly common in relation to the administration of employee benefits, perhaps
because the employer seeks to concentrate on its key business activities and chooses to allow
other, ‘more expert’, organizations to handle non-key functions such as payroll, pensions
administration and fleet management. The outsourcing of functions involving the
processing of personal data is the subject of a new statutory duty requiring checks to be
made on the adequacy of security in place to protect personal data at the third-party service
supplier’s offices and systems. It is also a requirement to have a written contract with
third-party service suppliers who process personal data on behalf of the data controller, with
specific clauses covering data protection issues.

1. The Data Protection authority in the UK has undergone several changes of name. Initially the Data
Protection Registrar, the title changed to Data Protection Commissioner with the introduction of
the Data Protection Act 1998. It changed again to Information Commissioner when responsibility
for overseeing the implementation of the Freedom of Information Act 2000 was given to the Office.

Another key issue for HR relates to the requirement to provide data subjects with
specific information about the data controller before they supply any personal data, known
as ‘subject information’. (The ‘data controller’ is the organization initiating the processing
of personal data, and in the HR context this is normally the employer). This means first
identifying and documenting the purposes for which personal data will be used in the
employer/employee relationship. In some cases, identifying the extent of the use of personal
data in the HR arena will be an issue in itself: examples include the chairman’s use of home
addresses to send Christmas cards to key managers and staff or the distribution of
promotional material advising staff of offers on company goods and services or those
of other companies. If the employee was not informed that their personal data would be
used for these purposes, there is every chance that the employer would be breaking the law if
it allowed personal data to be so used.
All these issues and more are considered in the following chapters. Part I looks at HR
activities and highlights the data protection implications of each. It is organized into
chapters which correspond to HR functions such as recruitment, monitoring, employee
administration and employee benefits. The chapters are split into sections: for example, the
chapter on employee benefits includes sections on pension schemes, crèches, social clubs
and work in the community as well as a general one providing an overview of employee
benefits and the data protection implications they raise. Part I raises suggested action points
in each section which can be used to check your company’s compliance with the
requirements of the Data Protection Act and also for future verification. Draft wordings for
data protection notices and statements are included, and the elements of suggested policies
and procedures outlined.
Part II considers each of the Data Protection Principles in turn, starting with the legal
requirements and working through to their potential impact on HR activities. It provides a
technical view of the Act and its requirements. A thorough introduction to the Act for those
unfamiliar with its provisions, it is also a useful reference for HR professionals already
familiar with the Act wishing to explore key areas in depth to find solutions to particular
problems or identify alternative solutions to those suggested in Part I. If, for example,
compliance with a data subject access request raises particular problems for the
organization, refer to Chapter 19, ‘The Sixth Principle’, which considers subject rights
and exemptions from the need to comply.
Some of the material is duplicated across Parts I and II, but each part adds value in its
own way as they start from different standpoints. Part I starts from the HR standpoint and
considers the impact of the law on HR activities, while Part II starts from the legal
standpoint and considers the law using examples taken from the HR environment.
PART I
Actions for employers

CHAPTER 2
Managing data protection

The Employment Practices Data Protection Code (‘the Employment Code’) emphasizes the
importance of identifying within the organization an individual who is responsible for data
protection compliance in relation to Human Resources. At the highest level, this individual
is responsible for ensuring that other managers – within and external to HR – are aware of
the employee personal data they hold. Furthermore, they should promote policies and
procedures to encourage best practice when handling employee personal data. This may be
achieved by providing training for all staff whose jobs involve the handling of such data as
well as by implementing policies and procedures to meet the requirements of the
Employment Code.

Recommended policies and procedures

To ensure that due consideration has been given to most, if not all, aspects of data
protection law and the Employment Code, check your existing policies against the list of
recommended policies below. (The list also includes other actions it would be prudent to
take). If you decide a particular policy or procedure is inappropriate for your business,
document the fact that it has been considered and the reasons for its rejection or
amendment. Outlines for many of these policies and procedures are included in later
sections: for example, suggested documentation retention periods are set out in Chapter 10,
‘Employee administration’.

1) Policies on the disclosure of personal data (covering internal and external disclosures)
including:
  • Legal obligations on the organization to disclose, for example to meet Inland Revenue
  requirements or to provide information to company auditors.
  • Cases in which the employee will be informed of the request for disclosure.
  • Checks to carry out on credentials of those seeking disclosure.
  • The position regarding the disclosure of sensitive data.
  • The position regarding disclosure which would involve transfer of personal data
  outside the European Economic Area.
  • The review of non-regular disclosures.
2) Policy on how spent disciplinary notices are handled (part of disciplinary procedure).
3) Document retention policy, including deletion and destruction guidelines.
4) Personal data security policy including:
  • Guidelines for using fax and e-mail to transmit confidential information.
  • The use of laptops and homeworking generally.
  • The security of paper files.
  • Audit trails.
  • The use of shared facilities.
5) Subject rights procedures.
6) Interview policy and guidelines.
7) Policy on the provision of confidential references.

The Employment Code recommends that serious breaches of data protection policies should
be a disciplinary offence to impart the importance of compliance to staff.¹

Staff training

Staff training needs to cover the following as a minimum:

• What constitutes unauthorized processing and how to avoid it.
• How deceit may be used to obtain information illegally from the organization.
• General guidelines for line managers recognizing that they process employee personal
data on behalf of the organization, and their responsibilities.
• General guidelines on how to identify and action the exercise of subject rights.
• General guidelines for those who ‘wear different hats’ working for two or more companies
or trustees (i.e. ‘Chinese walls’).² (‘Chinese walls’ are protocols within the organization
which operate so that ‘known’ facts in one department are kept confidential from other
departments. They may also apply within a department so that information used for one
purpose by a member of the HR team is kept confidential and not applied for another
purpose even though the same team member might be involved).

Audit

The full extent of personal data processing activities within the Human Resources function
can best be identified by undertaking an audit of the HR department. An audit is key to
identifying what subject information should be provided to staff and prospective job
candidates and to checking that all processing of personal data currently under way meets
the requirements of fair processing. In subsequent chapters it is a foundation of suggested
compliance actions that a good knowledge of the processing activity undertaken in the
department has been established. The Employment Code also recommends that an
assessment is made of existing employee personal data, identifying who is responsible for
the data.³
The Employment Code clearly indicates that some audit activity is required to ensure
procedures are being followed.⁴ The Information Commissioner recommends audit as a tool
to identify the effectiveness of current policies and procedures. Suggested audit guidelines
have been set out in Guide to Data Protection Auditing published by the Information
Commissioner in December 2001. One of the recommendations is that an independent
auditor should be utilized if possible. A person independent of the department – and
preferably independent of the company – is best suited to the task of a departmental audit.
The use of audit trail facilities on computer systems is also recommended in the
Employment Code.⁵ The Information Commissioner recommends that new HR systems
should include audit facilities in their specification.

1. Record Management – Management of data protection, benchmark 6.
2. Employment Practices Data Protection Code, Record-keeping – Pensions and insurance, benchmarks
1 and 3.
3. Record Management – Management of data protection, benchmark 3.
4. Record Management – Management of data protection, benchmark 1.

ACTING ON AUDIT FINDINGS

• Improve policies and procedures where these are proving to be impractical, inappropriate,
or simply missing.
• Focus training on those areas which cause most problems for staff whose jobs involve the
handling of personal data.
• Eliminate irrelevant personal data processing by purging old and unwanted files,
de-duplicating files and tailoring application and other forms so that only relevant data
is sought from data subjects.⁶
• Check that notifications are up to date and that they accurately reflect current data
processing activity.⁷

SUGGESTED ACTIONS
Designate one person responsible for data protection compliance in relation to personnel
management and records. The following are the suggested actions to be carried out by this
designated individual:

• Audit data protection compliance in relation to HR issues on a regular basis.
• Act on audit findings.
• Ensure that recruitment policies and procedures comply with the Principles (see Chapter 4).
• Ensure that all staff who handle personal data relating to other staff are properly briefed
on data protection compliance issues (see Chapter 6 on staff training).
• Ensure that all third-party HR service providers (service providers involved in processing
personal data are called ‘data processors’ in the Act) are under contract in relation to those
services: for example, external payroll service provider, pensions administrator, trainers
and consultants. (See Chapter 7).
• Check that a sensible document retention policy is in place and being followed. (See
page 61 for an outline policy with specified retention periods).
• Supervise new staff whose jobs involve the handling of personal data or restrict their
access to such data until they have undergone training on data protection issues. (See
Chapter 6).
• Audit employee benefits administration for compliance with the Data Protection
Principles and the Employment Code. (See Chapter 8).
• Ensure that any monitoring of employees is undertaken in accordance with the Principles
and the Employment Code. (See Chapter 5).

5. Record Management – Security, benchmark 3.
6. Employment Code, Record management, Management of data protection, benchmark 4.
7. Employment Code, Management of data protection, benchmark 6.

CHAPTER 3
Rights and lawful processing

Data subject rights

The Act gives data subjects certain rights in relation to the processing of their personal
data. An employee may exercise those rights in relation to their employer. The
Employment Code recommends that employers tell their employees about their rights
under the Act, including the right of access to the information kept about them.¹ (For a
more detailed consideration of defined terms such as ‘data subject’ and ‘personal data’ see
Chapter 12).

SUBJECT ACCESS
Data subjects have the right to a copy of any information held about them by the
organization. The requirements are:

• The request must be made in writing.
• It must be supported by any payment required by the organization (maximum ten
pounds).

The company has forty days in which to respond to such a request with a complete copy of
any information held. Explanation of codes etc. must be provided and the information must
be in legible form. CCTV images are included in the definition of personal data, so it is
reasonable to assume that you may be asked for copies of relevant portions of tapes by
employees exercising this right.
A data subject who makes a request is also entitled to:

• Confirmation that the company holds personal data relating to them.
• Be advised if the data is subject to any automated decision-making process.
• Be advised of the logic in any processing, unless this would constitute a ‘trade secret’.
• Be advised of the purposes for which their data is processed.
• Be advised of the sources of the data.

THE RIGHT TO PREVENT PROCESSING FOR THE PURPOSES OF DIRECT MARKETING

A data subject may make a written request at any time to require the company to cease, or
not to begin, processing their personal data for the purposes of direct marketing.
‘Direct marketing’ means the communication (by whatever means) of any advertising
or marketing material directed at particular individuals. Therefore mailshots, e-mails and
telephone calls are all included.
The Data Protection Act 1998 requires that such requests be made in writing and gives
the company a ‘reasonable’ period in which to amend records and mailing databases to
comply with the request.

1. Record Management, benchmark 2.

THE RIGHT TO PREVENT PROCESSING LIKELY TO CAUSE DAMAGE OR DISTRESS

The Act requires that data subjects exercising this right make their request in writing, setting
out the reasons why processing is either causing or likely to cause substantial damage or
distress to themselves or another and why such damage or distress is or would be
unwarranted. The data controller then has a period of twenty-one days in which to respond,
either stating that it has complied or intends to comply with the data subject’s request, or
giving its reasons for not complying, wholly or in part, on the grounds that the request is
unjustified. Valid grounds for not complying include cases:

• Where the data subject has given consent to the processing.
• Where processing is necessary for the performance of a contract to which the data subject
is a party or for taking steps preliminary to entering into such a contract.
• Where processing is necessary for compliance with any legal obligation to which the data
controller is subject, other than a contractual obligation.
• Where processing is necessary in order to protect the vital interests of the data subject.

THE RIGHT TO OBJECT TO AUTOMATED DECISION-TAKING

A data subject has the right to object to decisions taken by automated means in
circumstances where the decision:

• Is taken by or on behalf of the data controller, and
• Significantly affects that individual, and
• Is based solely on the processing by automatic means of the individual’s personal data, and
• Is taken for the purpose of evaluating matters relating to him.

The Act requires that such objections be made in writing. Data controllers are then under a
duty to review the decision manually: that is, by human intervention. The final decision may
be to reverse the automated decision or reaffirm it; the key to compliance with the exercise of
this right is the fact of human intervention. Automated decision-making would include such
activities as scoring psychometric or other qualification tests set by the employer.

THE RIGHT TO COMPENSATION

Any individual who suffers damage or distress by reason of contravention of any of the
requirements of the Act is entitled to compensation from the data controller through the
courts.

RIGHTS IN RELATION TO INACCURATE DATA

A data subject may apply to the court for the rectification, blocking, erasure or destruction of
personal data relating to them on the basis that the data is inaccurate. This applies even
when the data controller obtained the inaccurate data from a third party or the data subject.
The court may also choose to require the data controller (and any other data controllers
holding the same data) to replace the inaccurate data with data recording the true facts as
approved by the court.

ELEMENTS OF A DATA SUBJECT RIGHTS PROCEDURE FOR EMPLOYEES

Employees will regularly require different pieces of information from the HR department:
for example a double-check on the amount of holiday entitlement left, confirmation of
details from contracts of employment, etc. In addition, employees are usually party to much
of the information that is held on the HR file. For instance, appraisal information is usually
shared with the employee, and the content of any disciplinary notices will be shared.
Therefore a request from an employee for access to information held on their personnel file
may not need to be treated as a subject access request.
The employer is allowed to negotiate with the employee about the information required
and the form it should take. For example, the employee might be given their personnel file
to browse through in a confidential environment and allowed to take copies of anything
they choose. This might be preferable to providing a photocopy of the entire file for all
concerned. However, the employee has the right to insist that the subject access procedure is
followed and that a complete copy of the information comprising the personal data is
supplied unless this would involve disproportionate effort.

PROCEDURE
The strict legal requirement is that any notice exercising the right to subject access should be
issued in writing. If an employee purports to exercise a subject right by telephone or face to
face, the organization is entitled to request that the approach be made in writing. In
practice, an employer may take a more relaxed view or provide a form designed to elicit
information verifying the identity of the individual making the enquiry. The employee
might not be located in the same offices as HR personnel responding to the request, and it is
sensible to check the person’s identity. Any useful background information can be sought
from the individual both in relation to their enquiry and to assist in verification.

Subject access requests

When responding to a subject access request it is best to coordinate relevant information
and then check that it does not contain any personal data relating to other data subjects.
Where information identifies a third party, the employer must refer to that third party for
permission to disclose their personal data. If authority is withheld, the organization has the
discretion to decide whether to comply fully with the request against the third party’s
wishes or to withhold that information.
In very limited circumstances there are grounds for not complying with a subject access
request made by an employee. These include:

• Management forecasts, to the extent to which their disclosure would be likely to
prejudice the conduct of the business. For example, plans involving the closure of
business premises and subsequent redundancies would not have to be disclosed to an
employee making a subject access request if the plans were not already common
knowledge.
• A corporate finance exemption, which allows personal data to be withheld to the extent
to which its application could affect the price of any stock or for safeguarding an
important economic or financial interest.
• An exemption applying to negotiations currently under way involving the data subject, to
the extent to which the application would be likely to prejudice those negotiations. For
example, negotiations over the terms of a leaving package would be exempt from a subject
access request made by the data subject.

If it is believed that there are legitimate grounds for not complying with a subject access
request, seek legal advice.

The exercise of other rights

The right to prevent the processing of personal data for direct marketing purposes is an
absolute right. The organization must simply comply with the request.
The right to prevent the processing of personal data likely to cause damage or distress is
qualified by the organization’s right to assess the likely damage or distress and weigh this
against its own purposes in processing the data. The Data Protection Act 1998 therefore
allows organizations a certain amount of discretion in complying with such requests. If the
data subject is dissatisfied with the outcome of the request, they may refer it to the
Information Commissioner’s Office for assessment or to the courts.
The exercise of the right to object to decisions taken by automated means involves the
organization in a manual review of the decision taken. The reviewer’s findings may differ
from those made by automated means; alternatively, they may concur. Again, the data
subject who is not satisfied with the outcome may refer the matter to the Information
Commissioner’s Office for assessment or to the courts.

SUGGESTED ACTIONS

• It is vital to identify when a right under the Act is being exercised – brief all HR staff on
data subject rights.
• Provide a documented procedure for employees to exercise their rights against the
organization; this will help to ensure that notices purporting to exercise rights are directed
at designated personnel who will know how to react.
• When a right is being exercised, deal with the matter quickly.

Data subject information

The Act requires that, whenever personal data is obtained, certain information is given to
the data subject first. The data controller (employer, pension scheme trustees, etc.) must be
identified, along with the purposes for which the personal data is to be processed.
Additional information relevant in the circumstances might include any other parties to
whom data is to be disclosed and any other information which would affect the data
subject’s decision to disclose the data requested.
It is important to identify all the purposes for which personal data is to be processed.
The Second Principle restricts processing to the stated purposes. Organizations must state
their intended processing purposes before obtaining personal data. Consent must then be
sought for any subsequent ‘new’ processing activity involving that personal data.

SUGGESTED WORDING FOR TYPICAL SUBJECT INFORMATION IN THE HR CONTEXT

The following are sample wordings for those common areas requiring data subject
information: employees, pension scheme members and job applicants.

Subject information for an employee

The information we, [name of organization], require will be used for employee administration,
including the administration of remuneration and employee benefits, and Health and Safety
purposes. We will share your information with the Pension Scheme Trustees and administrators/
insurers/etc. in connection with employment benefits and/or the business. We may disclose
information to our auditors or as required by law. Otherwise your personal details will be kept
confidential.
You are free to view your personnel file on request from time to time. Contact [name of
contact] if you wish to see your file or part of it.
(If applicable) We also require limited personal data for training and assessment
purposes.
(If applicable) We also use your personal data to advise you of offers on our products
and services from time to time. If you do not wish to receive this information, please tick this
box.

Subject information for a pension scheme member

The information we, [name of pension scheme trustee body], require will be used for the purposes
of administering the pension scheme and any benefits payable under the scheme. We may share
information with your employing company and our advisers/administrators/insurers/etc. in
connection with the pension scheme. We may disclose information to our auditors and actuaries
or as required by law. Otherwise your personal details will be kept confidential.
(If applicable) We also share information relating to you with independent financial advisers
selected by the trustees from time to time so that they can provide you with financial planning
advice at your request.

Subject information for a job candidate

The information we request is required to assess your suitability for the job you have applied for
and your suitability as an employee of [name of employing company]. We will obtain
information about you from your designated referees should you be successful. We will also
(delete as applicable) carry out a credit reference search/require you to attend for a medical with
our company doctor/undertake the following vetting procedures prior to appointment. . . .
We are an equal opportunities employer and we undertake equal opportunities monitoring in
relation to job candidates. We will retain details of your race or ethnic origin, where this is
provided by you for this purpose. The information will not identify you personally.

If your application is unsuccessful, we would normally retain your details on file for a period
not exceeding six months. Please let us know if you would like your details to be destroyed
immediately.

SUGGESTED ACTIONS
• Identify all processing (including obtaining, holding, using and disclosing) of personal
data undertaken by or for HR. Your list may include:
  – Employee/staff data for staff administration including pay and conditions.
  – Pension scheme member data for pension scheme administration.
  – Data relating to pensioners for pension scheme administration.
  – Data relating to employees’ and pensioners’ spouses for the administration of pension
  scheme payments and group life insurance.
  – Data relating to social club members for administration.
  – Employee data for marketing.
  – Data relating to ex-employees for statutory and contractual purposes.
  – Data relating to temporary workers and/or contractors for administration purposes.
  – Data relating to prospective employees for purposes of recruitment.
• Draft subject information to explain why personal data is required in each case and how it
will be used and disclosed. See the suggested wordings set out above.
• Position subject information on any forms where personal data is sought: for example, job
application forms, pension scheme membership application forms, social club
membership application forms, etc. Make sure you use lettering of equal font size, and position
the notice so it can be seen at least as easily as any other information or question on the
form.
• Also include subject information in any staff handbook and booklets describing the
pension scheme and other employee benefits. They can be included in induction or
welcome packs and on the company intranet, if one exists. Again, make sure that the
notice is given equal prominence with other terms and conditions.
• Include appropriate subject information in letters sent to acknowledge unsolicited CVs.

Conditions for lawful processing


For the processing of personal data to be lawful, one or more specified conditions must be
met. The conditions are set out in full in Schedule 2 to the Data Protection Act 1998.

CONDITIONS FOR PROCESSING HR-RELATED DATA


The following are some of the commonly applicable conditions for the processing of
personal data in the HR context.
‘The processing is necessary for the performance of a contract to which the data subject is a
party, or for the taking of steps at the request of the data subject with a view to entering into a
contract.’
For example, paying employees is fulfilling a term of their contract of employment,
while providing pension scheme benefits is fulfilling a term of the pension scheme
membership contract.
16 Actions for employers

‘The processing is necessary for compliance with any legal obligation to which the data
controller is subject, other than an obligation imposed by contract.’
For example, your auditor may require to check your payroll records or check personal
expenses claims. This condition covers the requirement to supply information about an
employee to the Inland Revenue or DSS. Complying with court orders also falls under this
condition.
‘The processing is necessary for the purposes of legitimate interests pursued by the data
controller or by the third party or parties to whom the data are disclosed, except where the processing
is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate
interests of the data subject.’
For example, marketing activity undertaken by an organization so long as the wishes of
data subjects are observed. This means avoiding inappropriate marketing where you know
the recipient does not want to receive marketing material.
This condition also covers the use of CCTV to protect business premises against crime,
but remember that the business interest must be balanced against the rights and freedoms
of individuals. CCTV cameras should be focused on the areas of the premises most open to
risk and should not, for instance, record employees if this can be avoided. (See, further,
Chapter 5).

SUGGESTED ACTIONS
. Identify and list all processing (remember to include obtaining, holding, using and
disclosing) of employee personal data. Your list is likely to include:
– Employee/staff data for staff administration including pay and conditions.
– Pension scheme member data for pension scheme administration.
– Data relating to pensioners for pension scheme administration.
– Data relating to employees’ and pensioners’ spouses for administration of pension
scheme payments and group life insurance.
– Data relating to social club members for administration.
– Employee and/or pensioner data for marketing.
– Data relating to ex-employees for statutory and contractual purposes.
– Data relating to temporary workers and/or contractors for administration purposes.
– Data relating to prospective employees for purposes of recruitment.
– Supplier data for purchases and accounts.
– CCTV images for crime prevention and the prosecution of offenders.
. Check that each activity is covered by one or more of the conditions for fair processing
explained above.
. Document your findings and your work.

Sensitive data
‘Sensitive data’ is a defined term in the Data Protection Act 1998. It refers to personal data
consisting of information as to:

1) The racial or ethnic origin of the data subject.
2) Their political opinions.
3) Their religious beliefs or other beliefs of a similar nature.
4) Whether they are a member of a trade union.
5) Their physical or mental health or condition.
6) Their sexual life.
7) The committing or alleged committing by them of any offence, or
8) Any proceedings for any offence committed or alleged to have been committed by them,
the disposal of such proceedings or the sentence of any court in such proceedings.

These categories of data have been identified as requiring a higher degree of care when
processing. More regulation of this type of processing may follow in future.
Currently the only additional requirement when processing sensitive data is to meet a
condition for the fair processing of sensitive data in addition to one or more of the
conditions for the fair processing of personal data. The conditions for the fair processing of
sensitive data are set out in Schedule 3 to the Data Protection Act 1998.
Most employers will process personal data relating to the health of their employees.
Holding sickness records constitutes the processing of sensitive data.

COMMONLY APPLICABLE CONDITIONS FOR THE FAIR PROCESSING OF SENSITIVE DATA IN THE HR CONTEXT
If your HR department processes sensitive data, one or more of the following conditions
must be met:

The processing is necessary for the purposes of exercising or performing any right or obligation which
is conferred or imposed by law on the data controller in connection with employment.

Contractual provisions such as the paying of sick pay or the administration of a private
medical scheme or income replacement scheme would be covered by this condition.

The information contained in the personal data has been made public as a result of steps
deliberately taken by the data subject.

This would apply, for example, where the data subject has provided sensitive data to the
press and the organization was asked to comment.

The processing is necessary for the purpose of, or in connection with, any legal proceedings (including
prospective legal proceedings), or for obtaining legal advice.

This will cover the seeking of legal advice in connection with an employee whose
performance is unsatisfactory, perhaps due to ill health.

The processing is of information as to racial or ethnic origin, necessary for the purpose of identifying
or keeping under review the existence or absence of equality of opportunity or treatment between
persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or
maintained, and is carried out with appropriate safeguards for the rights and freedoms of data
subjects.

This covers equal opportunities monitoring and reporting.



The data subject has given his explicit consent to the processing of the sensitive data.

This condition may be relied upon if none of the other conditions for the fair processing of
sensitive data apply. However, there is a problem in relation to employment. In the context of
the employer/employee relationship it is now doubtful that proper consent can be given by
the employee to the processing of personal data relating to them by the employer. The view
has been expressed that in the relationship between employer and employee, the employee is
at such a disadvantage in terms of bargaining power that they are never able to give consent
freely and without undue influence from the employer. The Information Commissioner
(Elizabeth France, Commissioner 1992–2002) indicated that she agrees with this view.
The Information Commissioner’s Office accepts that this creates a problem for
employers processing sensitive data relating to employee sickness, for example. An Order
is being sought urgently from the Secretary of State to deal with this issue. In the meantime,
the position being adopted by the Office is that there are probably several legal obligations
on the employer requiring it to process sensitive data relating to employees without relying
on consent: three years’ statutory sick pay records must be kept pursuant to statute; there
is the common-law duty to other staff and to the sick employee (for example). While it is
accepted that this is a manufactured solution where none really exists, it does provide a
workable solution to the problem in the short term. HR professionals should keep abreast of
developments in this area as the manufactured solution is not viewed as a long-term one.
See page 21 for more detail on the issue of consent.

SUGGESTED ACTIONS
Identify all processing of sensitive data likely to be undertaken by the HR department (race,
religion, trade union membership, health, sex life, criminal records). Your list is likely to
include:

. The race or ethnic origin of employees/staff for the purpose of equal opportunities
monitoring.
. The health of employees/staff for the purpose of statutory and company sick pay schemes,
and to meet health and safety requirements.
. Trade union membership for administrative purposes.

Check that each activity is covered by one or more of the conditions for the processing of
sensitive data set out above.

The Data Protection Principles


The Data Protection Principles, in Schedule 1 to the Data Protection Act 1998, set out
required standards of behaviour to be observed when dealing with personal data. There are
eight Principles and the text is set out below for reference. In addition, Chapters 14 to 21 in
Part II provide in-depth analysis and guidance on each of the Principles.

The Principles are as follows:

1) Personal data shall be processed fairly and lawfully.



2) Personal data shall be obtained only for one or more specified and lawful purposes and
shall not be processed in any manner incompatible with that purpose or those purposes.
3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.
4) Personal data shall be accurate and, where necessary, kept up to date.
5) Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
6) Personal data must be processed in accordance with an individual’s rights under the
Act.
7) Appropriate technological and organizational measures shall be taken against the
unauthorized or unlawful processing of personal data and against the accidental loss or
destruction of, or damage to, personal data.
8) Personal data shall not be transferred to a country or territory outside the European
Economic Area unless that country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the processing of personal
data.

The Employment Practices Data Protection Code, issued by the Information Commissioner,
has interpreted the Principles in relation to HR activities.

SUGGESTED ACTIONS
Security checks
. If you do not have an IT security policy which covers HR computer systems, document (at
a high level) the security systems which protect personal data held: for example, restricted
access by the use of passwords, access on a need-to-know basis, firewalls, back-up
arrangements, business continuity plans, etc.
. Document the security arrangements for personal data held in paper files: for instance by
using lockable filing cabinets, adhering to a ‘clean desk’ policy, using reliable and secure
archive arrangements, and ensuring the reliable and secure destruction of documents
containing confidential and ordinary information.
. Document how you ensure the reliability of staff who work in HR: for example, when
taking up references and supervising new employees, with regard to laptop use and
homeworking policies and procedures, and when providing training on security and
confidentiality issues and house security policies as documented above.
. Consider the adequacy of the security arrangements you have in place in relation to the
confidentiality of the employee personal data you process. Strengthen your arrangements
as necessary.
. Review your security arrangements periodically to ensure that you are still providing
adequate security for personal data considering the risk of disclosure or damage and the
harm that could result.

Checks for fair and legal processing


. Identify all employee personal data-processing activities. Your list might include:
– Employee/staff data for staff administration including pay and conditions.
– Pension scheme member data for pension scheme administration.
– Data relating to pensioners for pension scheme administration.
– Data relating to employees’ and pensioners’ spouses for administration of pension
scheme payments and group life insurance.
– Data relating to social club members for administration.
– Employee data for marketing.
– Data relating to ex-employees for statutory and contractual purposes.
– Data relating to temporary workers and/or contractors for administration purposes.
– Data relating to prospective employees for purposes of recruitment.

Ensure that each processing activity meets one or more of the conditions for fair processing.
(See page 15).

Keeping personal data up to date and accurate


. If one is not already in place, introduce a regular update of employee details whereby
employees are requested to confirm that their personal details as held on HR files are
correct and up to date.
. Review any procedures which involve the transfer of personal data internally and consider
whether they need amending to ensure that accuracy is maintained.

Not keeping personal data longer than is necessary


. Adopt a document retention policy with justifiable retention periods for personnel
information. (See page 61).
. Introduce a regular review of how long files are kept, making sure that this is not for
longer than necessary or for longer than is stated in your HR document retention
policy.

Ensuring that personal data held is adequate, relevant and not excessive
. Ensure the relevance of new personal data entering the department by undertaking a
review of the categories of personal data sought on any application forms (those for jobs,
membership of pension schemes or other employment benefit schemes, absence and
holiday forms, etc.). Consider if all the information is actually necessary to the stated
purpose for which it was obtained. For example:
– Are job application forms asking for too much detail for a sensible assessment to be
made of a candidate’s suitability for a junior position?
– Are job application forms asking for information which will only be relevant in relation
to the successful candidate? In which case, it is irrelevant in relation to most of the
candidates who complete the form.
– Are there any questions on forms of which you do not understand the relevance?
. Review the personal data provided by line managers to HR in reports and statistics
routinely required. Is sufficient information provided? Is any of the information
irrelevant?
. Check the relevance of personal data on existing files by undertaking a regular, rolling
purge of HR files. In particular:
– Ensure that you are following any document retention policies, procedures for
removing expired disciplinary warnings or details of spent criminal convictions from
files.
– Anonymize data held on files retained for statistical analysis only; personal data should
not be relevant to this activity.

Consent in the employer/employee relationship


When the Data Protection Act 1998 was enacted, legal advice suggested that the most
appropriate way to ensure the continuance of then current data-processing activities in the
employment arena was to seek the informed consent of the employee to itemized lists of HR
activities.
Current thinking is that consent can never be demonstrated to have been given freely in
the context of the employer/employee relationship.
One of the European Union’s advisory bodies on data protection (the Article 29
Working Party, established under the Data Protection Directive) has considered the issue of consent between employer and employee in the
workplace. In an Opinion issued in September 2001 it suggested that where the employer is
required to process personal data for ‘necessary and unavoidable’ purposes associated with
employment administration, it would then be misleading if the employer were to seek to
rely on consent from the employee to legitimize the resultant personal data-processing
activities (Opinion 8/2001). The view expressed was that consent by an employee cannot be
demonstrated to have been freely given to the employer because of the risk of prejudice to
the employee’s continued employment and prospects at work.
The Information Commissioner and representatives from her Office have concurred
with the view of the advisory committee that it is very difficult to clearly establish that
consent was freely given by an employee to the employer’s personal data-processing activity.
Consent is not routinely required in order to process personal data legitimately. It is one
of the conditions for fair processing required to meet part of the First Data Protection
Principle. Generally, though, there are other conditions that may be relied upon in the
context of employee administration. It is a little more difficult to find alternative conditions
to legitimize the processing of sensitive data as the conditions are much more limited in
application as befits the subject matter. Therefore it is in the context of processing sensitive
data, sickness and absence records, details of trade union membership or criminal records
that the employer would generally seek to rely on the consent of the employee to meet a
condition for fair processing and thereby render the processing fair.
The other prime example where an employee’s consent is of key importance is in
relation to the transfer of personal data outside the European Economic Area. The Eighth
Principle prohibits the transfer of personal data outside the EEA to any territory which does
not provide adequate safeguards for the rights and freedoms of data subjects. However, there
are some exceptions to the prohibition, a key one being where the data subject has
consented to the transfer.
If the employer is effectively deprived of consent as a condition to establish fair
processing, this has a significant impact on its ability to process certain data and to process it
in certain ways.

WHERE CONSENT MAY BE REQUIRED


Consent is one of the conditions for the fair processing of personal data and, more
importantly, for the fair processing of sensitive data in which conditions are more
restrictive. The conditions for fair processing are set out in Schedule 2 to the Act. (Schedule 3
sets out the conditions for the fair processing of sensitive data, i.e. that relating to mental
and physical health, sex life, criminal records or charges, race or ethnic origin, religious or
political beliefs, membership of a trade union). While Schedule 2 conditions include a
number of practical alternatives to the obtaining of consent, Schedule 3 conditions do not
provide alternatives to consent in many situations.
Consent is also one of the exemptions to the prohibition on the transfer of personal
data outside the EEA. These exemptions are set out in Schedule 4 to the Act.
Another situation where consent is required is where personal data is obtained for a
stated purpose and the data controller subsequently identifies a further purpose for
processing the data which is not compatible with the original purpose. In this circumstance,
the data controller must revert to the data subject to ask for consent for the new processing
purpose. Again, this will prove difficult within the employer/employee relationship.
Finally, consent is required to the processing of personal data for the purposes of
marketing. This takes the form of the opt-out, or, for the marketing of products and services
provided by third parties (that is, a party other than the employer), an opt-in.

Consequences for employment contracts


It is not recommended that contracts of employment include consent clauses to the
processing of personal data relating to employee data subjects. Where these already form
part of the contract of employment, the wording should be amended so that the clause
operates as subject information. The Information Commissioner’s view has been clearly
stated: consent within the employer/employee relationship is unreliable, and to persist in
apparently relying on such clauses indicates that the data controller is not keeping up to
date with developments in data protection law.

Consequences for meeting the conditions for fair processing


When processing personal data, other appropriate conditions for fair processing (in
Schedule 2) will almost certainly apply. For example, there is a condition that the processing
is pursuant to a contract to which the data subject is a party, in this case the employment
contract; alternatively that the processing is in the legitimate business interests of the data
controller subject to the rights and freedoms of individual employees. For a further
explanation of the conditions for fair processing, see Chapter 14. For the application of the
First Principle to processing in the HR context. (See page 15).

Consequences for establishing fair processing of sensitive data


The processing of sensitive data must be justified on more restricted grounds (set out in
Schedule 3), and it is suggested that normal HR activity involves the processing of sensitive
data to meet statutory requirements. For example, the processing of data relating to health is
necessary for the administration of statutory sick pay, and the processing of data relating to
race or ethnic origin necessary to meet the requirements of equal opportunities monitoring.
In fact, this is the interim solution offered by the Information Commissioner to overcome
the deficiencies of Schedule 3 pending further legislative solutions. However, this solution
will not cover any exceptional processing activity involving sensitive data. It serves to
legitimize normal HR activity. Employers need to consider whether or not their processing
of sensitive data falls outside the norm for any reason and to seek advice if it does.
The first draft of the Employment Code of Practice suggested that the processing of
information relating to the employee’s absence due to illness would not be covered by the
statutory requirement condition for fair processing. This position has softened, largely in
response to the problem of establishing freely given employee consent. The final version of

the Code allows for the processing of sensitive data to meet statutory obligations on the data
controller in relation to employment to include normal sickness and absence reporting and
recording. As stated above, this is now the interim solution offered by the Information
Commissioner to resolve the issues of consent when processing sensitive data in the
employer/employee relationship.

Consequences when transferring employee personal data outside the EEA


When transferring employee personal data outside the EEA, there are other alternatives to
consent to legitimize the transfer. At worst the data controller can apply the adequacy test
and approve the transfer on the grounds that the transferee organization offers appropriate
levels of security and protection for individual rights in relation to the sensitivity and
confidentiality of the personal data being transferred. (See page 55).

Consequences for marketing


The Employment Practices Data Protection Code follows previous guidance in relation to
obtaining consent to marketing activity. The basic requirement is that data subjects be given
an opt-out to the use of their personal data for marketing purposes. There are other areas in
the Employment Code where consent is advocated: for example, when publishing
information relating to an employee (in reports and accounts, company brochures, in-
house magazines, etc.)2 the informed consent of that individual should be sought.
Employee consent is also advocated when one is approached for a reference by a third
party.3

SUGGESTED ACTIONS
. Amend contracts of employment to remove any clauses requiring data subject employees
to consent to data processing activity.
. Consider the processing of sensitive data in the HR context. Any processing activity which
is non-routine by HR standards should be cleared specifically with the Information
Commissioner’s Office as it is unlikely to be covered by the wider interpretation of the
condition relating to meeting legal obligations in the employment context.
. Ensure that the transfer of employee personal data outside the EEA does not rely on
employee consent to the transfer. Alternative justifications for the transfer must be
identified. (See page 55).
. Use marketing opt-out clauses if the employer intends to market its own goods and
services to employees or an opt-in clause if the intention is to market the goods and
services of third parties. (See Chapter 11).

2. Record Management, Publication and disclosures, benchmark 1.
3. Record Management, References – benchmarks 2 and 3.
4 Issues relating to recruitment
CHAPTER

Selection and recruitment of new personnel


The Employment Practices Data Protection Code sets out standards for the use of personal data
in the recruitment and selection of new personnel.1 The Employment Code can be seen as
‘fleshing out’ the Data Protection Principles, explaining how they might apply in relation to
HR activities. There is no conflict between the benchmark standards set out in the Employment
Code and the Data Protection Principles. The Employment Code provides guidance as to the
way the Information Commissioner applies the Principles in the HR context.
Some of the points made in the ‘Recruitment and Selection’ part of the Employment
Code which are not covered elsewhere are as follows:

. There are no special rules relating to interview notes or any other component of
recruitment records. For example, interview notes should be disclosed if an interviewee
exercises their right to access personal data relating to themselves. Under the 1984 Act,
indications of the data user’s intentions in respect of an individual were excluded from
the definition of ‘personal data’ and therefore from subject access. The 1998 Act
definition expressly includes both expressions of opinion about the individual and
indications of intentions in respect of them, so this is no longer the case.
. It should be stated, on any application form, to whom the information is being provided
and how it will be used, if this is not self-evident. (See page 13).
. Recruiters should only seek personal data relevant to the recruitment decision to be made.
Data required for personnel administration should be sought later, and only of the
successful candidate. (See Chapter 4).
. If sensitive data are collected, ensure a condition for processing sensitive data is satisfied.2
. A secure method for processing applications must be used.3
. Recruiters should be consistent in the way personal data is used when shortlisting
candidates for a particular position.4
. Recruiters should ensure that personal data recorded and retained following interview can
be justified as relevant to, and necessary for, the recruitment process itself, or for
defending the process against challenge.5

CRIMINAL OFFENCES
The Data Protection Act 1998 makes it a criminal offence to require candidates for jobs to
make a data subject access request to the police in relation to possible criminal records. The
new Criminal Records Bureau is now the only legal route to the obtaining of personal data
relating to the criminal records of prospective employees. The Employment Code provides
that employers should only seek information about an applicant’s criminal convictions if
that information can be justified in terms of the role offered. If the information is justified,
employers must make it clear that spent convictions do not have to be declared, unless the
post being filled is covered by the Exceptions Order to the Rehabilitation of Offenders
Act 1974.6

1. Recruitment and Selection of New Personnel.
2. Handling applications, benchmark 5.
3. Handling applications, benchmark 6.
4. Shortlisting, benchmark 1.
5. Interviewing, benchmark 1.

THE EMPLOYMENT PRACTICES DATA PROTECTION CODE


The Employment Code makes a series of recommendations in relation to psychometric
testing, vetting procedures and the retention of recruitment records respectively. Elements
for inclusion in suggested policies for each of these areas are set out below.

USE OF PSYCHOMETRIC TESTS


When and if using psychometric tests to assess candidates’ suitability for a job and to assist
in making a recruitment decision, organizations should:

. Explain the use of psychometric tests to all candidates required to undergo them.
. Ensure that only personnel trained in the interpretation of psychometric test results have
access to the results and that a résumé of the results is produced for use by non-trained
personnel.
. Ensure that other personnel, including managers and directors, have no access whatsoever
to the results of psychometric tests, although they may have access to the résumé
prepared by the person trained in their interpretation.
. Ensure that psychometric test results are kept securely while in use and destroyed as soon
as the recruitment decision has been made.

PRE-EMPLOYMENT VETTING
‘Vetting procedures’ in this context involve something more than merely taking up one or
two simple references, as in the case of an employer which requires candidates to undergo a
credit reference check as part of standard recruitment procedure or calls for detailed
references concerning their reliability, trustworthiness with money and valuables, time-
keeping and sickness record, etc.
If you take up references simply to confirm the dates during which the job candidate
was employed, there is no need to take any further action in relation to vetting.

Elements of a suggested policy relating to pre-employment vetting


When and if the organization undertakes pre-employment vetting it should:

. Restrict vetting procedures to successful candidates only.
. Restrict vetting procedures to jobs where there is a clear business need for
pre-employment vetting, for example in the case of persons being appointed to a position
in a regulated environment or senior appointments to authorized bodies which require
‘positive vetting’. Generally the organization should seek to show that vetting is justified
due to the potential harm that might otherwise result from an undesirable element being
introduced into the working environment.
. Restrict vetting questions in order to target specific issues and concerns allied to the job,
rather than a general ‘fishing expedition’.
. Consider each case referred for vetting before undertaking any checks, including:
– The impact of vetting on the candidate.
– The likelihood that you will be able to identify any potential threat through the
information being sought, and
– Any embarrassment likely to be caused by the vetting to the candidate’s friends or
family.

6. Recruitment and Selection of New Personnel, Handling applications, benchmark 3.

RETENTION OF RECRUITMENT FILES AND INFORMATION


Recruitment files should be kept secure at all times. In particular, the organization should
ensure there are secure transmission facilities for recruitment information internally and
externally.
When a recruitment decision is made, the relevant recruitment files relating to
unsuccessful candidates should be destroyed after a reasonable period (say, six months)
unless:

. A particularly good candidate agrees that their details may be retained for a longer,
specified, period in case another suitable job vacancy arises or to be a back-up for the
successful candidate in case the initial appointment proves unsuccessful.
. Some information is retained to show that the organization correctly operated its equal
opportunities procedure. Such information should be depersonalized wherever possible
(that is, retained without specific names and addresses being kept).

Information relating to the successful candidate which is required for employee
administration purposes should be transferred to a new personnel file for the new employee.
In particular:

. Information obtained during any pre-employment vetting should not be retained,
although the result of the vetting may be recorded and kept.
. Information relating to any criminal records of the successful candidate should be deleted
unless the information is relevant to the appointment.

IMPLICATIONS OF INTERVIEWING
At the interview, check that the candidate knows the name of the employer and something
about its operations. If they have applied for a managerial position, this may include
reference to any group structure.
Explain that any information the interviewee volunteers will be treated in confidence
and used to assess their suitability for the job.
Show the candidate any statement of data protection policy and other material which
explains how their personal data will be handled if they succeed in getting the job.

Other information should be supplied to the candidate at the beginning of the
interview if relevant:

. That candidates will be required to undergo psychometric tests and what the results help
to determine.
. That personal data may be processed involving automated decision-taking and the details
of the process: for example that tests will be marked by automated means.
. That pre-employment vetting is to take place and what form that is to take, for example, if
a credit check is to be undertaken against the candidate’s name and address or if the
successful candidate will have to complete a supplementary questionnaire for other
background checks to be carried out by the organization or its regulator.

Notes of the interview


When making a note of the interview, personal comments relating to interviewees should be
avoided. Generally avoid statements you would not want to share with the interviewee.
Keep notes factual and, where a personal opinion is included, it should be fair to the
candidate and other candidates for the job. Interviewers should be consistent in their
approach both mentally and in terms of the information recorded.
If offered information relating to the candidate’s physical or mental health, race,
religion, political beliefs, trade union membership or criminal record, only the bare facts
should be recorded; no opinion should be given about this information. Any follow-up
actions required will be taken by the HR department.
In particular, interviewers should bear in mind that interview notes:

. will be disclosed to the interviewee concerned if they ask to see them.
. will be used to evidence the company’s equal opportunities policies.
. will be retained for six months in respect of unsuccessful candidates and for a longer
period in respect of the successful candidate.

SUGGESTED ACTIONS
1) Review existing application forms (if used) and:
. Include appropriate data subject information for job candidates, picking up the issues
raised by other actions (below) to include on the form.
. Consider each question on the form and identify whether the information sought relates
to the assessment of the candidate for the job or if it relates to employment administration
if the applicant is successful. Remove all questions which are not directly relevant to the
assessment/recruitment decision (for example, National Insurance numbers, whether or
not a current driving licence is held if the position does not involve driving, etc.).
. If your recruitment procedure involves any automated decision-making, explain this
in the data subject information.
2) If application forms are not used, the following information should be included in letters
to candidates at the earliest opportunity:
. Appropriate data subject information for job candidates, picking up the issues raised
by other actions.
. If your recruitment procedure involves any automated decision-making, explain this
in the data subject information.

3) If you receive unsolicited or speculative CVs, respond to the approach with the following
information at the earliest opportunity:
. Appropriate data subject information.
. An indication of how long speculative CVs will be retained, together with an
invitation for the prospect to withdraw their CV from consideration if the retention
period is exceptional, say, longer than six months.
. If your recruitment procedure involves any automated decision-making, explain this
in the data subject information.
. If your recruitment procedure involves the use of psychometric tests, adopt a policy
similar to the one suggested.
. If you use pre-employment vetting procedures, adopt a policy similar to the one
suggested.
. Adopt a policy on the retention of recruitment information similar to the one
suggested.
. Brief line managers on the data protection implications when interviewing candidates.

Using agencies to recruit


The Employment Practices Data Protection Code emphasizes the importance of ensuring
that job candidates know the identity of the organization that is recruiting. This
requirement stems from the First Principle, the duty to process personal data fairly and
lawfully. In particular, the interpretation of the Principles explains that the processing of
personal data will not be deemed fair unless prescribed information has been supplied to the
data subject.
By introducing standard terms on which it deals with agencies the organization can
require them to act in accordance with the Data Protection Principles and to supply the
required information to candidates even where advertisements are carried ‘blind’ initially.
(A ‘blind’ advertisement is one where the prospective employer is not identified and which
is fronted by an agency, perhaps to keep a new venture secret or because of political
considerations).

ISSUES FOR INCLUSION IN TERMS OF BUSINESS WITH RECRUITMENT AGENCIES
The terms of business should identify the obligations of the agency, including:

1) A general requirement to act in accordance with the Data Protection Principles.
2) A requirement that advertising copy be approved by the organization prior to
publication.
3) A requirement that the agency should always give all suitable candidates an information
pack about the organization as provided by it.
4) A requirement that the agency shall not submit applications to the organization unless
the candidate has both seen the information pack and has consented to the application
being made.
5) A requirement that the agency will always deal directly and exclusively with a named
person in the organization when handling recruitment on its behalf.

SUGGESTED ACTIONS
. Make formal appointments of one or more recruitment agencies either as part of a
continuing relationship or as one-off appointments when the organization is recruiting.
. Include the terms outlined in your contract with the recruitment agency(ies).
. Provide appointed recruitment agencies with a written résumé of the organization, its
name, line of business, etc. for candidates and prospective candidates.
5 Monitoring issues
CHAPTER

Monitoring employees
The monitoring of employee performance is not illegal. However, the monitoring of
communications falls within the scope of the Regulation of Investigatory Powers Act
2000 (RIPA) and the Lawful Business Practices Regulations. These statutory
instruments apply where communications are intercepted. For example, checking
the content of e-mails and recording telephone conversations are activities covered
by RIPA.
In addition, intercepting communications, and other forms of monitoring, which
involve personal data processing, must comply with the requirements of the Data Protection
Principles and the Employment Practices Data Protection Code. In general, compliance with
the Employment Code will ensure compliance with RIPA.
An entire section of the Employment Code is devoted to monitoring activities and
establishing appropriate benchmarks for such activity. These are the areas which should be
considered.

EXAMPLES OF MONITORING ACTIVITY


Monitoring may take the form of electronic scanning of internet usage to ensure that
employees follow a company policy prohibiting access to the internet for personal
reasons, or the use of CCTV cameras in public areas such as the company car park or targeted
on cash tills. It may also include reading e-mails while an employee is absent from work
due to holidays, illness or injury to ensure that customer orders are picked up and dealt
with.
Some monitoring may be targeted at checking the performance of employees and how
well they do their job.
The benefit to the business of monitoring to enforce a company policy prohibiting
personal use of the internet is that employees are encouraged to devote their work time to
work related activities, improving ‘productivity’. Contrast monitoring by CCTV cameras in
the car park or targeted on cash tills which is aimed at crime prevention or detection and
improved public and employee safety.
Checking e-mails to pick up customer orders has an obvious benefit to the employer. It
ensures that business is not lost and keeps up customer relations.

IDENTIFY WHO IS AUTHORISED TO INSTIGATE MONITORING ACTIVITY


The Employment Code recommends that the introduction and use of employee monitoring
be controlled and that means restricted. Line managers should not be authorised to

introduce new monitoring activities but should follow agreed practices and make
suggestions if they have any improvements to make.
The Employment Code also recommends considering which is the appropriate
department to undertake monitoring. In some cases, for example performance monitoring,
it will be appropriate for line management or compliance personnel to undertake the role.
In others, such as crime prevention and detection, it will be more appropriate for security
personnel to undertake the role.

IDENTIFY THE BUSINESS NEED AND TARGET MONITORING APPROPRIATELY


It is vital to identify the business need that monitoring is to address, and then to target the
monitoring to address just that need and no other. To give a few examples:

. If the prevention of pilfering from cash tills is the objective, then CCTV cameras should be
targeted on cash tills.
. If the objective is to enforce the company’s policy forbidding the downloading of
undesirable material – such as pornography from the Internet, for example – then an
automated check on flesh tint pixels in images might be the first step. Further
investigation can be made if it appears that many of the images being stored or
downloaded feature flesh tints.
. If the objective is to identify employees abusing the employer’s e-mail facilities, it is
appropriate to review the traffic of e-mail to identify excessive personal use before
investigating further into the content of individual e-mails.
. If incoming e-mail has to be checked for time-critical messages during an employee’s
absence from work, it might be appropriate to review the subject headings to identify
those most likely to be relevant and to avoid those which appear to be of a personal
nature.

Monitoring is by its nature intrusive. Bearing in mind the question of human rights, it should
always be undertaken in such a way that the privacy and autonomy of individual employees
are respected. Targeted monitoring is more likely to achieve this than a wholesale approach.
The impact of monitoring on employees and their relationship with the employer
should be taken into account. Assess whether or not the perceived benefits of monitoring
are likely to outweigh the perceived risks, such as the alienation of employees, and the
amount of time spent by supervisory staff on undertaking monitoring.

TRAIN MONITORS ABOUT THEIR DATA PROTECTION OBLIGATIONS


Senior HR personnel and those who are authorised to introduce monitoring activity should
read the section of the Employment Practices Data Protection Code on monitoring. Employees who undertake
monitoring should be briefed about data protection obligations relating to employee rights,
the processing of sensitive data and the importance of following monitoring policies.

OPENNESS ABOUT MONITORING


In accordance with respect for the privacy and autonomy of individual employees, the
organization must be open about its monitoring policy and practices. This is also required if

the fair processing requirements are to be met. Generally, employees should know that
monitoring takes place and the reasons for it. The Information Commissioner’s view is that
covert monitoring is difficult to justify and should only be undertaken on the advice of – or
in collaboration with – the police.
One area which causes problems is the use of the employer’s facilities by employees for
personal or social purposes. Human rights law probably means that it would not be
reasonable to prohibit employees from taking some personal telephone calls at work, for
example in an emergency situation. Thus any policy will have to take this into account and
allow some degree of reasonable use. Policies relating to the use of corporate facilities for
private purposes must be audited and the rules enforced. If staff are aware that policies are
not imposed in practice, the practice will come to overrule the procedure.
The draft benchmarks in the Employment Code recommend that employees are given
the opportunity to explain their behaviour if monitoring reveals an apparent problem. The
results of monitoring could be misleading, and natural justice dictates that the person
involved be given the chance to present their side of an event.

RESPONDING TO SPECIFIC PROBLEMS


When introducing new monitoring activity to deal with a specific problem it is important to
keep a sense of perspective. Monitoring should not be an emotional reaction to the problem
but the outcome of consideration of the damage to the business weighed against the right of
an employee to do their job without having someone looking over their shoulder all the time.
In particular, note that covert monitoring will only be justifiable in limited
circumstances and, even then, probably only with the backing of the police.

RELEVANCE OF INFORMATION OBTAINED


It is possible that monitoring will reveal information which is not relevant to the purpose
for which it was introduced. Unless employees are aware that such information will be
applied for other purposes, it should not be used unless it is evidence of a criminal offence or
gross misconduct. For example, monitoring the company reception area might be
undertaken for reasons of public and employee safety. If the monitoring activity reveals
liaisons between members of staff, this information must be disregarded unless their
behaviour constitutes gross misconduct under the employer’s disciplinary procedure.

MONITORING COMMUNICATIONS
The draft benchmarks recommend that employers set a clear policy on the use of their
facilities for personal communications. The policy should be practicable and applied in
practice.
Telephone, e-mail and fax monitoring affects the privacy of those making calls and
sending e-mails as well as those who receive them. Monitoring communications will thus
have an impact on employees of other organizations and members of the public
unassociated with the employer, such as employees’ spouses. The effect of monitoring on
such individuals needs to be taken into account when assessing the overall need for and
impact of monitoring. Consideration should be given to notifying callers and those sending
e-mail that the organization undertakes monitoring activity. Oftel regulations already

provide for callers to be notified if telephone calls are being recorded. Telephone calls are not
personal data unless they are recorded.
A further consideration is that not all private communication is carried out during a
private call or e-mail. A call or e-mail related to legitimate work activities might easily
include a personal comment or note. Monitoring business communication will necessarily
include monitoring some personal communication within the overall scheme.
If the employer provides a mobile telephone or a landline at an employee’s home, and
details of the account are sent direct to the employer then the disclosure (of the telephone
account use) constitutes a disclosure of personal data, in relation to the employee, their
family and callers to that telephone number.

SUGGESTED ACTIONS
. Decide who, within the organisation, is authorised to introduce monitoring activity. Make
sure you are able to demonstrate that the introduction and subsequent use of monitoring
is controlled.
. Consider and document the reasons why a particular form of employee monitoring is
required and the benefits expected to accrue from the monitoring.
. Consider whether the rights of employees have been taken into account and the likely impact of
the monitoring on employees and the employer/employee relationship.
. Based on your findings, make a decision as to whether or not the monitoring is justified
weighing the business benefits against the impact on employees and their privacy and
autonomy. Consider whether there are any viable alternatives to the chosen monitoring
activity.
. Target monitoring to address the business need. For example, if e-mails are to be checked
to identify any orders addressed to employees who are on holiday, then check only those
e-mails arriving in the period that the employee is on holiday and ignore any e-mails
which obviously do not relate to the purpose.
. Train those authorised to introduce monitoring and those who monitor other employees.
. If CCTV is to be used, follow the checks and actions in the CCTV section on page 34.
. If the use of company vehicles is to be monitored, only monitor the use of those vehicles
provided exclusively for business and related use or company vehicles when being used
for business and related use.
. If you are monitoring electronic communications consult the Regulation of Investigatory
Powers Act 2000 (‘RIPA’) and the Lawful Business Practice Regulations. If the aim of the
monitoring activity is to police a company policy restricting use of electronic
communication channels for personal reasons, ensure that the company’s policy is clear,
has been communicated to employees and is enforced by the company.
. If monitoring is undertaken by a third party, for example, private investigators or a credit
reference agency, ensure that the third party is aware that the subject of the monitoring is
an employee.
. Include any policies relevant to monitoring together with the monitoring policy in staff
information such as a staff handbook or the intranet.
. Tell employees what form monitoring will take and why it is being undertaken (note that
covert monitoring is very hard to justify under the Data Protection Act and should only be
undertaken if a crime is suspected and on the advice of the Police). Make sure that the
communication process includes new starters and temporary workers.

. Introduce a retention policy for information obtained by monitoring. The Employment
Code recommends a period not exceeding 6 months although this would need to be
overridden where information was required to support a police prosecution.
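The targeted e-mail check described in the list above (look only at messages arriving during the absence, judge relevance from the subject heading, and leave alone anything that appears personal) as an added Python example. This is not code from the book or from the Information Commissioner's Office; the message fields, the keyword lists and the sample mailbox are assumptions constructed for the example.

```python
"""Targeted e-mail triage during an employee's absence.

Added example, not code from the book or from any regulator: it implements
the targeting rule described in the text (look only at messages that arrived
inside the absence window, judge relevance from the subject heading, and set
aside anything that appears personal without reading it). The Message
fields, keyword lists and sample mailbox are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class Message:
    msg_id: str
    received: datetime   # timezone-aware arrival time
    sender: str
    subject: str
    body: str            # deliberately never inspected by the triage


@dataclass
class Triage:
    to_review: List[str] = field(default_factory=list)           # likely orders
    not_relevant: List[str] = field(default_factory=list)        # in window, not an order
    set_aside_personal: List[str] = field(default_factory=list)  # in window, looks personal
    out_of_window: List[str] = field(default_factory=list)       # arrived outside the absence
    audit_log: List[str] = field(default_factory=list)           # message id and decision only


# Constructed keyword lists; in practice these would be agreed in the
# monitoring policy communicated to staff.
ORDER_KEYWORDS = ("order", "quotation", "invoice")
PERSONAL_MARKERS = ("personal", "private", "family")


def looks_personal(subject: str) -> bool:
    s = subject.lower()
    return any(marker in s for marker in PERSONAL_MARKERS)


def looks_like_order(subject: str) -> bool:
    s = subject.lower()
    return any(keyword in s for keyword in ORDER_KEYWORDS)


def triage_absence_mailbox(messages, absence_start, absence_end) -> Triage:
    """Sort messages using arrival time and subject heading only.

    The body is never read here; only messages placed in `to_review`
    would be opened, and only by the person authorised to do so.
    """
    result = Triage()
    for m in messages:
        if not (absence_start <= m.received <= absence_end):
            bucket = "out_of_window"
        elif looks_personal(m.subject):
            # A personal marker wins over order keywords: a doubtful case
            # is left alone rather than opened.
            bucket = "set_aside_personal"
        elif looks_like_order(m.subject):
            bucket = "to_review"
        else:
            bucket = "not_relevant"
        getattr(result, bucket).append(m.msg_id)
        # The log records the decision, not the subject or sender, so the
        # log itself does not accumulate personal content.
        result.audit_log.append(f"{m.msg_id}: {bucket}")
    return result


def sample_mailbox() -> List[Message]:
    """Constructed sample messages around an absence of 1 to 14 July."""
    utc = timezone.utc
    return [
        Message("m1", datetime(2024, 6, 28, 9, 0, tzinfo=utc), "buyer@acme.example",
                "Purchase order 4471", "..."),
        Message("m2", datetime(2024, 7, 2, 10, 30, tzinfo=utc), "buyer@acme.example",
                "Order confirmation needed", "..."),
        Message("m3", datetime(2024, 7, 3, 8, 15, tzinfo=utc), "dentist@clinic.example",
                "Personal: appointment reminder", "..."),
        Message("m4", datetime(2024, 7, 5, 12, 0, tzinfo=utc), "colleague@corp.example",
                "Team lunch photos", "..."),
        Message("m5", datetime(2024, 7, 10, 16, 45, tzinfo=utc), "sales@widgets.example",
                "Quotation request for 200 units", "..."),
        Message("m6", datetime(2024, 7, 16, 9, 0, tzinfo=utc), "buyer@acme.example",
                "Order 4490", "..."),
    ]


def run_example() -> Triage:
    utc = timezone.utc
    start = datetime(2024, 7, 1, 0, 0, tzinfo=utc)
    end = datetime(2024, 7, 14, 23, 59, 59, tzinfo=utc)
    return triage_absence_mailbox(sample_mailbox(), start, end)


if __name__ == "__main__":
    t = run_example()
    print("to review:", t.to_review)
    print("set aside as personal:", t.set_aside_personal)
```

The point of the design is that the only data examined is what the business need requires: arrival time and subject heading. Messages outside the absence window are never looked at, a subject that appears personal is set aside before any relevance test is applied, and the audit record shows what was done with each message without copying its subject or sender into a second store.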

The use of CCTV


The Information Commissioner has issued a CCTV Code of Practice setting out standards of
good practice for the operation of closed circuit television schemes. These include required
signage to warn data subjects that a CCTV scheme is in operation. Elements of suggested
policies are given below.
Monitoring in the workplace is the subject of one of the sections of the Employment
Practices Data Protection Code issued by the Information Commissioner’s Office. It is
assumed that any CCTV scheme in operation on business premises will record images of
employees from time to time; therefore the requirements of the Employment Code are
relevant here. The requirements of the Employment Code in relation to monitoring at
work are explained in the general comments in this chapter on monitoring in the
workplace. The Employment Code is relevant to CCTV schemes if the cameras record
images of employees as well as of the public: for example, images of employees will be
captured if the cameras are trained on the organization’s car park or cover the reception
area.
Note that the data controller in relation to a CCTV scheme is the organization
responsible for the scheme. If the landlord is responsible for the scheme, the tenant will not
be the data controller unless it has access to the images for its own purposes. The
requirement to comply with the Code is the responsibility of the data controller.

REQUIRED WORDING FOR SIGNAGE


The signs should contain the following information:

1) The identity of the organization responsible for the operation of the CCTV.
2) The purposes for which CCTV is in use at the premises.
3) Details of how to contact the organization regarding the CCTV scheme.

For example – where an image of a camera is not used on a sign – the following wording is
recommended:

Images are being monitored for the purposes of [‘crime prevention and public safety’ or ‘to prevent
and detect crime’, for example]. This scheme is controlled by [name of organization].
For further information contact 01234-567-890

SUGGESTED POLICIES
Consider the following outline policies. Suggestions as to appropriate timescales are shown
in square brackets.

Quality of images
All tapes should be checked for damage and quality of the images recorded at least [weekly].

Tapes should be replaced, regardless of condition, every [six months].

Any damaged tapes or tapes giving images of inferior quality should be replaced immediately.
Images should be erased from tapes prior to disposal.

Physical security of the tapes


Tapes should be kept in a locked office out of office hours. During office hours the security
arrangements should include, for example, holding tapes in locked filing cabinets in offices with
restricted access to visitors and the public. Tapes should never be taken off business premises
without the written approval of the individual designated by the organization as responsible for
the CCTV scheme.

When removal of tapes is approved, a formal receipt should be retained showing the date, identity
and authority of the person removing the tape and the purpose for which it is being removed.

A log should be kept of details relating to tapes removed from business premises. This should
include the name and authority of the person taking the tape, the reason for its removal, the date
and any other relevant circumstances.

Retention of CCTV images


Recorded images should be kept for no longer than [fourteen days] before the tapes are reused.

Disclosure of CCTV images


Employees are entitled to access to CCTV images of themselves in accordance with data subject
rights under the Act.

The police may be allowed access to CCTV images at the organization’s discretion and in
accordance with its policy on disclosure of data if the request is relevant and made in writing. The
courts can order the disclosure of tapes.

Any organization which provides maintenance services or monitoring services in connection with
the CCTV scheme may have access to CCTV images recorded.

No other parties will be allowed access to the tapes.

SUGGESTED ACTIONS
. Document why CCTV is to be installed and what it is intended to do or prevent.
. Appoint one individual to be responsible for the day-to-day operation of CCTV and its
compliance with the CCTV Code of Practice.
. When positioning the cameras, check that they pick up relevant images only (for
example, avoiding staff rest areas if the CCTV is being introduced to monitor cash
registers).
. If the cameras are intended to cover a public space, put up signs to warn the public that
they are entering a zone covered by surveillance equipment. (See the notes on
recommended signage).
. Establish and document CCTV policies.
6 Staff training
CHAPTER

Employers are under a statutory duty to ensure the reliability of staff whose jobs involve
processing personal data. The Employment Practices Data Protection Code (Employment
Code) suggests that this duty cannot be discharged simply by taking up references on
employees or carrying out background checks. Appropriate action includes training for staff
whose jobs bring them into contact with personal data. The existence of relevant and
adequate policies and procedures will also demonstrate that the organization is using its best
endeavours to comply with the Data Protection Principles and the Employment Code.
In addition, the Employment Code suggests that the individual responsible for data
protection compliance in HR should take action to brief those staff whose jobs involve the
handling of employee personal data.1 These include directors, senior managers, line managers
and supervisors, trainers and those responsible for health and safety and facilities management.
Throughout the Employment Code there are references to staff training and what
should be covered. In summary it is recommended that the following need to be included as
a minimum:

. Guidance on criminal offences contained in the Act, such as what constitutes
unauthorized processing and how to avoid it.
. How deceit may be used to obtain information illegally from the organization.
. General guidelines for line managers identifying that they process employee personal data
on behalf of the organization and their responsibilities.
. General guidelines on how to identify and action the exercise of subject rights.
. General guidelines on the operation of ‘Chinese walls’ for those staff whose jobs involve
working for two or more companies or trustees.
. Employees’ rights of access to personal data and other rights.

CYCLE OF IMPROVEMENT
[Figure: the cycle of improvement, with three stages: Policies and procedures; Training;
Supervision and audit.]

A cycle of improvement can be established: develop procedures to meet data protection
requirements relevant to the issues being addressed; provide training for those staff whose
jobs involve the handling of personal data, covering key aspects of data protection law and
your house policies and procedures; finally, audit or supervise to ensure that the policies and
procedures are followed in practice. Audit will reveal inadequacies in existing procedures
which can be amended and adjusted in the light of audit findings, thus completing the cycle.

1. Employment Code, High level management, benchmarks 2 and 5.

POLICIES AND PROCEDURES RELEVANT TO DATA PROTECTION


Most businesses will have a number of policies and procedures that are relevant to data
protection, for example:

. Confidentiality of client and customer details.
. Office security – visitor sign-in requirements.
. Computer security – use of passwords and restricted access, screen savers.
. Paper file security – use of lockable filing cabinets, ‘clean desk’ policy.
. Homeworking policies.
. Laptop security.

These bring together some of the key aspects of data protection: confidentiality and security.
In addition you will need procedures for handling the exercise of subject rights such as the
right to access personal data relating to the data subject held by the business, the right to
object to direct marketing, etc.
The Employment Code recommends that serious breaches of data protection policies
should be a disciplinary offence to give compliance its due importance to staff.2

TRAINING TO FAMILIARIZE AND REINFORCE POLICIES AND PROCEDURES


All new staff should undergo induction training in order to familiarize themselves with
company rules and procedures. The interesting angle on data protection is that it benefits us all
as individuals. We have rights as data subjects, and we are comforted by knowing that our
affairs are handled confidentially by banks, building societies, doctors, opticians and so on.
The Information Commissioner’s Office has produced a DVD for schools with the aim of
educating young citizens in their data protection rights. This awareness of how data protection
applies to employees as individuals can be reinforced by demonstrating how data protection
applies to the organization and the effect this has on the employees carrying out their jobs.
More training may be required for those staff whose work will bring them into contact
with personal data: for example, those employed in the HR department, and those
responsible for health and safety or employee benefits administration. If the HR function is
decentralized, departmental supervisors probably need training to ensure that they handle
personal data relating to employees in an appropriate manner. The Data Protection Act 1998
creates a number of criminal offences with liability for individual employees as well as the
company, its directors and officers. Individuals who handle personal data should be made
aware of the offences as well as of house policies and procedures governing the processing of
personal data in the workplace.

2. Record Management, Management of data protection, benchmark 6.



Specialist training might be appropriate for specific industries such as credit reference
agencies, financial services and the provision of health care and medical services. A risk
assessment of personal data held to support the main business activities is a useful starting
point. In particular, look to areas which process sensitive data.
Training is an ongoing process; existing employees may need refresher training on the
basic data protection issues relevant to their role. There will be a requirement for more
training when employees change jobs within the organization or take on new
responsibilities. The organization might benefit from some employees developing an
advanced level of knowledge of data protection issues and the way these affect the different
parts of the business.
Over time, data protection policies and procedures will develop or undergo amendment to
meet changing circumstances. Training will be given on new and amended policies and
procedures and the compliance of staff with those policies and procedures audited in due course.

SUPERVISION AND AUDIT


Supervision and audit can provide feedback on the effectiveness of training material and
indicate further training needs. In this way the cycle of continuous improvement is
completed. Audit should be undertaken by a person independent of the training department
– and preferably of the organization – in order to obtain an objective view. At this level the
audit must include as wide a range of employees as possible, either by holding discussion
groups or carrying out one-on-one interviews. This is the only sure way to find out what
employees actually know about data protection and how it affects their jobs.
Policies and procedures can be amended and adjusted to make them more effective and to
incorporate actual scenarios that employees in the business face when handling personal data.

SUGGESTED ACTIONS
Provide:

. Induction training on data protection covering the most basic principles.
. Specialist training and supervision for those staff whose job involves personal data
processing, preferably including some on the job training.
. Training on the use and abuse of employee personal data for line managers and
supervisors etc.
. Information about data protection in staff handbooks, on the intranet, etc. for further
reference including reference to applicable policies and procedures and whom to contact
in the organization for further information and guidance.

Undertake:

. A regular audit of data protection issues generally to identify weaknesses in existing
training material and further training needs.

A list of appropriate policies and procedures is suggested in Chapter 2. Below is a suggested
briefing note for staff covering the day to day data protection issues they are likely to
encounter:

Briefing Note

Data protection: Questions and answers for HR personnel

What is data protection?

The holding, using and processing of personal data in the United Kingdom is regulated by
the Data Protection Act 1998. In the broadest terms, data protection is about the
confidentiality and security of personal data and gives individuals certain rights including
the right to access information relating to them held by companies, government bodies,
medical trusts, etc.
Personal data is information about a living individual (the ‘data subject’). It includes
names, addresses, telephone numbers, etc. as well as opinions.
The Data Protection Act 1998 sets out minimum standards of required behaviour when
dealing with personal data. It also establishes the Office of the Information Commissioner,
a kind of ombudsman for the handling of personal data.

Data protection and HR

Information relating to colleagues at work constitutes personal data. ‘Colleagues’ means
employees, contractors, consultants and temporary workers.

Data protection principles

When using personal data relating to other company representatives and employees,
businesses and clubs are required to act in accordance with the Data Protection Principles.

Access to personal data by data subjects

Businesses and clubs are under a legal obligation to allow a ‘data subject’ (the individual
about whom personal data is held) access to the information relating to them on
computers and in most manual files. There is a limited period (40 days) in which to
respond to a data subject access request. It is important that any data subject access
request is identified when made and reported immediately to [named individual].

Other rights

Individuals have other rights under the Act relating to the way in which their personal
data is processed. Data protection issues will usually arise in connection with a complaint
or grievance. Identifying these issues quickly will help to resolve them within the time
limits set down by law.

How data protection law might affect you personally

Data protection law has always carried penalties for individuals (as well as businesses and
clubs) who breach the provisions. These are some areas you should consider.
The unauthorized obtaining or disclosure of personal data is a criminal offence. As a
minimum, you should always check that anyone requesting information has the right to

access it. Think twice before giving out contact details on request. As a rule, never give
out home contact details. Instead, offer to contact the person yourself and ask them to
contact the enquirer.
Personal data should be treated confidentially and not used for any purpose other than
communication and activities related to business affairs. In addition personal data should
be kept secure, which means locking files away whenever you leave your desk, whether for
a break during the day or at the end of the day.
In general you should treat other people’s personal data as you would want them
to treat your own.
Remember also that normal legal rules such as libel apply to written documents; do not
include opinions or personal comments which the data subject might find offensive.

Permitted disclosures

Some disclosures are required by law, and others are permitted because they are in
accordance with HR activity and have been explained to employees.
It is important to check the authority of anyone requesting access to personal data.
The following guidelines may assist in responding to enquiries:
. DSS Benefits agencies, Inland Revenue, and Customs and Excise have authority under
various Acts of Parliament to access information relating to individuals. Their request
should be made in writing and quote the Act under which they derive their authority to
gain access. Site visits should be prearranged and visitors should show you proof of
identity.
. Requests for access to information from the police are complied with at the discretion of
the organization. As a minimum, it is recommended that such requests be made in
writing, setting out the reasons why the disclosure is requested and the full name of the
police officer in charge of the case under investigation.
. Mortgage and housing related reference requests should be referred to the employee
concerned for permission before the request is answered.
. Work-related reference requests should be referred to the employee concerned if they
are still in employment. Reference requests for former employees may be answered so
long as they are in writing. A reference is exempt from disclosure if an employee or
ex-employee makes a data subject access request. However, this exemption ceases to
apply once the reference has been sent out.

If you are in any doubt about whether or not to respond to a request for information
relating to an employee or ex-employee, refer the request to whoever has responsibility
for data protection compliance in the organization

Unauthorized disclosures

The unauthorized disclosure of personal data is a criminal offence. To protect yourself as
well as the organization, you should:
. Always check that anyone requesting information has the right to access it and check
their identity.
. Think twice before giving out contact details on request.

. Make enquirers submit their request for access in writing, setting out the reasons why
they require access and what authority they are claiming.
. Be aware that some people will use deception to try to access personal information, for
example, some private investigators.
. Tell the employee when a request for access has been made; their permission to make
the disclosure is sufficient authority to disclose the information requested.

Security of files and computers

Reasonable security measures must be in place to guard against the risk of personal data
being accessed, altered or deleted without due authorization.
. In the office, make sure you operate a ‘clean desk’ policy; do not leave files on your desk
if you go out to lunch or when you go home at night.
. Use a password-protected screen saver to mask personal data on your PC monitor when
you leave your desk or if you are not working on your computer.
. Laptops and personal organizers must be synchronized with the office computer files and
databases at least weekly, so that the personal data held in the office is as complete,
accurate and up to date as possible at all times.
. Personal data held on home PCs must be transferred to the office computer files and
databases at least once a month for the same reason.

CHAPTER 7
Outsourcing HR activities

A new statutory duty applies to employers who use service providers to process personal data
on their behalf. An employer is a data controller in respect of personal data relating to its
employees. If processing activity is outsourced – for example, using an external payroll
service – the Data Protection Principles require the employer to enter into a written contract
with the service provider incorporating specific terms relating to the security of the personal
data to be processed. The employer is also required to check that the service provider provides
adequate security for the personal data to be processed, both at the time of appointment and
regularly thereafter.
When inviting tenders for outsourced work, service providers should be asked about
their policy on data protection and for details of their relevant security arrangements. On
the new appointment of a service provider the required terms and conditions should be
incorporated into the contract between the organization and the service provider.
Existing arrangements with service providers should be checked to identify those that
involve the processing of personal data on behalf of the organization. Then the required
contract terms should be incorporated into the existing contractual arrangements. At review
meetings, or from time to time by letter, the organization should ask about security
arrangements and any breaches of security, in order to meet its statutory obligations.

What is a data processor?

The definition in Section 1(1) of the Data Protection Act 1998 states that a data processor, ‘in
relation to personal data, means any person (other than an employee of the data controller)
who processes the data on behalf of the data controller’.
The prime example of a data processor is an outsourced service provider such as a
payroll service provider. The employer will send payroll data to the payroll service each
month, and payslips will be generated and payments made into bank accounts on the due
date. The payroll service provider has no interest in the personal data per se; it processes the
data purely for the benefit of the data controller in return for remuneration. It acts solely on
the instructions of the data controller; it probably has no discretion to act independently
and no interest in doing so.
Another example of a data processor would be a registrar offering share registration
services, processing shareholder personal data on behalf of a listed company. The registrar
has no interest in processing the personal data except for the remuneration it receives from
the company by so doing. The data is processed on behalf of the company and for its benefit.
In some cases an organization which provides a service does so both as data controller
and data processor: for example, a training consultant will provide a training service to
employees of a data controller. Personal data such as an employee’s name and role or job
description will be sent to the trainer in advance of the training event, which the trainer will
hold on behalf of the data controller and on his instructions. To a degree the trainer is acting
as a data processor. However, a trainer will elicit more personal data from the employees
during or after the training event, some of which will undoubtedly not be passed back to the
data controller/employer. Therefore the training consultant is making decisions in relation
to that additional personal data and acting as a data controller.
In yet other cases a service provider may be both data processor and joint data controller
with the data controller: for example, a pension fund administrator will administer and
manage a pension scheme on behalf of the pension scheme trustees. The administrator will
act on the instructions of the trustees generally, but those instructions may be worded very
widely so that the pension scheme administrator is making decisions relating to the data on a
daily basis. In this scenario, the scheme trustees and the scheme administrator would be joint
data controllers and the scheme administrator also a data processor on behalf of the trustees.

Identifying data processors

It is important that data controllers are able to identify their data processor(s) because of the
statutory duty on the data controller to comply with the Seventh Principle.
A data processor will be independent of the data controller – a third party – although it
may be a sister or associated company in a group of companies. (Remember that employees
of the data controller are not data processors as they constitute part of the data controller).
A data processor which does not act as a data controller in relation to personal data is not
subject to the Data Protection Principles in relation to that personal data. The only way the
data processor can be regulated under the Act is via the agency of the data controller; hence
the requirement for formal contracts obliging data processors to adhere to the Seventh
Principle.
Deciding whether or not a third party is a data processor is a matter of fact. The answers
to the following questions will help a data controller to decide whether or not a party is a
data processor:

. Does the party process personal data supplied by the data controller?
. Is the processing undertaken on behalf of or for the benefit of the data controller?
. What do the parties intend should happen to the personal data when the relationship
between them ends? If the party is a data processor then personal data will either be
returned to the data controller or its nominated representative or deleted. The data
processor will have no further use for the data.

Queries to raise with existing and prospective service providers

Service providers should be advised that the relationship with the employer appears to be
one involving the service provider in processing personal data on behalf of the employer.
For reference the service provider will be known as a ‘data processor’ under the Act. The
service provider should be given an opportunity to disagree with the assessment. Identifying
data processors is not always straightforward, and it may be better if the parties try to reach
agreement as to their respective roles and obligations.
It should be explained that the Data Protection Act 1998 places certain statutory duties
on the organization to check the ongoing security arrangements of service providers. Useful
information to be provided by the service provider would include:

. A statement of compliance with current data protection law.
. Such details of the service provider’s security arrangements as it is able to provide.
. Details as to how new employees are monitored.
. The controls within which new employees work to ensure that the service provider is
satisfied as to their reliability.
. The actions taken by the service provider to comply with the increased compliance
requirements of the 1998 Act.
. Confirmation that appropriate procedures are in place relating to the exercise of subject
rights.
. Confirmation that all staff are given training on how to handle the exercise of subject
rights.
. Confirmation that the service provider will advise the organization immediately should
any data subject of personal data processed on its behalf exercise their subject rights.

CONTRACTUAL TERMS
It should be explained further that it is also a requirement of the Data Protection Act 1998
that specific clauses be introduced to the contract between organizations and their service
providers. Suggested terms for inclusion are set out below.
In addition to the clauses required by statute it may be useful to include a couple of
additional ones. The first is to require the data processor to ensure that it passes on these
obligations to any contractors it might use. The second is to require that any information
reasonably requested by the organization will be supplied. This should enable regular checks
on security arrangements to be undertaken. For example, if the service provider is regulated,
then the organization might want to view any audit reports made by the regulator into the
service provider’s business.

SUGGESTED TERMS FOR INCLUSION

To the extent that [the service provider] is a data processor within the meaning of the Data
Protection Act 1998 it hereby undertakes:

. Only to act on instructions from [client] when processing personal data on [client’s] behalf.
. To comply with the Seventh Data Protection Principle in relation to the processing of personal
data on [client’s] behalf.
. To ensure that equivalent obligations of security are imposed on any third-party service supplier
to [the service provider] (‘subcontractors’) which process personal data on behalf of the [client].
. To report on security issues as may be required by the [client] from time to time.

SUGGESTED ACTIONS
. If the resource provider is a sister or associate company, ask whether the data protection
implications of the arrangement have been considered. If not, provide them with a
copy of the explanation letter. Note that contracts are required between group
companies.
. If the service or resource provider is already providing services to the existing business, ask
for a copy of the data protection compliance reports for the last three years (if any) and
check that they cover the issues identified above as relevant to the relationship. If not
(or there are no such reports), take up the queries directly with the service provider after
discussion with contacts in the existing business.
. If the service or resource provider has not previously provided services to the organization,
then send a letter setting out the suggested queries to raise with existing and prospective
service providers, together with information about the proposed amendment to contract
terms. If the arrangements have not yet commenced, then the appropriate time to raise
the queries is during the tender process.
. On a continuing basis, make regular checks that the service supplier has an appropriate
level of security for computer systems and paper files which relate to your organization.
Ask whether there have been any breaches of security or confidentiality and, if so, what
action(s) they have taken to avoid a recurrence.

CHAPTER 8
Employee benefits

Employee benefits and perks

This chapter highlights the different data protection issues that arise in connection with
providing and administering employee benefits. The Principles apply to each function being
undertaken and to each party involved. In particular, attention should be paid to the subject
information provided to employees entitled to various benefits; some of the data protection
issues can be overcome by explaining the circumstances to employees. Many benefits
require the employee to complete a ‘membership application form’ of some description. A
form is the ideal location to provide specific subject information. Particular care is needed
where administration is outsourced, and the production of appropriate and lawful
paperwork may be beyond the direct control of the employer.
A further compliance issue is that where parties involved in HR activity are outsource
service providers, the Seventh Principle applies to make formal contractual arrangements
and continuing security checks on the service provider a necessity. It is important to identify
these relationships and deal with them correctly. (See Chapter 7).

DIFFERENT BENEFITS AND COMMON PROBLEMS

Medical insurance
Medical insurance pays for private medical treatment for the employee and possibly his or
her family members.
In some schemes the employer designates a member of staff to authorize claims on the
scheme. Claim forms obviously require details of the claimant and the medical condition
provided by the employee and possibly their medical practitioner. All this personal data is
disclosed to the designated person for authorization of the claim on behalf of the employer.
Ostensibly the reason for this disclosure is to verify the identity of the claimant and their
entitlement to claim. In fact, it constitutes an invasion of privacy to require the medical
condition to be disclosed to the employer; other ways could easily be found to verify the
claimant’s identity and the employer should really have no ongoing involvement in the claim.
The practice is in breach of the Principles. The Third Principle requires that personal data be
adequate, relevant and not excessive for the purpose for which it is processed. Disclosure of
a medical condition to the employer as part of the claims process is intrusive and probably
breaches the Human Rights Act by its lack of respect for an individual’s private life. Breaches
of law constitute contravention of the First Principle, which requires that personal data be
processed lawfully.
The situation is aggravated when a claim relates to a spouse or other dependant of the
employee. The claimant’s medical details are disclosed to the employee as well as their
employer without any real justification.
The Employment Code recommends that if the employer takes on the role of the broker
or one of its officers acts as group secretary for a private medical insurance scheme, any
personal data processed should be kept to a minimum. Access to the information should be
limited and not used for general employment purposes.1
Information provided to the employer at renewal may also be excessive. The employer
needs to know the total claims made during the period of insurance and possibly to have a
breakdown of high-value individual claims. However, it is submitted that the employer should
not be able to identify claimants from the information provided, although in practice the
information supplied routinely does identify them.

Permanent health insurance

Permanent health insurance pays monthly compensation to a worker who is no longer able
to continue in employment due to illness or injury. It is designed to replace salary for the
remainder of the individual’s working life.
The main issue here is the disclosure of personal data between employer and permanent
health insurance provider. Pension scheme trustees may also become involved. As an
individual worker is diagnosed as unable to continue working, one or more individuals
(possibly within the HR department) will start to explore the different financial options to
allow that worker to leave employment with a compensatory package. Care needs to be
taken to ensure that personal data is not disclosed between the parties except as strictly
necessary. This is a situation where a clear warning to employees that their personal data will
be shared between the parties (in this case the employer, the insurance company, and the
pension scheme trustees) avoids the issue and illustrates the value of appropriate and well
thought out subject information. Also, the employer should ensure that one or more of the
conditions for fair processing of sensitive data is met.

Occupational health screening

Occupational health screening involves medical checks on workers specifically to identify
the early symptoms of illnesses or injuries common to a particular industry.
The issue here is that personal data supplied in relation to occupational health
screening must not be used for the purposes of employee administration. The health
screening may show that a particular worker has a tendency towards a particular health
problem, but the employer must not allow that to influence them by discriminating against
that employee. Ideally the results of screening should not be made available to the employer
except in anonymized form for statistical analysis. The individual employee should be
advised of any problems specific to them and allowed to take the matter further with the
employer or not at their discretion.
Care needs to be taken to ensure that personal data is not disclosed between the parties
except as strictly necessary. The employer should also ensure that one or more of the
conditions for the fair processing of sensitive data is met as medical data is disclosed to it.

Company car
If fleet management is outsourced, it is likely that the service provider will be processing
personal data relating to employees who have company cars and is thereby acting as a data
processor. Ensure that the employer is meeting its statutory obligation to check that the
service provider has adequate security arrangements in place. It is a statutory requirement
that two specific clauses be incorporated into the agreement between the employer and the
service provider. For a full explanation, see Chapters 7 and 20.
If the use of company vehicles is monitored, make sure that the requirements of the
Employment Practices Data Protection Code are observed. (See, further, Chapter 5).

1. Employment Practices Data Protection Code, Record-keeping – Pensions and insurance, benchmark 4.

Share option schemes

A ‘Save As You Earn’ share option scheme allows individual employees to make regular
savings which may be applied against the purchase price of a predetermined number of
shares in the company at the expiry of a set period, usually five years.
Although the operation of a share option scheme involves the employing company, the
listed company in the group and a building society, all parties act in the capacity of data
controller rather than one or more processing personal data on behalf of the other(s). The
employing company notifies workers of the terms of the scheme and provides building
society application forms and company share scheme membership application forms for
completion and return. These forms are used by the building society and the listed company
(or its registrar) respectively to set up membership records. Neither party is acting on behalf
of another; in both cases the relationship with the employee is a direct one.
In some cases the employer may allow either the building society or the listed company
(if this is a different entity to the employer) to publicize the scheme using personal data.
This would be the case where the building society or listed company undertakes a
personalized mailing to employees inviting them to join the scheme. This necessarily
involves the transfer of employee personal data from the employer to the party undertaking
the mailing and may be deemed to be processing on behalf of the employer. In this case the
employer is under a statutory obligation to check the service provider’s security
arrangements and to incorporate two specific clauses into its contract with the service
provider. (For a full explanation, see Chapters 7 and 20).

SUGGESTED ACTIONS
. Identify all employee benefits. Your list might include: medical insurance, permanent
health insurance, occupational health screening, company car, share option schemes.
. Identify any third parties involved in the administration of benefits. Remember that
pension scheme trustees are not the same legal entity as the employer; they are a third
party for the purposes of data protection.
. Check that outsourced service providers comply with the security arrangements and that
they are regulated by contracts containing the appropriate clauses. (See Chapters 7 and
20).
. Check that appropriate subject information is provided to employees in all cases. (See
page 13).
. Consider what personal data is passed between the employer and the benefit provider or
administrator at all stages. Check that it is adequate, relevant and not excessive and that
personal data obtained for purposes linked with the administration of benefits is not also
used for the purposes of personnel administration.
. If sensitive data (for example, details of illness or injury) is being processed, check that one
or more of the conditions for fair processing are being met. (See page 16).

Crèches

PERSONAL DATA AND SENSITIVE DATA

A crèche facility will hold a lot of personal data, including much that is sensitive. The details
of other family members, doctors and persons authorized (and not authorized) to collect
individuals from the crèche are needed to ensure the children’s safety and well-being. The
First Principle requires that all data subjects be given specified information about the crèche
operator, the purposes for which personal data is required and any other relevant
information. See page 13 for a full explanation of the requirements. The mechanics of the
First Principle are explained in Chapter 14.
It is likely that records relating to the crèche will include medical details relating to the
children: for example, those concerning required medication and any medical conditions or
allergies. This is sensitive data, and its processing must meet one or more of the conditions
for fair processing. See page 16 for more information about the requirements for processing
of sensitive data.
In addition, it is a requirement that employees in the crèche facility are vetted to ensure
they do not have a criminal record. This is also sensitive data, in this case relating to the
crèche’s employees. The processing of all of these categories of sensitive data should be
authorised by reference to one or more of the conditions for fair processing of sensitive data.
(See, further, Chapter 3).
A further point is that any and all data must be disclosed to the social services on
request. They have a statutory right to view any information on a site visit or
inspection.

RECORD-KEEPING
The Data Protection Principles encourage good record management practices. This means
having an appropriate document retention policy for paperwork and computer files relating
to the children in the crèche, prospective attendees, their parents and other third parties.
Appropriate retention periods should take into account the purposes for which the
information is required and any legal obligations, such as the duty to disclose information
to the social services or local authorities. Once clear operational requirements – in this case,
crèche administration – and legal requirements have been identified, appropriate record
retention periods should be documented and enforced.
Personal data which is no longer required should be disposed of securely. Many of the
records relating to the crèche will contain confidential information and sensitive data.
Therefore appropriately high levels of security should apply to the destruction of paper files
and the deletion of computer records that are no longer required.
Records that are in use should also be adequately protected against unauthorized access
or tampering. Chapter 20 suggests some of the actions that may be taken to establish and
improve security arrangements; however, it is likely that crèche premises will be reasonably
secure due to the need to keep children safe from intruders.

SUGGESTED ACTIONS
. Introduce a document retention policy or check that any existing policy is adequate and
reasonable.
. Check that arrangements for the disposal of information that is no longer required are
secure.
. Revisit page 13 and introduce data subject information to key documents, particularly any
forms or questionnaires where personal data is requested.
. Check that one or more of the conditions for the fair processing of sensitive data is being
met.
. Check the security of documents and computer files relating to the crèche. Bear in mind
that this is possibly the most confidential information the organization holds.

Pension schemes
Pension scheme trustees will need data protection advice as much as employers. The
operation of a pension scheme is a notifiable activity, so the trustee body should be
registered for data protection. Pension scheme administration arrangements need to be
reviewed for compliance in the same way that other HR issues are reviewed. All the same
issues apply.
The pension scheme trustee body is not the same legal entity as the employer and must
be dealt with at arm’s length by the employer. This applies particularly when disclosing
personal data between the employer and the trustees. In many cases the trustees rely on the
employing company to undertake routine administration on their behalf. If this involves
the processing of personal data (which it almost certainly will), the employer is acting as an
outsource service provider to the trustees and a contract is needed to govern the relationship
between the data controller (the trustees) and the data processor (the company). (See
Chapter 7).
In addition, staff in HR who undertake administrative tasks on behalf of the trustees
should be made aware that when doing so they are acting on behalf of a third party.
‘Chinese walls’ are required to prevent the leakage of personal data held for employment
purposes to the trustees and the leakage of personal data held by the trustees for scheme
administration purposes to the employer.2 (‘Chinese walls’ are protocols within the
organization which operate so that ‘known’ facts in one department are kept confidential
from other departments. They may also apply within a department so that information used
for one purpose by a member of the HR team is kept confidential and not applied for
another purpose even though the same team member might be involved).

OUTSOURCING PENSION SCHEME ADMINISTRATION


Pension scheme administration is often outsourced. As scheme administration involves the
processing of personal data, the trustees are under a statutory duty to check the security
arrangements for personal data processed by the pension scheme administrators. They are
also required to incorporate specific clauses into the contractual arrangements between
themselves as trustees and the administrators. (See Chapter 7 and, in Part II, Chapter 20).

2. Employment Practices Data Protection Code, Record-keeping – Pensions and insurance, benchmarks 1 and 3.

DEED OF WISH FORMS


An interesting issue arises in connection with deed of wish forms. These require the pension
scheme member to provide personal data relating to third parties. In this case, the third
parties are the beneficiaries of the member in the event of their death. In theory the trustees
should provide subject information to beneficiaries. Trustees should notify beneficiaries that
their personal data has been disclosed to the company’s pension scheme trustees in
connection with pension arrangements. This presents the trustees with the problem of how
to communicate with beneficiaries in an appropriate way, which must be via the scheme
member. Furthermore, the scheme member may not wish their beneficiaries to be aware that
they are beneficiaries. A practical solution and a preferable alternative may be to require the
deed of wish form to be supplied by the member in a sealed envelope. In this way the
trustees and/or employer are not involved in processing ‘personal data’ as the sealed
envelope does not identify the beneficiary data subjects.

SUGGESTED ACTIONS
. Ensure that the trustee body is registered for data protection. (See Chapter 23).
. Identify all personal data processing undertaken by, or on behalf of, the scheme trustees.
. Ensure that appropriate subject information is in place for scheme members, prospective
members, pensioners and pension visitors.
. Identify any third parties involved in processing personal data on behalf of the scheme
trustees – including the employer – and put contracts in place. (See Chapter 7).
. Check the relevance and adequacy of any information requested by the scheme trustees:
for example, on the pension scheme membership application form and the beneficiary
form (the deed of wish).
. Check that security arrangements for personal data relating to the scheme are adequate.
. If the trustees process sensitive data (for example, relating to the health of scheme
members), ensure that a condition for the fair processing of sensitive data is being met.
(See page 16).
. Provide training and procedures for HR staff who handle administrative tasks on behalf of
the trustees so that they understand the trustees are a body separate from the employer
and that there is a need for ‘Chinese walls’ between the two parties.

Social clubs and work in the community

SOCIAL CLUBS
Some employers provide social facilities for employees or allow work facilities to be used for
the promotion of social clubs and activities. There is likely to be less formality about
arrangements for obtaining personal data in connection with social clubs and activities,
such as a notice on the staff noticeboard for employees to ‘sign up for next week’s trip to the
brewery’ etc.

To some extent it is arguable whether the employer is responsible for the compliance of, say,
an in-house football team’s personal data-processing activities. However, the indications
are that the Commissioner would consider that the employer owes a duty to its employees
to protect them from misuse of their personal data. Tolerating the use of its facilities to
publicize events means that the employer probably is responsible and certainly would be if
social activities were encouraged by the employer as a staff ‘perk’.
A prudent employer should therefore take steps to educate social club secretaries in
basic data protection law, for example to instruct them that personal data relating to social
club members should not be used in ways inconsistent with the purposes for which it was
obtained, or be disclosed without authority, retained for longer than is necessary, etc. A
relatively simple way to achieve this is to provide social club secretaries (formal and informal
secretaries) with guidelines as to expected behaviour when processing personal data on
company equipment and/or in company time.
The issues the employer should seek to cover might include:

. The use of company facilities to promote social activities for staff organized by individuals
or groups of staff with common interests (such as promoting a football or netball team,
arranging days out and arranging charity events) so long as this does not interfere with
company business.
. Awareness that involvement in a social club and arranging social activities involves the
processing of personal data relating to colleagues. Names and contact details (even where
this is a work telephone extension number or e-mail address) constitute personal data.
. Awareness that data protection law sets standards for the correct use of personal data and
that those involved in social clubs and arranging social activities are expected to observe
the Data Protection Principles.
. The importance of the security of any records containing personal data.
. A reminder of the general embargo on sourcing personal data from the HR department.
Personal data required to administer the social club should be obtained direct from the
members or participants.
. The importance of explaining to members and prospective members why the information
is required.
. That the aim should be to hold the minimum information in each case.
. A complaints procedure, possibly with the company or head of HR as final arbiter.

WORK IN THE COMMUNITY


Many employers encourage staff to undertake work in the community, notably in relation to
schools and helping to promote educational aims and objectives. Usually the employer
encourages staff to participate in organized schemes and a scheme organizer is involved in
carrying out any vetting required. Remember that there will be police checks for those who
work with children and young people.
The records of employees who participate in such events constitute personal data, and
the Principles apply.
As a prudent employer it is worth checking that the organizer provides appropriate
subject information, that conditions are being met for the processing of sensitive data where
this is the case, and that processing is undertaken in accordance with the Principles.

SUGGESTED ACTIONS
. Provide guidelines to social club or event organizers about the correct use of personal data.
. Check that any schemes involving work in the community have considered data
protection issues in relation to the scheme. In particular, check:
– that subject information is provided to prospective participants and that it is adequate
and appropriate in the circumstances
– that any vetting required prior to joining the scheme is fully explained to prospective
participants on first contact with the scheme organizers.

CHAPTER 9 Corporate issues

Acting as a service company to a trading group


By virtue of the Seventh Data Protection Principle, companies which subcontract or
outsource any of their personal data processing activities are required to enter into written
contracts with their subcontractors and outsource service suppliers, and these contracts
should include two specific data protection terms.
Unfortunately, as data protection law does not recognize trading groups of companies,
this means that companies in a group are treated as independent parties. So if a group
contains one or more employing companies which employ staff on behalf of the other
trading companies, the relationship between the employing companies and the other
trading companies is seen as one to which the Seventh Principle will apply.
In essence, the trading companies have outsourced HR activities to another company in
the group. The employing company provides staff and undertakes data processing on behalf
of the trading companies. The employing company is a data processor; the trading company
is a data controller in respect to personal data processed as part of its business.
A similar situation arises where computer equipment is deemed to be owned by one or
more companies in a group for accounting purposes. Those trading companies which
process personal data on the computers are in principle outsourcing the processing to the
company which is deemed to own the computer equipment.
The contractual requirement arises from the Seventh Principle and the statutory duty is
set out in Schedule 1 to the Act, Part II, which deals with the interpretation of the
Principles.
Where the Seventh Principle applies, two issues must be covered in the contract. The
first is to ensure that any outsourced service suppliers and subcontractors (‘data processors’)
are contractually bound to act only on instructions from the trading company (‘data
controller’) when processing personal data supplied by the data controller.
The second is to comply with obligations equivalent to those imposed on the data
controller by the Seventh Data Protection Principle. The Seventh Principle relates to security
and states: ‘Appropriate technological and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or destruction
of, or damage to, personal data.’

REQUIRED CONTRACTUAL TERMS


Issues to be covered are:

. That the service company will only act on instructions from the trading company when
processing personal data on its behalf;
. That the service company will comply with the Seventh Data Protection Principle in
relation to the processing of personal data on behalf of the trading company.

It might be possible to meet the contractual requirement of the Seventh Principle by all
relevant parties entering into one master agreement. All parties (employing company(ies),
computer equipment owners, the ‘data processors’ and trading companies, the ‘data
controllers’) would need to sign the agreement.
Otherwise separate agreements will be required between each data controller and its
data processor(s).

SUGGESTED ACTIONS
. Identify the employing company(ies) in the group.
. Identify the trading company(ies) in the group.
. Put in place contracts between the employing company (the ‘data processor’) and the
trading companies (the ‘data controllers’) incorporating the terms set out above.

Issues for international groups of companies


The Eighth Data Protection Principle acts as a blanket prohibition on the transfer of personal
data to territories outside the European Economic Area unless there is a presumption of
adequacy in relation to the data protection law in that territory.
There is provision in the EC Directive for territories outside the EEA with their own data
protection laws to be deemed adequate for the transfer of personal data. To date Switzerland,
Hungary and Canada have been found to meet the adequacy criteria. Therefore all transfers
of personal data within the EEA and to Switzerland, Hungary and Canada are lawful.
The EC has also approved the Safe Harbor arrangements in the United States. Safe
Harbor offers adequacy at company level. A company based in the United States has to
subscribe voluntarily to the arrangement which involves federal regulation. Any company
that subscribes is deemed to provide adequate protection for the rights and freedoms of data
subjects, and transfers of personal data to that company are lawful.
If an intended recipient of personal data is located in a territory outside the EEA and it is
neither in one of the approved countries nor a subscriber in the United States to Safe Harbor,
the following options are ordinarily available to legitimize the transfer:

. Consent of the data subject.
. Transfers made pursuant to (or to facilitate) a contract to which the data subject is a party.
. Transfers made pursuant to a contract which is for the benefit of the data subject.
. Transfer taking place on contract terms approved by the EC as providing adequate
protection for the rights and freedoms of data subjects. Standard terms are available on
the EC Commission web site.1

These options are exemptions (among others) set out in Schedule 4 to the Act.
Unfortunately these options do not wholly meet the need either in relation to transfers
of employee data to parent companies or to other recipients located outside the EEA. This is
primarily because consent is not reliable in the HR context. There is a view that an employee
cannot freely give consent to their employer because of the inherent pressure in the
relationship on the employee to consent to actions of the employer. The Information
Commissioner subscribes to this view. Organizations which seek to rely on consent obtained
from employees will find that consent challenged. Alternative arrangements should be
sought immediately. (For a full commentary on the issue of consent in the employer/
employee relationship see page 21).

1. http://www.europa.eu.int/comm/internal_market/en/dataprot/news/clauses2faq.htm.

Where an organization is part of an international group some transfer of employee
personal data outside the EEA is bound to occur. The use of international telephone
directories and e-mail address directories involves the disclosure and transfer of personal
data. The transfer of employee personal data is particularly likely if the organization’s head
office is located outside the EEA. The exemption applying to transfers pursuant to a contract
or to facilitate a contract with the data subject may apply to some routine disclosure of
employee personal data for HR purposes. Transfers may be made pursuant to the employee’s
contract of employment: for example, the approval of contractual bonus payments or
decisions relating to dismissal where this is part of the documented disciplinary procedure
etc. However, that exemption will not cover non-contractual obligations such as
international recruitment and selection or a redundancy programme.
If none of the conditions in Schedule 4 apply – which is the case in relation to some HR
disclosures to a parent company and all disclosures to a recipient in relation to a joint
venture, merger or acquisition – consideration may be given to using contractual terms.
Prescribed contract terms have been approved by the EC as providing adequate
protection for personal data transferred to countries where inadequate data protection law
exists. The contract should be entered into by the intended recipient of the personal data
and the employer. The approved terms are lengthy and may not be acceptable to the parties.
They are not particularly appropriate to the relationship between parent and subsidiary
company. In relation to parent companies, the employer will have a continuing relationship
with its parent to protect. The relationship will also mean that the subsidiary will have prior
experience of the integrity of the parent organization. An international group of companies
may also have international standards of data handling, security and confidentiality with
which the UK-based employer will be familiar. Therefore it is suggested that it would be
more appropriate to follow the adequacy test in relation to intra-group transfers.
The adequacy test is a process whereby a data controller in the United Kingdom assesses
the adequacy of data protection in the country where the intended recipient of the personal
data is located. The process is long and involved, requiring research to be undertaken and a
judgement made at the end of the process.
As extra security for the transfer and to focus attention on the data protection issues
involved in a transfer of employee personal data it is recommended that the transfer be
undertaken on the terms set out below.

SUGGESTED TERMS OF TRANSFER


Although the intended recipient of the personal data is unable or unwilling to enter into a
contract relating to the supply of personal data on the terms approved by the European
Commission, nevertheless it is recommended that some form of agreement accompany any
transfer which is undertaken based on a self-assessment of adequacy.

Issues to cover include:

. A restriction on the purposes for which the recipient may process the personal data.
. A prohibition on the processing of personal data for specific activities such as marketing,
or onward disclosure to third parties.
. A requirement to ensure that all reasonable security measures are in place for systems and
that staff whose jobs involve handling the personal data have adequate training in
confidentiality and security issues.
. A requirement that the personal data be deleted, destroyed or returned to the sender when
the recipient has concluded its processing activity.

SUGGESTED ACTIONS
. Identify the purposes for which transfers of employee personal data outside the EEA are
made.
. Identify the parties to whom employee data will be disclosed.
. If the purpose is routine HR administration which a parent company located overseas
requires for management planning or budgets, depersonalize or anonymize the data.
. If the purpose is to approve or make decisions affecting individual employees (for
example, bonus payments, promotion, dismissal, international recruitment and selec-
tion), anonymized data will not meet the need. In this case check that the employees
affected are aware that their personal data is to be transferred to the parent company for
specific purposes and incorporate the contract terms approved by the EC (see below).
. If the disclosure is in relation to a joint venture, merger or acquisition, check that the
employees affected are aware that their personal data is to be transferred for this purpose
and follow the contractual terms point below.
. Suggest that the intended recipient enter into a contract in the terms approved by the EC
for the transfer of personal data outside the EEA. The terms can be found at the relevant
web site.2

If this is not possible then follow the adequacy test below.

ADEQUACY TEST
. Find out about and document the data protection laws in effect in the country where the
recipient of the personal data is located.3 Alternatively you might ask the intended
recipient of the personal data for information.
. Find out and document whether or not the intended recipient of the personal data is a
member of any professional body or subscribes to a code of conduct or practice which
includes the need for confidentiality when dealing with personal data. Ask the recipient if
you are unsure, but all professional bodies will have a code of conduct.
. You should have some knowledge of the recipient’s security arrangements, whether or not
computer systems meet international standards, what internal policies and procedures
protect confidentiality of personal data, etc. Document this also. If you have no prior
knowledge of the intended recipient, ask for information on all the above issues.
. Consider the confidentiality of the personal data involved and whether or not it is
‘sensitive data’. Consider and document your view as to the likely harm which would
result from unauthorized destruction or disclosure of the data.
. Check with other European offices (if any) as to their practice regarding the disclosure of
employee data to a parent or other recipient located outside the EEA.
. Given the information you have collected in response to the points raised above, make a
judgement as to whether or not you personally consider the transfer provides adequate
safeguards for the personal data given its confidentiality etc.
. If you are personally satisfied as to the security of the data and the integrity of the
transferee, make the transfer on terms such as the suggested ones set out above.
. Document the process you have gone through, the checks undertaken and the reasons
why you finally made the decision to transfer/not to transfer the personal data outside the
EEA.

2. http://www.europa.eu.int/comm/internal_market/en/dataprot/news/clauses2faq.htm.
3. The privately owned web site at www.privacyinternational.org/survey gives details of the state of
data protection law in countries around the world.

Joint ventures, mergers and acquisitions


The thorniest data protection issues arise prior to a merger or joint venture transaction. In
preliminary discussions it may be necessary to disclose some personal data relating to key
employees. Subject information provided to employees may not cover the processing of
employee personal data for a purpose other than employment administration. Disclosure in
connection with a proposed merger or joint venture cannot truly be classified as routine
employment administration. So, unless the employees have been advised previously
(via subject information) that this might occur, no personal data may be disclosed without
telling them first. This might not be convenient if discussions are secret or at a delicate stage.
There is an exemption from subject information provisions where disclosure would
involve revealing price-sensitive information (the ‘Corporate Finance exemption’).
Obviously some mergers and acquisitions will be able to rely on that exemption. The
Corporate Finance exemption will also be an effective means of restricting the disclosure of
personal data to a data subject who makes a subject access request during the period of
embargo. Only the information which would reveal that negotiations are under way may be
withheld; other personal data should be supplied in accordance with the subject access
provisions.
There is also an exemption in relation to management forecasts and management
planning. To the extent that meeting the subject information provisions would be likely to
prejudice the conduct of the business or other activity of the organization, personal data
processed for management planning purposes is exempt from subject information
provisions. However, it may be stretching the point to try to argue that the disclosure of
employee personal data to a prospective acquirer is required for management planning
purposes.
For smaller, private companies, the only other option is to depersonalize or anonymize
personal data before disclosure. Nevertheless, caution is still required when dealing with key
employees. Personal data relating to the ‘Finance Director’, for example, will identify the
individual as clearly as their name. Hopefully the finance director will be one of the few who
are in the know about the proposed transaction.

Once the transaction is in the public domain, employees may be informed that their
personal data will be disclosed in connection with the proposed transaction. As the
disclosure may still represent processing for a new purpose, employees should be asked for
their consent to the disclosure.
As the transaction proceeds care should be exercised in relation to the personal data
disclosed. The target organization should be selective about the information it provides.
Personnel records should not be provided in full as it would be difficult to justify such wide
disclosure; only relevant information should be provided. All personal data disclosed should
be subject to a duty of confidentiality binding the acquirer and its advisers. There should
also be a prohibition on the further disclosure of personal data supplied in connection with
the proposed transaction, and the processing of the data should be restricted to purposes of
evaluating the assets and liabilities of the target organization.
On completion of the transfer or acquisition, all parties’ notifications on the Data
Protection Register should be reviewed as there may be changes to be notified. In addition,
newly acquired personnel files should be checked for compliance with the Principles as
recommended in the Employment Practices Data Protection Code.

SUGGESTED ACTIONS
These action points are written from the perspective of the organization making the
disclosure of personal data. You may need to adapt them according to your organization’s
role in the transaction.

In preliminary discussions
. Ensure that an appropriate confidentiality clause has been signed to protect any
personal data that might be disclosed. In particular, place a prohibition on the
processing of such data for any purpose other than assessing the value of the assets and
liabilities of the proposed transaction.
. Identify those persons and companies to which the personal data will be disclosed: for
example, the interested party, its professional advisers, bankers, etc. Restrict the onward
disclosure of any personal data supplied to these third parties on a ‘need to know’ basis.
. If any of the parties are located outside the EEA, any transfer of personal data will be
subject to the Eighth Principle. (See page 55).
. If any personal data is to be disclosed at this stage, check that the employing company has
given employees appropriate data subject information notices to explain that disclosure
for these purposes may occur. If employees are not aware that their personal data might
be disclosed in such circumstances and this personal data cannot be anonymized
completely, explain the situation to them and obtain their consent before making any
disclosure.
. Check that any personal data to be disclosed to a third party – for example, by inclusion in
a data room – is anonymized as far as possible. If anonymized data is not sufficient for the
purposes of the third party, find out why, assess the reasonableness of the request and
document the reasons before making the disclosure.
. As personal data is disclosed ensure that it is duly marked as confidential and only disclose
such information as is required, i.e. do not disclose complete HR files but select only
relevant material.

As the project continues beyond preliminary discussion stage


. Ensure that appropriate confidentiality requirements continue to apply to protect any
personal data that might be disclosed/obtained.
. Continue to check that personal data supplied is relevant and not excessive, and supply
anonymized data wherever possible.
. Continue to check any requests for access to employee data for reasonableness and log
such requests.

At any time during discussions and negotiations


If at any time the transaction under consideration is one which could have an impact on the
price of any financial instrument (i.e. price-sensitive information), then information
relating to the proposed transaction need not be disclosed if a data subject makes a subject
access request.

On completion of the transaction


. Check the terms of all parties’ notifications on the Data Protection Register.
. Check all newly acquired HR files for compliance with the Principles in relation to the
adequacy and relevance of the material held.

CHAPTER 10 Employee administration

Record keeping
Most of the Data Protection Principles impact on record-keeping. The obligations to keep
personal data up to date, to ensure that only relevant data is processed and to keep personal
data secure are all directly applicable to record-keeping.

THE NEED FOR A DOCUMENT RETENTION POLICY


The key to keeping records compliant with the Principles is a robust, policed, document
retention policy. Note that the draft Employment Practices Data Protection Code suggested
maximum document retention periods for HR records. The final version of the Employment
Code omits the table set out below in favour of recommending that employers select and
document their own retention policy appropriate to their industry and practices. However,
the table from the Draft Employment Code is a useful starting point and gives an indication
of what the Information Commissioner’s Office would consider reasonable in normal
circumstances. If there are specific, business reasons to support longer or shorter retention
periods than those set out below, document those reasons.
When considering document retention, computer files as well as paper files need to be
considered. Ensure that computer systems allow personal data to be deleted permanently.
Some systems have the facility for automatic purging guidelines to be built into the record-
keeping system, which is impressive so long as there is provision for a manual override when
required.

The basis of a document retention policy – Table from the Draft Employment Code

Document | Suggested period of retention (see note) | Keep or delete on employee leaving
Application form | Duration of employment | Delete/destroy
References | 1 year | Delete/destroy
Payroll and tax information | 6 years | Keep 6 years
Sickness records | 3 years | Delete/destroy
Annual leave records | 2 years | Delete/destroy
Unpaid leave/special leave records | 3 years | Delete/destroy
Annual appraisal/assessment records | 5 years | Delete/destroy
Records relating to promotion, transfer, training, disciplinary matters | 1 year from end of employment | Keep 1 year
References given/information supporting the reference | 5 years from giving reference | Keep 5 years from giving reference
Summary of record of service such as name, position held, dates of employment | 10 years from end of employment | Keep 10 years
Records relating to accident or injury at work | 12 years | Keep 12 years
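
As an added illustration (not code from the book, the Employment Code or the Information Commissioner’s Office), the following Python encodes the retention periods in the table above and applies them to sample HR records, including the manual override for automatic purging that the text recommends. The record type names, the dates, the ‘legal hold’ flag and the reading of each table row (a ‘Delete/destroy’ row is destroyed when the employee leaves even if its period has not yet run; a ‘Keep’ row runs for its full period regardless of leaving) are assumptions made for this example.

```python
"""Retention-schedule check built from the Draft Employment Code table.

Added example, not the book's own code. Record types, dates and the
legal-hold flag are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# (years, runs_from, on_leaving)
#   years:      retention period in years; None = duration of employment
#   runs_from:  "record"  = period runs from the date of the record
#               "leaving" = period runs from the end of employment
#   on_leaving: "delete" = destroy when the employee leaves (table: Delete/destroy)
#               "keep"   = the period carries on running after leaving (table: Keep)
SCHEDULE = {
    "application_form":                (None, "record",  "delete"),
    "references_received":             (1,    "record",  "delete"),
    "payroll_tax":                     (6,    "record",  "keep"),
    "sickness":                        (3,    "record",  "delete"),
    "annual_leave":                    (2,    "record",  "delete"),
    "unpaid_special_leave":            (3,    "record",  "delete"),
    "appraisal":                       (5,    "record",  "delete"),
    "promotion_training_disciplinary": (1,    "leaving", "keep"),
    "reference_given":                 (5,    "record",  "keep"),   # from giving the reference
    "service_summary":                 (10,   "leaving", "keep"),
    "accident_injury":                 (12,   "record",  "keep"),
}


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date                        # date of the record (or of giving a reference)
    employee_left: Optional[date] = None  # None while still employed
    legal_hold: bool = False              # manual override: litigation, live grievance, etc.


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February in a non-leap target year becomes 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_decision(rec: Record, today: date) -> str:
    """Return 'retain' or 'delete' for one record under SCHEDULE."""
    if rec.record_type not in SCHEDULE:
        # A record type with no rule is a gap in the policy; surface it rather than guess.
        raise ValueError(f"no retention rule for {rec.record_type!r}")
    if rec.legal_hold:
        return "retain"                  # the manual override always wins over purging
    years, runs_from, on_leaving = SCHEDULE[rec.record_type]
    if runs_from == "leaving":
        if rec.employee_left is None:
            return "retain"              # period has not started to run yet
        return "delete" if today >= add_years(rec.employee_left, years) else "retain"
    if rec.employee_left is not None and on_leaving == "delete":
        return "delete"                  # table says Delete/destroy on leaving
    if years is None:
        return "retain"                  # kept for the duration of employment
    return "delete" if today >= add_years(rec.created, years) else "retain"


def purge_candidates(records: List[Record], today: date) -> List[str]:
    """Ids of records the schedule says should now be deleted or destroyed."""
    return [r.record_id for r in records if retention_decision(r, today) == "delete"]


# Constructed sample data; the review date is chosen to exercise each rule.
TODAY = date(2003, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "sickness", date(2001, 1, 1)),                               # within 3 years
    Record("R2", "sickness", date(1999, 1, 1)),                               # 3 years elapsed
    Record("R3", "application_form", date(1995, 3, 1), date(2003, 5, 1)),     # left: destroy
    Record("R4", "payroll_tax", date(1998, 4, 6), date(2000, 4, 5)),          # keep 6 years
    Record("R5", "promotion_training_disciplinary", date(2001, 2, 1), date(2002, 3, 1)),
    Record("R6", "promotion_training_disciplinary", date(2001, 2, 1)),        # still employed
    Record("R7", "appraisal", date(1997, 6, 1), legal_hold=True),             # override
    Record("R8", "accident_injury", date(1990, 1, 1), date(1995, 6, 30)),     # 12 years elapsed
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.record_type, retention_decision(rec, TODAY))
    print("purge:", purge_candidates(SAMPLE_RECORDS, TODAY))
```

The legal-hold check is deliberately the first test in `retention_decision`, so that a hold set by HR cannot be undone by any later rule; that is the ‘manual override’ the text asks for. Where the employer documents business reasons for different periods, only the `SCHEDULE` table changes.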

The Employment Code features an entire section devoted to record-keeping.1 Among the
recommendations, here are some of the key ones not covered elsewhere:

. Employee personal data should be checked periodically by data subjects to ensure that it is
up to date and accurate.2
. Anonymize any data about workers and former workers where practicable.3
. If the holding of any information on criminal convictions of workers is justified, ensure
that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of
Offenders Act.4

DISCIPLINARY, GRIEVANCE AND DISMISSAL


The Employment Code makes a series of recommendations in relation to record-keeping in
these circumstances.5 In particular, it is emphasized that the Data Protection Act 1998 applies
to personal data processed in relation to disciplinary, grievance and dismissal proceedings.
It is recommended that employee personal data is not accessed or used merely because
it might have some relevance to a disciplinary or grievance investigation if access or use
would be either:

. Incompatible with the purpose(s) for which it was obtained, or
. Disproportionate to the seriousness of the matter under investigation.6

Records should be accurate, so the reason for termination of employment must be
accurately recorded and accord with what the employee was told was the reason for
termination. To keep files up to date there should be procedures on how ‘spent’ disciplinary
warnings are handled.

EQUAL OPPORTUNITIES MONITORING


The Employment Code makes a series of recommendations about the obtaining and
processing of information about a worker’s ethnic origin, disability or religion.7 Personal
data falling into these categories is sensitive data. Therefore the employer should ensure that
equal opportunities monitoring satisfies one or more of the conditions for the fair
processing of sensitive data set out in Schedule 3 to the Act. There is a condition which
specifically relates to legitimate equal opportunities monitoring, so this is not a problem.
The Employment Code recommends that sensitive data processed for purposes of equal
opportunities monitoring should be maintained in anonymized form where practicable. In
many instances, information held for monitoring equal opportunities does not need to
identify individual workers.

1. Record Management.
2. Record Management, benchmark 4.
3. Record Management, Retention of records, benchmark 2.
4. Record Management, Retention of records, benchmark 3.
5. Record Management, Disciplinary, grievance and dismissal proceedings.
6. Disciplinary, grievance and dismissal proceedings, benchmark 2.
7. Record Management, Equal opportunities monitoring, benchmarks 1 to 4.

FRAUD PREVENTION
The Employment Code makes a series of recommendations relating to the use of employee
personal data for purposes of fraud prevention.8 Some public employers will undertake
‘matching’ exercises with employee personal data against lists of persons in rent arrears for
example. The recommendations include consultation with trade unions or other worker
representatives before starting a data-matching exercise. Any legitimate concerns raised in
consultation should be followed up and any appropriate action taken before starting the
exercise.
The Employment Code also recommends that employees are reminded of the fact that
the employer undertakes fraud prevention exercises from time to time. This is in addition to
the requirement to provide subject information as required by the First Principle.
Employee personal data should not be disclosed to other organizations for the
prevention or detection of fraud9 unless:

. You are required by law to make the disclosure, or
. You believe that failure to disclose, in a particular instance, is likely to prejudice the
prevention or detection of crime, or
. The disclosure is provided for in workers’ contracts of employment.

SUGGESTED ACTIONS
. Adopt a sensible document retention policy.
. Anonymize personal data used for statistical and equal opportunities monitoring purposes
so that individuals cannot be identified.
. Read the guidance on security in Chapter 20.

Disclosure and publication of employee personal data

DISCLOSURES
Employers are routinely approached for information relating to their employees. All such
requests involve the disclosure of personal data relating to the employee concerned. Simply
confirming that a particular individual is employed by the company constitutes personal
data relating to that individual.

8. Record Keeping, Fraud prevention, benchmarks 1 to 3.
9. Fraud prevention, benchmark 3.
64 Actions for employers

Most requests are genuine and justifiable; however, some will be attempts to elicit personal
data by deceit. The employer is under an obligation to make staff aware of this, particularly
those working in HR who are responsible for the handling of employee personal data.
Disclosures of employee personal data fall into three main categories:

1) Those disclosures required by law such as sharing information with the Inland Revenue,
National Insurance contributions agency, Child Support Agency, etc.
2) Those made at the request of the data subject, for example providing a reference for a
mortgage application, to a new employer or to ‘whom it may concern’.
3) Other, probably non-routine, requests from outside agencies such as solicitors and other
interested parties.

Obviously, disclosures required by law must be made, subject to verification that the request
is genuine. A disclosure requested by the data subject should be made in accordance with
company policy, and will probably be made openly so that the employee is aware of its
content. In particular, references to be provided to new or prospective employers are the
subject of a series of recommendations in the Employment Code.10 This recommends
setting out a clear policy explaining who in the organization is authorized to give references
on its behalf. Anyone likely to be approached for a reference or to become a referee needs to
be aware of the policy.
Requests from other third parties should be dealt with in accordance with the
recommendations in the Employment Practices Data Protection Code. Employees should be
advised of the request and allowed to determine how it is handled, what information is
disclosed, etc. unless this would involve ‘tipping off’ the data subject in relation to a
criminal investigation.
Requests for information from the police fall into this last category. Organizations have
the discretion whether or not to comply with a request made by the police for access to
personal data held. While most organizations will ordinarily want to comply with such
requests, there should be a procedure to handle them properly and fairly in relation to the
employee.
Requests by colleagues for details such as home contact information or birth dates are another
kind of non-routine request for the disclosure of employee personal data. The personal data held on
HR files is held for purposes related to HR administration, and a disclosure to another
member of staff for social purposes is processing for an unrelated purpose.
A robust internal disclosures policy is also recommended.

Issues to address in policy and procedures for the disclosure of employee
personal data externally
Set out the circumstances in which personal data relating to employees will be disclosed. For
example:

. Disclosure of employee personal data will be made where required by law (for example to
the Inland Revenue, National Insurance Contributions Agency, Child Support Agency).
. Disclosure of employee personal data will be made at the specific request of the employee
concerned, for example providing references.

10. Record Management, References.

. In all other cases, disclosure of employee personal data will only be made with the
knowledge and consent of the employee concerned.

The procedural requirements should include:

. Ensuring or requiring that the request be made in writing.
. Verification of the identity of the person making the request.
. Checking that the request is either authorized by reference to a statute (for example under
the Income Taxes Act etc.) or that the proposed disclosure is agreed by the employee
concerned.
. Provision for non-routine requests to be referred to the employee and acting according to
their instructions.
. Providing the employee with a copy of the personal data comprising the information in
the case of non-routine requests, noting the circumstances of the request in a central file
held for this purpose.
. How to deal with requests made by the police where they specify that the employee
should not be informed.
. The person in the organization to whom reference should be made for guidance on
difficult issues.

Issues to address in policy and procedures for internal disclosures


Provide an explanation as to why the employer is restricted in its use of employee personal
data for purposes other than those related to employee administration. Reference can be
made to the fact that all employees are data subjects and that the organization owes a duty
of confidentiality to all of them. Reference can be made to any data protection policy in
place.
Give examples of the types of request for personal data likely to fall into this category.
Examples might include requests for colleagues’ home contact details or birth dates so that
cards or flowers can be sent on, say, the birth of a child or during a period of absence due to
illness.
The recommended stance is that requests from individual employees for personal
details relating to a colleague will be declined by the employer on the grounds that to accede
would be a breach of the duty of confidentiality owed to employees. However, there may be
circumstances in which an employee has a legitimate requirement for a colleague’s personal
details. For example, a manager might request home contact details for an absent staff
member in order to check the situation regarding outstanding work. In these circumstances
it might be appropriate to approach the employee, asking them to contact the manager at
work rather than disclosing personal details.
Procedural elements to cover include:

. The person to whom enquiries should be addressed.
. The requirement for requests to be in writing or by e-mail, giving full details of the reasons
why the information is needed.
. The fact that details of any requests for personal information relating to colleagues will be
logged, together with details of the request and the decision.

THE PUBLICATION OF EMPLOYEE PERSONAL DATA


From time to time an employer will want to publish information relating to all or some of its
employees. This might involve, for example, putting photographs in company brochures, on
the web site or in a company magazine. It might involve providing quotes and background
information (years of experience, qualifications and membership of any professional or
industry bodies) to the press as part of a press release.
The Employment Practices Data Protection Code recommends that employees are given
advance warning of the publication of their personal data and the opportunity to approve
its publication.

Issues to address in policy and procedures for the publication of
employee personal data
The circumstances in which personal data relating to employees will be published. For example:

. Employee personal data will be published where required by law, for example in company
reports and financial statements.
. In all other cases, employee personal data will only be published with the full knowledge
and consent of the employee concerned, including the likely extent of the publication.

Procedural elements
The procedure should include:

. Providing the employee concerned with a description of the publication, including the
medium (print, web site, verbal), the shelf life of the publication, its intended and likely
audience, the content of the information, the personal data contained in the information.
. Obtaining the consent of the employee before publication.
. Taking account of any comments and requests for amendment requested by the employee.

SUGGESTED ACTIONS IN RELATION TO THE DISCLOSURE AND PUBLICATION
OF EMPLOYEE PERSONAL DATA
. Establish policies and procedures on the disclosure of employee personal data internally
and externally and communicate it to those staff who are likely to receive requests for
information about employees.
. Establish a policy and procedures on the publication of employee personal data and
communicate it to those staff who are likely to be involved in the publication of
information about the company and its employees.
. Check periodically that the policies and procedures are understood and are being
followed. In particular, check the log of non-routine requests for information.

Health and safety


Records that are retained for purposes of health and safety will contain personal data
relating to employees and others, such as visitors to the organization’s premises. Generally
the following records are held for health and safety purposes:

. Details of fire wardens and first-aiders. This information may be disclosed to the
emergency services to assist in managing an incident should one occur. Employees should
be aware of this disclosure of their personal data.
. Accident books and incident logs. These will necessarily contain sensitive data relating to
the physical and/or mental health of those involved in an accident at work.
. Visitors’ books. These require visitors to supply personal data and should be supported by
subject information.
. Claims files. These may contain sensitive data relating to an incident. The data will be
disclosed to insurers. The processing of this personal data is covered by an exemption as
being necessary for the purposes of defending legal rights. An insurance claim is made
when an organization recognizes that someone has made, or is likely to make, a legal claim for
liability against it.

Issues surrounding the use of medical testing for health and safety purposes are considered
below.

SUGGESTED ACTIONS
. Check that lists of fire wardens and first-aiders are accurate and kept up to date and that
there is a procedure to ensure this is always the case.
. Ensure that fire wardens and first-aid-certificate holders receive appropriate subject
information so that they are aware of the extent of personal data used for these
purposes, the parties to whom it will be disclosed and any other relevant information.
See page 13.
. Include appropriate subject information in or near to visitors’ books so that the persons
who are required to supply details are aware of the reasons why the information is
required. Again, page 13 is relevant.
. Include appropriate subject information in accident books so that the persons required to
supply details are aware of the reasons why the information is required. (Page 13 is also
relevant here).
. Amend the wording in accident books to include an explicit consent clause to the
processing of sensitive data. (See page 16).
. Check the security arrangements for claims files, which may be held outside the HR
department.

Medical testing
Many employers require their employees to undergo medical tests. The most common
circumstance is on appointment, when this is made ‘subject to’ a satisfactory medical.
Another situation where a medical might be required is if an employee is absent from work
for a long period due to illness. The employer might require the employee to undergo a
medical to assess their suitability for work or to support a claim made against permanent
health insurance (long-term sick pay).
In addition there are industries and work-related activities which carry a high risk factor
concerning the health of the employee: for example, using a pneumatic drill is potentially
harmful to an individual’s hearing and using a VDU screen potentially damaging to one’s

eyesight. These are circumstances where the medical testing of current employees might be
required.

THE IMPACT OF THE EMPLOYMENT PRACTICES DATA PROTECTION CODE


At the time of going to print the ‘Medical Testing’ section of the Employment Code was still
in draft form, but substantial amendments to the draft were not anticipated. The
Employment Code supplements existing legislation which gives patients the right to view
their medical records, such as the Access to Medical Reports Act 1988 (‘AMRA’), and the
provisions of such legislation continue to apply.
If the employer intends to obtain information about its employees from medical
testing, then the Employment Code also applies.11 Note that the results of some medical
tests are not reported back to the employer. For example, the results of an eyesight test
undergone by a computer operator may not be required by the employer and never come
within its control. The Employment Code would not apply in these circumstances. Nor
would it apply if the results of the testing were not communicated to the employer in
written form. A clinic or doctor might perform a pre-employment medical and simply advise
the employer by telephone that the individual was fit for employment.
Where the Employment Code does apply, the prerequisite for any medical testing is
to establish clearly the business purpose that the testing is to achieve. For example,
pre-employment medicals are required to ensure that new employees are fit for the positions
for which they have been accepted. Eyesight tests for VDU operators are required to meet a
statutory obligation. Medical tests for employees on long-term sick leave may be required in
connection with permanent health insurance claims (that is, claims made under a long-term
sick pay scheme) or for work and succession planning purposes.
The Employment Code differentiates between the medical testing of prospective
employees and that of current employees. The medical testing of current employees should
only be undertaken on a voluntary basis unless it is both necessary and a proportionate
reaction to a significant health risk, or, in the case of an individual on long-term sick leave,
to establish continued unfitness for work and qualification for benefits under any
permanent health scheme.12
The Employment Code recommends that in deciding whether medical testing is a
necessary and proportionate measure an employer should carry out an assessment of the
likely reduction in risk or other benefits balanced against the extent of intrusion for the
individual. For example, employers are encouraged to consider using medical questionnaires
rather than making prospective employees undergo a medical examination. So an
assessment of the risk the employer is trying to avoid or mitigate is an essential first step.
The next step is to consider if there are other ways of avoiding or mitigating the risk, which
would avoid the necessity for medical testing. This process should be documented at every
stage so that the employer can show that it has duly considered the issues raised in the draft
‘Medical Testing’ section of the Employment Code.

11. Draft Medical Testing benchmarks and Record Management, Sickness and Accident Records,
benchmarks.
12. Draft Medical Testing benchmarks.

MEDICAL TESTING FOR HEALTH AND SAFETY


Medical testing undertaken for purposes of meeting health and safety requirements must
also be proportionate to the risk and must be carried out only on employees who are at risk.
Introducing company-wide medical tests so as not to differentiate between workers or to
encourage those in high-risk occupations to undergo tests is not advisable as it conflicts with
the draft benchmarks. For further discussion of data protection issues relating to health and
safety, see page 66.

CONSENT
The Employment Code strongly recommends seeking the consent of workers to medical
testing. This apparently conflicts with the Information Commissioner’s stance in relation to
the unreliability of consent in the employer/employee relationship. (See page 21). However,
there is little alternative to consent in these circumstances, and in requiring consent the draft
Employment Code can at least specify that employees should be fully informed of the need
for medical testing and the likely consequences arising from the results.

RELEVANCE OF PERSONAL DATA PROCESSED


Information obtained as part of a medical test which is not strictly necessary for the purpose
of the tests must not be processed. The example in the draft ‘Medical Testing’ section of the
Employment Code involves a medical test showing that an individual is pregnant, a factor
not relevant to the individual’s ability to work safely. Information obtained in this way must
not be used for other, more general, employment purposes.

PROCESSING SENSITIVE DATA


All medical data is classified as ‘sensitive data’ under the Act, and there are tighter controls
over processing such data. The key current requirement is to meet one or more of the
conditions for fair processing set out in Schedule 3 to the Act. See page 16 for an explanation
of the requirements and consideration of the different applicable conditions.
Confidentiality is another key requirement when dealing with sensitive data. The
‘Record-Keeping’ section of the Employment Code has a section of recommendations
relating to sickness and absence records. It recommends that sickness records be kept
separately from absence records and that absence records (without a note of the reason for
absence where it is related to illness or injury) be used in preference to sickness records for
routine data processing.13 For example, the payroll department might need to know which
employees worked which days during the month for payroll calculation purposes, but the
reason for absence might not be relevant unless statutory sick pay was being reclaimed and
at no time should payroll personnel be privy to information about the nature of the illness
or injury.
There is a general duty of confidentiality concerning sickness records.14 The Employment
Code also recommends that confidentiality is maintained within the employing

13. Record Management, Sickness and accident records, benchmark 1.
14. Record Management, Sickness and accident records, benchmark 3.

organization. For example, other employees should not be supplied with details relating to
employee sickness unless the disclosure is to the employee’s manager who requires the
information for management and supervisory purposes. In particular, the Employment
Code disparages the practice of publishing a sickness ‘league table’ to compare the number
of days different employees are absent from work.

TESTING FOR DRUG OR ALCOHOL USE


The draft Medical Testing section of the Employment Code sets out recommended best
practice for undertaking the drug and alcohol testing of employees. In addition to the
general benchmarks for medical testing, key requirements are that drug and alcohol tests
should be undertaken on a voluntary basis unless there is a significant health and safety
purpose. The employer should establish a real necessity for the testing and be able to
demonstrate that the tests are a proportionate response to the safety risk both in relation to
the type of testing and the range of employees tested. For example, if drug and alcohol tests
are carried out on train drivers, there is no justified basis for extending the tests to
managerial staff simply to set a good example. For managerial staff to be tested there must
be a need: for instance, if they are routinely involved in work where the use of drugs or
alcohol could affect the safety of other individuals.
The results of drug and alcohol tests can significantly affect employees’ careers and
lives; thus the draft benchmarks stress the importance of using tests and testing procedures
of the highest technical quality.
Generally, covert testing will only be justifiable with the involvement, and on the
advice, of the police.15

GENETIC TESTING
It is accepted that genetic testing might be valid on health and safety grounds in exceptional
circumstances. The draft benchmarks in the Employment Code relating to genetic testing
are based on the conclusions of the Human Genetics Advisory Commission, which has
examined the implications of such testing in the employment arena.
In addition to the general requirements for medical testing, the key requirements for
genetic testing are that it should be undertaken on a voluntary basis unless there is a
significant health and safety risk posed by a particular employee or where it is known that a
specific working environment or practice poses a specific risk to employees with particular
genetic variations.
The draft benchmarks stress the importance of using tests of the highest technical
quality and reliability. The results of any test must always be communicated to the person
tested and professional advice and support should be made available when the results are
communicated.
If it is known that an individual has previously undergone a genetic test, they should
not be required to disclose the results of that test except where the information is needed to
show susceptibility – or lack of it – to harm from performing a job or to help assess current
ability (or inability) to perform a job safely.

15. Draft benchmarks from ‘Medical Testing’ section of the Employment Code.

SUGGESTED ACTIONS
The following is a checklist of actions to meet the recommendations in the draft Medical
Testing section of the Employment Code.

. Establish and document a clear business need for the testing.
. Ensure either that employees required to undergo testing have volunteered or that you
can demonstrate that the testing is required for health and safety purposes and that
employees’ rights have been taken into account.
. Ensure that the organization is meeting one or more of the conditions for the fair
processing of sensitive data. (See page 16).
. Explain the consequences of testing and of any adverse findings to employees prior to
undertaking any tests.
. If carrying out tests for drug or alcohol use, ensure that the tests used are of the highest
technical quality.
. If carrying out genetic testing, the results must be fully explained to the employee and
professional advisers should be available to provide support and guidance.

Company credit cards


A normal company credit card arrangement operates with the employee being given a
credit card in the company name. Statements on the account are sent direct to the
employer for payment. Most employers will check the expenditure itemized on the credit
card bill to ensure that only legitimate business expenses are processed through their
accounts.
Even where the employer allows the use of company credit cards for personal expenses
(that is, expenses not related to the business), these will not be allowed for tax purposes on
its trading accounts. If the employer does not require the reimbursement of personal
expenses by the employee, the total expenses will be taxable on P11D. Therefore the
employer needs to monitor the use of company credit cards and to distinguish personal
expenditure from legitimate expenses incurred on behalf of the company or when carrying
out authorized, business-related, activities.
The disclosure of employees’ spending habits constitutes a disclosure of personal data,
even in relation to business expenses. The credit card statements will identify specific
employees or allow them to be identified for the reasons outlined above.
Therefore subject information provided to employees who have the use of company
credit cards needs to cover this use and disclosure of their personal data.
Also, the position of the employer in relation to the credit card company needs to be
considered. The credit card company acts as a data processor in handling personal data
relating to company card users. This is a relationship that requires appropriate contractual
clauses to meet the requirements of the Seventh Principle. (See Chapter 7).
Finally, the monitoring of employees’ activity falls within the Employment Practices
Data Protection Code. Checking credit card statements is a form of monitoring. See Chapter
5 for a full explanation of how the Employment Code impacts on monitoring activity and
suggested actions to take.

SUGGESTED ACTIONS
. Ensure that employees are fully aware of the disclosure of personal data between employer
and the credit card company. (Refer to page 13).
. Treat credit card statements as personnel information. (Refer to page 61).
. Check that appropriate data protection terms are included in the agreement between the
employer and the credit card company. (Refer to Chapter 7).
. Confirm that appropriate actions are taken in relation to monitoring. (See Chapter 5).
11 Marketing to staff
CHAPTER

If the organization is marketing to its own employees, the requirement is for an opt-out
clause to be provided before the personal data is processed for marketing purposes. This
means explaining that employee personal data will be used for marketing purposes in
subject information at the first contact with the data subject. This will probably be on the
application form or at interview. At the same time a marketing opt-out must be provided
and observed.
If the organization intends to allow third parties to market to its employees, an opt-in
clause is required. Note that in a group of companies where all staff are employed by a
service company, the promotion of other group companies’ products and services to staff
will require an opt-in.

Suggested clause wordings


Marketing opt-in clause
If you would be happy to receive details of offers on products and services from third parties,
please tick this box.

Marketing opt-out clause


We would like to tell you about our products and services from time to time (and a staff discount
is available). If you would prefer not to receive this information please tick this box.

AFFINITY BRANDING
An alternative method of marketing group products would be to undertake affinity branding
or hosting. The employer presents the product or service as its own. The fulfilment of
purchase orders is outsourced to the product or service provider. The product or service
provider is a data processor, processing employee personal data on behalf of the employer,
so the actions outlined in Chapter 7 are relevant.

SUGGESTED ACTIONS
. Check that employees are aware that their personal data will be (or is being) used for the
purposes of marketing. An established history of using employee data for marketing plus
appropriate subject information for new employees is required. If marketing to
employees is a new venture that has not previously been communicated to employees,
then:

. Advise employees in writing that the company wishes to use employee personal data to
promote its own or another company’s goods and services and seek their consent to such
use (an ‘opt-in’).
. Remember that other group companies must be treated on an arm’s length basis.
. Incorporate further data subject information into your proposed marketing material.
Follow the actions suggested on page 13 and add an opt-out consent clause to the use of
personal data for the purposes of marketing, including any data-sharing or disclosure to
third parties.
. Put in place a procedure to deal with requests from employees not to use their personal
data for marketing. (See page 10).
. Adhere to your own industry codes of practice and those of the Direct Marketing
Association.
. If you intend to access databases of other group companies, check that appropriate data
subject information notices were provided to employees explaining that their personal
data would be used by third parties to promote goods and services and that they were
given an opportunity to opt out of such promotions.
. As other group companies must be treated on an arm’s length basis, employees are
required to opt in in order to receive marketing material (including e-mails etc.) about
group products or services unless these can be badged as being provided by the employer.
(See Chapter 7).
PART II Explanation of the legal requirements

12 Definitions
CHAPTER

The problem with legal definitions is that they include other defined terms. To understand
each definition you need to have knowledge of the others. Therefore each of the definitions
below is explained in plain English before the technical, legal, aspects of each are
considered.

‘Personal data’
Personal data is information which relates to a living person. An individual’s name and
address are personal data relating to him or her. The following are examples of personal data
relating to most of us:

. Details and histories of bank accounts held by banks.
. Details and histories of mortgages held by building societies.
. Medical records held by doctors and hospitals.
. Tax and National Insurance records held by the Inland Revenue.
. Dental records held by dentists.
. Records of eyesight and eye problems held by opticians.
. Our shopping habits and purchase histories held by credit card and store card
companies.
. Details of household gas and electricity consumption held by utility companies.
. Details of properties held by the local council.
. Images caught by CCTV in shops.
. Employment records held by employers.
. Student records held at colleges and schools.
. Buying habits recorded when using loyalty ‘club cards’.
. Vehicle ownership and driver’s licence details held by the DVLA.
. Names and addresses for direct marketing held by any organization which sends out
marketing material.
. Membership records maintained by clubs, societies, professional and trade bodies.
. Library membership records.
. Pension records held by pension scheme trustees and administrators.
. Insurance details.

The list could go on, but it illustrates the breadth of the subject and starts to indicate some
of the issues.

KEY POINTS TO NOTE

The definition of ‘personal data’ under the 1998 Act is wider than that under the 1984 Act
because it includes the following, not previously included:

. Data which is not immediately identifiable with an individual until referenced to another
file, or even a manual list. The 1984 Act definition specified that personal data meant data
that could be processed by reference to the data subject. Under the 1998 Act, data need not
be processed by reference to the data subject so long as they can be identified from either
the data or other information controlled by the data controller. For example, a list of
National Insurance numbers is personal data because these can be cross-referenced with
the individuals to whom they relate.
. The future intentions and opinions of the data controller in relation to the data subject
are now specifically included where previously they were excluded. This has an impact on
interview notes. Previously interview notes, as the opinion of the interviewer, were
exempt from data protection law; they are now within the definition and subject to data
protection provisions such as subject access.
. The requirement remains for personal data to relate to a living individual. Therefore data
relating to a corporate entity is not personal data. Although companies have a legal
existence, they do not have a physical existence; they act through their employees,
officers and directors. Information relating to these persons is personal data, even where
the information comprises bare contact details. If the individual is identifiable then the
information is personal data, even though – as with a business contact address – it may
relate to a business.
. Business information relating to a sole trader is personal data because it relates to the
individual and not to a company or other organization. Similarly, information relating to
a partnership which can be related to one of the partners is personal data.
. CCTV images and photographs of people who can be identified from them are personal data.
. Personal data may be held in a variety of media, including on a computer, on microfiche,
in paper records, in index card systems, in diaries and address books and in back-up
material. It may be held in current files and in archive files and records.

TECHNICAL DEFINITION OF PERSONAL DATA

Section 1(1) of the Data Protection Act 1998 defines data as:

information which:
a) is being processed by means of equipment operating automatically in response to instructions
given for that purpose,
b) is recorded with the intention that it should be processed by means of such equipment,
c) is recorded as part of a relevant filing system or with the intention that it should form part of
a relevant filing system, or
d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined
by section 68.

Data, therefore, is information that is processed automatically. This includes information
held on a personal computer, in programmed telephones and fax machines, on microfiche and
in imaged documents. It is also information forming or intended to form part of a relevant
filing system, which potentially includes paper in filing cabinets, paper on desks, paper in
archives, diaries and address books, ‘little black books’, Rolodex cards, index card files, etc.
It may also be an accessible record, which is one that is a health record, an educational record
or an accessible public record, all of which are defined terms considered below.
Section 1(1) then defines personal data as data

which relate to a living individual who can be identified:
a) from those data, or
b) from the data and other information which is in the possession of, or is likely to come into the
possession of, the data controller and includes any expression of opinion about the individual
and any indication of the intentions of the data controller or any other person in respect of the
individual.

The elements of the definition are:

. Personal data relates to a living individual, not a company or charity or club. Nor does it
relate to deceased persons.
. The individual must be identifiable either from the data or from other information to
which the data controller has access.

‘Data subject’
This is the individual to whom personal data relates. A data subject need not be a United
Kingdom national. Any data relating to a living individual which is processed in the United
Kingdom is subject to the provisions of the Act. This applies whether the individual is
British, an EC citizen or located in a territory outside the EEA.
In the HR context, data subjects are employees, ex-employees and prospective
employees. Temporary workers, consultants, professional advisers, suppliers of goods and
services are also data subjects.

TECHNICAL DEFINITION OF ‘DATA SUBJECT’

The Act states that: ‘“data subject” means an individual who is the subject of’ personal data.

‘Data controller’
The data controller is the party (organization, company, club or individual) which makes
decisions about the personal data to be processed. It decides the purposes for which personal
data is to be processed, what personal data is required and how it is obtained.
A trading company is the data controller of personal data connected with the business,
its customers and suppliers. An employing company is the data controller of employee
personal data. The trustees of a pension scheme are the data controller of personal data
relating to past and present members of a pension scheme and their dependants. A charity is

the data controller of membership and subscriber lists. A club is the data controller of
personal data of its members, and so on.

TECHNICAL DEFINITION OF ‘DATA CONTROLLER’

Section 1(1) of the Act provides: ‘“data controller” means. . . . . .a person who (either alone or
jointly or in common with other persons) determines the purposes for which and the manner in
which any personal data are, or are to be, processed.’
The elements of the definition are:

. The data controller is the party which determines the purposes for which and the manner
in which personal data are processed. This is indicative of control over personal data. Note
that data protection law never concerns itself with concepts of ‘ownership’ of data. The
key element is control: the data controller is the one or more party which makes decisions
about the processing of personal data. So, for example, an employer which outsources its
payroll administration is a data controller because it gives instructions to the payroll
service provider about the administration of the payroll, who is to receive salary, on what
basis and subject to what timings, etc.
. Two or more bodies may be data controllers in relation to the same personal data. In the
example of processing personal data for payroll administration purposes, the Inland
Revenue and the National Insurance Contributions Agency will both operate as data
controllers in relation to payroll data (including personal data) supplied by the employer.
Employer, Inland Revenue and National Insurance Contributions Agency all process
personal data as data controllers and for different purposes.

‘Processing’
‘Processing’ is used in a very wide sense in relation to data protection. It includes obtaining,
using, holding and destroying and deleting personal data. Basically the term means
anything that might be done to or with data.

TECHNICAL DEFINITION OF ‘PROCESSING’

Section 1(1) of the Act provides:

‘processing’, in relation to information or data, means obtaining, recording or holding the
information or data or carrying out any operation or set of operations on the information or data,
including:
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, dissemination or otherwise making
available, or
d) alignment, combination, blocking, erasure or destruction of the information or data.

‘Data processor’
A data processor is the party which carries out the processing of personal data on behalf of
another. It is providing a service in which it has no real interest except where it is paid for
the processing. In a group of companies, whichever one owns the computer equipment is
technically a data processor on behalf of the other companies in the group which use the
computer equipment.
Using the example of a payroll service provider, the data controller is the employer as
outlined above (see the definition of ‘data controller’), while the service provider processes
personal data on behalf of the data controller. The data processor – in this example, the
payroll service provider – has no interest in the data except that it is remunerated by the
data controller for carrying out the processing activity.

KEY POINT TO NOTE

A key point in this definition is that employees of the data controller are specifically
excluded from the definition. Employees fall within the authority of the data controller for
data protection purposes unless they commit some act outside that authority.

TECHNICAL DEFINITION OF ‘DATA PROCESSOR’

Section 1(1) of the Act reads: ‘“Data processor”, in relation to personal data, means any person
(other than an employee of the data controller) who processes the data on behalf of the data
controller.’

European Economic Area (EEA)

The following countries are currently within the EEA: Austria, Belgium, Denmark, Finland,
France, Germany, Greece, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands,
Norway, Portugal, Spain and Sweden.
Check that the list is up to date by referring to the web site of the Information
Commissioner (see below).1

TECHNICAL DEFINITION OF ‘EEA’

Section 70(1) of the Act defines ‘EEA State’ as: ‘A State which is a contracting party to the
Agreement on the European Economic Area signed at Oporto on 2nd May 1992 as adjusted by
the Protocol signed at Brussels on 17th March 1993.’

‘Relevant filing system’

This definition relates only to paper files and whether or not they are covered by data
protection law. The original intention was that not all paper files should be included in data
protection law, and this definition was the way to distinguish between those files which
should be included and those which should not. In practice, the definition is probably
unimportant because the Information Commissioner has put forward the view that all paper
files are included and – unless your organization wants to run a test case through the courts
– the view of the regulator is best followed.

1. www.dataprotection.gov.uk.

THE TECHNICAL DEFINITION OF ‘RELEVANT FILING SYSTEM’

Section 1(1) states:

‘Relevant filing system’ means any set of information relating to individuals to the extent that,
although the information is not processed by means of equipment operating automatically in
response to instructions given for that purpose, the set is structured, either by reference to
individuals or by reference to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible.

The elements of the definition are:

. A set of information relating to individuals which is not processed by means of equipment
operating automatically in response to instructions given for that purpose, that is,
information not held on computer.
. The set is structured, that is held in a filing system.
. The system is structured either by reference to individuals or by reference to criteria
relating to individuals, in such a way that specific information relating to a particular
individual is readily accessible.

Guidance from the office of the Information Commissioner suggests that the first criterion
to establish is whether the information is a ‘set’ or grouping of information such as HR files
or customer files. Then consider whether the information has a structure either based on
identifiers such as name or employee number or by reference to criteria relating to
individuals, for instance age, type of job or membership of a particular organization. Finally,
consider whether the system allows specific information relating to an individual to be
readily accessed.
This guidance means that any and all filing systems lie within the definition. A
representative from the Commissioner’s Office (on a Data Protection compliance seminar)
stated that even an individual’s messy desk could be regarded as structured because the
individual would be able to locate any particular piece of information on that desk if asked.
At a conference in February 2002 the Information Commissioner, Elizabeth France, said in
relation to the definition of a relevant filing system that ‘if you can find it for the boss, it’s
caught; if not, why are you keeping it?’ This wide interpretation of relevant filing system
may not be what was originally intended by Parliament. However, the regulator’s view must
be given due consideration and weight although there are recent signs that there may be
some opposition to the Commissioner’s view from the Courts.
In a County Court case, Durant v FSA, the Court considered the meaning of ‘relevant
filing system’. A manual personnel file with the employee’s name on the front was not
found to be a ‘relevant filing system’ and, therefore, the information contained in the file
was not ‘personal data’ for the purposes of the Data Protection Act 1998.

This is the first case on the definition and for the first time there is a move away from
the very wide definition applied by the Information Commissioner. Until now the position
has been that every piece of paper has been deemed reasonably accessible and, therefore, the
information on it has been classified as ‘personal data’. The Court considered that the
information in the file was reasonably easily accessible but nonetheless, the file was not
within the meaning of ‘relevant filing system’.
The implications of the case are to introduce a degree of uncertainty when dealing with
paper files as to whether or not they are caught by the definition of personal data by virtue
of being in a ‘relevant filing system’. There will need to be more case law before certainty is
established. In the meantime employers may rely on the Durant case on a carefully judged,
ad hoc basis, for example, if specific material held in a paper file was to be excluded from a
response to a subject access request. A risk-averse employer will not want to run the chance
of being the next test case. Obviously a total overhaul of HR procedures in reliance on the
Durant judgement would be premature.

‘Notification’
Notification is not a defined term but arises from the notification regulations made pursuant
to the Act. It means arranging for an entry on the Data Protection Register showing the
name of the organization involved in the processing of personal data, the purposes for
which personal data is processed, and the categories processed. If the notification
regulations require an organization to register, then processing without registration is
prohibited.

Safe Harbor
This is a scheme operating in the United States whereby organizations formally agree to
follow a set of data protection principles and guidance. It is regulated by the United States
Department of Commerce and approved by the European Commission as offering an
adequate level of protection for the transfer of personal data to US organizations that have
signed up to the scheme.

‘Sensitive data’
A plain English interpretation cannot add to the technical definition, which is set out in
Section 2 of the Act and provides that:

Sensitive personal data means personal data consisting of information as to:

a) The racial or ethnic origin of the data subject,
b) His political opinions,
c) His religious beliefs or other beliefs of a similar nature,
d) Whether he is a member of a trade union (within the meaning of the Trade Union and Labour
Relations (Consolidation) Act 1992),
e) His physical or mental health or condition,
f) His sexual life,
g) The commission or alleged commission by him of any offence, or
h) Any proceedings for any offence committed or alleged to have been committed by him, the
disposal of such proceedings or the sentence of any court in such proceedings.

This is an exclusive definition. No other classes of data are ‘sensitive’ data.

‘Accessible record’
Section 68 of the Act provides that:

1) In this Act ‘accessible record’ means:
a) a health record as defined by subsection (2),
b) an educational record as defined by Schedule 11, or
c) an accessible public record as defined by Schedule 12.
2) In subsection (1)(a) ‘health record’ means any record which:
a) consists of information relating to the physical or mental health or condition of an
individual, and
b) has been made by or on behalf of a health professional in connection with the care of that
individual.

Schedule 11 provides the definition of an educational record, but it relates exclusively to
schools. It does not cover Continuing Professional Development records or other records
maintained of training undergone by employees.

Pursuant to Section 69, a ‘health professional’ means any of the following:

a) a registered medical practitioner (a ‘registered medical practitioner’ includes any person who
is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in
such employment as is mentioned in subsection (3) of that section).
b) a registered dentist as defined by section 53(1) of the Dentists Act 1984,
c) a registered optician as defined by section 36(1) of the Opticians Act 1989,
d) a registered pharmaceutical chemist as defined by section 24(1) of the Pharmacy Act 1954 or
a registered person as defined by Article 2(2) of the Pharmacy (Northern Ireland) Order
1976,
e) a registered nurse, midwife or health visitor,
f ) a registered osteopath as defined by section 41 of the Osteopaths Act 1993,
g) a registered chiropractor as defined by section 43 of the Chiropractors Act 1994,
h) any person who is registered as a member of a profession to which the Professions
Supplementary to Medicine Act 1960 for the time being extends,
i) a clinical psychologist, child psychotherapist or speech therapist,
j) a music therapist employed by a health service body, and
k) a scientist employed by such a body as head of department.

Table of sources of definitions in the Data Protection Act 1998

Taken from Section 71 – Index of defined expressions (each expression is followed by the
section number in which it is defined):

Accessible record 68
Address (in Part III) 16(3)
Business 70(1)
The Commissioner 70(1)
Credit reference agency 70(1)
Data 1(1)
Data controller 1(1) and (4)
Data processor 1(1), (4) and 63(3)
The Data Protection Directive 70(1)
Data Protection Principles 4 and Schedule 1
Data subject 1(1)
Disclosing (of personal data) 1(2)(b)
EEA State 70(1)
Enactment 70(1)
Enforcement notice 40(1)
Government department 70(1)
Health professional 69
Inaccurate (in relation to data) 70(2)
The non-disclosure provisions (in Part IV) 27(3)
Notification regulations (in Part III) 16(2)
Obtaining (of personal data) 1(2)(a)
Personal data 1(1)
Processing (of information or data) 1(1) and Paragraph 5 of Schedule 8
Recipient (in relation to personal data) 70(1)
Recording (of personal data) 1(2)(a)
Relevant filing system 1(1)
Sensitive personal data 2
The subject information provisions (in Part IV) 27(2)
Third party (in relation to processing of personal data) 70(1)
Using (of personal data) 1(2)(b)
CHAPTER 13 Introduction to the Principles

All businesses are under a legal duty to comply with the Data Protection Act 1998. The only
exception from compliance with the Act is for a private individual who processes personal
data for domestic and family purposes only. It follows that all employers are likewise under a
legal duty to comply with the Act.
This section of the book covers the legal requirements of the Data Protection Act 1998.
It starts with the definitions and moves through an in-depth consideration of the eight Data
Protection Principles. Consideration of data subject rights are explained in Chapter 19.
The Data Protection Principles are the backbone of the compliance requirements of the
Act. They are set out in Schedule 1 of the Data Protection Act 1998. The Schedule is divided
into two parts. Part I contains the bare text of the Principles. Part II, entitled ‘Interpretation
of the principles in Part I’, sets out some further requirements for compliance with the
Principles as well as giving some guidance as to what is expected in order to meet
compliance standards.
Schedule 1 is incorporated into the Act by Section 4. This section also provides that it
is the duty of the data controller to comply with the Principles in relation to all personal
data with respect to which he is the data controller. At this point, therefore, there is no
duty on data processors to comply with the Principles. The distinction between data
controllers and data processors is critical as a result, and a significant part of later chapters
is devoted to identifying and analysing the relationship between data controllers and data
processors.
The Sixth Principle requires data controllers to have regard to the rights of data subjects
under the Act. Subject rights are set out in Part II of the Act, Sections 7–15. Since October
2001 all the subject rights have been in force, although subject access to certain, limited,
paper files can still benefit from the exemption provided by the second transitional period.
As this exemption is restricted to manual data subject to processing already under way as at
24 October 1998 and personal data processed for certain historical research purposes only, it
is not dealt with in this book.
Each chapter on the Principles starts with a short introduction, considers the actual
wording of the Principle or subject right, and then provides an analysis of the meaning.
Examples are given where these are appropriate.
Where guidance has been published by the Information Commissioner, and it assists in
understanding the legal requirements, this is included. As the Data Protection Principles
remain largely unchanged since their introduction under the Data Protection Act 1984,
reference is made to guidance issued in relation to the 1984 Act where it is thought to be still
relevant and helpful in interpreting current law.

The Employment Practices Data Protection Code

During 2002 the Information Commissioner published the two largest sections of the four-
part Employment Practices Data Protection Code (‘the Employment Code’). It sets out best
practice for the processing of employee personal data.
The chapters on the Principles include reference, where appropriate, to the Employment
Code. The Employment Code helps to illustrate how the Principles apply to HR activities
and, as a published code of practice, it will be used as a standard against which employers’
compliance with the Principles will be measured.
The Employment Code does not have the force of law, and any enforcement action
would be based on failure to meet the requirements of the Act rather than the Code. The
Code constitutes the Information Commissioner’s recommendations as to how the legal
requirements of the Act can be met. The Commissioner has stated that relevant benchmarks
in the Employment Code would be raised in any enforcement action in relation to the
processing of personal data in employment. It was also said that failure to meet the
particular benchmarks in the Employment Code is likely to mean that the employer is not
complying with the Act. However, although employers may seek alternative ways of
meeting the legal requirements, it should be borne in mind that the Employment Code sets
out the regulator’s recommendations and these must be given due consideration and
weight. So, although the Employment Code does not have the force of law, employers need
to meet the benchmark standards or be able to explain why a particular benchmark does not
apply to them.
Other bodies will also use the benchmark standards in the Employment Code as a
measure of accepted industry best practice. For example, employment tribunals are likely to
use the Code as a reference.
As a reference document for employers, the Employment Code effectively considers
how the Act applies in the HR context and sets out best practice for complying with its
provisions. As such it is a useful starting point for data protection compliance within the HR
function at the least.
The Employment Code applies to personal data held for the purposes of employee
administration, which includes the payment of salaries and the administration of other
employee benefits.
The data subjects are:

. Employees.
. Ex-employees.
. Prospective employees.
. Employees’ families.
. Temporary staff.
. Contract staff.

Personal data in this context is likely to include:

. Personnel files on computer and in paper form.
. Training records relating to employees and other organizations’ employees if you run an
accredited training scheme on behalf of others.

. Recruitment files (application forms and interview notes, even those relating to
unsuccessful candidates).
. Supervisors’ records.
. Sickness records where individual employees are named or can be identified from other
information such as an employee number.

The Employment Code was put forward by the Information Commissioner as a draft
document in 2000. There has been extensive consultation with industry and worker
representative bodies. It is being issued in tranches, and there are four parts:

. Record keeping.
. Recruitment.
. Monitoring at work.
. Medical information (not yet issued in final form).1

Each part is designed to stand alone and starts with standard sections explaining the
perceived status of the Employment Code and continues with benchmarks applying to the
management of data protection compliance within HR. Each part of the Code includes
benchmarks and examples.
The following chapters deal with the substantive law, but references to relevant
benchmarks from the Employment Code have been included. The key issues for compliance
were highlighted in Part I.

1. As at August 2003.
CHAPTER 14 The First Principle

Interpreting the First Principle

The First Data Protection Principle requires data controllers to process personal data fairly
and in accordance with any relevant law. For employers this means the fair and legal
processing of personal data relating to employees, prospective employees, ex-employees,
temporary and contract workers.
In addition to the general duty to process personal data fairly and lawfully, data
controllers must meet specified requirements otherwise their personal data processing will
not be deemed fair. The first of these specified requirements is that the purpose for which
personal data is being processed must meet one or more of the conditions for fair processing
set out in Schedule 2 to the Data Protection Act 1998. In addition, if sensitive data is being
processed (that is, data relating to health, race or ethnic origin, membership of a trade
union, religious or political beliefs, sex life or criminal records), the purpose for which it is
being processed must also meet one or more of the conditions for the processing of sensitive
data set out in Schedule 3 to the Act.
The second specific requirement for fair processing is that data subjects must be given
certain information about the data controller and the purposes for which personal data is to
be processed. In relation to employment, this means that employees and prospective
employees must be given information about the employer and the uses to which it puts
employee personal data.
In summary there are three aspects of fair processing under the First Data Protection
Principle. These are:

. The general duty to process fairly and lawfully.
. The requirement to meet one or more of the conditions for fair processing.
. The requirement to supply subject information.

Each of these aspects needs to be considered separately.

The general duty to process fairly and lawfully

‘Fair and lawful’ is given its plain English meaning. When deciding whether or not a data
controller is processing fairly, the Information Commissioner’s Office will look at the facts
of the case and decide whether or not the processing was fair in relation to that particular
case as well as whether or not the processing was generally fair. This is important because it
is possible for processing generally to be fair but for one person not to be treated fairly due
to procedures not being followed properly. For example, if recruitment procedures require
pre-employment vetting by credit reference search, candidates should have this explained
to them. If normal recruitment procedures provide for this explanation to be given before
the first interview – say, in the letter inviting the applicant for interview – and it is not
explained to one particular candidate, albeit accidentally, then the processing will not be
fair in relation to that one candidate. It may have been fair in relation to the majority of
candidates, but in this one isolated case it was not. The test of fairness is applied to each
individual data subject, not to the procedure in general.

HOW IS FAIRNESS ASSESSED?

The Information Commissioner has expressed the view that in assessing fairness, first and
paramount consideration must be given to the consequences of the processing to the
interests of the data subject. This view has been supported by the Data Protection
Tribunal.1
Some of the questions the Information Commissioner’s Office will ask when assessing
fairness are:

. Was the person supplying the data under the impression that it would be kept confidential
by the data controller, and was that impression justified by the circumstances?
. Was any unfair pressure used to obtain the information? Were any unjustified threats or
inducements made or offered?
. Was the person improperly led to believe that they must supply the information, or that
failure to provide it might disadvantage them?

LAWFUL PROCESSING
Again, ‘lawful processing’ is given its plain English meaning. Personal data must be
processed in accordance with any relevant legal requirements. These need not be criminal
offences; lawfulness also relates to civil law. For example, if personal data is processed under
a duty of confidentiality – bank or medical details, say – then the disclosure of that personal
data in breach of the duty of confidentiality will be unlawful. Similarly if a contract includes
a provision that personal data will not be retained for longer than a specified period, then a
party to the contract that retains the data beyond the specified period will be processing
personal data unlawfully.
In relation to employment law, processing payroll information to make unauthorized
deductions from salary would constitute unlawful processing.
An important development in relation to lawful processing is the Human Rights Act 1998, in
force since October 2000, which gives effect in UK law to various rights for individuals,
including the right to respect for private and family life, home and correspondence. Any
system which purports to monitor employee performance or behaviour must therefore include
procedures and policies to safeguard this right to respect for individual privacy. Data
protection and human rights work together to increase privacy for individual employees.

1. CCN Systems Limited and CCN Credit Systems Limited v The Data Protection Registrar, case DA/90
25/49/9 and Infolink v The Data Protection Registrar, case DA/90 25/49/9.

EXAMPLES FROM THE EMPLOYMENT PRACTICES DATA PROTECTION CODE

The Employment Code applies the Principles specifically in relation to HR activities, so it is
essential reading to gain an understanding of how the Principles apply and how the
Information Commissioner’s Office is likely to interpret them.
The Employment Code recommends that where information is sought from a third
party in support of a candidate’s application for employment, a signed release should be
obtained from the candidate. This ensures that the data subject is aware that information is
being sourced from a third party if there is no other indication of consent. Normally,
requiring a candidate to provide contact details for third parties prepared to give references
will suffice to meet fair processing requirements, but there may be other occasions when it
would be appropriate to seek further consent. An example of this would be if further
references were to be required after appointment as part of an assessment of suitability for
promotion, or if information was to be sought from a school or university where no specific
contact details for reference purposes had been provided by the data subject.2 In addition,
the candidate should be given the opportunity to explain any discrepancies that the
information reveals. This provides a check on the accuracy of the material sourced from the
third party as well as meeting fair processing requirements.3
A further recommendation relates to the way that personal data is assessed when a
recruitment decision is being made. The Employment Code provides that the processing
should be consistent, so that it is ‘fair’.4
If the employer undertakes pre-employment vetting, it should be made clear to the data
subject that vetting will take place and how it will be conducted.5
It is fair to unsuccessful candidates to offer them the opportunity not to have their
details retained for consideration should future vacancies occur.6

SUGGESTED ACTIONS
Read the Employment Code and make sure that in-house procedures meet the benchmarks.
If there are special circumstances why you feel it is inappropriate to adopt a particular
benchmark, document your reasons and diary it for a regular review. This will show that the
benchmark has been considered, not ignored, and it will be a permanent record of reasons
which may be difficult to remember after a period of time has passed.
Think through the various HR activities: how is personal data obtained? How is it used
and disclosed? Is personal data processed fairly? When records are destroyed or deleted, is
the data or document retention policy fair to the employees and ex-employees?
You should already be aware of the legal issues relevant to HR; be aware also that
unlawful activities will constitute a breach of the First Principle if personal data is involved.
Remember that ‘unlawful’ simply means contrary to law, civil as well as criminal; there does
not have to be an offence for processing to be unlawful.

2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 4.2.
3. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 4.3 and
7.6.
4. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 5.1.
5. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 7.3.
6. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 8.5.
92 The legal requirements

The requirement to meet one or more of the conditions for fair processing
There are a number of conditions for fair processing set out in Schedules to the Act, and any
processing must meet at least one of these conditions in order to be accepted as fair by the
Information Commissioner’s Office. These are first set out in summary in the table below
and are then considered in detail with examples of how they apply in relation to HR
activities.

Condition | Comment
Consent | Not reliable in the HR context.
Contractual obligations | Covers some of the HR functions, e.g. those under a contract of employment such as payroll, but note that it covers ‘obligations’ of the data controller in relation to employment contracts, so it does not cover processing for SSP purposes or Inland Revenue returns.
Legal obligations | Covers many of the non-contractual obligations, e.g. in relation to health and safety, Inland Revenue, etc.
Vital interests of the data subject | Rarely used: ‘a matter of life or death’.
Administration of justice and government | Rare in routine HR, possibly in relation to police enquiries.
Legitimate interests | Where the interests of the data controller or a third party are deemed to outweigh the harm to the data subject. A useful condition if you want to market to employees, or in a merger or takeover situation.

CONSENT
The first condition is that the data subject has given their consent to the processing. In
general, consent to personal data processing activities is not required under current data
protection law. There are occasions when it might be necessary if no other authority applies:
for example, if sensitive data is being processed (see below) and no other condition for the
fair processing of sensitive data applies. Consent may also be needed if personal data is to be
transferred to a country outside the EEA where adequate standards of data protection do not
exist. (See page 55).
If data subjects are asked to consent to data processing activities, the organization must
have a procedure to deal with those data subjects who refuse. For example, if you ask
employees to consent to provide details of illnesses if they are absent from work due to
sickness, how will you deal with the ones who refuse? For this reason most organizations
will avoid seeking consent if another condition can be met.
In the employer/employee relationship it is now doubtful that proper consent can be
given by the employee to the processing of personal data relating to them by the employer.
The view has been expressed that in the relationship between employer and employee, the
employee is at such a disadvantage in terms of bargaining power that they cannot ever give
consent freely and without undue influence from the employer, simply because the other
party is their employer. The former Information Commissioner indicated that she agreed
with this view. There is also a growing trend whereby the Office is encouraging data
controllers to try to find alternatives to seeking consent in most situations. Consent is being
seen as very much a last resort. (See page 67).
There is no definition of consent in the 1998 Act, but the EC Directive7 defines consent
with three key elements:

• Consent must be freely given.
• It must be specific and informed, so that all processing activity is described.
• It must constitute an indication that the data subject signifies his agreement; inaction will
not suffice.

In relation to this third point, the former Commissioner stated8 that a data subject may
signify consent other than in writing so long as there is some active communication
between the parties.

MEETING CONTRACTUAL OBLIGATIONS
The second condition which may apply is where processing is necessary for the
performance of a contract to which the data subject is a party. This is the condition
which will be favoured in relation to personal data processing activity in HR. The data
subject – in this case the employee – is party to a contract of employment. The employer
has a duty to provide remuneration and other employee benefits set out in the contract of
employment. Personal data processing for the purposes of payroll and other employee
benefit administration is therefore undertaken pursuant to the contract between the
parties.
This contractual condition has an additional element where the processing is necessary
for the taking of steps at the request of the data subject with a view to entering into a
contract. This covers pre-contractual processing activity, for example, when personal data is
supplied to the pension administrators so that a new employee can be offered membership
of the pension scheme and offered transfer terms for any existing pension. At the time the
details are supplied to the administrators, the employee (as a prospective pension scheme
member) has no contract with the pension scheme, but the details are disclosed and the
pension scheme administrators contact the prospective member with terms of membership
of the pension scheme. These are steps preliminary to entering into a contract with the data
subject, arguably even where the data subject then declines to enter into the contract on the
terms offered.

MEETING THE LEGAL OBLIGATIONS OF THE DATA CONTROLLER
Another important condition from the employer’s perspective is the third condition: the
processing is necessary for compliance with any legal obligation to which the data controller
is subject, other than an obligation imposed by contract. Many personal data processing
activities within HR are undertaken pursuant to this condition; for example, record-keeping
to comply with health and safety requirements, disclosing data to government departments
such as the National Insurance Contributions Agency or the DSS, obtaining personal data
from the Inland Revenue and so on.

7. Reference 95/46/EC.
8. Legal guidance published in December 2001, ISBN 1 870466 23 3, Paragraph 3.1.5.

PROTECTING THE VITAL INTERESTS OF THE DATA SUBJECT
Condition 4 applies where the processing is necessary in order to protect the vital interests
of the data subject. This has been interpreted by the Commissioner to mean a ‘life or death’
situation and is not generally particularly useful in routine HR administration, although
there could be circumstances involving the health of the data subject.9

THE ADMINISTRATION OF JUSTICE AND GOVERNMENT FUNCTIONS
The fifth condition relates to the administration of justice and Crown and public functions
and is unlikely to apply generally in relation to HR. However, it will cover situations where
personal data must be processed – as part of a police investigation, for example – or it might
be quoted as applying to information required by the Child Support Agency. It also covers
the exercise of any other functions of a public nature exercised in the public interest by any
individual. This would apply to processing undertaken on behalf of directors, officers or staff
members who have a public role, for instance the chairperson or committee member of a
professional institute or charity.

LEGITIMATE INTERESTS
The sixth condition is important in relation to most personal data processing activity. It
applies where the following elements can be established:

• Legitimate interests;
• Of the data controller or third parties to whom the data are disclosed;
• Balanced against the rights and freedoms or legitimate interests of the data subject.

This is a catch-all to a large extent and covers processing which cannot be brought within
the aegis of the contract of employment nor that of any other legal duty imposed on the
data controller. It is qualified to the extent that the data controller should balance its own
legitimate interests against those of data subjects.
A key area where this condition may apply is in relation to any marketing activity
undertaken to promote goods and services to employees. Many businesses promote their
own goods and services to staff at discounted prices, and some also arrange for offers from
other businesses to be made available as a ‘perk’ of employment. Where these promotions
require the processing of personal data – for example, if invitations are specifically addressed
to staff using name and work contact details – such processing would be legitimized by this
condition for fair processing. Certainly, marketing activity would not usually fall within
the contract of employment (unless the employer has committed itself to providing such
opportunities as part of the remuneration package, which seems unlikely) nor is the
employer meeting any other legal obligation when marketing to staff. Therefore the
legitimate interests of the employer as a business provide a useful condition in these
circumstances. The qualification that the rights and freedoms of data subjects should not be
prejudiced would apply if, for example, an employee were to notify the company that they
did not want to be included in promotional offers. From the date of receipt of such a
notification, the employer would not be justified in relying on the sixth condition in
relation to that employee, because the employee is entitled to exercise their right not to
receive marketing literature and the employer is bound to respect that right when
processing personal data in reliance on this condition for fair processing.

9. See Legal Guidance – December 2001, Paragraph 3.1.3.

The Commissioner has suggested a two-part test to establish whether this condition is
appropriate in any particular case. The first part is to consider the legitimacy of the interests
pursued by the data controller or third party. The second part is to consider the rights and
freedoms or legitimate interests of the data subject and decide whether or not these are
prejudiced by the processing activities of the data controller and, if so, whether the data
subject’s interests override those of the data controller.
There is provision for the Secretary of State to specify particular circumstances in which
the sixth condition is – or is not – to be judged as satisfied. To date no order has been made
pursuant to this clause.

Meeting one or more of the conditions for the fair processing of sensitive data
Remember that processing involving sensitive data must meet one of the conditions for the
fair processing of personal data as well as one of the following conditions for the fair
processing of sensitive data. The two schedules are not exclusive, and any processing
involving sensitive data must be legitimized by reference to conditions from both lists. The
conditions which qualify processing of sensitive data as fair are laid out in the table below
and then explained in detail.

Condition | Comment
Explicit consent | Again unreliable in the HR context, and note that a higher level of consent (‘explicit’) is required than the ‘consent’ in the conditions for fair processing of ordinary personal data.
Legal obligations in connection with employment | For example, processing to meet SSP, Inland Revenue and Benefits Agency requirements. Consider also legal obligations in relation to other employees: for example, the disclosure of details of an infectious illness of one employee so that other employees can take preventive measures.
Vital interests of the data subject | Rarely used, a matter of ‘life or death’.
Non-profit-making bodies | Applies to restricted activities and data subjects.
Information already in the public domain | Cannot apply generally but only in relation to specific instances.
Legal rights | The establishment or defence of the legal rights of the employer: for example, discussing the dismissal of an employee for absence through sickness with a solicitor.
Administration of justice and government | Not generally useful in the HR context.
Medical purposes | Restricted again, probably to ‘life or death’ situations where consent of the data subject cannot be obtained.
Equal opportunities monitoring | An obvious condition for HR processing activity, designed for use where equal opportunities are promoted and not otherwise.

EXPLICIT CONSENT
The first condition is that the data subject has given their explicit consent to the processing
of the personal data. As stated above, businesses are advised not to rely on consent as a
condition to establish fair processing unless they are able to handle those situations where a
data subject declines to give their consent. In addition, there is the issue that it is almost
impossible to establish that consent is freely given in the employer/employee relationship.
There is no definition of ‘explicit consent’ in the 1998 Act, but it is reasonable to assume
that the requirement is more rigorous than simple ‘consent’ required by the first clause of
Schedule 2.

MEETING LEGAL OBLIGATIONS IN CONNECTION WITH EMPLOYMENT
This condition applies where processing is necessary for the purposes of exercising or
performing any right or obligation which is conferred or imposed by law on the data
controller in connection with employment.
Obviously this will be a useful condition in the HR context. Note that there is no
corresponding condition to that contained in Paragraph 2 of the Second Schedule, which
states that processing necessary to perform a contract to which the data subject is party is
fair processing. An example where the condition to meet an employment right or obligation
might apply is where sensitive data is shared between employer and pension scheme trustees
as part of routine liaison and communication, particularly when an employee is likely to
retire early due to ill health. The rights and obligations relate to the contract of employment
which provides pension scheme membership as part of the employment remuneration
package as well as the pension scheme rules.
Another example is sensitive data relating to an accident or injury suffered at work
processed to meet health and safety requirements. Trade union membership is a category of
sensitive data which might be processed in order to deduct union dues from a person’s
salary.
There is provision for the Secretary of State to specify particular cases where this
condition may be excluded or to specify further conditions which must be met before the
condition can be regarded as satisfied. To date no order has been made pursuant to this
clause.

PROTECTING THE VITAL INTERESTS OF THE DATA SUBJECT OR ANOTHER
Condition 3 applies where processing is necessary in order to protect the vital interests of
the data subject. This has been interpreted narrowly by the Commissioner to mean a ‘life or
death’ situation and is not generally useful in routine HR administration. However, it is not
as straightforward in application as its counterpart in Schedule 2, and further conditions
apply.
The processing must be necessary to protect the vital interests of the data subject or
another person in a case where: first, consent cannot be given by or on behalf of the data
subject or, second, the data controller cannot reasonably be expected to obtain the consent
of the data subject. Where the claim is that the processing is necessary to protect the vital
interests of another person, the data controller could show that consent by or on behalf of
the data subject has been unreasonably withheld.

NON-PROFIT-MAKING BODIES
This condition applies where the data controller is not established or conducted for profit
and exists for political, philosophical, religious or trade-union purposes. This condition will
apply so long as the processing is carried out in the course of the data controller’s legitimate
activities, with appropriate safeguards for the rights and freedoms of specific categories of
data subject and does not involve the disclosure of personal data to a third party without the
data subject’s consent. The ‘specific categories of data subject’ referred to are those
individuals who either are members of the data controller or have regular contact with it in
connection with its purposes.

INFORMATION ALREADY IN THE PUBLIC DOMAIN
This condition provides that information comprising sensitive data which has been made
public as a result of steps deliberately taken by the data subject may be processed by the data
controller. A prime example of this condition in action occurred in January 2002, when
government ministers used the press to publicly reject families’ claims that elderly patients
had been failed by the National Health Service system by being left wearing soiled clothing
and with the effects of their injuries unwashed. The rebuttal included sensitive data relating
to these patients which explained that in their distress and confusion the elderly people had
strongly resisted moves to clean and re-clothe them. This apparent disclosure of sensitive
data was covered by the condition in Clause 5, namely that as the patients and their families
had already placed the details of these individuals’ health in the public domain via the press,
the rebuttal simply made use of the same information which was therefore already in the
public domain.
A sensible employer should seriously consider how wide a ‘public’ is required to
establish that sensitive data is in the public domain. For example, an employee who
contracts a contagious disease might alert some colleagues at work; whether or not this
would be sufficient to warn all staff about the problem on the basis that the information is
already in the public domain is doubtful. If disclosure of the identity of the employee were
unavoidable, the employer would seek to rely on condition two: that its legal obligations to
other members of staff require that sensitive data be processed.

LEGAL RIGHTS
This condition recognizes the need for sensitive data to be processed in connection with the
establishing or defending of legal rights. An employer might seek to rely on this condition if
an employee brings a personal injury claim against it for an accident or injury that occurred
at work. It also allows for the processing of sensitive data necessary for the purpose of
obtaining legal advice where legal proceedings are pending or anticipated.

ADMINISTRATION OF JUSTICE AND GOVERNMENT FUNCTIONS
As with Clause 5 of Schedule 2, this condition covers the processing necessary for the
administration of justice, for the exercise of any functions conferred on any person by or
under any enactment, or for the exercise of any functions of the Crown, a minister of the
Crown or a government department.
There is provision for the Secretary of State to specify particular cases where this
condition may be excluded or to specify further conditions which must be met before the
condition can be regarded as satisfied. To date no order has been made pursuant to this
clause.

MEDICAL PURPOSES
This condition covers the situation where processing is necessary for medical purposes and
is undertaken by a health professional or by a person who, in the circumstances, owes a duty of
confidentiality equivalent to that which would arise if that person were a health
professional.
For the purposes of this condition ‘medical purposes’ includes the purposes of
preventive medicine, medical diagnosis, medical research, the provision of care and
treatment and the management of health care services.
This condition obviously has application in relation to occupational health screening
(preventive medicine) and medical insurance (the provision of care and treatment and the
management of health care services).

EQUAL OPPORTUNITIES MONITORING
This condition applies to processing of information as to racial or ethnic origin which is
necessary for the purpose of identifying or keeping under review the existence or absence of
equality of opportunity or treatment between persons of different racial or ethnic origins.
The processing must be undertaken with a view to enabling such equality to be promoted or
maintained, and must be carried out with appropriate safeguards for the rights and freedoms
of data subjects.
There is provision for the Secretary of State to specify particular circumstances in
which processing is, or is not, to be taken to provide the appropriate safeguards for the
rights and freedoms of data subjects. To date no order has been made pursuant to this
clause.
This is an important condition in relation to equal opportunities monitoring, although
it is worth noting that many employers could rely on condition two, which would apply to
processing necessary for the purposes of exercising or performing any right or obligation
which is conferred or imposed by law on the data controller in connection with
employment. Equal opportunities monitoring is an obligation imposed by law on certain
data controllers.

FURTHER CONDITIONS
Over and above the conditions for the fair processing of sensitive data included in the
Schedule to the Act and detailed above, there is provision for the Secretary of State to specify
additional circumstances in which the fair processing of sensitive data may be established.
To date one order, the Data Protection (Processing of Sensitive Data) Order 2000, has been
made. It provides for the fair processing of sensitive data in a variety of circumstances. These
are laid out in the following table, and considered in detail below.

Circumstances | Comment
Prevention or detection of unlawful acts | Limited in application, requiring substantial public interest, not simple prevention of crime that affects the employer such as theft etc.
Confidential counselling services | Limited in application, also requiring substantial public interest, and explicit consent must first have been considered and rejected.
Insurance and pensions | Limited in application, assisting the life and pensions industry only.
Equal opportunities | An obvious condition for HR processing activity but designed for use where equal opportunities are promoted, not otherwise.
Political opinions | Limited in application, applies only to political organizations, not businesses.
Research | Limited in application, restricted to substantial public interest.
Police | Limited in application, restricted to the police.

Prevention or detection of unlawful acts
The conditions require that processing be in the substantial public interest. Arguably any
processing related to the prevention or detection of any unlawful act is in the public
interest, but the requirement is that it should be in the ‘substantial’ public interest, so it is
obviously not intended to be applied to any and all unlawful acts. The provisions are for:

• Processing undertaken in circumstances in which the consent of the data subject would
prejudice the prevention or detection of the unlawful act;
• Processing necessary for the discharge of any function designed to protect the public
against dishonesty, malpractice or other seriously improper conduct by, or the unfitness or
incompetence of any person, or the mismanagement of any body or association.

Confidential counselling services
This condition requires that processing be in the substantial public interest and applies to
processing necessary for the discharge of any function which is designed for the provision
of confidential counselling, advice, support or any other service. There is a qualification
that explicit consent should normally be sought, but this condition will apply if the
processing is carried out without the explicit consent of the data subject, either because
consent would prejudice the provision of the counselling etc., or because consent cannot
be given by the data subject, or because the data controller cannot reasonably be expected
to obtain explicit consent.

Insurance business and occupational pension schemes
Conditions have also been established under the Sensitive Data Order to allow the fair
processing of sensitive data necessary for the purpose of carrying on an insurance business or
making determinations in connection with eligibility for and benefits payable under an
occupational pension scheme. Under this condition, only sensitive data relating to health may
be processed, and only where it relates to the parent, grandparent, great-grandparent or sibling
of an insured person or member of a pension scheme. A further qualification is that the processing must
not support measures or decisions in connection with the data subject. Thus information
relating to the medical histories of close relatives may be processed for the purposes of
assessing the risk posed by an individual making an insurance proposal or being considered
for entry into pension scheme membership or benefits. The information cannot be processed
to make a decision relating to the parent, grandparent, great-grandparent or sibling.
A further qualification is that the processing be necessary in a case where the data
controller cannot reasonably be expected to obtain the explicit consent of the data subject
(in this case the parent, grandparent, etc.) and is not aware that the data subject has
withheld their consent.

Additional condition applying to processing to monitor equal opportunities
In the same way as sensitive data relating to race or ethnic origin may be processed fairly to
monitor equal opportunities, so may sensitive data relating to religion be
processed for this purpose. Interestingly, the Order also provides for data subjects to prevent
such processing by notice to the data controller, which has the effect of creating a new
mini-right for data subjects.

Processing sensitive data relating to political opinions
A new condition allows the processing of sensitive data relating to the political opinions of data
subjects where the processing is undertaken by political organizations and where it neither
causes, nor is likely to cause, substantial damage or distress to data subjects or any other person.
The Order also provides for data subjects to prevent such processing by notice to the
data controller.

Research
Processing that is in the substantial public interest and necessary for research purposes may
benefit from another new condition for the fair processing of sensitive data set out in the
Sensitive Data Order. The requirements are that the processing does not support measures or
decisions with respect to any particular data subject unless the data subject’s explicit
consent is obtained in addition and the processing neither causes nor is likely to cause
substantial damage or distress to the data subject or any other person.
Business research is unlikely to qualify as being in the substantial public interest, yet
some sectors may be able to take advantage of the condition. Examples include
pharmaceutical companies developing new drugs and universities and other research
bodies operating on a non-profit-making basis.

The police
Processing that is necessary for the exercise of any functions conferred on a constable by any
rule of law is fair processing under the Sensitive Data Order.

Summary
The conditions for the fair processing of personal data provide several options for employers
processing personal data for personnel administration, the administration of employment
benefits and pension schemes, marketing, and the meeting of health and safety requirements.
The additional conditions which apply to the processing of sensitive data are much
narrower in application. Key omissions include processing in the legitimate interests of the
data controller, which is a useful catch-all in relation to personal data processing. Another
omission is processing necessary for the performance of a contract to which the data subject
is party. As a result employers should (rightly) conclude that fewer processing activities
involving sensitive data will be permissible. Certainly there are limited grounds for the
processing of sensitive data for marketing purposes, for example, unless the employer has
the consent of the employee.
Consent is something of an issue in the HR arena, as the Commissioner concurs with
the view that consent by an employee to the personal data-processing activities of their
employer is unlikely to meet any sensible interpretation of having been ‘freely’ given. So
consent is (at least) an inappropriate condition on which to rely in relation to the processing
of personal data in regard to HR activities.
It can be seen that consent is not a prerequisite to fair processing; however, many other
conditions may apply, particularly in relation to the processing of personal data rather than
sensitive data.
Finally, it is worth noting that even where personal data processing activity meets one
or more of the conditions for fair processing, it does not follow that the processing is fair.
Fairness will depend on the circumstances of the processing (the subjective test referred to
earlier) and on the subject information requirements being met.

Suggested actions
This is an area of data protection law that is largely unseen by the outside world. Only when
an organization is under investigation in relation to other data protection problems will it
be asked to declare on which of the conditions for fair processing it seeks to rely when
processing personal data and sensitive data.
However, the conditions contain many of the elements of modern data protection law,
and making an initial assessment of the most likely conditions to apply to any processing
activity is a useful activity in the short term, leading to a greater understanding of data
protection law. In the longer term it might prove invaluable: if the business or HR
department is dealing with a data protection problem and the issue of conditions for fair
processing arises, any advance thoughts on the subject will be helpful. Document any
thoughts you may have on the conditions applicable to your department’s processing activity.

The requirement to supply subject information


The First Principle requires a data controller to supply specified information to data subjects
before any personal data is obtained from them. The information required is:

. The identity of the data controller and – if the data controller has nominated a
representative for the purposes of the Act – the identity of that representative;
. Details about the purposes for which personal data is processed or is intended to be
processed;
. Any further information which is necessary, having regard to the specific circumstances in
which the data is being or is to be processed, to enable the processing in respect of the data
subject to be fair.

THE IDENTITY OF THE DATA CONTROLLER


This is a straightforward requirement, and in practice the data controller’s name usually
features on literature where subject information is required. The ideal location for a subject
information notice is on any form that purports to gather personal data. In relation to HR
this means job application forms, pension scheme membership forms, sickness and
absence forms, appraisal forms, etc. In-house forms usually carry the employer’s name,
meeting the part of the requirement that the identity of the data controller must be
shown.
Where letters are used – for example, when acknowledging receipt of a speculative CV
or a statement of the standard terms and conditions of employment – the full legal title of
the employer will be shown on the letterhead.
Whether or not the full legal title of the data controller is required is not certain; there is
no case law or handy definition to provide guidance. It does seem to be proper to use the full
legal title for registered companies, however, as there can then be no doubt as to the identity
of the data controller. This is an important aspect in the context of job advertisements
which invite potential applicants to apply with details of their qualifications and
experience. The advertisement is clearly inviting candidates to submit personal data, and
the subject information requirements should be met within the body of the advertisement.
Many employers rely on their company logo to indicate their identity, especially where the
advertisement is double-branded with the identity of any recruitment agency. Advertisers
should consider whether or not the legal titles of both agency and prospective employer
need to be included in the text of the advertisement. It may not be necessary where the
advertiser is a household name, but then many companies overestimate their public
reputation or use a corporate identity in connection with several trading companies in a
group. It is a point to consider.
An example of a representative nominated for the purposes of the Act would be a share
registrar nominated to handle queries from shareholders of the data controller. The
company in which shareholders have chosen to invest is the data controller, the
administration of the share register is outsourced to a share registrar service provider, and
it is practical for queries to be handled directly by the registrar. In these circumstances
the registrar can be nominated as representative of the data controller for the purposes of
the Act.

THE PURPOSES FOR WHICH THE DATA IS INTENDED TO BE PROCESSED


These should include a reference to the main processing activity and any ancillary activities.
Care needs to be taken to identify all processing activities for inclusion in the wording of the
subject information notice.

ANY OTHER INFORMATION RELEVANT IN THE CIRCUMSTANCES


One way to identify what information could be relevant is to consider if there is any
information which would affect the data subject’s decision to supply the information
requested. This includes, for example:

. Details of any third parties to whom the data will be disclosed;
. Other sources of personal data relating to the data subject;
. The consequences of not supplying the information requested;
. The period of time during which the personal data will be retained.

So, for example, a subject information notice on a job application form might read:

The information requested on this form is required for the purpose of assessing your suitability for
employment with (Name of Employer Limited). All the information we request is necessary to
assist us in making our employment decision and we may not be able to process your application
further if you do not answer all the questions. We will take up references from the persons you
nominate on the form. If your application is successful, the application form will form part of
your contract of employment with the firm. If your application is unsuccessful we will hold this
application form for a period not exceeding one year in case any other suitable position arises.

This draft notice covers:

. The identity of the data controller [Name of Employer Limited].
. The purposes for which the data will be processed – assessing suitability for employment
and if successful, forming part of the contract of employment.
. Other information relevant in the circumstances, such as:
– ‘If some of the information requested is not provided we may not be able to process
your application’, and
– ‘We will seek information from referees . . .’, and
– ‘We hold unsuccessful applications for an unusually long period of time.’ (Six months is
accepted as the usual period.)

DATA OBTAINED FROM THIRD PARTIES


Where personal data is not obtained direct from the data subject but from a third party, the
data controller should ensure that the data subject was given a subject information notice
which included the fact that the data would be disclosed. If an appropriate notice has not
been given, the data controller must provide subject information when the data is first
processed by them. It is assumed, therefore, that if a data controller purchased a mailing list,
when first using the list to mail to data subjects, appropriate wording should be included
about the data controller’s personal data-processing activities. Where data is not collected
direct from the data subject, the data controller is still under an obligation to ensure that the
appropriate subject information notice has been given; otherwise they must give an
appropriate subject information notice direct to the data subject within a reasonable time of
commencing processing activity. In practice this means checking what information has
been received by the data subject at the time the personal data was obtained. If an employer
uses a recruitment agency or headhunter, the information provided by the agency to the
data subject will determine whether or not an additional subject information notice is
required to cover the employer’s processing activity. When an employer is asked to provide a
reference, it should check that the data subject is aware that references are being taken up
and agrees to the provision of the information requested.
There are exceptions to the requirement to provide subject information notices where
the personal data was obtained from a third party. These apply:

. Where providing the subject information would involve disproportionate effort, or
. Where the disclosure is one required by law.

If a data controller intends to rely on the disproportionate effort exemption they must
record the reasons why compliance involves disproportionate effort.
The subject information provisions are a new requirement under the 1998 Act and may
require changes to documentation so that subject information is assured of reaching the
target. Forms requesting personal data are an obvious location for a notice: for example, job
application forms, product or service application forms, quotation forms, cut-out forms in
newspapers. Areas more difficult to deal with are telephone interviews and face-to-face
interviews in the course of which personal data is recorded. Procedures are required to
ensure that staff carrying out telephone or face-to-face interviews provide a scripted subject
information notice or a document including such a notice for the data subject to read. It will
still pose a higher risk to compliance than would, say, a printed statement on a form, because
in most cases it will not suffice to show that subject information is generally provided. If one
data subject does not receive the specified information, then the processing of personal data
relating to them is unfair. The test is a subjective one.

TIMING OF PROVIDING SUBJECT INFORMATION


Clause 2 of Part II of Schedule 1 considers two scenarios: the first where the data is obtained
from the data subject and the second where it is obtained from a third party. It is not
specifically stated that subject information should be provided before personal data is
obtained, but the Commissioner has always insisted that this should be the case. This
is sensible as obtaining personal data direct from the data subject obviously involves some
form of communication between the data controller and the data subject and, therefore,
providing subject information is not difficult. Also, as the data subject may make a decision
whether or not to supply the data requested on the basis of the data controller’s stated
processing purposes, this must be provided before any personal data is supplied.
In the second scenario, where the personal data is sourced from a third party, the
requirement is that subject information be provided before the ‘relevant time’. This is
defined as the time when the data controller first processes the data or within a reasonable
period of disclosure to a third party being envisaged. This means that the data controller
who sources personal data from a third party must check what subject information was
provided to the data subject(s) and, if this is not adequate, supplement it with further
information to meet the requirements of the First Principle. An obvious example is where a
company buys in a mailing list. If the list is used for direct marketing, an appropriate subject
information notice should form part of the first marketing initiative involving persons
named on the list. This will be acceptable and within the relevant time.

PROMINENCE OF SUBJECT INFORMATION – SIZE AND POSITIONING


The Information Commissioner has stated that it would be inappropriate to set down rules
about the size, positioning and wording of notification clauses, so it is a matter of
judgement; data controllers should keep ‘fairness’ in mind. The following are questions the
Commissioner’s Office would consider when assessing the adequacy of the prominence
given to a notice:

1) Is the typeface or font in the notification of at least an equivalent size to the type face or
font used in the rest of the form?
2) If not, is the print nevertheless of sufficient size for the data subject’s eye to be drawn to
it?
3) Are the layout and print size such that the notification is clear and easy to read?
4) Is the notification placed at or very close to the place where the data subject supplies
their details or signs the form?
5) If not, is it placed in such a way that the data subject will inevitably see it in the course of
filling in the form?
6) If not, is it nevertheless placed where the data subject’s eye will be drawn to it?
7) Is the general nature and presentation of the form such that it conveys to the data
subject the need to read carefully all the details including the notification clause?

As a general rule, the size of font or typeface used for the notice should be no less prominent
than any font or typeface used for any other part of the document.

WHAT MAKES AN EFFECTIVE NOTICE?


The following are the type of questions the Commissioner’s Office are likely to consider
when assessing the efficacy of subject information:[10]

1) Do the words used convey all the likely non-obvious uses and disclosures of the
customer’s information?
2) Do the words properly convey the fact that information about the customer will be
passed on to others?
3) Do the words convey the full implications for the customer of the use or disclosure, for
example that he/she might receive telephone marketing calls?
4) Do the words explain the above in a way that would be understood by the great majority
of likely data subjects?

MARKETING FAIRLY
It has already been seen that a subject information notice should contain all information
relevant in the circumstances to allow a data subject to decide whether or not to supply the
personal data requested. Clauses which explain about the use of personal data for marketing
activity should include an opt-out, so that data subjects can decline to allow their personal
data to be used for marketing purposes. Although many European countries require positive
action from a data subject to indicate a willingness for their personal data to be used for
marketing purposes (an opt-in clause), the Commissioner’s Office accepts that the position
in the United Kingdom, where opt-out clauses are standard, is acceptable.

10. Text taken from Commissioner’s website.

TELEPHONE MARKETING
The situation is that any intended use of personal data for the purposes of telemarketing or
telephone work should be specifically disclosed.

EXEMPTIONS FROM THE SUBJECT INFORMATION REQUIREMENTS


There are no significant exemptions from the requirement to supply subject information.
Also it should be noted that the subject information provisions take effect to overrule any
enactment or rule of law prohibiting or restricting the disclosure, or authorizing the
withholding, of information. The main force of this provision is felt in relation to subject
access requests, but it makes the point that data protection law overrides many other areas
of law, and any organization choosing not to comply with, for example, the subject information
requirements had better take legal advice on the likely consequences.

EXAMPLES FROM THE EMPLOYMENT PRACTICES DATA PROTECTION CODE


The Employment Code provides that when advertising a job the name of the employer and
any recruitment agency must be clearly indicated so that applicants are aware of the name
of the organization(s) before they submit any personal data. The purposes for which the
personal data will be processed should also be stated if this is not obvious. The purpose of
making a recruitment decision or selecting a shortlist will usually be obvious as the text of
advertisements invites prospective candidates to apply for the position advertised.
However, care must be taken with any other non-obvious purposes to which the data is
to be put. For example, if an applicant’s details are to be assessed to identify their suitability
for a training programme when they are not suitable for the job advertised, this should be
stated.
The location of subject information notices will depend on the correspondence
between data controller and data subject. If a telephone interview is conducted, then a
spoken form of words will be required. If applications for a job are invited online, then an
appropriate form of words is required on the web page before the data subject submits their
application.
If the employer undertakes pre-employment vetting, it should be made clear to the data
subject that such vetting will take place and how it will be conducted.[11]
If the details of unsuccessful applicants are to be retained against future suitable
positions, this is information ‘relevant in the circumstances’ and applicants should be
advised of it as part of the subject information requirements. They should be given the
opportunity to have their details removed from the relevant file.[12]

11. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 7.3.
12. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 8.5.

RECOMMENDED ACTIONS
Take the time to identify how personal data is obtained and its use for HR purposes. Your list
is likely to include application forms, CVs, employee details forms and pension scheme
forms for new employees. On a continuing basis you might receive personal data relating to
employees on sickness and absence forms, in accident books, on appraisal forms and in
training feedback. Some of the data will be provided by third parties: the Inland Revenue,
the Benefits Agency, referees, doctors and recruitment agencies. Most data will be supplied by
the employees themselves. Normal HR activities will involve the processing of personal data
for HR administration and the administration of employee salaries and other benefits; work
planning and management may also be relevant. Remember to include marketing activity if
the organization’s goods or services are promoted internally using personal data or if affinity
schemes are in place (whereby a third party promotes to a group of data subjects – in this
case, the employees of an organization – offering discounted goods and services).
Once you have identified how personal data is obtained and its use around the
organization, draft appropriate subject information notices and ensure these are included
on forms, in staff handbooks, etc. so that all current and prospective employees will see
them. Remember to include temporary workers and contractors. Remember also to put a
notice on your web site if you invite applications over the internet.
Document how and when this review was undertaken and what actions resulted from it.
This may prove useful in future if your organization or department is challenged on data
protection issues.
Check that third parties which supply personal data have given appropriate subject
information notices. Pay particular attention to recruitment agencies: it is a good idea to
give them a note of the points you would like to be drawn to the attention of prospective
candidates when you are recruiting. Include subject information in that list of points.
Read the recruitment section of the Employment Practices Data Protection Code and
make sure that your procedures and documents meet the required benchmarks. If you
decide that a particular benchmark is not appropriate to your department or organization,
document the reasons for future reference.
CHAPTER 15
The Second Principle

Interpreting the Second Principle


The Second Principle reads: ‘Personal data shall be obtained only for one or more specified and
lawful purposes and shall not be processed in any manner incompatible with that purpose or those
purposes.’
The key elements of the Principle are that:

. Personal data must be processed for purposes known at the time of obtaining the data.
. All processing must link back to the original purpose for which it was obtained.
. All purposes for which data is processed must be lawful.

Each of these three elements needs to be considered and its impact on personal data
processing in the HR context assessed.

Personal data must be processed for purposes known at the time of obtaining the data
This is probably the biggest restriction in current data protection law. Organizations must be
able to identify the purposes for which the data will be processed before (or at the time of )
obtaining the data. It means that personal data cannot be sought in the hope that one day it
will be useful for purposes as yet unknown. This accords with the First Principle which
requires that individuals be given prescribed information before any personal data is
obtained. (See Chapter 14). The prescribed information includes the purposes for which the
data is intended to be processed. So if the purposes are unknown at the time of obtaining the
data, the individual data subjects cannot be given the required information.
The requirement is to specify the purposes for which personal data is processed. In
addition to meeting the subject information requirements of the First Principle, the entry in
the Data Protection Register includes specified purposes for which personal data will be
processed.
For the HR department, this means that all the activities for which employee personal
data is processed need to be identified. The obvious ones relate to employment
administration, the administration of employee benefits and work planning and manage-
ment. Less obvious ones might include marketing to employees, the use of personal data by
third parties measuring the assets and liabilities of the employer for purposes of mergers and
takeovers.
These are the processing purposes which must be disclosed to employees to meet the
subject information requirements. For more detailed guidance and suggested actions to help
meet the subject information requirements, see page 13. The purposes for which employee
personal data are processed should coincide with the employer’s notification entry on the
Data Protection Register.

All processing must link back to the original purposes for which it was obtained
‘Processing’ is defined to include using, holding and disclosing personal data. Thus any
activity involving personal data after it has been obtained is subject to this rule, that it be
handled in such a way as to be compatible with the original purpose for which it was
obtained. For example, data obtained from an employee for the purpose of payroll
administration may be disclosed to the Inland Revenue because that disclosure is
compatible with the original purposes. However, to disclose that same data to a charity
seeking to collect funds for a good cause would not be compatible with the purpose of
payroll administration.
The main danger to employer data controllers is unintentionally restricting HR
activities by failing to have correctly worded subject information for employees. In general it
is preferable to use wide wordings to describe HR activities and give examples rather than try
to create a definitive list.
When personal data is to be processed for a ‘new’ purpose – that is, one that was not
foreseen and therefore not included in subject information at the time of obtaining the data
– then the permission of the data subject is required. This is in itself a problem in the HR
context. (See page 21). However, that is what will be required before the processing can take
place.

All purposes for which data is processed must be lawful


This necessarily follows on from the First Principle (see Chapter 14). An example of unlawful
processing would be the disclosure of personal data in breach of a duty of confidentiality.
Employers owe their employees a duty of confidentiality in relation to employee personal
data. This would be breached if the employer were to publicize details of an employee’s
home life without their prior agreement.

Limited exception to the requirement to comply with the Second Principle
In limited circumstances there is an exemption from the requirement to comply with the
Second Principle. Where the processing of personal data is only undertaken for research
purposes (including statistical or historical purposes) then it is not to be regarded as
incompatible with the purposes for which it was obtained so long as the following
requirements are met:

. The data must not be processed to support measures or decisions with respect to particular
individuals.
. The data must not be processed in such a way that substantial damage or distress is, or is
likely to be, caused to any data subject.

This means that if personal data is processed for genuine research purposes, the processing
need not relate to the purpose for which the data was originally obtained. However, the data
must not be used to make decisions about individual data subjects.
For example, if an employer keeps detailed records of the reasons for employee absences
the stated purpose of processing that personal data is to administer the company’s sick pay
scheme and SSP. The employer may then decide to undertake an occupational health study
of its employees over a given period purely for purposes of research. This purpose was
unforeseen at the time employees were asked for information about their absences from
work and therefore no subject information was provided. Processing the sickness records for
this new purpose would be in breach of the Second Principle; however it would be
permissible under the exemption for research purposes.
Note that the employer would not be able to use the research to identify individuals
whose behaviour deviated from the norm in any way. Such use would amount to making
decisions about individual data subjects and would invalidate the exemption which
provides that personal data must not be used to support measures or decisions relating to
particular individuals.
CHAPTER 16
The Third Principle

Interpreting the Third Principle


Principles Three to Five inclusive are the most straightforward of the Eight Principles.
The Third Principle in particular has no interpretative provisions to be taken into account.
The text may be read and understood at face value.
The Third Principle reads: ‘Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.’
The terms ‘adequate’, ‘relevant’ and ‘not excessive’ are considered separately below.
None of the terms are defined. We must make judgements as to what is adequate, relevant
and not excessive in each case. This may vary according to circumstances. Some examples
from the Information Commissioner’s caseload are included at the end of the chapter.

Personal data to be adequate for the purpose


An employer holds personal data relating to its employees for the purposes of employee
administration. Routine employee administration includes administering employee benefits
and remuneration as well as maintaining records of annual leave and absences through
illness or injury. Job performance and evaluation can also be seen as part of employee
administration; recording appraisals, disciplinary and grievance issues are valid activities
under this heading. Employee administration also covers keeping records relating to former
employees so that the employer is able to respond to requests for references from other
employers and to supply information which may be requested by the Inland Revenue or
Benefits Agency. If the employer holds insufficient information to be able to meet these
obligations, it would be holding inadequate records for the purpose for which personal data
was intended to be processed.
Therefore the measure of adequacy relates to being able to meet obligations undertaken
as part of the original purposes for which data was obtained.
An employer is under an obligation to an employee to administer the contract of
employment correctly and fairly during employment and to provide information about the
employee to outside organizations as requested by the employee. It is also under an
obligation to provide information relating to employees and ex-employees to a number of
government departments and statutory bodies. Employers’ record-keeping policies should
be based on meeting these obligations.
Thus adequacy relates not only to the information sought from data subjects but also to
the length of time the data controller considers it necessary to retain the information. There
is no official guidance on appropriate document retention periods. It is reasonably
considered to be a matter dependent on the business and its particular circumstances.

However, an early draft of the Employment Code included a table of recommended
retention periods for HR records. This is reproduced on page 61.

Personal data to be relevant to the purpose


The Employment Code gives several good examples of obtaining data that is not relevant to
the purpose. Employment application forms often include questions relating to employee
administration rather than the recruitment decision. One example is National Insurance
numbers, which are routinely sought on application forms. These have no impact on the
recruitment decision and are sought at this early stage simply to ease the administrative
burden of setting up new employee records and payroll. However, the Information
Commissioner’s view (in the Employment Code) is that the information is not relevant to
the recruitment decision.
Furthermore, as a number of application forms completed by unsuccessful candidates
will also include National Insurance numbers which will never be used at all, these should
not be routinely obtained from all candidates but only from the successful candidate. This is
a slightly different aspect of relevance. If information is sought in several cases but only
really needed in one case, that constitutes processing personal data that is not relevant.
Another example of this is the question on job application forms relating to whether or not
the applicant holds a current driving licence. This information is only relevant in relation to
applicants for jobs as drivers or where a company car is offered as part of the remuneration
package. It should not be routinely sought in relation to candidates for other positions
where driving a vehicle is not part of the job.
If some of the questions on the application form are not relevant to all jobs, data is
therefore being sought which is irrelevant. Organizations are expected to differentiate
between the level of detail required from a prospective senior manager and that required
from a new postroom worker.
The effect of the requirement to process relevant data could well signal the end of job
application forms. HR departments are being directed towards restricting questions on
application forms to those relevant to the recruitment decision and to differentiate between
senior and less senior roles under recruitment.

Personal data not excessive for the purpose


There is substantial overlap between what is relevant and what is not excessive. Take the
example of application forms which include questions that are not relevant to the
recruitment decision and some that are not relevant to the level of job advertised. To obtain
data from a number of prospective candidates must result in obtaining personal data that is
excessive for recruitment purposes. Obtaining ten National Insurance numbers when only
the one belonging to the successful candidate will be required means that the organization
is holding excessive data. Obtaining information about driving licences from candidates for
jobs which do not involve driving is likewise excessive for the purpose.

Other published guidance


Guidance on the 1984 Act issued by the Information Commissioner’s Office included a list
of factors to be taken into account by enforcement teams when judging whether personal
data was adequate, relevant and not excessive for the purpose. These are the factors:

. The number of individuals on whom data is held.
. The number of individuals for whom data is used.
. The nature of the item of personal data.
. The length of time for which it is held.
. The way it was obtained.
. The possible consequences for individuals of its holding or erasure.
. The way in which it is used.
. The purpose for which it is held.

The point is made in the guidance that the Office would not accept that information is
relevant merely on the say-so of the data controller.

Examples
The following cases illustrate the application of the Third Principle.1
In processing a mortgage customer’s application for a current account, a bank was found
to have acted in breach of the Third Data Protection Principle when it carried out three
credit reference checks on the applicant. A series of unfortunate circumstances resulted in
the customer being the subject of a marker on his bank account indicating possible fraud.
Thus the processing of the personal data was inadequate and excessive.
A health authority carried out a ‘lifestyle survey’. A question had been included in the
survey which did not relate clearly to either the data subject’s health or the declared aims of
the survey. The inclusion of the question was held to be a breach of the Third Principle
because it was irrelevant.
An indicator on an individual’s credit reference file showed that the bank account
holder had got into financial difficulties. Although this was accurate, it was still held to be
inadequate because the fact that the individual had entered into an agreed arrangement
with the bank to rectify the situation had not been recorded.

The Employment Practices Data Protection Code


Considering relevance in relation to vetting procedures, the Employment Code
recommends that vetting should only be undertaken where there are ‘particular and
significant risks to the employer, clients, customers or others’ and it provides that other,
less intrusive alternatives should be considered before undertaking vetting. Also, vetting
should be targeted at successful applicants and at the specific risk identified, not
undertaken generally on all applicants. It should not be used for general intelligence-gathering: in
other words, ensure that the extent and nature of personal data sought is relevant and
not excessive for the purpose for which it is being processed.2

1. Taken from the Commissioner’s Case histories and enquiries for 2000–2001.
2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmarks 7.1, 7.2,
7.4.
CHAPTER 17

The Fourth Principle

Interpreting the Fourth Principle


Principles Three to Five inclusive are the most straightforward of the Eight Principles. There
are no additional requirements set out in the interpretative provisions to be taken into
account. The interpretative provisions serve several purposes. As well as setting out
additional compliance requirements, notably for the First and the Seventh Principles, there
is some codification of the accumulated wisdom on interpretation dating back to the 1984
Act.
The absence of any additional compliance requirements means that the text of
Principles Three to Five may be read and understood at face value.
The Fourth Principle reads: ‘Personal data shall be accurate and, where necessary, kept up to
date.’
The text of this Principle is unchanged from the 1984 Act, although the numbering is
different; it was formerly the Fifth Data Protection Principle. The interpretation of the
Principle has changed subtly. A useful proviso has been added to give a bit of flexibility in
certain cases where inaccurate data is processed despite the data controller having taken
reasonable steps to ensure its accuracy.
There are two elements to this Principle. Personal data should be: a) accurate and b) kept
up to date where necessary.

Accuracy
The requirement that personal data be accurate is not absolute. Where personal data is
inaccurate but the data controller can show that the information in the data is reproduced
in its records exactly as it was obtained, then there is no breach of this Principle. So, for
example, if an employee completes a job application form and supplies inaccurate
information which the employer believes to be true, then the employer is not in breach
of the Fourth Principle even though its employee personal data contains inaccurate
information.
Where possible the data controller should take reasonable steps to ensure the accuracy
of personal data. So, again using the example of the employee supplying false information
on a job application form, if the false information were that their date of birth was in 2003,
this is evidently inaccurate and the employer should confirm the actual year of birth for the
record. Likewise if the inaccurate information can easily be checked. For example, if the
employee gives a National Insurance number which differs from that on their P45, the
employer would be expected to investigate further and not accept the information at face
value.

A further qualification to the requirement that personal data be accurate applies where
the data controller holds information which is known or believed to be inaccurate but a
note has been made on the record that this is the case. There may be occasions when
retaining an original inaccuracy has value for the data controller and the Fourth Principle
cannot be used to require it to amend its records and erase the inaccurate information. So,
for example, a discrepancy in employment dates on a job application form might be
explained by the data subject (job applicant) but the data controller would wish to retain the
data in its original form with an explanation of the inaccuracy. The record might be retained
in this form as part of a disciplinary action or simply as an anomaly to bear in mind in future
dealings with the employee.

OTHER PUBLISHED GUIDANCE


Guidance on the text of the Fourth Principle issued under the 1984 Act is still relevant, the
text of the Principle having remained unchanged. In ‘The Guidance – Third Series’
published in November 1994 in relation to the 1984 Act, the Registrar commented that the
first part of this Principle (then the Fifth Principle) is stated in unqualified terms. Ergo data is
either accurate or it is not. However, when considering whether or not it would be
appropriate to take action against a data controller found to be in breach of the part of the
Principle requiring accuracy, the following factors would be taken into account:

. The significance of the inaccuracy. Has it caused, or is it likely to cause, damage or distress
to the data subject?
. The source from which the inaccurate information was obtained. Was it reasonable for the
data controller to rely on information received from that source?
. Any steps taken to verify the information. Did the data controller attempt to check its
accuracy with another source? Would it have been reasonable to ask the data subject,
either at the time of collection or at another convenient opportunity, whether the
information was accurate?
. The procedures for data entry and for ensuring that the system itself does not introduce
inaccuracies into the data.
. The procedures followed by the data controller when the inaccuracy came to light. Were
the data corrected as soon as the inaccuracy became apparent? Was the correction passed
on to any third parties to whom the inaccurate data may already have been disclosed? Did
the inaccuracy have any other consequences in the period before it was corrected? If so,
what has the data controller done about those consequences?

Keeping personal data up to date


The Fourth Principle provides that personal data be kept up to date only where necessary. A
record intended to provide a snapshot of circumstances as at a given date will obviously not
need to be updated. For example, a sensible employer will require employees to keep it
advised of changes in their circumstances such as change of address etc. However, it is not
necessary for the employer to update the individual’s recruitment file, application form, etc.
to show the new address. The recruitment file shows data correct as at the date of
recruitment; subsequent changes in details are recorded elsewhere.

OTHER PUBLISHED GUIDANCE


The Commissioner has stated1 that it may be important for the purpose of the data processing
that personal data be current, for example where personal data is processed to determine
whether or not to provide credit. This is an area where a data subject could suffer damage (by
not being offered credit) if personal data is inaccurate. Suggested factors to take into account
are set out in the guidance for data controllers and the Information Commissioner’s Office:

. Any record of when personal data was obtained or updated.
. Awareness of the data controller that personal data may not be up to date.
. Any procedures to update personal data and the effectiveness of those procedures.
. Whether or not the non-currency of the personal data is likely to cause damage or distress
to the data subject.

Examples
Inaccurate personal data may cause damage or distress to a data subject. The following
examples (taken from the Commissioner’s case histories) illustrate the need for personal
data to be kept up to date.
A complaint was received about personal data recorded on a credit reference file.
Although the account had been written off some years earlier and the balance on the
account was nil, nevertheless the impression was given that the account was current. Under
normal procedures an account written off would be removed from current files after a set
period, usually six years from the relevant date. This particular account with its current
indicator would remain on file indefinitely in contravention of the lender’s normal
practices. This was found to be a breach of the Fourth Principle.
Again, the potentially significant impact on a data subject of inaccurate personal data is
shown by a case involving a loan applicant. The bank operator recording details of the
application incorrectly accepted archive details relating to the applicant’s home address and
employment. When the bank tried to contact the applicant, using the inaccurate details, it
appeared as though a false address and false employment details had been provided. The
bank concluded that an attempt was being made to obtain a loan fraudulently. As a result a
fraud warning indicator was attached to the file and may have been shared with other
financial institutions in due course. The fraud warning was deleted once the mistake had
been brought to the attention of the bank.
Inaccurate personal data can give a misleading impression. Two individuals once
married to each other but now divorced complained that a credit reference agency had
declined to note that they were not now connected. The root of the problem was an
incorrect assumption by a member of the agency’s staff that the two were in fact still
connected. This was found to be a breach of the Fourth Principle.
A police force mistakenly attributed another person’s record to an individual
undergoing an employment vetting check. The individual complained that this constituted
a breach of the Data Protection Act. The police force agreed to modify its procedures to
prevent a recurrence and made an ex-gratia payment to the individual.

1. December 2001 Legal Guidance paragraph 3.4.



The Employment Practices Data Protection Code


The Employment Code recommends that where information is sought from a third party in
support of a prospective candidate’s application for employment, the candidate should be
given the opportunity to explain any discrepancies that the information reveals. This
provides a check on the accuracy of the material sourced from the third party as well as
meeting fair processing requirements.2
A further recommendation is that personal data that are recorded and retained
following interview can be justified as relevant either to the recruitment process or for
defending the recruitment process against challenge.3

2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 4.3.
3. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 6.1.
CHAPTER 18

The Fifth Principle

Interpreting the Fifth Principle


Principle Five is a very straightforward one. There are no interpretative provisions to be
taken into account at all. The absence of any additional compliance requirements means
that the text may be read and understood at face value.
The Fifth Principle reads: ‘Personal data processed for any purpose or purposes shall not be
kept for longer than is necessary for that purpose or those purposes.’
This is a clear exhortation to purge computer and paper files and delete old and
unwanted information even where this comprises personal data. It goes even further than
that because it challenges data controllers to consider the length of time for which personal
data is retained and whether or not those retention periods are appropriate with regard to
the purpose for which the data was obtained.
The key to processing personal data in accordance with this Principle is to ensure that
appropriate document retention policies and guidelines are in place and being followed.
Furthermore, if these differ from what would normally be expected to apply, the reasons
why an unusual retention period or unusual deletion policy was considered necessary in the
circumstances should be documented. See page 61 for guidance on retention policies.

Data held for research purposes


Records that are retained for purposes of research should have personal data removed from
them where possible, anonymizing the records so that no data subjects are identifiable from
the information retained.
Section 33 of the Act provides that personal data held only for research purposes
(including statistical or historical purposes) may be held indefinitely (disregarding the
provisions of the Fifth Principle) so long as the following requirements are met:

. The data must not be processed to support measures or decisions with respect to particular
individuals.
. The data must not be processed in such a way that substantial damage or distress is, or is
likely to be, caused to any data subject.

This useful exemption under Section 33 is not lost even where:

. Personal data is disclosed to another person so long as it is for research purposes only;
. It is disclosed to the data subject, at his request or with his consent;
. It is disclosed to a person acting on behalf of the data subject;
. A person makes the disclosure reasonably believing that the disclosure falls within these
grounds when in fact it does not.

Other published guidance


If personal data has been processed pursuant to a relationship between data controller and
data subject, then the retention of the personal data should be considered at the
termination of that relationship in the view of the Commissioner.1 The example given
relates to HR:

For example, the data subject may be an employee who has left the employment of the data
controller. The end of the relationship will not necessarily cause the data controller to delete all
the personal data. It may well be necessary to keep some of the information so that the data
controller will be able to confirm details of the data subject’s employment for, say, the provision of
references in the future or to enable the employer to provide the relevant information in respect of
the data subject’s pension arrangements. It may well be necessary in some cases to retain certain
information to enable the data controller to defend legal claims, which may be made in the
future. Unless there is some other reason for keeping them, the personal data should be deleted
when the possibility of a claim arising no longer exists, i.e. when the relevant statutory time limit
has expired.

The Employment Practices Data Protection Code


The Employment Code recommends that employers establish appropriate employee record
retention policies based on the business need and that these should be rigorously adhered
to.2 One of the early drafts of the Employment Code included a suggested table of retention
periods relating to HR files and records. Although this was removed from the final version it
provides a useful insight into the sort of retention periods the Information Commissioner
considers appropriate. The table is reproduced on page 61.
In the recruitment process, once a decision to appoint a candidate has been made
careful consideration should be given to what personal data is to be transferred from the
recruitment file to the employee’s work records. Some of the information will not be
relevant and should be destroyed, particularly that relating to sensitive data on criminal
convictions and the detail of any vetting exercises (although the results of the vetting
process may be retained).3

The CCTV Code of Practice


The CCTV Code provides some suggested retention periods for recorded images in different
circumstances, applying the Fifth Principle.

1. December 2001 Legal Guidance etc., paragraph 3.5.
2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 8.1.
3. The Employment Practices Data Protection Code, Recruitment and Selection, benchmarks 8.2, 8.3,
8.4.

Publicans may find seven days an appropriate length of time to keep recorded images if
the purposes of the processing are public safety and the detection and prevention of crime
because they will soon be made aware of any incident, such as a fight, occurring on their
premises.
Organizations which record images of street activity for crime prevention purposes may
not need to retain images for longer than thirty-one days unless they are required for
evidential purposes in legal proceedings.
Banks and building societies recording images at ATMs for the purposes of resolving
customer disputes might reasonably retain recorded images for up to three months in order
to provide information about cash withdrawals. The Information Commissioner suggests
this retention period, which is based on the interval at which individuals receive their
account statements.
CHAPTER 19

The Sixth Principle

This chapter focuses on the Sixth Data Protection Principle and the interpretative provisions
relevant to the Sixth Principle contained in Schedule 1 to the Act. The Sixth Principle is
concerned with data subject rights. It reads: ‘Personal data shall be processed in accordance with
the rights of data subjects under this Act.’
The meaning of ‘rights of data subjects’ is not open-ended. The rights are restricted to
those created pursuant to specific sections of the Act. They are:

. Subject access request;1
. Notice from a data subject that he or she is exercising his or her right to prevent
processing likely to cause damage or distress to himself or another;2
. Notice from a data subject that personal data relating to him or her should not continue
to be processed for purposes of direct marketing;3
. Notice requiring the data controller to ensure that certain decisions taken by automated
means be reviewed.4

A breach of any of these rights can be assessed by the Information Commissioner’s Office
but the rights are enforceable through the Courts.

Data subject rights not covered by the Sixth Principle


Other data subject rights are created by the Data Protection Act, and these are rights granted
on application to the court. These are:

. The right to compensation for failure in certain circumstances;
. Rights in relation to inaccurate data.

There are yet other rights, created by the Sensitive Data Order which sets out additional
conditions for the fair processing of sensitive data. Certain of these conditions are qualified
by allowing data subjects the right to prevent the processing of sensitive data relating to
them under the condition.
Each subject right is considered below.

1. Data Protection Act 1998 Section 7.
2. Data Protection Act 1998 Section 10.
3. Data Protection Act 1998 Section 11.
4. Data Protection Act 1998 Section 12.

Subject access request


Data subjects have a right to a copy of any information comprising personal data relating to
them that is in the control of the data controller. ‘Control’ means in its possession or in the
possession of a party over which the data controller has power to demand its possession.
This is the case where the personal data is in the possession of a data processor who holds
the data on behalf of the data controller.

A data subject who makes a request is entitled to:

. Confirmation that the company holds personal data relating to them.
. Be advised if the data is subject to any automated decision-making process.
. Be advised of the logic involved in any automated processing in certain circumstances.
. Be advised of the purposes for which personal data relating to them is processed.
. Be advised of the sources of the personal data.

Data controllers may charge data subjects a fee of up to ten pounds to help towards
administration costs. The data controller has forty days from receipt of the fee in which to
consider the validity of the request and whether any exemptions apply and to supply the
information requested or explain why certain information is being withheld.
An explanation of codes and references used in the information must be provided if the
meaning is not clear. The information must be provided in legible form unless an alternative
medium is agreed with the data subject or if providing it in a legible form would involve
‘disproportionate effort’.
The logic involved in any automated processing must be disclosed in certain
circumstances. These are where a decision:

. Significantly affects a data subject, and
. Is, or is likely to be, made by fully automated means, and
. Involves evaluation of the data subject: for example their performance at work, their
creditworthiness, etc.

A data controller does not have to comply with this part of the subject access request if the
disclosure of the logic involved in the automated processing would constitute the disclosure
of a ‘trade secret’.

SUBJECT ACCESS RIGHTS – EXCEPTIONS


There are limited exceptions to the requirement to comply fully with a valid subject access
request.5 Other than in respect of ‘the formalities’ (see below), where exceptions apply, they
apply in relation to specific information which may be withheld. Other relevant
information (that is, personal data relating to the data subject making the request) must
still be disclosed in accordance with the subject access procedure in Section 7 of the Act. The
following list, while not comprehensive, considers some of the more generally applicable
exceptions.

5. Set out in Section 7 of the Data Protection Act 1998, Schedule 7 and various Orders made under the
Act.

THE FORMALITIES
A data controller is not obliged to comply with a request for subject access unless he has
received:

. A request in writing, and
. A fee not exceeding ten pounds if applicable (a lower fee applies to credit reference
agencies and a higher one to certain health records), and
. Such information as he may reasonably require in order to satisfy himself as to the identity
of the person making the request and to locate the information sought.

The Freedom of Information Act 2000 has added a further proviso to the final point.6 Where
a data controller reasonably requires further information to confirm the identity of the data
subject and locate the information sought, and asks the data subject for more information, if
the information is not supplied then the data controller is not under a duty to comply with
the subject access request.

PERSONAL DATA RELATING TO OTHER DATA SUBJECTS


Where compliance with the request would necessarily involve the disclosure of information
relating to another individual (including the fact that information has been provided by
that other party) who can be identified from that information, there is no obligation to
comply with the request unless:

. The other party has consented to the disclosure of the information to the person making
the request, or
. It is reasonable in all the circumstances to comply with the request without the consent of
the other party.

In this context what is ‘reasonable’ will depend on:

. Any duty of confidentiality owed to the other party.
. Any steps taken by the data controller to obtain the consent of the other party.
. Whether the other party is capable of giving or refusing consent.

Other published guidance


Guidance has been published by the Information Commissioner7 about how to deal with
subject access requests which will result in personal data relating to a third party being
disclosed. In particular, advising the enquirer of the source of personal data relating to them
will often result in disclosing another person’s personal data. The Commissioner identifies
key questions for data controllers when dealing with subject access requests involving the
potential disclosure of personal data relating to third parties:

6. Section 7(3) of the Freedom of Information Act 2000.
7. Subject Access Rights and Third Party Information, published March 2000.

. Does the information being accessed contain information about a third party?
. If so, would its disclosure reveal the identity of the third party?
. In deciding this, has other information which the data subject has received or may receive
been taken into account?
. To what extent can the information be edited so it can be supplied without revealing the
identity of the third party?
. Has the third party previously given the information to the person making the subject
access request?
. If, or to the extent that, the information will identify the third party, has the third party
consented to the disclosure?
. If not, should consent be sought?
. Is it reasonable to disclose the third-party information without consent?
. Is the third-party information confidential or sensitive or harmful?
. Is the third-party information of particular importance to the person making the subject
access request?

There is a key exception to the third party rules suggested above. If the subject access request
relates to health records and the third party is a health professional who has compiled or
contributed to the health record (or has been involved in the care of the data subject in their
capacity as a health professional), then access cannot be refused on the grounds that the
identity of a third party would be disclosed.

HEALTH RECORDS
There is an exemption where a health professional considers that serious harm to the data
subject’s physical or mental health or condition is likely to be caused by giving access to
personal data.8
Before deciding whether this exemption applies, any data controller who is not a health
professional is obliged to consult the health professional responsible for the clinical care of
the data subject (the ‘appropriate’ health professional – there are provisions where there is
more than one such health professional or none at all).
The obligation to consult does not apply where the data subject has already seen or
knows about the information which is the subject of the request, nor in certain limited
circumstances where consultation has been carried out prior to the request being made.
There are provisions applying where a request is made by a third party on behalf of the
data subject, which apply if the data subject is a minor or mentally incapacitated.
A health record is defined in the 1998 Act as being any record which consists of
information relating to the physical or mental health or condition of an individual, and has
been made by or on behalf of a health professional in connection with the care of that
individual.

A ‘health professional’ is any of the following:

a) a registered medical practitioner (a ‘registered medical practitioner’ includes any
person who is provisionally registered under Section 15 or 21 of the Medical Act 1983
and is engaged in such employment as is mentioned in Subsection (3) of that Section);
b) a registered dentist as defined by Section 53(1) of the Dentists Act 1984;
c) a registered optician as defined by Section 36(1) of the Opticians Act 1989;
d) a registered pharmaceutical chemist as defined by Section 24(1) of the Pharmacy Act
1954 or a registered person as defined by Article 2(2) of the Pharmacy (Northern
Ireland) Order 1976;
e) a registered nurse, midwife or health visitor;
f) a registered osteopath as defined by Section 41 of the Osteopaths Act 1993;
g) a registered chiropractor as defined by Section 43 of the Chiropractors Act 1994;
h) any person who is registered as a member of a profession to which the Professions
Supplementary to Medicine Act 1960 for the time being extends;
i) a clinical psychologist, child psychotherapist or speech therapist;
j) a music therapist employed by a health service body, and
k) a scientist employed by such a body as head of department.9

8. Data Protection (Subject Access Modification) (Health) Order 2000.

REFERENCES
There is a limited exception for references in the hands of the referee. Personal data are
exempt from a subject access request if they consist of a reference given or to be given in
confidence by the data controller for the purposes of education, training or employment.
Note that the exemption does not apply in the hands of the recipient of the reference.

MANAGEMENT FORECASTING
Personal data processed for the purposes of management forecasting or management
planning to assist the data controller in the conduct of any business or other activity are
exempt from subject access. The exemption applies only to the extent to which subject
access would be likely to prejudice the conduct of the business. This includes circumstances,
for example, where a business relocation is under consideration and specific individuals are
the subject of discussion either for relocation with the business or for redundancy. A subject
access request from a data subject in these circumstances could be handled without
providing access to the planning and discussion relating to the business relocation if that
would prejudice the relocation.

CORPORATE FINANCE
This exemption applies when responding to a subject access request could reveal price
sensitive business information. Obviously it will only apply to, and in relation to, quoted
companies.
Businesses involved in providing a corporate finance service, offering underwriting or
advice on issues of shares and other instruments, are exempt from responding to certain
subject access requests. The exemption also applies to businesses generally to restrict access
to price-sensitive information so that the orderly functioning of financial markets is not
prejudiced.10

9. Section 69 of the 1998 Act.
10. Data Protection (Corporate Finance Exemption) Order 2000 (184).

NEGOTIATIONS
If negotiations are under way between the data controller and the data subject, this
exemption may apply to prevent the data subject from accessing details of the data
controller’s intentions. Otherwise, the subject access provisions would operate to force the
data controller to show his hand.
Personal data which consist of records of the intentions of the data controller in relation
to any negotiations with the data subject are exempt from the subject information
provisions. The exemption only applies to the extent that disclosure to meet subject
information requirements would be likely to prejudice those negotiations.

LEGAL PROFESSIONAL PRIVILEGE


Personal data are exempt from subject access if the data consists of information in respect of
which a claim to legal professional privilege could be maintained in legal proceedings. This
is restrictive in real terms. Legal professional privilege is not very wide; it only applies to
communication between a legal adviser and the data controller.

SELF-INCRIMINATION
A person need not comply with any request or order regarding subject access to the extent
that it would reveal evidence of criminal activity by the data controller. Disclosure to meet a
subject access request should not involve the data controller in revealing the commission of
any offence (other than an offence under the Data Protection Act) or expose them to
proceedings for that offence.

Other data subject rights

THE RIGHT TO PREVENT PROCESSING LIKELY TO CAUSE DAMAGE OR DISTRESS
Section 10 of the Act gives a right to data subjects to prevent processing likely to cause damage
or distress. The Act requires that data subjects give notice to the data controller, in writing,
setting out the reasons why processing is causing, or is likely to cause, substantial damage or
distress to themselves or another and why the damage or distress is or would be unwarranted.
The data controller then has a period of twenty-one days in which to respond either that
he has complied or intends to comply with the request or giving reasons for not complying.
A response to the effect that the data controller does not intend to comply wholly or in part
with the request must make out a case that the request is unjustified and state the grounds for
that opinion. The data subject may apply to the court for a decision as to whether or not the
continued processing – and the data controller’s decision – is justified in the circumstances.
Exceptions to this right are set out in Paragraphs 1–4 of Schedule 2 to the Act. They are:

. Where the data subject has given consent to the processing;
. Where processing is necessary for the performance of a contract to which the data subject
is a party or for taking steps preliminary to entering into such a contract;
. Where processing is necessary for compliance with any legal obligation to which the data
controller is subject, other than a contractual obligation;
. Where processing is necessary in order to protect the vital interests of the data subject.

RIGHT TO PREVENT PROCESSING FOR THE PURPOSES OF DIRECT MARKETING
Section 11 of the Act gives data subjects the right to prevent the processing of personal data
relating to them for the purposes of direct marketing. A data subject may make a written
request at any time to require the data controller to cease, or not to begin, processing their
personal data for the purposes of direct marketing. ‘Direct marketing’ means the
communication (by whatever means) of any advertising or marketing material which is
directed to particular individuals. Therefore mailshots, e-mails and telephone calls are all
included.
The Data Protection Act requires that such requests be made in writing and gives the
data controller a ‘reasonable’ period in which to amend records and mailing databases to
comply with the request.

RIGHT TO OBJECT TO AUTOMATED DECISION TAKING
A data subject has the right to object to decisions taken by automated means in
circumstances where the decision:

. Is taken by or on behalf of the company, and
. Significantly affects that individual, and
. Is based solely on the processing by automatic means of the individual’s personal data, and
. Is taken for the purpose of evaluating matters relating to them.

The requirement is for the objection to be set out in writing. Examples of areas likely to be
affected are:

. Automated recruitment systems;
. Automated marking of psychometric and other tests;
. Credit scoring.

The data controller is under a legal obligation to review the decision taken by automated
means. The reviewer must be a human being. The reviewer may concur or disagree with the
automated decision.

Rights not covered by the Sixth Principle
Other rights under the Act are not subject to the Sixth Principle. These are as follows:

RIGHT TO COMPENSATION
Any individual who suffers damage by reason of contravention of any of the requirements of
the Act is entitled to compensation from the data controller pursuant to Section 13 of the
Act. Similarly the individual is entitled to compensation if he suffers distress as well as
damage or for distress only if the contravention relates to processing of personal data for
special purposes.
‘Special purposes’ means one or more of the following:

. The purposes of journalism.
. Artistic purposes.
. Literary purposes.

Actual financial loss was recoverable under the 1984 Act if it was due to actions in
contravention of the Act. The 1998 Act has extended the right to include compensation for
damage or distress due to contravention of the Act.

RIGHTS IN RELATION TO INACCURATE DATA
A data subject may apply to the court for the rectification, blocking, erasure or destruction of
personal data relating to them on the basis that the data is inaccurate pursuant to Section 14
of the Act. This applies even when the data controller obtained the inaccurate data from a
third party or the data subject. The court may also choose to require the data controller (and
any other data controllers holding the same data) to supplement the existing data to record
the true facts as approved by the court.
Compensation may also be awarded by the court if the data subject has suffered damage
as a result of the inaccurate data.

RIGHT TO PREVENT PROCESSING OF SENSITIVE DATA
A feature of the Sensitive Data Order11 is that it gives data subjects the right to require a data
controller to cease processing sensitive data relating to them if the processing is undertaken
for the purposes of identifying and monitoring equal opportunities in relation to religious
beliefs, physical or mental health or political views.
Exercise of the right must be by notice in writing to the data controller. A reasonable
period must be stated at the end of which the data controller is required to have ceased
processing. The data controller must have ceased processing those personal data at the end
of that period.

11. The Data Protection (Processing of Sensitive Data) Order 2000 (417).
CHAPTER 20
The Seventh Principle

This chapter examines the Seventh Data Protection Principle and the interpretative
provisions relevant to the Seventh Principle contained in Schedule 1 to the Act.
Key words and phrases with a technical meaning are explained in Chapter 12 and are
important to a clear understanding of the law and guidance on this point.
The Seventh Principle is concerned primarily with the security of personal data. The
basic requirement is that appropriate security must be in place to protect personal data.
The more sensitive and confidential the data and the more harm likely to result from its
accidental loss or disclosure, the tighter security is required.
In addition to the basic security requirement there are two additional requirements. The
first relates to staff whose jobs involve the handling of personal data. Employers are under a
legal obligation to ensure that such staff are reliable. The second relates to outsourcing. Data
controllers have a legal duty to ensure that their data processors take appropriate security
measures throughout the life of their relationship. Furthermore, data controllers are
responsible for putting in place with their data processors a written contract including two
specific clauses relating to the Seventh Principle.

Basic requirement for security of personal data
The text of the Seventh Principle reads: ‘Appropriate technical and organisational measures shall
be taken against unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data.’
Note that the requirement is for appropriate security of personal data. Guidance about
determining what might be ‘appropriate’ is provided in the interpretative provisions:

. Having regard to the state of technological development, and
. the cost of implementing any measures,
. the measures must ensure a level of security appropriate to –
. the harm that might result from such unauthorised or unlawful processing or accidental loss,
destruction or damage as are mentioned in the seventh principle, and
. the nature of the data to be protected.1

The guidance reinforces the fact that this is not an absolute obligation and it spells out
the factors to take into account when assessing the ‘appropriateness’ of any security
measures.

1. This is the actual text of Paragraph 9 of Schedule 1 Part II. Author’s phrasing and use of bullet
points.

The first point is that security will depend on the state of technological development.
The appropriateness of security measures will be assessed by reference to the state of
technological development. HR managers need to keep abreast of enhancements in record-
keeping systems. Any significant improvements introduced generally need to be
incorporated into HR systems within a reasonable period of time if the department is not
to fall behind required standards.
Secondly, the cost of appropriate security measures is expressly to be factored into the
assessment of what is appropriate. It would seem that ‘appropriateness’ in relation to cost
will be influenced by the financial standing of the data controller. Costs which would be
appropriate if borne by, say, a BP or a Shell Oil might not be appropriate if the data controller
is a small business. The Information Commissioner’s view is that there can be no standard
set of security measures to meet the requirements of the Seventh Principle.2 Different
security measures will be required to meet different circumstances.
The nature of the data to be protected will dictate, to some extent, the harm that might
result from unauthorized access, unauthorized processing, loss or damage. Processing
includes the obtaining, using, holding and destroying of personal data. For example, a
greater degree of harm can be envisaged from the unauthorized disclosure of, say, sensitive
data relating to health than of straightforward personal data such as an individual’s name
and address (which might be found in a telephone directory in any event).
Sensitive categories of data are not the only types of data which might give rise to an
increased duty of care when processing personal data. For example, financial data relating
to the earnings of an employee would be regarded as confidential, and the scope for harm to
result from unauthorized disclosure is greater than if the employee’s name and address were
to be disclosed. ‘Appropriateness’ of security measures will depend on the harm that might
result from the unauthorized access, processing or destruction of personal data. The
Information Commissioner encourages data controllers to adopt a risk-based approach to
security.3
Returning to the text of the Seventh Principle, both technical and organizational
security measures are expressly required. The impact of the inclusion of paper files within
the definition of personal data (see Chapter 12) means that technical security measures
alone are not sufficient to protect personal data against unlawful access, damage or
destruction. The safeguarding of paper files requires a different approach to that employed
on computer file and database security. There is also a physical risk to personal data held in
computer files and databases which has perhaps become more apparent recently with the
spate of laptop thefts. It is no longer sufficient simply to think and plan in terms of firewalls,
password security and back-up facilities; organizational security measures are also a
necessary component of a realistic security system.

COMPLYING WITH THE SEVENTH DATA PROTECTION PRINCIPLE
The Commissioner’s view is that there can be no standard set of security measures to meet
the requirements of the Seventh Principle. Different security measures will be required to
meet different circumstances; however, the requirement is to guard against unauthorized
destruction or deletion, amendment or disclosure of personal data.

2. December 2001 Legal Guidance paragraph 3.7.
3. December 2001 Legal Guidance paragraph 3.7.

Physical security of computer equipment, paper and microfiche files is important. At
the highest level, physical security starts with the security of business premises. Within the
HR department, confidential files should be protected in lockable filing cabinets or in offices
with restricted access. A ‘clean desk’ policy encourages staff to use filing cabinets and storage
areas. Within the HR department the Employment Practices Data Protection Code provides
that employers should base security measures on the risks of unauthorized access to, or loss
or damage of, employment records.4 In particular: ‘Institute a system of secure cabinets, access
controls and passwords to ensure that staff can only gain access to employment records where they
have a legitimate business need to do so.’ 5
If computer equipment or paper files are taken out of the office, appropriate security is
required. This can be established by policies and procedures applicable to users of lap-top
computers and those employees who work from home either permanently or occasionally.
On the subject of taking work out of the office the Employment Code states: ‘Ensure that if
employment records are taken off-site e.g. on laptop computers, this is controlled. Make sure only the
necessary information is taken and there are security rules for staff to follow.’ 6
The security of personal data in transit is easily overlooked. The transmission of
personal data by fax and e-mail should be the subject of policies and procedures aimed at
ensuring security and confidentiality. HR managers need to consider the implications of
shared facilities such as printers or e-mail addresses, not just in the HR department but in
the business with which HR staff communicate. Hot-desking creates practical problems for
HR staff trying to ensure that employee personal data is received by the correct line
manager, for example. The Employment Code states: ‘Take account of the risks of transmitting
confidential worker information by fax or e-mail. Only transmit such information between locations
if a secure network or comparable arrangements are in place. In the case of e-mail, deploy some
technical means of ensuring security such as encryption.’ 7
System security may not be under the control of the HR manager. IT security tends to be
a business-wide concern with business-wide solutions such as password protection, locking
PCs, screen savers, restricted access, user-verification procedures, virus protection measures
and firewalls for Internet connections, etc. There are ISO standards8 for computer security,
and larger organizations should be applying those standards or ones equivalent to those
standards.
Maintaining appropriate levels of security depends heavily on policies and procedures.
These are only effective if they are practical and realistic, communicated properly to all staff
and policed. In particular, for the data controller to be able to demonstrate that policies and
procedures are being followed, audit is an important tool. Audit will also reveal which
procedures are impractical or inappropriate. Training is essential if staff are to understand
the reasons why policies and procedures exist. This will, in turn, help staff to remember
relevant procedures and apply them. See Chapter 6.

4. Record Management – Security, benchmark 1.
5. Record Management – Security, benchmark 2.
6. Record Management – Security, benchmark 5.
7. Record Management – Security, benchmark 6.
8. ISO 7799.

Employees and the security of personal data
The interpretative provisions state:9 ‘The data controller must take reasonable steps to ensure the
reliability of any employees of his who have access to the personal data.’
Employers have a duty to ensure the security of personal data of which they are the data
controller by reference to controlling the activities of their employees. Note that this is not
an absolute obligation: the requirement is that reasonable steps be taken. The requirement is
also a continuing one. Controls are required both prior to the employee gaining access to
personal data and on a continuing basis.
Reasonable steps almost certainly include staff training, and this is emphasized in the
Employment Practices Data Protection Code. Employers are to ensure that staff ‘are aware of
the extent to which they can be criminally liable if they knowingly or recklessly disclose personal
data outside their employer’s policies and procedures.’ 10

The Employment Code also says:11

Take steps to ensure the reliability of staff that have access to workers’ records. Remember this is
not just a matter of carrying out background checks. It also involves training and ensuring that
workers understand their responsibilities for confidential or sensitive information. Place
confidentiality clauses in their contracts of employment.

Finally, the Employment Code recommends that serious breaches of data protection rules
should be a disciplinary offence.12

Data controllers and data processors
The Seventh Principle regulates the relationship between the data controller and its data
processor(s). Where the processing of personal data is carried out by a data processor on
behalf of a data controller, the latter is under an obligation to choose a data processor able to
provide sufficient guarantees in respect of its technical and organizational security
measures. Furthermore, the data controller must take reasonable steps to ensure that the
data processor complies with those measures.
In addition there is the requirement for written contracts. Specifically, the data
controller is not to be regarded as complying with the Seventh Principle unless:

a) the processing is carried out under a contract:
i) which is made or evidenced in writing, and
ii) under which the data processor is to act only on instructions from the data controller, and
b) the contract requires the data processor to comply with obligations equivalent to those
imposed on a data controller by the seventh principle.13

9. Paragraph 10 of Schedule 1 Part II.
10. Record Management – High level management, benchmark 5.
11. Record Management – Security, benchmark 4.
12. Record Management – High level management, benchmark 5.
13. Paragraph 12 of Part II of Schedule 1.

The Principles themselves do not, prima facie, regulate the activities of data processors. The
Act provides that data controllers are subject to the Principles. The Seventh Principle applies
so that data controllers are responsible for the compliance of data processors. Appropriate
security measures are the key part of that obligation. It also means that data protection
compliance of data processors must be policed by the data controller.
In summary, the data controller is under an obligation to ensure that appropriate
security requirements are imposed on third parties which process personal data on its
behalf. This means checking that data processors have appropriate security for personal data,
or requiring guarantees that such security is in place, and putting in place a written contract
containing two specific terms. See Chapter 7 for an explanation of what constitutes a data
processor and suggested actions to take in the HR context. Chapter 8 is also relevant: it
considers the relationships between employers and benefit administrators to determine
those which are data processors.

WHAT IS A DATA PROCESSOR?
A data processor is the party that carries out the processing of personal data on behalf of
another party. It is providing a service in which it has no real interest except where it is paid
for the processing.

Technical definition of ‘data processor’
Section 1(1) of the Act reads: ‘“Data processor”, in relation to personal data, means any person
(other than an employee of the data controller) who processes the data on behalf of the data
controller.’
The prime example of a data processor is an outsource service provider such as a payroll
administrator. The employer sends payroll data to the payroll administrator at agreed
periods, and the payroll administrator generates payslips and makes payments into bank
accounts on the due date. The payroll administrator has no interest in the personal data per
se; it processes the data purely for the benefit of the data controller in return for
remuneration. It acts solely on the instructions of the data controller; it probably has no
discretion to act independently and no interest in doing so.
Another example of a data processor would be a registrar offering share registration
services, processing shareholder personal data on behalf of a listed company. Companies are
under a statutory duty to maintain registers of shareholders. This is a function which is
often outsourced to a registrar. The registrar has no interest in processing the personal data
except for the remuneration it receives from the company by so doing. The data is processed
on behalf of the company and for its benefit.
Yet another example would be a mailing house. Customer lists are supplied by the data
controller to the mailing house to effect a mailing. If mailing addresses include names or job
titles which identify the individual, then personal data is being processed. The mailing
house has no interest in processing the personal data except that it receives remuneration
from the data controller for doing so. The mailing house is a data processor in respect of the
mailing lists supplied.

Identifying data processors
It is important that data controllers are able to identify their data processor(s) because of the
statutory duty on the data controller to comply with the Seventh Principle.

A data processor will be independent of the data controller – a third party – although it
may be a sister or associated company in a group of companies. (See page 54).
Deciding whether or not a third party is a data processor is a matter of fact. The answers
to the following questions will help a data controller to decide whether or not a party is a
data processor.

. Does the party process personal data supplied by or on behalf of the data controller?

For example, a company might buy a mailing list from a third party and arrange for the list
containing personal data to be supplied direct to its preferred mailing house. The personal
data was not supplied directly by the data controller but on its behalf. This does not affect
the underlying relationship between mailing house and the data controller. The mailing
house is a data processor on behalf of the data controller.

. Is the processing undertaken on behalf of or for the benefit of the data controller?

Processing undertaken on behalf of the data controller will indicate that the processor is a
data processor. Processing undertaken for the benefit of the data controller does not
necessarily indicate that the processor is a data processor.

. Does the third party have any interest in the personal data apart from remuneration for
the service provided to the data controller?

A variety of examples are given above.

. Does the third party take decisions in regard to the personal data it processes?

The processor may be a data controller in its own right if it uses the personal data for its own
purposes or deals with it in any way that would suggest that it is the data controller.

. Is there a degree of autonomy or does the third party act only on instructions from the
data controller?
. What do the parties intend should happen to the personal data when the relationship
between them ends?

If the party is a data processor, then personal data will either be returned to the data
controller or its nominated representative or deleted. The data processor will have no
further use for the data.

THE OBLIGATION TO CHECK COMPLIANCE
To discharge its duty under the Seventh Principle in relation to data processors the data
controller must first check that the data processor has security measures in place to protect
personal data from unauthorized access, deletion or amendment. Both the adequacy and
the appropriateness of the security measures must be assessed. The Seventh Principle refers
to ‘appropriate’ measures, so there is a degree of risk assessment involved. The data
controller should first assess the risks inherent in the personal data to be disclosed to the

data processor and then assess whether or not the data processor has taken adequate steps to
protect personal data in its control.
The data controller is unable to make an assessment without information. So the first
step would be to require the prospective data processor to provide information about its
compliance with current data protection law. It should be asked for such details of its
security arrangements as it is able to provide without compromising that security.
Information should be requested about staff training on data protection issues, how
employees are supervised and the controls within which employees work to ensure that it is
satisfied as to their reliability. This may be particularly important in respect of new
employees and temporary workers.

THE CONTRACTUAL REQUIREMENT
Where personal data is processed by a data processor on behalf of a data controller, in
addition to its duty to ensure that data processors keep personal data secure, the data
controller must take specific contractual steps in order to comply with the Principle.
The data controller will not be deemed to be compliant with the Seventh Principle
unless there is a written contract in place between the parties incorporating specific terms.
Thus data processors are made subject to the security provisions of the Seventh Principle
which would otherwise not apply to them at all.
The specific contractual terms required constitute a restriction on the data processor
requiring it to act only on instructions from the data controller when processing personal
data on behalf of the data controller. There is also a requirement that it comply with
obligations equivalent to those imposed on the data controller by the Seventh Principle.
The impact of the requirement is that organizations must enter into a written contract
with subcontractors and outsource service providers where this is not already the case.
Where a contractual relationship already exists between a data controller and a data
processor the relevant clauses can usually be incorporated into the agreement by an exchange
of letters signed on behalf of the data processor to signify their agreement to the amendment.
In addition to the terms specified in the interpretation of the Seventh Principle, data
controllers may find it useful to include a reference in the contract to its obligation to
monitor compliance and to establish its right to question security arrangements and any
breaches of confidentiality and to gain access to any document it may decide is relevant in
that regard.

GROUPS OF COMPANIES AND THE SEVENTH PRINCIPLE
Data protection law does not recognize trading groups of companies. Each company must
notify separately and is deemed to be a ‘third party’ for the purposes of data protection.
Therefore companies in a group must consider their relationship with other companies in
the group on an ‘arm’s length’ basis. For example, if one company (usually a ‘service’
company) is the employing company in the group and effectively supplies staff to other,
trading companies in the group then it will be a data processor if those staff process personal
data in carrying out their job. Consider that most jobs will involve handling personal data to
some extent, especially if office-based. (See page 54).
The requirement for written contracts will apply. Even between group companies there
is no relaxation of this requirement. However, the Commissioner has suggested that such

companies seek legal advice on the possibility of entering into one contract with all group
companies as signatories in preference to a number of contracts between the service
company and each individual trading company.

DATA PROCESSORS OUTSIDE UNITED KINGDOM JURISDICTION
The wording of Paragraph 12 of the interpretative provisions is that the contract with a data
processor should require it to comply with obligations equivalent to those imposed on the
data controller by the Seventh Principle. The effect of the word ‘equivalent’ is to place data
processors located outside the United Kingdom under the same restriction as UK-based data
processors. A data processor may be outside the jurisdiction of the Data Protection Act 1998,
but if the data controller is within that jurisdiction then it must ensure that its data
processor(s) adhere(s) to security requirements commensurate with those required by the
Seventh Principle regardless of their geographic location. This is important where a data
controller uses the services of data processors located outside the EEA.

Summary
The impact of the Seventh Principle is to create a need for:

. Risk assessment of all personal data-processing activities.
. Appropriate security measures based on the degree of risk identified, state of the art and
the cost of implementation.
. Documented policies and procedures with security features.
. Staff training and communication of policies and procedures.
. Audit to ensure that policies and procedures are adequate and practical and that they are
being followed in practice.
. Identification of data processors.
. Careful vetting of prospective data processors at tender stage to check that their system
and organizational security measures are adequate.
. Written contracts with data processors. The terms of the contract must include a
requirement that the data processor act only on the instructions of the data controller in
relation to processing personal data and that it adhere to the Seventh Data Protection
Principle.
. Continued monitoring of the data processor’s performance in relation to security.
CHAPTER 21
The Eighth Principle

This chapter considers the Eighth Data Protection Principle which relates to the transfer of
personal data outside the EEA. The Principle and relevant interpretative provisions are set
out in Schedule 1 to the Act.
Key words and phrases with a technical meaning are explained in Chapter 12 and are
important to a clear understanding of the law and guidance on this point.

Interpreting the Eighth Principle
The Eighth Principle reads: ‘Personal data shall not be transferred to a country or territory outside
the European Economic Area unless that country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the processing of personal data.’

The key points to note are:

. There is a prohibition on the transfer of personal data.
. It applies outside the EEA.
. It applies unless there is an adequate level of protection for the rights and freedoms of
relevant data subjects.

The prohibition
In practice there are exemptions and exceptions which might take personal data outside the
prohibition. These exceptions cover specific circumstances set out in Schedule 4 to the Act.
This means that the prohibition on the transfer of personal data outside the EEA does not
apply if one or more of the conditions in Schedule 4 are met. The more commonly
applicable conditions are considered below.

SCHEDULE 4 CONDITIONS
Consent
A data subject may consent to the transfer of personal data relating to him or herself
notwithstanding that the transfer takes the personal data outside the EEA. Consent must be
freely given and informed. The fact of the transfer and that protection for the rights of the
data subject may not meet standards within the EEA must be communicated. There are
problems with establishing freely given consent in the HR context. (See page 21 for a full
explanation).

Where the data subject is party to a contract


A key exception to the general prohibition is where the transfer is necessary for the
performance of a contract between the data subject and the data controller. A further
condition applies where steps are taken at the request of the data subject with a view to their
entering into a contract with the data controller.
Generally this condition will apply to any transfers required pursuant to the contract of
employment. So if a transfer of employee personal data is necessary for the administration
of employee benefits and the transferee is located in a territory outside the EEA, the transfer
may be made despite the Eighth Principle. However, the transfer must be truly ‘necessary’. If
a group chooses to base its administrative functions outside the EEA, it will not be able to
argue that the transfer of employee personal data to that location is necessary: the location
of the administration function is a matter of choice, not of necessity.
This restricted interpretation1 of what is necessary has other implications. Applying the
same logic, arguably if the objectives of the contract could be achieved without transferring
personal data outside the EEA, then the transfer is unnecessary and fails to meet the criterion of
necessity and therefore the Schedule 4 condition. An illustration in the context of insurance is
helpful. If a broker seeks terms for insurance for a client, should it be restricted to underwriters
located in the EEA and prevented from approaching non-EEA underwriters? If terms can be put
forward by an EEA underwriter, then how may the broker justify approaching underwriters
outside the EEA if that approach involves the disclosure of personal data? It appears that it is
not possible for the contract condition to be relied upon in these circumstances.

Legal claims
Transfers may be made where they are necessary in connection with any legal proceedings.
The condition includes prospective legal proceedings, obtaining legal advice or establishing,
exercising or defending legal rights.
There is no requirement that the data subject be a party to the legal proceedings or
prospective legal proceedings.

WITHIN THE EEA


Countries within the European Economic Area are deemed to have an adequate level of
protection for personal data. The EC Directive on Data Protection sets the basic data
protection requirements throughout the EEA. The Directive also provides for countries
outside the EEA to be designated by the European Commission as providing an adequate
level of protection for the rights and freedoms of data subjects. This is known as the
‘presumption of adequacy’.
To date Switzerland, Hungary and Canada have been designated as providing adequate
data protection. Transfers of personal data to these countries may be effected without
further checks as to adequacy.
In the United States, the Safe Harbor arrangements have been approved by the EC as
providing an adequate level of protection, so any organization that subscribes to Safe Harbor
is deemed to provide adequate data protection.

1. ‘International Transfers of Personal Data’ published by the Information Commissioner, Paragraph 8.3.

Countries within the European Economic Area

Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy,
Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden.

The Channel Islands and the Isle of Man are not part of the EEA.

ASSESSING ADEQUACY
If none of the conditions in Schedule 4 applies and the country in which the intended
transferee of the personal data is located has not been presumed adequate, the data
controller must make its own assessment of adequacy. The data controller must assess the
adequacy of protection for data subjects’ rights and freedoms both in the territory where the
transferee is located and as offered by the transferee organization.
Certain circumstances may help to establish adequacy: for example, if the transfer is
one between a data controller and its data processor and an appropriate contract is in place
to meet the requirements of the Seventh Principle. (See Chapter 20). It may help to
establish adequacy if the transfer is one within an international group of companies and
agreed standards of data processing apply. If the transfer is being made within an industry
sector where professional rules or a code of conduct apply, this may also be factored into
the assessment of adequacy. The Information Commissioner pointed out that these
circumstances in themselves could not be relied on completely to establish adequacy but
that they would count in favour of (or against) a final assessment of adequacy.2
This interpretation may be at least partially incorrect. The relationship between a data
controller and a data processor is regulated by the Seventh Principle. It requires, inter alia,
that the data controller:

. Investigate the data processor’s security measures for the processing of personal data.
. Restrict the processing of personal data processed on its behalf so that the data processor
may only act on its instructions.

Given these two conditions, no other circumstances would appear to be relevant to the
decision relating to adequacy.

The adequacy test


The factors relevant to a decision about ‘adequacy’ are set out in the interpretative
provisions, which state:

An adequate level of protection is one which is adequate in all the circumstances of the case,
having regard in particular to:
a) the nature of the personal data,
b) the country or territory of origin of the information contained in the data,
c) the country or territory of final destination of that information,
d) the purposes for which and period during which the data are intended to be processed,
e) the law in force in the country or territory in question,
f) the international obligations of that country or territory,
g) any relevant codes of conduct or other rules which are enforceable in that country or territory
(whether generally or by arrangement in particular cases), and
h) any security measures taken in respect of the data in that country or territory.3

2. ‘Transborder dataflows’ published by the Information Commissioner in July 1999, Paragraph 11.5.

The Information Commissioner has issued guidance amounting to a recommended
procedure to assess adequacy.4 The ‘Adequacy Test’ is to be applied if a proposed transfer
does not fall within one of the exceptions in Schedule 4 and that transfer is to an organization
located in a territory which has not been approved by the European Commission. In these
circumstances, the following steps are considered the Good Practice Approach:

1) Consider the type of transfer involved and whether this assists in determining adequacy,
for example if the transfer is within an industry sector where professional rules or
standards apply (underwriters, for example) or is a transfer within an international group
of companies. Although this will not establish adequacy prima facie, it may go some way
towards it because the data controller has a level of knowledge about the security and
procedures within the transferee company and may have an ongoing relationship which
both parties will wish to protect.
2) Consider:
. The nature of the personal data (consider sensitive personal data in particular).
. The country or territory of origin of the personal data.
. The purposes for which and period during which the data are intended to be processed.
. The harm that might result from improper processing.
. The law in force in the country or territory in question.
. The international obligations of that country or territory.
. Any relevant codes of conduct or other rules which are enforceable in the country or
territory.
. Any security measures taken in respect of the data in that country or territory.
. The extent to which data protection standards have been adopted.
. Whether there is a means of ensuring the standards are achieved in practice.
. Whether there is an effective mechanism for individuals to enforce their rights or
obtain redress if things go wrong.
3) Think whether there are any circumstances in your knowledge or that of others involved
in the proposed transfer which indicate to you that it is not appropriate to make the data
transfer: for example, if you are aware of breaches of confidentiality at the transferee
company or other data security problems.

Use of contracts
In addition, contractual terms may be used to supplement the security of personal data
transfers. However, unless you are able to use the standard terms approved by the European
Union and the Information Commissioner, it is unlikely that a non-standard contract
(i.e. not one approved in full by the EC or the Information Commissioner) would legitimize
a transfer of personal data outside the EEA unless the adequacy test risk assessment also
yields a positive result.

3. Schedule 1 Part II Paragraph 13.
4. ‘Transborder dataflows’ published by the Information Commissioner in July 1999.

The issues you should seek to cover in a non-standard contract are:

. Purpose limitation – restricting the purpose(s) for which the personal data supplied can be
processed.
. Security – requiring appropriate technical and organizational security measures be taken
by the disclosee.
. Restrictions on onwards transfers.
. Additional safeguards for sensitive personal data.

Notice of inadequate protection


Even if the transfer has been justified by one of the Schedule 4 conditions, or is being made
to an approved territory or following a positive adequacy finding, consider whether there
are any circumstances in your knowledge or that of others involved in the proposed transfer
which indicate to you that it is not appropriate to make the data transfer. For instance, if you
are aware of breaches of confidentiality at the transferee company or of other data security
problems, any transfer of personal data may be in breach of the Eighth Principle.

Summary
. Transfers within the EEA are authorized.
. Transfers to countries which have been approved by the European Commission are
likewise authorized, currently Hungary, Canada or Switzerland.
. Transfers to the United States to companies which subscribe to Safe Harbor are approved.
. Other transfers must be authorized by the adequacy test unless one of the conditions in
Schedule 4 is met.
CHAPTER 22 The Information Commissioner

The role of the Data Protection Registrar was created by the Data Protection Act 1984. The
first incumbent, Eric Howe, was given a choice of location for the new Data Protection Office
and selected Wilmslow because that was where he lived. The Registrar’s Office was set up to
be an independent regulatory authority, and that remains the case.
The EC Directive on Data Protection [95/46/EC] was published in final form in 1995. It
was intended to harmonize data protection regulation throughout the member states of the
European Union. A deadline for member states to implement its provisions was set for
October 1998. The Data Protection Act 1998 was the British implementation; interestingly,
several EU member states are still to bring in appropriate legislation. One of the
requirements of the Directive was that member states should appoint a Data Protection
Commissioner, so the 1998 Act changed the name of the Data Protection Registrar to
that of Commissioner. With the introduction of the Freedom of Information Act 2000 the
name changed again, to that of Information Commissioner.

Structure of the Office of the Information Commissioner


The Commissioner is supported by a team of approximately 130 staff in the following
departments:

. The strategic policy group, the drivers in the development of data protection guidance.
. The freedom of information group.
. The compliance department, including the enquiry line.
. The legal department.
. The investigations department, exclusively staffed by ex-policemen.
. The notification department, responsible for maintaining the register of data
controllers.
. The marketing department.

RESPONSIBILITIES AND FUNCTIONS


These are set out in the Data Protection Act 1998. In general terms, the Office is responsible
for data protection and freedom of information in the United Kingdom. Its duties include
carrying out assessments of compliance. These are investigations of the circumstances of
processing activity carried out at the request of an individual or organization (not
necessarily a data subject of the organization under investigation). At the end of the
investigation the Office will issue its formal assessment of the compliance or non-
compliance of the activity complained of and any data subject who believes they have been
disadvantaged by the processing is at liberty to take up the matter in the civil courts.
Assessments are not necessarily linked to legal enforcement action.
Organizations can be compelled to cooperate with an assessment. If the Office requests
information to facilitate the assessment and the organization fails or refuses to comply, the
Office has a power under Section 43 to require the information to be provided. Failure to
comply with such a notice would be a criminal offence under Section 47.
The Commissioner is also under a duty to promote the development and use of codes of
practice. Codes of practice may be European or national. There is a working party (the
Article 29 Working Party) which considers codes and proposed codes at the European level.
An example of a code under consideration is the IATA Recommended Practice 1774 on data
protection in relation to international air transport.
At national level, some codes have been drafted by trade associations with input from
the Office. The ABI code for insurers includes standards for data protection approved by the
Commissioner. Other codes have been initiated by the Commissioner, such as the
Employment Practices Data Protection Code.
The Information Commissioner’s Office is also responsible for issuing guidance on data
protection issues in response to demand from industry. Some examples include:

. Legal guidance on the Act issued in December 2001.
. A guide to data protection auditing issued in December 2001.
. An educational CD-ROM ‘the Plumstones’ issued for use in schools.

There is also the enforcement activity of the Office. To date the enforcement procedure has
only been used after negotiation has failed to persuade a data controller to amend its
personal data-processing activities. There are signs that the Office is starting to take a
tougher line with enforcement. Once an enforcement notice is issued, non-compliance is a
criminal offence under Section 47 of the Act.
Finally, there is the duty to maintain the register of data controllers. The notification
process has been streamlined. It is possible to notify online as well as by telephone. The
process involves a standard template based on the data controller’s industry. Data
controllers should check the activities outlined before signing and resubmitting the forms
for registration. The register is publicly available information. Again, it can be accessed via
the Internet. The registration department has issued updated guidance (based on the 1998
Act and notification regulations) on notification requirements and how a data controller
can identify whether or not it needs to notify.
CHAPTER 23 Notification

If you are required to notify, it is a criminal offence to fail to do so. Similarly any changes in
activities must be notified to the Registrar; again, failure to do so is a criminal offence.
It is unlikely that HR activity alone will determine whether or not an organization
should be registered for data protection. The rules and exemptions from notification apply
to the business activities of the organization and notification or registration for purposes of
employment administration will naturally follow from the need to register at all.

As a general indication the following organizations will need to be registered:

. Complex organizations involving groups of companies which ‘share’ personal data. This
will include organizations where there is one service or employing company and one or
more trading companies. The normal operation of the business will require that personal
data is shared between the employing company and the trading company(ies) for work
planning and management.
. Organizations providing the following services:
– Advertising agency.
– Accountancy and auditing.
– Legal services.
– Credit referencing, debt administration and factoring.
– Crime prevention and the prosecution of offenders.
– Education.
– Financial services.
– Health administration and the provision of health services.
– Marketing.
– Mortgage, insurance-broking and insurance administration.
– Pastoral care.
– Pensions administration.
– Private investigation.
– The trading and sharing of personal data.
. Organizations with responsibility for CCTV.
. Organizations which use credit reference information or trade and/or share personal
data.
. Organizations which market goods and services using personal data obtained from a
third party (i.e. buy in mailing lists or undertake promotions to their customers jointly
with other companies) or which market goods and services on behalf of third parties or
clients.
Exemptions
The small business exemption (or ‘core business exemption’) applies where the organization
only processes personal data for:

1) Advertising, marketing and PR only in relation to its own goods and services.
2) Administration of customer/client and supplier records.
3) Staff administration.

There is an exemption from registration for organizations whose personal data is held not
on computer but in paper files only.
There is a further exemption for charitable organizations. It applies where the data
controller is a not-for-profit organization and processes personal data only for the purpose of
establishing and maintaining records of membership and of those with whom it has regular
contact. The exemption also allows administration of employees, accounts and record-
keeping and limited advertising and promotional activity directed solely towards its own
members.

How to register or notify


Registration can be instigated by telephone or online. Registration entries are based on a
standard template for each industry, so it is important to check that it covers all the
organization’s personal data-processing activities.
Registration entries should also be checked regularly against personal data processing
activities to pick up those changes to activities which are notifiable.
CHAPTER 24 Criminal offences

The following criminal offences are created under the Data Protection Act 1998:

. Failure to notify or register with the Data Protection Register when processing activities
involving personal data are such that registration is required.1 (See Chapter 23 for an
explanation of when notification is required).
. Failure to keep the notification up to date with current personal data processing activity.2
It is a defence if the person charged with the offence can show that they exercised all due
diligence to comply with the requirement to keep the notification up to date and
accurate.
. The unauthorized disclosure or obtaining of personal data.3
. Requiring candidates for employment to apply to the police for a copy of their criminal
record, if any, using the subject access right in the Act.4

The Freedom of Information Act 2000 includes the facility to bring in a new data protection
offence. Anyone employed by a public authority who deletes or destroys records in order to
frustrate a subject access request could be guilty of an offence under the Act once the section
has been implemented.

Liability for data protection offences


Companies can be guilty of the offences in the Act, such as failure to notify.
The offences can be committed by individuals, and include the unauthorized disclosure
or obtaining of personal data. For example, a police officer who accesses the Driver and
Vehicle Licensing Authority records for a private purpose not connected with police activity
will be guilty of an offence. In such circumstances the police authority might not be guilty
of the same offence if it can show that individual employees were given training about
authorized disclosures and the misuse of personal data and that there were procedures in
place to discourage unauthorized activity.
A director, manager or officer of a company can be liable for Data Protection Act
offences5 if they consent to or connive at the commission of the offence or if the offence can
be shown to be attributable to any neglect on their part.

1. Section 21 Data Protection Act 1998.
2. Section 21 of the Act.
3. Section 55 of the Act.
4. Section 56 of the Act.
5. Section 61 of the Act.

Penalties
On summary conviction, the limit is a £5,000 fine; on indictment, it is unlimited.
Index

abuses, of personal data 2 Chater, Robin E.J. 2


access rights see data subject access requests Chinese walls 8, 36, 50
Access to Medical Reports Act (1998) 68 company car 47
accessible record, definition of 84 company credit cards 71–2
accuracy, of personal data compensation, right to 11, 122, 128–9
Employment Code on 118 compliance assessments 143–4
ensuring 20 compliance reports 45
examples 117 computer files
inaccurate data, rights in relation to 12, retention policy for 61
122, 129 security of 19, 41, 54
job application forms 115–16 confidentiality
published guidance on 116 Data Protection Act (1998) 1
adequacy to purpose, of personal data joint ventures 59
111–13 medical testing 69–70
agency recruitment references 8
organization, identification of 28–9 security arrangements for 19, 40
suggested actions 29 and staff training 37
terms of business 28 consent, in employer/employee relationship
see also recruitment definition of 93
AMRA see Access to Medical Reports Act employment contracts, consequences for
(1998) 22
application forms see job application forms fair processing, conditions for 22–3
Article 29 Working Party 21 international groups of companies, issues
audit for 56
findings, acting on 9 marketing, consequences for 22, 23, 73,
guidelines 8–9 74
importance of 132 medical testing 69
staff training on 38 and new processing purpose 22
audit trails, on computer systems 9 personal data, transfer outside EEA 21, 22,
automated data processing 23, 138
and abuse of personal data 2 refusal, procedure for 92–3
disclosure of logic of 123 sensitive data 21–2
automated decision-taking, right to object suggested actions 23
to 11, 13, 128 unreliability of freely given 18, 21, 22–3,
92–3
CCTV Council of Europe Convention (European
Code of Practice, on retention periods 35, Treaty Series 108) 1
120–21 crèches 49, 50
data controller, responsibility of 34 credit reference checks 113, 117
images, data subject access to 10 criminal convictions, retention of
and personal data 78 information on 62
signage, required wording for 34 criminal investigations, disclosure of
suggested actions 35 personal data in relation to 64
suggested policies criminal offences, under Data Protection Act
images, disclosure of 35 (1998)
physical security, of tapes 35 liability 147
quality of images 35 penalties 148
use of 16, 30, 31, 33 staff training on 36, 37, 39–40
criminal records, access to 24–5 Data Protection Registrar 2


Criminal Records Bureau 25 see also Information Commissioner
data subject, definition of 1, 79
data controller data subject access requests 39
and data subject, balance between automated processing, disclosure of logic
legitimate interests of 94–5 of 123
definition of 3, 79–80 CCTV images 10
future intentions and opinion of 78 coded information, disclosure of meaning
identification of 13, 102 of 123
legal obligations of 93–4, 135–6 entitlements, of subject 123
responsibilities of 36 exceptions to requirement for compliance
data controller/data processor relationship corporate finance 13, 126
42–3, 86, 133–7 health records 125–6
data processor legal professional privilege 127
definition of 42–3, 80, 134 management forecasting 13, 126
employing company as 54 negotiations, prejudicing of 13, 127
identification of 13, 43, 134–5 references 126
outside UK jurisdiction 137 self-incrimination 127
data protection, definition of 39 sensitive data 1
Data Protection Act (1984) and staff training 36
Data Protection Registrar, creation of third parties, data relating to 124–5
143 fees for 123
introduction of 1 procedure for 12–13, 124
Data Protection Act (1998) data subject information
accessible record, definition of 84 additional relevant information,
criminal offences under 147–8 disclosure of 13–14
data controller, definition of 79–80 data controller, identification of 13, 102
data processor, definition of 42, 80 examples from Employment Code 106
data subject, definition of 79 exemptions from 106
definitions, sources of 85 intended processing purposes, disclosure
and EC Directive on Data Protection 1, of 13–14, 102
143 marketing, fairness of 105–6
EEA, definition of 81 meaning of 3
HR-related data, conditions for processing other relevant information 103
15–16 prominence of 105
notification, meaning of 83 recommended actions 107
personal data, definition of 78–9 sample wording
processing, definition of 80 for employee 14
relevant filing system, definition of 81–3 for job candidate 14–15
sensitive data, definition of 15–16, 83–4 for pension scheme member 14
service providers, statutory duties of 44 subject information notices 103–4, 105
data protection awareness 37 suggested actions 15
Data Protection Commissioner 2, 143 telephone marketing 106
see also Information Commissioner third parties, information obtained from
Data Protection Directive (95/46/EC) 1, 103–4
143 timing of 104
Data Protection Principles 2, 18–19 data subject rights 86
and Employment code 87–8 automated decision-taking, right to
fair and legal processing, checks for 19–20 object to 11, 13, 128
introduction to 86–8 compensation, right to 11, 122, 128–9
personal data damage or distress, right to prevent
ensuring accurate, relevant and not processing causing 11, 13, 127–8
excessive 20, 115–16 direct marketing, right to prevent
keeping up to date 20, 116–17 processing for purposes of 10–11, 13,
not keeping longer than necessary 20, 128
119–20 guidelines for 8
security checks 19 inaccurate data, rights in relation to 12,
Data Protection Register 108–9, 144 122, 129
interpreting 122 employee reliability 19, 130, 133


sensitive data, right to prevent processing employee surveillance 2
of 122, 129 see also CCTV; monitoring
staff training 36 Employment Code 22, 23
suggested actions 13 abuses, of personal data 2
see also data subject access requests accuracy 118
deceit, and obtaining of information 8, 36 agency recruitment 28–9
disciplinary procedures 7 CCTV, use of 34–5
disclosures, permissible 40–41 data protection management 2, 7–9
document retention and Data Protection Principles 24
CCTV images 35, 120–21 benchmark standards, and enforcement
computer files 61 action 87
monitoring issues 34 data subjects, range of 87
not longer than necessary 20, 119–20 personal data, scope of 87–8
policy on 7, 9, 20 as published code of practice for
recruitment files 26, 91 complying with the Act 87
retention periods 61–2, 111–12, 120 sections of 88
duplication, of records 1 data subject rights 10–13
Durant v FSA case 82–3 disclosure of employee information 64,
66
e-commerce, and need for data protection 1 document retention periods,
e-mail, monitoring of 30, 31, 32–3, 132 recommended 61–2, 120
EC Directive on Data Protection (95/46/EC) employee reliability, and security of
1, 143 personal data 130, 133
EEA, and prohibition of transfer of personal fair processing 91
data outside medical insurance schemes 47
adequacy, presumption of 139 medical testing 68
Adequacy Test 55, 56, 57–8, 140–41 monitoring activities 30–34, 71
consent, issue of 21, 22, 23, 56, 128, 138 principles, interpretation of 19
contracts, use of 56, 141–2 record keeping 61–3
EEA countries 81, 139–40 recruitment 24–8
exemptions from security 132
consent 138 staff training 36–41
contract, data party subject to 56, 138, vetting procedures 113–14
139 employment contracts, and EEA transfers
legal claims 139 56, 138, 139
inadequate protection, notice of 142 Employment Practices Data Protection Code
interpreting 138 see Employment Code
legitimizing transfer, options available for equal opportunities monitoring, and
55–6 sensitive data 17, 62–3, 98, 100
Safe Harbor scheme 55 European Economic Area see EEA
suggested actions 57
terms of transfer, suggested 56–7 fair processing, requirement for
employee administration 61–72 consent, issue of 92–3
employee benefits 9, 46–53 contractual obligations 93
employee data data controller, legal obligations of
adequacy to purpose 111–12 93–4
disclosure of data subject, protecting vital interests of
external versus internal 64–5 94
non-routine requests from outside justice and government functions,
agencies 64 administration of 93–4
required by law 64 legitimate interests of data controller and
publication of data subject, balance between 94–5
issues to address in policy and suggested actions 101
procedures for 66 see also sensitive data, fair processing of
procedural elements 66 fairness, assessment of 89–90
suggested actions 66 fees, for data subject requests 123
suggested actions 66 France, Elizabeth 18, 82–3
fraud prevention 2, 63 Lawful Business Practices Regulations 30, 33


see also CCTV lawful processing, meaning of 15–16,
Freedom of Information Act (2000) 124, 89–90, 109
143, 147 line managers, training for 8, 36–8

Guide to Data Protection Auditing

Index

(Information Commissioner) 8–9
health and safety
  records kept for 66
  suggested actions 67
health insurance 47
health professional, definition of 125–6
Howe, Eric 143
Human Genetics Advisory Commission 70
Human Rights Act (2000) 90

inaccuracy, data subject rights in relation to 12, 122, 129
Information Commissioner
  adequacy, assessing 140–41
  consent issue, interim solution to 18, 21, 22–3
  Data Protection Registrar, creation of 143
  openness of monitoring 32
Information Commissioner’s Office 2
  codes of practice, development and use of 144
  compliance assessments 143–4
  enforcement activity 144
  guidance, issuing of 144
  referral to 13
  register of data controllers, maintenance of 144
internet usage, monitoring of 30, 31
interview notes 24, 26–7
interview policy and guidelines 8
ISO standards, for system security 132
IT security policy 19

job application forms
  and accuracy of personal data 115–16
  recruitment decision, relevance of information to 91, 112
  review of 27–8
  secure processing of 24
  statement of person(s) to whom information to be provided 24
  see also recruitment
joint ventures
  confidentiality 59
  ‘Corporate Finance’ exemption 58
  management planning exemption 58
  personal data, caution over disclosure of 59
  preliminary discussions 58–9
  suggested actions 59–60

marketing, to staff
  affinity branding 73
  clause wordings
    opt-in clause 73
    opt-out clause 73
  and consent 22, 23, 73, 74
  and data subject rights 10–11, 13, 128
  and fairness 105–6
  legitimate interests of data controller and data subject, balance between 94–5
  suggested actions 73–4
medical conditions, disclosure of 46
medical insurance 46–7
medical testing
  circumstances of 67–8
  confidentiality 69–70
  consent, requirement for 69
  drug/alcohol use, testing for 70
  Employment Code, impact of 68
  genetic testing 70
  for health and safety 69
  personal data obtained, relevance of 69
  prospective versus current employees 68
  and risk assessment 68
  sensitive data, processing of 69
  suggested actions 71
membership application forms 46
mergers and acquisitions see joint ventures
monitoring
  authorized person, identification of 30–31, 33
  business need, identification of 31, 33
  CCTV, use of 34–5
  communications 30, 32–3
  corporate facilities, use for private purposes 32–3
  covert 31–2, 33
  credit card statements, checking of 71
  documenting reasons for 33
  employee rights, taking into account 33
  impact of 31, 33
  information obtained, relevance of 32
  information retention policy 34
  monitors, training of 31, 33
  of performance 30
  privacy, respect for 31
  specific problems, responding to 32
  suggested actions 33–4
  by third parties 33

notification
  exemptions 146
  meaning of 83
  methods of 146
  organizations required to register 145

occupational health screening 47
Opinion (8/2001) 21
outsourcing
  and agency recruitment 28
  contractual terms 44
  data processor
    definition of 42–3
    identification of 43
  security arrangements 42, 44, 45, 46, 50–51, 54, 136
  and security of personal data 130
  service providers, queries to raise with 43–4
  suggested actions 44–5
  third-party HR service providers 9
  written contract, requirement for 42, 46, 54, 136
  see also data controller/data processor relationship

paper files
  relevant filing system, definition of 81–3
  security of 1, 19, 41, 81–3
pension schemes
  administration, outsourcing of 50–51
  Chinese walls, need for 50
  deed of wish forms 51
  pension fund administrator, as data controller and processor 43
  sensitive data, sharing of 96
  suggested actions 51
  trustee bodies 50
performance monitoring 30
personal data, definition of under 1998 Act 78–9
personal expenses, taxation of 71
phone calls, monitoring of 32–3
Principles see Data Protection Principles
privacy, right to respect for 90
processing, definition of 80
psychometric tests, use of 2, 25

record keeping
  disciplinary, grievance and dismissal 62
  document retention policy 61–2
  equal opportunities monitoring 62–3
  fraud prevention 63
  practices 49
  suggested actions 63
recruitment
  consistency when shortlisting 24
  criminal offences, and access to criminal records 24–5
  information following interview, relevance of 24
  interview notes, access to 24, 26–7
  policies and procedures 9
  pre-employment vetting 25–6, 49, 113–14
  psychometric tests, use of 25
  recruitment decision, relevance of information to 24, 112
  recruitment files, retention of 26
  sensitive data, ensuring conditions for 24
  suggested actions 27–8
  see also job application forms
references 25
  confidentiality of 8
  data subject access requests 126
  requests to employer for 64
registration see notification
Regulation of Investigatory Powers Act (2000) 30, 33
Rehabilitation of Offenders Act (1974) 25, 62
relevant filing system, definition of 81–3
research purposes, data held for 100, 109–10, 119–20
retention see document retention
rights see data subject rights

Safe Harbor scheme 55, 83
security
  appropriateness of
    costs 131
    data, nature of 131
    meaning of 130
    organizational and technical security measures, requirement for 131
    technological development, state of 131
    unauthorized access, harm resulting from 131
  CCTV tapes 35
  compliance measures
    audit, importance of 132
    data in transit 132
    physical security 131
    system security 132
    working at home 132
  of computers 41
  and contractual requirements 42, 46, 54, 136
  of paper files 1, 19, 41, 81–3
  policy for 7–8
  of recruitment information 26
  regular review of 19
sensitive data
  confidential counselling services 99
  and consent, issue of 18, 21, 96, 101
  crèches 49
  data subject or another, protecting vital interests of 96–7
  data subject rights in relation to 122, 129
  definition of 15–16, 83–4
  equal opportunities monitoring 17, 62–3, 98, 100
  fair processing of 17–18, 21–2
  insurance business 100
  justice and government functions, administration of 8
  legal rights 97–98
  medical purposes 46, 69, 98
  non-profit-making bodies 97
  pension schemes 96, 100
  police 100
  political opinions 100
  public domain, information already in 97
  recruitment 24
  research 100
  restricted processing of 101
  suggested actions 18
  unlawful acts, prevention or detection of 99
Sensitive Data Order (2000) 99–100, 122, 129
service company, acting as to trading group
  computer equipment, use of 54
  contractual terms 54–5
  data controller, trading company as 54
  data controller/data processor relationship 136–7
  data processor, employing company as 54
  security arrangements 54
  suggested actions 55
  written contract, requirement for 54
share registration services 42
sick leave, long-term and medical testing 67, 68
social clubs 51–2
staff handbook 33, 38
staff training
  briefing note, sample for HR personnel 39–41
  cycle of improvement, establishment of 36–7
  data compliance issues, briefing on 9
  data controller, responsibilities of 36
  employee reliability, and security of personal data 130, 133
  employers, responsibilities of 36
  induction training 38
  issues covered by 36
  new staff, monitoring of 9
  as ongoing 38
  policies and procedures, familiarization and reinforcement of 37–8
  social club secretaries 52
  specialist training 38
  suggested actions 38
  supervision and audit 38
subject access see data subject access requests
subject information see data subject information
subject rights see data subject rights

trading groups of companies see service company, acting as to trading group

up-to-date, keeping information 20, 116–17
Use of Personal Data in Employer/Employee Relationships, The (Chater) 2

vetting procedures 25–6, 49, 113–14

work in the community 52–3
