CHAPTER 1 Introduction
Data protection law was first introduced in Britain with the Data Protection Act 1984. It was
enacted as a result of a Council of Europe Convention [European Treaty Series no. 108, the
Convention for the Protection of Individuals with regard to Automatic Processing of Personal
Data] and enabled the United Kingdom to sign up to a European treaty on trans-border data
flows. The reason for the introduction of data protection was therefore participation in the
beginnings of e-commerce rather than any desire to introduce a right of privacy.
The Data Protection Act 1998 repealed and replaced the 1984 Act, and the new Act was, once
again, driven by the European Community. The Data Protection Directive [95/46/EC] had to be
implemented into national law by October 1998. This time the Act, reflecting the articles of
the Directive, goes much further towards creating a privacy law in the United Kingdom.
. Many personnel records are held on paper. Paper or manual files were not previously
subject to data protection law; the 1984 Act only applied to information held and
processed by electronic means, whereas the 1998 Act also covers paper records held in a
structured ‘relevant filing system’. ‘Processing’ is defined widely to include obtaining,
organizing, holding and deleting or destroying information. (For a more detailed
consideration of defined terms, see Chapter 12).
. Employee personal data are often held or duplicated outside the HR department: for
example, appraisal material and sickness records are often held by line managers.
Speculative CVs may be received by line management and retained or passed between
managers without adequate control.
. The sensitivity of data held by the HR department makes it a likely target for data subjects’
questions (a ‘data subject’ is the individual to whom personal data relates). The 1998 Act
classifies certain information as ‘sensitive’; personal data relating to health, race, religion
and trade union membership is subject to more stringent regulation. In addition, HR
departments handle data such as information about salaries, promotions and employee
performance, all of which an employee would perceive as sensitive and which must be
dealt with in confidence.
. The employer owes a duty of confidentiality to its employees. Therefore a high level of
security and personnel staff reliability must be ensured.
Arising from the report, the Information Commissioner’s Office has issued an Employment
Practices Data Protection Code (referred to as ‘the Employment Code’). The Employment
Code sets standards for the obtaining and processing of personal data within the
employment arena. It applies to every employer. The employer is held responsible for all
use of personal data relating to its employees, whether formally (within the HR department)
or informally, for instance in papers held by managers. In addition, the processing of
employee personal data must be undertaken in accordance with the Data Protection
Principles (referred to as ‘the Principles’). The Principles set out the requirements relating to
confidentiality, security and the fair processing of personal data – the elements of data
protection law. The Principles are considered in detail in Part II of this book.
In dealing with the issues identified in Robin Chater’s report – such as recruitment
practices, monitoring employee communications, record-keeping and medical testing –
the Employment Code provides detailed guidance on how the Office sees the Principles
applying to HR activities. It is therefore an invaluable indication of how the regulator
interprets and applies the Principles in relation to HR administration.
The Data Protection Act 1998 raises serious issues for HR management. Outsourcing is
particularly common in relation to the administration of employee benefits, perhaps
because the employer seeks to concentrate on its key business activities and chooses to allow
other, ‘more expert’, organizations to handle non-key functions such as payroll, pensions
administration and fleet management. The outsourcing of functions involving the
processing of personal data is the subject of a new statutory duty (under the Seventh
Principle) requiring checks to be made on the adequacy of the security in place to protect
personal data at the third-party service supplier’s offices and systems. It is also a
requirement to have a written contract with third-party service suppliers who process
personal data on behalf of the data controller, with specific clauses covering data
protection issues.
1. The Data Protection authority in the UK has undergone several changes of name. Initially the Data
Protection Registrar, the title changed to Data Protection Commissioner with the introduction of
the Data Protection Act 1998. It changed again to Information Commissioner when responsibility
for overseeing the implementation of the Freedom of Information Act 2000 was given to the Office.
Another key issue for HR relates to the requirement to provide data subjects with
specific information about the data controller before they supply any personal data, known
as ‘subject information’. (The ‘data controller’ is the organization initiating the processing
of personal data, and in the HR context this is normally the employer). This means first
identifying and documenting the purposes for which personal data will be used in the
employer/employee relationship. In some cases, identifying the extent of the use of personal
data in the HR arena will be an issue in itself: examples include the chairman’s use of home
addresses to send Christmas cards to key managers and staff, or the distribution of
promotional material advising staff of offers on company goods and services or those
of other companies. If the employee was not informed that their personal data would be
used for these purposes, there is every chance that the employer would be breaking the law if
it allowed personal data to be so used.
All these issues and more are considered in the following chapters. Part I looks at HR
activities and highlights the data protection implications of each. It is organized into
chapters which correspond to HR functions such as recruitment, monitoring, employee
administration and employee benefits. The chapters are split into sections: for example, the
chapter on employee benefits includes sections on pension schemes, crèches, social clubs
and work in the community as well as a general one providing an overview of employee
benefits and the data protection implications they raise. Part I raises suggested action points
in each section which can be used to check your company’s compliance with the
requirements of the Data Protection Act and also for future verification. Draft wordings for
data protection notices and statements are included, and the elements of suggested policies
and procedures outlined.
Part II considers each of the Data Protection Principles in turn, starting with the legal
requirements and working through to their potential impact on HR activities. It provides a
technical view of the Act and its requirements. A thorough introduction to the Act for those
unfamiliar with its provisions, it is also a useful reference for HR professionals already
familiar with the Act wishing to explore key areas in depth to find solutions to particular
problems or identify alternative solutions to those suggested in Part I. If, for example,
compliance with a data subject access request raises particular problems for the
organization, refer to Chapter 19, ‘The Sixth Principle’, which considers subject rights
and exemptions from the need to comply.
Some of the material is duplicated across Parts I and II, but each part adds value in its
own way as they start from different standpoints. Part I starts from the HR standpoint and
considers the impact of the law on HR activities, while Part II starts from the legal
standpoint and considers the law using examples taken from the HR environment.
PART I Actions for employers
CHAPTER 2 Managing data protection
The Employment Practices Data Protection Code (‘the Employment Code’) emphasizes the
importance of identifying within the organization an individual who is responsible for data
protection compliance in relation to Human Resources. At the highest level, this individual
is responsible for ensuring that other managers – within and external to HR – are aware of
the employee personal data they hold. Furthermore, they should promote policies and
procedures to encourage best practice when handling employee personal data. This may be
achieved by providing training for all staff whose jobs involve the handling of such data as
well as by implementing policies and procedures to meet the requirements of the
Employment Code.
1) Policies on the disclosure of personal data (covering internal and external disclosures)
including:
. Legal obligations on the organization to disclose, for example to meet Inland Revenue
requirements or to provide information to company auditors.
. Cases in which the employee will be informed of the request for disclosure.
. Checks to carry out on credentials of those seeking disclosure.
. The position regarding the disclosure of sensitive data.
. The position regarding disclosure which would involve transfer of personal data
outside the European Economic Area.
. The review of non-regular disclosures.
2) Policy on how spent disciplinary notices are handled (part of disciplinary procedure).
3) Document retention policy, including deletion and destruction guidelines.
4) Personal data security policy including:
. Guidelines for using fax and e-mail to transmit confidential information.
. The use of laptops and homeworking generally.
. The security of paper files.
. Audit trails.
. The use of shared facilities.
5) Subject rights procedures.
6) Interview policy and guidelines.
7) Policy on the provision of confidential references.
The Employment Code recommends that serious breaches of data protection policies should
be a disciplinary offence, to impress on staff the importance of compliance.1
Staff training
Staff training needs to cover the following as a minimum:
Audit
The full extent of personal data processing activities within the Human Resources function
can best be identified by undertaking an audit of the HR department. An audit is key to
identifying what subject information should be provided to staff and prospective job
candidates and to checking that all processing of personal data currently under way meets
the requirements of fair processing. The compliance actions suggested in subsequent
chapters assume that a good knowledge of the processing activity undertaken in the
department has been established. The Employment Code also recommends that an
assessment is made of existing employee personal data, identifying who is responsible for
the data.3
The Employment Code clearly indicates that some audit activity is required to ensure
procedures are being followed.4 The Information Commissioner recommends audit as a tool
to identify the effectiveness of current policies and procedures. Suggested audit guidelines
have been set out in Guide to Data Protection Auditing published by the Information
SUGGESTED ACTIONS
Designate one person responsible for data protection compliance in relation to personnel
management and records. The following are the suggested actions to be carried out by this
designated individual:
SUBJECT ACCESS
Data subjects have the right to a copy of any information held about them by the
organization. The requirements are:
The company has forty days in which to respond to such a request with a complete copy of
any information held. Explanation of codes etc. must be provided and the information must
be in legible form. CCTV images are included in the definition of personal data, so it is
reasonable to assume that you may be asked for copies of relevant portions of tapes by
employees exercising this right.
A data subject who makes a request is also entitled to:
‘Direct marketing’ means the communication (by whatever means) of any advertising
or marketing material directed at particular individuals. Therefore mailshots, e-mails and
telephone calls are all included.
The Data Protection Act 1998 requires that such requests be made in writing and gives
the company a ‘reasonable’ period in which to amend records and mailing databases to
comply with the request.
The Act requires that such objections be made in writing. Data controllers are then under a
duty to review the decision manually: that is, by human intervention. The final decision may
be to reverse the automated decision or to reaffirm it; the key to compliance with the exercise
of this right is the fact of human intervention. Automated decision-making would include
such activities as the scoring of psychometric or other qualifying tests set by the employer.
PROCEDURE
The strict legal requirement is that any notice exercising the right to subject access should be
issued in writing. If an employee purports to exercise a subject right by telephone or face to
face, the organization is entitled to request that the approach be made in writing. In
practice, an employer may take a more relaxed view or provide a form designed to elicit
information verifying the identity of the individual making the enquiry. The employee
might not be located in the same offices as HR personnel responding to the request, and it is
sensible to check the person’s identity. Any useful background information can be sought
from the individual both in relation to their enquiry and to assist in verification.
If it is believed that there are legitimate grounds for not complying with a subject access
request, seek legal advice.
SUGGESTED ACTIONS
. It is vital to identify when a right under the Act is being exercised – brief all HR staff on
data subject rights.
. Provide a documented procedure for employees to exercise their rights against the
organization; this will help to ensure that notices purporting to exercise rights are directed
at designated personnel who will know how to react.
. When a right is being exercised, deal with the matter quickly.
whom data is to be disclosed and any other information which would affect the data
subject’s decision to disclose the data requested.
It is important to identify all the purposes for which personal data is to be processed.
The Second Principle restricts processing to the stated purposes. Organizations must state
their intended processing purposes before obtaining personal data. Consent must then be
sought for any subsequent ‘new’ processing activity involving that personal data.
If your application is unsuccessful, we would normally retain your details on file for a period
not exceeding six months. Please let us know if you would like your details to be destroyed
immediately.
SUGGESTED ACTIONS
. Identify all processing (including obtaining, holding, using and disclosing) of personal
data undertaken by or for HR. Your list may include:
– Employee/staff data for staff administration including pay and conditions.
– Pension scheme member data for pension scheme administration.
– Data relating to pensioners for pension scheme administration.
– Data relating to employees’ and pensioners’ spouses for the administration of pension
scheme payments and group life insurance.
– Data relating to social club members for administration.
– Employee data for marketing.
– Data relating to ex-employees for statutory and contractual purposes.
– Data relating to temporary workers and/or contractors for administration purposes.
– Data relating to prospective employees for purposes of recruitment.
. Draft subject information to explain why personal data is required in each case and how it
will be used and disclosed. See the suggested wordings set out above.
. Position subject information on any forms where personal data is sought: for example, job
application forms, pension scheme membership application forms, social club membership
application forms, etc. Make sure you use lettering of equal font size, and position
the notice so it can be seen at least as easily as any other information or question on the
form.
. Also include subject information in any staff handbook and booklets describing the
pension scheme and other employee benefits. They can be included in induction or
welcome packs and on the company intranet, if one exists. Again, make sure that the
notice is given equal prominence with other terms and conditions.
. Include appropriate subject information in letters sent to acknowledge unsolicited CVs.
‘The processing is necessary for compliance with any legal obligation to which the data
controller is subject, other than an obligation imposed by contract.’
For example, your auditor may need to check your payroll records or personal expenses
claims. This condition covers the requirement to supply information about an employee to
the Inland Revenue or DSS. Complying with court orders also falls under this condition.
‘The processing is necessary for the purposes of legitimate interests pursued by the data
controller or by the third party or parties to whom the data are disclosed, except where the processing
is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate
interests of the data subject.’
For example, marketing activity undertaken by an organization so long as the wishes of
data subjects are observed. This means avoiding inappropriate marketing where you know
the recipient does not want to receive marketing material.
This condition also covers the use of CCTV to protect business premises against crime,
but remember that the business interest must be balanced against the rights and freedoms
of individuals. CCTV cameras should be focused on the areas of the premises most open to
risk and should not, for instance, record employees if this can be avoided. (See, further,
Chapter 5).
SUGGESTED ACTIONS
. Identify and list all processing (remember to include obtaining, holding, using and
disclosing) of employee personal data. Your list is likely to include:
– Employee/staff data for staff administration including pay and conditions.
– Pension scheme member data for pension scheme administration.
– Data relating to pensioners for pension scheme administration.
– Data relating to employees’ and pensioners’ spouses for administration of pension;
scheme payments and group life insurance.
– Data relating to social club members for administration.
– Employee and/or pensioner data for marketing.
– Data relating to ex-employees for statutory and contractual purposes.
– Data relating to temporary workers and/or contractors for administration purposes.
– Data relating to prospective employees for purposes of recruitment.
– Supplier data for purchases and accounts.
– CCTV images for crime prevention and the prosecution of offenders.
. Check that each activity is covered by one or more of the conditions for fair processing
explained above.
. Document your findings and your work.
Sensitive data
‘Sensitive data’ is a defined term in the Data Protection Act 1998. It refers to personal data
consisting of information as to:
These categories of data have been identified as requiring a higher degree of care when
processing. More regulation of this type of processing may follow in future.
Currently the only additional requirement when processing sensitive data is to meet a
condition for the fair processing of sensitive data in addition to one or more of the
conditions for the fair processing of personal data. The conditions for the fair processing of
sensitive data are set out in Schedule 3 to the Data Protection Act 1998.
Most employers will process personal data relating to the health of their employees.
Holding sickness records constitutes the processing of sensitive data.
‘The processing is necessary for the purposes of exercising or performing any right or obligation which
is conferred or imposed by law on the data controller in connection with employment.’
Contractual provisions such as the paying of sick pay or the administration of a private
medical scheme or income replacement scheme would be covered by this condition.
‘The information contained in the personal data has been made public as a result of steps
deliberately taken by the data subject.’
This would apply, for example, where the data subject has provided sensitive data to the
press and the organization was asked to comment.
‘The processing is necessary for the purpose of, or in connection with, any legal proceedings (including
prospective legal proceedings), or for obtaining legal advice.’
This will cover the seeking of legal advice in connection with an employee whose
performance is unsatisfactory, perhaps due to ill health.
‘The processing is of information as to racial or ethnic origin, necessary for the purpose of identifying
or keeping under review the existence or absence of equality of opportunity or treatment between
persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or
maintained, and is carried out with appropriate safeguards for the rights and freedoms of data
subjects.’
‘The data subject has given his explicit consent to the processing of the sensitive data.’
This condition may be relied upon if none of the other conditions for the fair processing of
sensitive data apply. However, there is a problem in relation to employment. In the context of
the employer/employee relationship it is now doubtful that proper consent can be given by
the employee to the processing of personal data relating to them by the employer. The view
has been expressed that in the relationship between employer and employee, the employee is
at such a disadvantage in terms of bargaining power that they are never able to give consent
freely and without undue influence from the employer. The Information Commissioner
(Elizabeth France, Commissioner 1992–2002) indicated that she agrees with this view.
The Information Commissioner’s Office accepts that this creates a problem for
employers processing sensitive data relating to employee sickness, for example. An Order
is being sought urgently from the Secretary of State to deal with this issue. In the meantime,
the position being adopted by the Office is that there are probably several legal obligations
on the employer which require it to process sensitive data relating to employees without
relying on consent: for example, statutory sick pay records must be kept for three years
under statute, and the employer owes a common-law duty of care to other staff and to the
sick employee. While it is accepted that this is a manufactured solution where none really
exists, it does provide a workable solution to the problem in the short term. HR
professionals should keep abreast of developments in this area as the manufactured
solution is not viewed as a long-term one. See page 21 for more detail on the issue of consent.
SUGGESTED ACTIONS
Identify all processing of sensitive data likely to be undertaken by the HR department (race,
religion, trade union membership, health, sex life, criminal records). Your list is likely to
include:
. The race or ethnic origin of employees/staff for the purpose of equal opportunities
monitoring.
. The health of employees/staff for the purpose of statutory and company sick pay schemes,
and to meet health and safety requirements.
. Trade union membership for administrative purposes.
Check that each activity is covered by one or more of the conditions for the processing of
sensitive data set out above.
2) Personal data shall be obtained only for one or more specified and lawful purposes and
shall not be processed in any manner incompatible with that purpose or those purposes.
3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.
4) Personal data shall be accurate and, where necessary, kept up to date.
5) Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
6) Personal data shall be processed in accordance with the rights of data subjects under the
Act.
7) Appropriate technical and organizational measures shall be taken against the
unauthorized or unlawful processing of personal data and against the accidental loss or
destruction of, or damage to, personal data.
8) Personal data shall not be transferred to a country or territory outside the European
Economic Area unless that country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the processing of personal
data.
The Employment Practices Data Protection Code, issued by the Information Commissioner,
has interpreted the Principles in relation to HR activities.
SUGGESTED ACTIONS
Security checks
. If you do not have an IT security policy which covers HR computer systems, document (at
a high level) the security systems which protect personal data held: for example, restricted
access by the use of passwords, access on a need-to-know basis, firewalls, back-up
arrangements, business continuity plans, etc.
. Document the security arrangements for personal data held in paper files: for instance by
using lockable filing cabinets, adhering to a ‘clean desk’ policy, using reliable and secure
archive arrangements, and ensuring the reliable and secure destruction of documents
containing confidential and ordinary information.
. Document how you ensure the reliability of staff who work in HR: for example, when
taking up references and supervising new employees, with regard to laptop use and
homeworking policies and procedures, and when providing training on security and
confidentiality issues and house security policies as documented above.
. Consider the adequacy of the security arrangements you have in place in relation to the
confidentiality of the employee personal data you process. Strengthen your arrangements
as necessary.
. Review your security arrangements periodically to ensure that you are still providing
adequate security for personal data considering the risk of disclosure or damage and the
harm that could result.
Ensure that each processing activity meets one or more of the conditions for fair processing.
(See page 15).
Ensuring that personal data held is adequate, relevant and not excessive
. Ensure the relevance of new personal data entering the department by undertaking a
review of the categories of personal data sought on any application forms (those for jobs,
membership of pension schemes or other employment benefit schemes, absence and
holiday forms, etc.). Consider if all the information is actually necessary to the stated
purpose for which it was obtained. For example:
– Are job application forms asking for too much detail for a sensible assessment to be
made of a candidate’s suitability for a junior position?
– Are job application forms asking for information which will only be relevant in relation
to the successful candidate? In which case, it is irrelevant in relation to most of the
candidates who complete the form.
– Are there any questions on forms of which you do not understand the relevance?
. Review the personal data provided by line managers to HR in reports and statistics
routinely required. Is sufficient information provided? Is any of the information
irrelevant?
. Check the relevance of personal data on existing files by undertaking a regular, rolling
purge of HR files. In particular:
– Ensure that you are following any document retention policies, procedures for
removing expired disciplinary warnings or details of spent criminal convictions from
files.
– Anonymize data held on files retained for statistical analysis only; personal data should
not be relevant to this activity.
the Code allows for the processing of sensitive data to meet statutory obligations on the data
controller in relation to employment to include normal sickness and absence reporting and
recording. As stated above, this is now the interim solution offered by the Information
Commissioner to resolve the issues of consent when processing sensitive data in the
employer/employee relationship.
SUGGESTED ACTIONS
. Amend contracts of employment to remove any clauses requiring data subject employees
to consent to data processing activity.
. Consider the processing of sensitive data in the HR context. Any processing activity which
is non-routine by HR standards should be cleared specifically with the Information
Commissioner’s Office as it is unlikely to be covered by the wider interpretation of the
condition relating to meeting legal obligations in the employment context.
. Ensure that the transfer of employee personal data outside the EEA does not rely on
employee consent to the transfer. Alternative justifications for the transfer must be
identified. (See page 55).
. Use marketing opt-out clauses if the employer intends to market its own goods and
services to employees or an opt-in clause if the intention is to market the goods and
services of third parties. (See Chapter 11).
. There are no special rules relating to interview notes or any other component of
recruitment records. For example, interview notes should be disclosed if an interviewee
exercises their right to access personal data relating to themselves. ‘Personal data’ under
the 1998 Act expressly includes any expression of opinion about the individual and any
indication of the data controller’s intentions in respect of the individual (the 1984 Act
excluded indications of intention), so opinions recorded at interview are not exempt from
subject access.
. It should be stated, on any application form, to whom the information is being provided
and how it will be used, if this is not self-evident. (See page 13).
. Recruiters should only seek personal data relevant to the recruitment decision to be made.
Data required for personnel administration should be sought later, and only of the
successful candidate. (See Chapter 4).
. If sensitive data are collected, ensure a condition for processing sensitive data is satisfied.2
. A secure method for processing applications must be used.3
. Recruiters should be consistent in the way personal data is used when shortlisting
candidates for a particular position.4
. Recruiters should ensure that personal data recorded and retained following interview can
be justified as relevant to, and necessary for, the recruitment process itself, or for
defending the process against challenge.5
CRIMINAL OFFENCES
The Data Protection Act 1998 (section 56) makes it a criminal offence to require candidates
for jobs to make a data subject access request to the police in relation to possible criminal
records. The new Criminal Records Bureau is now the only legal route to the obtaining of
personal data relating to the criminal records of prospective employees. The Employment
Code provides
that employers should only seek information about an applicant’s criminal convictions if
that information can be justified in terms of the role offered. If the information is justified,
employers must make it clear that spent convictions do not have to be declared, unless the
post being filled is covered by the Exceptions Order to the Rehabilitation of Offenders
Act 1974.6
. Explain the use of psychometric tests to all candidates required to undergo them.
. Ensure that only personnel trained in the interpretation of psychometric test results have
access to the results and that a résumé of the results is produced for use by non-trained
personnel.
. Ensure that other personnel, including managers and directors, have no access whatsoever
to the results of psychometric tests, although they may have access to the résumé
prepared by the person trained in their interpretation.
. Ensure that psychometric test results are kept securely while in use and destroyed as soon
as the recruitment decision has been made.
PRE-EMPLOYMENT VETTING
‘Vetting procedures’ in this context involve something more than merely taking up one or
two simple references: for example, an employer which requires candidates to undergo a
credit reference check as part of standard recruitment procedure, or which calls for detailed
references concerning their reliability, trustworthiness with money and valuables,
timekeeping, sickness record, etc.
If you take up references simply to confirm the dates during which the job candidate
was employed, there is no need to take any further action in relation to vetting.
. A particularly good candidate agrees that their details may be retained for a longer,
specified, period in case another suitable job vacancy arises or to be a back-up for the
successful candidate in case the initial appointment proves unsuccessful.
. Some information is retained to show that the organization correctly operated its equal
opportunities procedure. Such information should be depersonalized wherever possible
(that is, retained without specific names and addresses being kept).
IMPLICATIONS OF INTERVIEWING
At the interview, check that the candidate knows the name of the employer and something
about its operations. If they have applied for a managerial position, this may include
reference to any group structure.
Explain that any information the interviewee volunteers will be treated in confidence
and used to assess their suitability for the job.
Show the candidate any statement of data protection policy and other material which
explains how their personal data will be handled if they succeed in getting the job.
. That candidates will be required to undergo psychometric tests and what the results help
to determine.
. That personal data may be processed involving automated decision-taking and the details
of the process: for example that tests will be marked by automated means.
. That pre-employment vetting is to take place and what form that is to take, for example, if
a credit check is to be undertaken against the candidate’s name and address or if the
successful candidate will have to complete a supplementary questionnaire for other
background checks to be carried out by the organization or its regulator.
SUGGESTED ACTIONS
1) Review existing application forms (if used) and:
. Include appropriate data subject information for job candidates, picking up the issues
raised by other actions (below) to include on the form.
. Consider each question on the form and identify whether the information sought relates
to the assessment of the candidate for the job or if it relates to employment administration
if the applicant is successful. Remove all questions which are not directly relevant to the
assessment/recruitment decision (for example, National Insurance numbers, whether or
not a current driving licence is held if the position does not involve driving, etc.).
. If your recruitment procedure involves any automated decision-making, explain this
in the data subject information.
2) If application forms are not used, the following information should be included in letters
to candidates at the earliest opportunity:
. Appropriate data subject information for job candidates, picking up the issues raised
by other actions.
. If your recruitment procedure involves any automated decision-making, explain this
in the data subject information.
3) If you receive unsolicited or speculative CVs, respond to the approach with the following
information at the earliest opportunity:
. Appropriate data subject information.
. An indication of how long speculative CVs will be retained, together with an
invitation for the prospect to withdraw their CV from consideration if the retention
period is exceptional, say, longer than six months.
. If your recruitment procedure involves any automated decision-making, explain this
in the data subject information.
. If your recruitment procedure involves the use of psychometric tests, adopt a policy
similar to the one suggested.
. If you use pre-employment vetting procedures, adopt a policy similar to the one
suggested.
. Adopt a policy on the retention of recruitment information similar to the one
suggested.
. Brief line managers on the data protection implications when interviewing candidates.
SUGGESTED ACTIONS
. Make formal appointments of one or more recruitment agencies either as part of a
continuing relationship or as one-off appointments when the organization is recruiting.
. Include the terms outlined in your contract with the recruitment agency(ies).
. Provide appointed recruitment agencies with a written résumé of the organization, its
name, line of business, etc. for candidates and prospective candidates.
CHAPTER 5 Monitoring issues
Monitoring employees
The monitoring of employee performance is not illegal. However, the monitoring of
communications falls within the scope of the Regulation of Investigatory Powers Act
2000 (RIPA) and the Lawful Business Practices Regulations. These statutory
instruments apply where communications are intercepted. For example, checking
the content of e-mails and recording telephone conversations are activities covered
by RIPA.
In addition, intercepting communications, and other forms of monitoring, which
involve personal data processing, must comply with the requirements of the Data Protection
Principles and the Employment Practices Data Protection Code. In general, compliance with
the Employment Code will ensure compliance with RIPA.
An entire section of the Employment Code is devoted to monitoring activities and
establishing appropriate benchmarks for such activity. These are the areas which should be
considered.
introduce new monitoring activities but should follow agreed practices and make
suggestions if they have any improvements to make.
The Employment Code also recommends considering which is the appropriate
department to undertake monitoring. In some cases, for example performance monitoring,
it will be appropriate for line management or compliance personnel to undertake the role.
In others, such as crime prevention and detection, it will be more appropriate for security
personnel to undertake the role.
. If the prevention of pilfering from cash tills is the objective, then CCTV cameras should be
targeted on cash tills.
. If the objective is to enforce the company’s policy forbidding the downloading of
undesirable material – such as pornography from the Internet, for example – then an
automated check on flesh tint pixels in images might be the first step. Further
investigation can be made if it appears that many of the images being stored or
downloaded feature flesh tints.
. If the objective is to identify employees abusing the employer’s e-mail facilities, it is
appropriate to review the traffic of e-mail to identify excessive personal use before
investigating further into the content of individual e-mails.
. If incoming e-mail has to be checked for time-critical messages during an employee’s
absence from work, it might be appropriate to review the subject headings to identify
those most likely to be relevant and to avoid those which appear to be of a personal
nature.
Monitoring is by its nature intrusive. Bearing in mind the question of human rights, it should
always be undertaken in such a way that the privacy and autonomy of individual employees
are respected. Targeted monitoring is more likely to achieve this than a wholesale approach.
The impact of monitoring on employees and their relationship with the employer
should be taken into account. Assess whether or not the perceived benefits of monitoring
are likely to outweigh the perceived risks, such as the alienation of employees, and the
amount of time spent by supervisory staff on undertaking monitoring.
the fair processing requirements are to be met. Generally, employees should know that
monitoring takes place and the reasons for it. The Information Commissioner’s view is that
covert monitoring is difficult to justify and should only be undertaken on the advice of – or
in collaboration with – the police.
One area which causes problems is the use of the employer’s facilities by employees for
personal or social purposes. Human rights law probably means that it would not be
reasonable to prohibit employees from taking some personal telephone calls at work, for
example in an emergency situation. Thus any policy will have to take this into account and
allow some degree of reasonable use. Policies relating to the use of corporate facilities for
private purposes must be audited and the rules enforced. If staff are aware that policies are
not imposed in practice, the practice will come to overrule the procedure.
The draft benchmarks in the Employment Code recommend that employees are given
the opportunity to explain their behaviour if monitoring reveals an apparent problem. The
results of monitoring could be misleading, and natural justice dictates that the person
involved be given the chance to present their side of an event.
MONITORING COMMUNICATIONS
The draft benchmarks recommend that employers set a clear policy on the use of their
facilities for personal communications. The policy should be practicable and applied in
practice.
Telephone, e-mail and fax monitoring affects the privacy of those making calls and
sending e-mails as well as those who receive them. Monitoring communications will thus
have an impact on employees of other organizations and members of the public
unassociated with the employer, such as employees’ spouses. The effect of monitoring on
such individuals needs to be taken into account when assessing the overall need for and
impact of monitoring. Consideration should be given to notifying callers and those sending
e-mail that the organization undertakes monitoring activity. Oftel regulations already
provide for callers to be notified if telephone calls are being recorded. Telephone calls are not
personal data unless they are recorded.
A further consideration is that not all private communication is carried out during a
private call or e-mail. A call or e-mail related to legitimate work activities might easily
include a personal comment or note. Monitoring business communication will necessarily
include monitoring some personal communication within the overall scheme.
If the employer provides a mobile telephone or a landline at an employee’s home, and
details of the account are sent direct to the employer then the disclosure (of the telephone
account use) constitutes a disclosure of personal data, in relation to the employee, their
family and callers to that telephone number.
SUGGESTED ACTIONS
. Decide who, within the organisation, is authorised to introduce monitoring activity. Make
sure you are able to demonstrate that the introduction and subsequent use of monitoring
is controlled.
. Consider and document the reasons why a particular form of employee monitoring is
required and the benefits expected to accrue from the monitoring.
. Consider whether the rights of employees have been taken into account, and the likely impact of
the monitoring on employees and the employer/employee relationship.
. Based on your findings, make a decision as to whether or not the monitoring is justified
weighing the business benefits against the impact on employees and their privacy and
autonomy. Consider whether there are any viable alternatives to the chosen monitoring
activity.
. Target monitoring to address the business need. For example, if e-mails are to be checked
to identify any orders addressed to employees who are on holiday, then check only those
e-mails arriving in the period that the employee is on holiday and ignore any e-mails
which obviously do not relate to the purpose.
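The staged, targeted approach described above (review traffic volume before any content; during an employee's absence, look only at subject lines within the absence window and skip anything obviously personal) can be made concrete in code. The following is an added example written for this page, not text or tooling from the Employment Code; the domains, subject markers, message records and the `example.co.uk` employer are all constructed assumptions.

```python
"""Targeted mailbox review in two stages, with an audit record of every decision.

Stage 1 (traffic review) consults only sender/recipient fields, never subjects
or bodies. Stage 2 (holiday cover) consults subject lines only, restricted to the
absence window, and skips messages whose subject marks them as personal.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Header:
    # Deliberately header-only: no body field exists, so the review cannot
    # read message content by accident.
    msg_id: str
    sender: str
    recipient: str
    subject: str
    received: datetime


# Assumed employer domain plus known business counterparties (hypothetical).
KNOWN_BUSINESS_DOMAINS = {"example.co.uk", "customer.example"}
# Subject-line markers that cause a message to be left unread (assumed policy).
PERSONAL_MARKERS = ("personal", "private", "family")
# Subject-line markers for the stated business purpose: spotting customer orders.
PURPOSE_MARKERS = ("order", "invoice", "quote")


def personal_use_ratio(headers, mailbox):
    """Stage 1: share of a mailbox's outbound mail going to non-business domains.

    Only envelope addresses are examined; a high ratio is a reason to look
    further, not evidence of misconduct on its own.
    """
    sent = [h for h in headers if h.sender == mailbox]
    if not sent:
        return 0.0
    external = sum(
        1 for h in sent
        if h.recipient.rsplit("@", 1)[-1].lower() not in KNOWN_BUSINESS_DOMAINS
    )
    return external / len(sent)


def holiday_cover_triage(headers, mailbox, away_from, away_to):
    """Stage 2: return ids of inbound messages worth forwarding to cover staff,
    plus an audit log explaining why each candidate was or was not opened.

    The audit entries carry no subject text, so the log itself does not
    become a second copy of the monitored data.
    """
    to_review, audit = [], []
    for h in headers:
        if h.recipient != mailbox:
            continue  # other mailboxes are never considered
        subj = h.subject.lower()
        if not (away_from <= h.received <= away_to):
            action, reason = "skipped", "outside absence window"
        elif any(m in subj for m in PERSONAL_MARKERS):
            action, reason = "skipped", "subject indicates a personal message"
        elif not any(m in subj for m in PURPOSE_MARKERS):
            action, reason = "skipped", "subject unrelated to order handling"
        else:
            action, reason = "forwarded", "subject suggests a customer order"
            to_review.append(h.msg_id)
        audit.append({"msg_id": h.msg_id, "received": h.received.isoformat(),
                      "action": action, "reason": reason})
    return to_review, audit


# Constructed sample traffic for one employee who is away 11-15 August 2003.
ALICE = "alice@example.co.uk"
SAMPLE = [
    Header("m1", ALICE, "orders@customer.example", "Re: order 4471", datetime(2003, 8, 4, 9, 0)),
    Header("m2", ALICE, "bob@example.co.uk", "Q3 forecast", datetime(2003, 8, 4, 10, 0)),
    Header("m3", ALICE, "mum@home.example", "Sunday lunch", datetime(2003, 8, 4, 12, 30)),
    Header("m4", ALICE, "friend@social.example", "drinks?", datetime(2003, 8, 5, 17, 0)),
    Header("m5", "buyer@customer.example", ALICE, "Purchase order 9921", datetime(2003, 8, 12, 9, 15)),
    Header("m6", "gp@surgery.example", ALICE, "PERSONAL: appointment", datetime(2003, 8, 12, 11, 0)),
    Header("m7", "bob@example.co.uk", ALICE, "lunch next week", datetime(2003, 8, 13, 14, 0)),
    Header("m8", "buyer@customer.example", ALICE, "Order 9922 urgent", datetime(2003, 8, 18, 9, 0)),
]


def run_sample():
    """Run both stages over the constructed traffic and return the results."""
    ratio = personal_use_ratio(SAMPLE, ALICE)
    ids, log = holiday_cover_triage(
        SAMPLE, ALICE, datetime(2003, 8, 11), datetime(2003, 8, 15, 23, 59))
    return {"ratio": ratio, "forward": ids, "audit": log}


if __name__ == "__main__":
    result = run_sample()
    print(f"personal-use ratio: {result['ratio']:.2f}")
    print("forward to cover staff:", result["forward"])
    for entry in result["audit"]:
        print(entry)
```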
. Train those authorised to introduce monitoring and those who monitor other employees.
. If CCTV is to be used, follow the checks and actions in the CCTV section on page 34.
. If the use of company vehicles is to be monitored, only monitor the use of those vehicles
provided exclusively for business and related use or company vehicles when being used
for business and related use.
. If you are monitoring electronic communications consult the Regulation of Investigatory
Powers Act 2000 (‘RIPA’) and the Lawful Business Practice Regulations. If the aim of the
monitoring activity is to police a company policy restricting use of electronic
communication channels for personal reasons, ensure that the company’s policy is clear,
has been communicated to employees and is enforced by the company.
. If monitoring is undertaken by a third party, for example, private investigators or a credit
reference agency, ensure that the third party is aware that the subject of the monitoring is
an employee.
. Include any policies relevant to monitoring together with the monitoring policy in staff
information such as a staff handbook or the intranet.
. Tell employees what form monitoring will take and why it is being undertaken (note that
covert monitoring is very hard to justify under the Data Protection Act and should only be
undertaken if a crime is suspected and on the advice of the Police). Make sure that the
communication process includes new starters and temporary workers.
1) The identity of the organization responsible for the operation of the CCTV.
2) The purposes for which CCTV is in use at the premises.
3) Details of how to contact the organization regarding the CCTV scheme.
For example – where an image of a camera is not used on a sign – the following wording is
recommended:
Images are being monitored for the purposes of [‘crime prevention and public safety’ or ‘to prevent
and detect crime’, for example]. This scheme is controlled by [name of organization].
For further information contact 01234-567-890
SUGGESTED POLICIES
Consider the following outline policies. Suggestions as to appropriate timescales are shown
in square brackets.
Quality of images
All tapes should be checked for damage and quality of the images recorded at least [weekly].
Any damaged tapes or tapes giving images of inferior quality should be replaced immediately.
Images should be erased from tapes prior to disposal.
When removal of tapes is approved, a formal receipt should be retained showing the date, identity
and authority of the person removing the tape and the purpose for which it is being removed.
A log should be kept of details relating to tapes removed from business premises. This should
include the name and authority of the person taking the tape, the reason for its removal, the date
and any other relevant circumstances.
The police may be allowed access to CCTV images at the organization’s discretion and in
accordance with its policy on disclosure of data if the request is relevant and made in writing. The
courts can order the disclosure of tapes.
Any organization which provides maintenance services or monitoring services in connection with
the CCTV scheme may have access to CCTV images recorded.
SUGGESTED ACTIONS
. Document why CCTV is to be installed and what it is intended to do or prevent.
. Appoint one individual to be responsible for the day-to-day operation of CCTV and its
compliance with the CCTV Code of Practice.
. When positioning the cameras, check that they pick up relevant images only (for
example, avoiding staff rest areas if the CCTV is being introduced to monitor cash
registers).
. If the cameras are intended to cover a public space, put up signs to warn the public that
they are entering a zone covered by surveillance equipment. (See the notes on
recommended signage).
. Establish and document CCTV policies.
CHAPTER 6 Staff training
Employers are under a statutory duty to ensure the reliability of staff whose jobs involve
processing personal data. The Employment Practices Data Protection Code (Employment
Code) suggests that this duty cannot be discharged simply by taking up references on
employees or carrying out background checks. Appropriate action includes training for staff
whose jobs bring them into contact with personal data. The existence of relevant and
adequate policies and procedures will also demonstrate that the organization is using its best
endeavours to comply with the Data Protection Principles and the Employment Code.
In addition, the Employment Code suggests that the individual responsible for data
protection compliance in HR should take action to brief those staff whose jobs involve the
handling of employee personal data.¹ These include directors, senior managers, line managers
and supervisors, trainers and those responsible for health and safety and facilities management.
Throughout the Employment Code there are references to staff training and what
should be covered. In summary it is recommended that the following need to be included as
a minimum:
CYCLE OF IMPROVEMENT
Policies and procedures
Training
These bring together some of the key aspects of data protection: confidentiality and security.
In addition you will need procedures for handling the exercise of subject rights such as the
right to access personal data relating to the data subject held by the business, the right to
object to direct marketing, etc.
The Employment Code recommends that serious breaches of data protection policies
should be a disciplinary offence to give compliance its due importance to staff.²
Specialist training might be appropriate for specific industries such as credit reference
agencies, financial services and the provision of health care and medical services. A risk
assessment of personal data held to support the main business activities is a useful starting
point. In particular, look to areas which process sensitive data.
Training is an ongoing process; existing employees may need refresher training on the
basic data protection issues relevant to their role. There will be a requirement for more
training when employees change jobs within the organization or take on new
responsibilities. The organization might benefit from some employees developing an
advanced level of knowledge of data protection issues and the way these affect the different
parts of the business.
Over time, data protection policies and procedures will develop or undergo amendment to
meet changing circumstances. Training will be given on new and amended policies and
procedures and the compliance of staff with those policies and procedures audited in due course.
SUGGESTED ACTIONS
Provide:
Undertake:
Briefing Note
The holding, using and processing of personal data in the United Kingdom is regulated by
the Data Protection Act 1998. In the broadest terms, data protection is about the
confidentiality and security of personal data and gives individuals certain rights including
the right to access information relating to them held by companies, government bodies,
medical trusts, etc.
Personal data is information about a living individual (the ‘data subject’). It includes
names, addresses, telephone numbers, etc. as well as opinions.
The Data Protection Act 1998 sets out minimum standards of required behaviour when
dealing with personal data. It also establishes the Office of the Information Commissioner,
a kind of ombudsman for the handling of personal data.
When using personal data relating to other company representatives and employees,
businesses and clubs are required to act in accordance with the Data Protection Principles.
Businesses and clubs are under a legal obligation to allow a ‘data subject’ (the individual
about whom personal data is held) access to the information relating to them on
computers and in most manual files. There is a limited period (40 days) in which to
respond to a data subject access request. It is important that any data subject access
request is identified when made and reported immediately to [named individual].
Other rights
Individuals have other rights under the Act relating to the way in which their personal
data is processed. Data protection issues will usually arise in connection with a complaint
or grievance. Identifying these issues quickly will help to resolve them within the time
limits set down by law.
Data protection law has always carried penalties for individuals (as well as businesses and
clubs) who breach the provisions. These are some areas you should consider.
The unauthorized obtaining or disclosure of personal data is a criminal offence. As a
minimum, you should always check that anyone requesting information has the right to
access it. Think twice before giving out contact details on request. As a rule, never give
out home contact details. Instead, offer to contact the person yourself and ask them to
contact the enquirer.
Personal data should be treated confidentially and not used for any purpose other than
communication and activities related to business affairs. In addition personal data should
be kept secure, which means putting files away in cabinets in the evening and if you take
a break during the day.
In general you should treat other people’s personal data as you would want them
to treat your own.
Remember also that normal legal rules such as libel apply to written documents; do not
include opinions or personal comments which the data subject might find offensive.
Permitted disclosures
Some disclosures are required by law, and others are permitted because they are in
accordance with HR activity and have been explained to employees.
It is important to check the authority of anyone requesting access to personal data.
The following guidelines may assist in responding to enquiries:
. DSS Benefits agencies, Inland Revenue, and Customs and Excise have authority under
various Acts of Parliament to access information relating to individuals. Their request
should be made in writing and quote the Act under which they derive their authority to
gain access. Site visits should be prearranged and visitors should show you proof of
identity.
. Requests for access to information from the police are complied with at the discretion of
the organization. As a minimum, it is recommended that such requests be made in
writing, setting out the reasons why the disclosure is requested and the full name of the
police officer in charge of the case under investigation.
. Mortgage and housing related reference requests should be referred to the employee
concerned for permission before the request is answered.
. Work-related reference requests should be referred to the employee concerned if they
are still in employment. Reference requests for former employees may be answered so
long as they are in writing. A reference is exempt from disclosure if an employee or
ex-employee makes a data subject access request. However, this exemption ceases to
apply once the reference has been sent out.
If you are in any doubt about whether or not to respond to a request for information
relating to an employee or ex-employee, refer the request to whoever has responsibility
for data protection compliance in the organization.
Unauthorized disclosures
. Make enquirers submit their request for access in writing, setting out the reasons why
they require access and what authority they are claiming.
. Be aware that some people will use deception to try to access personal information, for
example, some private investigators.
. Tell the employee when a request for access has been made; their permission to make
the disclosure is sufficient authority to disclose the information requested.
Reasonable security measures must be in place to guard against the risk of personal data
being accessed, altered or deleted without due authorization.
. In the office, make sure you operate a ‘clean desk’ policy; do not leave files on your desk
if you go out to lunch or when you go home at night.
. Use a screen saver to mask personal data on your PC monitor when you leave your desk
or if you are not working on your computer.
. Laptops and personal organizers must be backed up to computer files and databases
(‘C’ drives) in the office at least weekly in order to ensure that personal data is as
complete, accurate and as up to date as possible at all times.
. Personal data held on home PCs must be downloaded to computer files and databases
(‘C’ drives) in the office at least once a month to ensure that personal data is as
complete, accurate and as up to date as possible at all times.
CHAPTER 7 Outsourcing HR activities
A new statutory duty applies to employers who use service providers to process personal data
on their behalf. An employer is a data controller in respect of personal data relating to its
employees. If processing activity is outsourced – for example, using an external payroll
service – the Data Protection Principles require the employer to enter into a written contract
with the service provider incorporating specific terms relating to the security of the personal
data to be processed. They are also required to check that the service provider provides
adequate security for the personal data to be processed, both at the time of appointment and
regularly thereafter.
When inviting tenders for outsourced work, service providers should be asked about
their policy on data protection and for details of their relevant security arrangements. On
the new appointment of a service provider the required terms and conditions should be
incorporated into the contract between the organization and the service provider.
Existing arrangements with service providers should be checked to identify those that
involve the processing of personal data on behalf of the organization. Then the required
contract terms should be incorporated into the existing contractual arrangements. At review
meetings, or from time to time by letter, the organization should ask about security
arrangements and any breaches of security, in order to meet its statutory obligations.
description will be sent to the trainer in advance of the training event, which the trainer will
hold on behalf of the data controller and on his instructions. To a degree the trainer is acting
as a data processor. However, a trainer will elicit more personal data from the employees
during or after the training event, some of which will undoubtedly not be passed back to the
data controller/employer. Therefore the training consultant is making decisions in relation
to that additional personal data and acting as a data controller.
In yet other cases a service provider may be both data processor and joint data controller
with the data controller: for example, a pension fund administrator will administer and
manage a pension scheme on behalf of the pension scheme trustees. The administrator will
act on the instructions of the trustees generally, but those instructions may be worded very
widely so that the pension scheme administrator is making decisions relating to the data on a
daily basis. In this scenario, the scheme trustees and the scheme administrator would be joint
data controllers and the scheme administrator also a data processor on behalf of the trustees.
. Does the party process personal data supplied by the data controller?
. Is the processing undertaken on behalf of or for the benefit of the data controller?
. What do the parties intend should happen to the personal data when the relationship
between them ends? If the party is a data processor then personal data will either be
returned to the data controller or its nominated representative or deleted. The data
processor will have no further use for the data.
It should be explained that the Data Protection Act 1998 places certain statutory duties
on the organization to check the ongoing security arrangements of service providers. Useful
information to be provided by the service provider would include:
CONTRACTUAL TERMS
It should be explained further that it is also a requirement of the Data Protection Act 1998
that specific clauses be introduced to the contract between organizations and their service
providers. Suggested terms for inclusion are set out below.
In addition to the clauses required by statute it may be useful to include a couple of
additional ones. The first is to require the data processor to ensure that it passes on these
obligations to any contractors it might use. The second is to require that any information
reasonably requested by the organization will be supplied. This should enable regular checks
on security arrangements to be undertaken. For example, if the service provider is regulated,
then the organization might want to view any audit reports made by the regulator into the
service provider’s business.
. Only to act on instructions from [client] when processing personal data on your behalf.
. To comply with the Seventh Data Protection Principle in relation to the processing of personal
data on [client’s] behalf.
. To ensure that equivalent obligations of security are imposed on any third-party service supplier
to [the service provider] (‘subcontractors’) which process personal data on behalf of the [client].
. To report on security issues as may be required by the [client] from time to time.
SUGGESTED ACTIONS
. If the resource provider is a sister or associate company, ask whether the data protection
implications of the arrangement have been considered. If not, provide them with a
copy of the explanation letter. Note that contracts are required between group
companies.
. If the service or resource provider is already providing services to the existing business, ask
for a copy of the data protection compliance reports for the last three years (if any) and
check that it covers the issues identified above as relevant to the relationship. If not
(or there are no such reports), take up the queries directly with the service provider after
discussion with contacts in the existing business.
. If the service or resource provider has not previously provided services to the organization,
then send a letter setting out the suggested queries to raise with existing and prospective
service providers, together with information about the proposed amendment to contract
terms. If the arrangements have not yet commenced, then the appropriate time to raise
the queries is during the tender process.
. On a continuing basis, make regular checks that the service supplier has an appropriate
level of security for computer systems and paper files which relate to your organization.
Ask whether there have been any breaches of security or confidentiality and, if so, what
action(s) they have taken to avoid a recurrence.
CHAPTER 8 Employee benefits
The Employment Code recommends that if the employer takes on the role of the broker
or one of its officers acts as group secretary for a private medical insurance scheme, any
personal data processed should be kept to a minimum. Access to the information should be
limited and not used for general employment purposes.¹
Information provided to the employer at renewal may also be excessive. The employer
needs to know the total claims made during the period of insurance and possibly to have a
breakdown of high-value individual claims. However, it is submitted that the employer should
not be able to identify claimants from the information provided, even though in practice it routinely can.
Company car
If fleet management is outsourced, it is likely that the service provider will be processing
personal data relating to employees who have company cars and is thereby acting as a data
processor. Ensure that the employer is meeting its statutory obligation to check that the
service provider has adequate security arrangements in place. It is a statutory requirement
that two specific clauses be incorporated into the agreement between the employer and the
service provider. For a full explanation, see Chapters 7 and 20.
If the use of company vehicles is monitored, make sure that the requirements of the
Employment Practices Data Protection Code are observed. (See, further, Chapter 5).
SUGGESTED ACTIONS
. Identify all employee benefits. Your list might include: medical insurance, permanent
health insurance, occupational health screening, company car, share option schemes.
. Identify any third parties involved in the administration of benefits. Remember that
pension scheme trustees are not the same legal entity as the employer; they are a third
party for the purposes of data protection.
. Check that outsourced service providers comply with the security arrangements and that
they are regulated by contracts containing the appropriate clauses. (See Chapters 7 and
20).
. Check that appropriate subject information is provided to employees in all cases. (See
page 13).
. Consider what personal data is passed between the employer and the benefit provider or
administrator at all stages. Check that it is adequate, relevant and not excessive and that
personal data obtained for purposes linked with the administration of benefits is not also
used for the purposes of personnel administration.
. If sensitive data (for example, details of illness or injury) is being processed, check that one
or more of the conditions for fair processing are being met. (See page 16).
Employee benefits 49
Crèches
RECORD-KEEPING
The Data Protection Principles encourage good record management practices. This means
having an appropriate document retention policy for paperwork and computer files relating
to the children in the crèche, prospective attendees, their parents and other third parties.
Appropriate retention periods should take into account the purposes for which the
information is required and any legal obligations, such as the duty to disclose information
to the social services or local authorities. Once clear operational requirements – in this case,
crèche administration – and legal requirements have been identified, appropriate record
retention periods should be documented and enforced.
Personal data which is no longer required should be disposed of securely. Many of the
records relating to the crèche will contain confidential information and sensitive data.
Therefore appropriately high levels of security should apply to the destruction of paper files
and the deletion of computer records that are no longer required.
Records that are in use should also be adequately protected against unauthorized access
or tampering. Chapter 20 suggests some of the actions that may be taken to establish and
improve security arrangements; however, it is likely that crèche premises will be reasonably
secure due to the need to keep children safe from intruders.
SUGGESTED ACTIONS
. Introduce a document retention policy or check that any existing policy is adequate and
reasonable.
. Check that arrangements for the disposal of information that is no longer required are
secure.
. Revisit page 13 and introduce data subject information to key documents, particularly any
forms or questionnaires where personal data is requested.
. Check that one or more of the conditions for the fair processing of sensitive data is being
met.
. Check the security of documents and computer files relating to the crèche. Bear in mind
that this is possibly the most confidential information the organization holds.
Pension schemes
Pension scheme trustees will need data protection advice as much as employers. The
operation of a pension scheme is a notifiable activity, so the trustee body should be
registered for data protection. Pension scheme administration arrangements need to be
reviewed for compliance in the same way that other HR issues are reviewed. All the same
issues apply.
The pension scheme trustee body is not the same legal entity as the employer and must
be dealt with at arm’s length by the employer. This applies particularly when disclosing
personal data between the employer and the trustees. In many cases the trustees rely on the
employing company to undertake routine administration on their behalf. If this involves
the processing of personal data (which it almost certainly will), the employer is acting as an
outsource service provider to the trustees and a contract is needed to govern the relationship
between the data controller (the trustees) and the data processor (the company). (See
Chapter 7).
In addition, staff in HR who undertake administrative tasks on behalf of the trustees
should be made aware that when doing so they are acting on behalf of a third party.
‘Chinese walls’ are required to prevent the leakage of personal data held for employment
purposes to the trustees and the leakage of personal data held by the trustees for scheme
administration purposes to the employer.2 (‘Chinese walls’ are protocols within the
organization which operate so that ‘known’ facts in one department are kept confidential
from other departments. They may also apply within a department so that information used
for one purpose by a member of the HR team is kept confidential and not applied for
another purpose even though the same team member might be involved).
2. Employment Practices Data Protection Code, Record-keeping – Pensions and insurance, benchmarks 1 and 3.
also required to incorporate specific clauses into the contractual arrangements between
themselves as trustees and the administrators. (See Chapter 7 and, in Part II, Chapter 20).
SUGGESTED ACTIONS
. Ensure that the trustee body is registered for data protection. (See Chapter 23).
. Identify all personal data processing undertaken by, or on behalf of, the scheme trustees.
. Ensure that appropriate subject information is in place for scheme members, prospective
members, pensioners and pension visitors.
. Identify any third parties involved in processing personal data on behalf of the scheme
trustees – including the employer – and put contracts in place. (See Chapter 7).
. Check the relevance and adequacy of any information requested by the scheme trustees:
for example, on the pension scheme membership application form and the beneficiary
form (the deed of wish).
. Check that security arrangements for personal data relating to the scheme are adequate.
. If the trustees process sensitive data (for example, relating to the health of scheme
members), ensure that a condition for the fair processing of sensitive data is being met.
(See page 16).
. Provide training and procedures for HR staff who handle administrative tasks on behalf of
the trustees so that they understand the trustees are a body separate from the employer
and that there is a need for ‘Chinese walls’ between the two parties.
SOCIAL CLUBS
Some employers provide social facilities for employees or allow work facilities to be used for
the promotion of social clubs and activities. There is likely to be less formality about
arrangements for obtaining personal data in connection with social clubs and activities,
such as a notice on the staff noticeboard for employees to ‘sign up for next week’s trip to the
brewery’ etc.
To some extent the employer’s responsibility for the compliance of, say, an in-house
football team’s personal data-processing activities could be argued. However, the indications
are that the Commissioner would consider that the employer owes a duty to its employees
to protect them from misuse of their personal data. Tolerating the use of its facilities to
publicize events means that the employer probably is responsible and certainly would be if
social activities were encouraged by the employer as a staff ‘perk’.
A prudent employer should therefore take steps to educate social club secretaries in
basic data protection law, for example to instruct them that personal data relating to social
club members should not be used in ways inconsistent with the purposes for which it was
obtained, or be disclosed without authority, retained for longer than is necessary, etc. A
relatively simple way to achieve this is to provide social club secretaries (formal and informal
secretaries) with guidelines as to expected behaviour when processing personal data on
company equipment and/or in company time.
The issues the employer should seek to cover might include:
. The use of company facilities to promote social activities for staff organized by individuals
or groups of staff with common interests (such as promoting a football or netball team,
arranging days out and arranging charity events) so long as this does not interfere with
company business.
. Awareness that involvement in a social club and arranging social activities involves the
processing of personal data relating to colleagues. Names and contact details (even where
this is a work telephone extension number or e-mail address) constitute personal data.
. Awareness that data protection law sets standards for the correct use of personal data and
that those involved in social clubs and arranging social activities are expected to observe
the Data Protection Principles.
. The importance of the security of any records containing personal data.
. A reminder of the general embargo on sourcing personal data from the HR department.
Personal data required to administer the social club should be obtained direct from the
members or participants.
. The importance of explaining to members and prospective members why the information
is required.
. That the aim should be to hold the minimum information in each case.
. A complaints procedure, possibly with the company or head of HR as final arbiter.
SUGGESTED ACTIONS
. Provide guidelines to social club or event organizers about the correct use of personal data.
. Check that any schemes involving work in the community have considered data
protection issues in relation to the scheme. In particular, check:
– that subject information is provided to prospective participants and that it is adequate
and appropriate in the circumstances
– that any vetting required prior to joining the scheme is fully explained to prospective
participants on first contact with the scheme organizers.
CHAPTER 9
Corporate issues
. That the service company will only act on instructions from the trading company when
processing personal data on its behalf;
. That the service company will comply with the Seventh Data Protection Principle in
relation to the processing of personal data on behalf of the trading company.
It might be possible to meet the contractual requirement of the Seventh Principle by all
relevant parties entering into one master agreement. All parties (employing company(ies),
computer equipment owners, the ‘data processors’ and trading companies, the ‘data
controllers’) would need to sign the agreement.
Otherwise separate agreements will be required between each data controller and its
data processor(s).
SUGGESTED ACTIONS
. Identify the employing company(ies) in the group.
. Identify the trading company(ies) in the group.
. Put in place contracts between the employing company (the ‘data processor’) and the
trading companies (the ‘data controllers’) incorporating the terms set out above.
1. http://www.europa.eu.int/comm/internal_market/en/dataprot/news/clauses2faq.htm.
These options are exemptions (among others) set out in Schedule 4 to the Act.
Unfortunately these options do not wholly meet the need either in relation to transfers
of employee data to parent companies or to other recipients located outside the EEA. This is
primarily because consent is not reliable in the HR context. There is a view that an employee
cannot freely give consent to their employer because of the inherent pressure in the
relationship on the employee to consent to actions of the employer. The Information
Commissioner subscribes to this view. Organizations which seek to rely on consent obtained
from employees will find that consent challenged. Alternative arrangements should be
sought immediately. (For a full commentary on the issue of consent in the employer/
employee relationship see page 21).
Where an organization is part of an international group some transfer of employee
personal data outside the EEA is bound to occur. The use of international telephone
directories and e-mail address directories involves the disclosure and transfer of personal
data. The transfer of employee personal data is particularly likely if the organization’s head
office is located outside the EEA. The exemption applying to transfers pursuant to a contract
or to facilitate a contract with the data subject may apply to some routine disclosure of
employee personal data for HR purposes. Transfers may be made pursuant to the employee’s
contract of employment: for example, the approval of contractual bonus payments or
decisions relating to dismissal where this is part of the documented disciplinary procedure
etc. However, that exemption will not cover non-contractual obligations such as
international recruitment and selection or a redundancy programme.
If none of the conditions in Schedule 4 apply – which is the case in relation to some HR
disclosures to a parent company and all disclosures to a recipient in relation to a joint
venture, merger or acquisition – consideration may be given to using contractual terms.
Prescribed contract terms have been approved by the EC as providing adequate
protection for personal data transferred to countries where inadequate data protection law
exists. The contract should be entered into by the intended recipient of the personal data
and the employer. The approved terms are lengthy and may not be acceptable to the parties.
They are not particularly appropriate to the relationship between parent and subsidiary
company. In relation to parent companies, the employer will have a continuing relationship
with its parent to protect. The relationship will also mean that the subsidiary will have prior
experience of the integrity of the parent organization. An international group of companies
may also have international standards of data handling, security and confidentiality with
which the UK-based employer will be familiar. Therefore it is suggested that it would be
more appropriate to follow the adequacy test in relation to intra-group transfers.
The adequacy test is a process whereby a data controller in the United Kingdom assesses
the adequacy of data protection in the country where the intended recipient of the personal
data is located. The process is long and involved, requiring research to be undertaken and a
judgement made at the end of the process.
As extra security for the transfer and to focus attention on the data protection issues
involved in a transfer of employee personal data it is recommended that the transfer be
undertaken on the terms set out below.
. A restriction on the purposes for which the recipient may process the personal data.
. A prohibition on the processing of personal data for specific activities such as marketing,
or onward disclosure to third parties.
. A requirement to ensure that all reasonable security measures are in place for systems and
that staff whose jobs involve handling the personal data have adequate training in
confidentiality and security issues.
. A requirement that the personal data be deleted, destroyed or returned to the sender when
the recipient has concluded its processing activity.
SUGGESTED ACTIONS
. Identify the purposes for which transfers of employee personal data outside the EEA are
made.
. Identify the parties to whom employee data will be disclosed.
. If the purpose is routine HR administration which a parent company located overseas
requires for management planning or budgets, depersonalize or anonymize the data.
. If the purpose is to approve or make decisions affecting individual employees (for
example, bonus payments, promotion, dismissal, international recruitment and selection),
anonymized data will not meet the need. In this case check that the employees
affected are aware that their personal data is to be transferred to the parent company for
specific purposes and incorporate the contract terms approved by the EC (see below).
. If the disclosure is in relation to a joint venture, merger or acquisition, check that the
employees affected are aware that their personal data is to be transferred for this purpose
and follow the contractual terms point below.
. Suggest that the intended recipient enter into a contract in the terms approved by the EC
for the transfer of personal data outside the EEA. The terms can be found at the relevant
web site.2
ADEQUACY TEST
. Find out about and document the data protection laws in effect in the country where the
recipient of the personal data is located.3 Alternatively you might ask the intended
recipient of the personal data for information.
. Find out and document whether or not the intended recipient of the personal data is a
member of any professional body or subscribes to a code of conduct or practice which
includes the need for confidentiality when dealing with personal data. Ask the recipient if
you are unsure, but all professional bodies will have a code of conduct.
. You should have some knowledge of the recipient’s security arrangements, whether or not
computer systems meet international standards, what internal policies and procedures
protect confidentiality of personal data, etc. Document this also. If you have no prior
knowledge of the intended recipient, ask for information on all the above issues.
. Consider the confidentiality of the personal data involved and whether or not it is
‘sensitive data’. Consider and document your view as to the likely harm which would
result from unauthorized destruction or disclosure of the data.
. Check with other European offices (if any) as to their practice regarding the disclosure of
employee data to a parent or other recipient located outside the EEA.
. Given the information you have collected in response to the points raised above, make a
judgement as to whether or not you personally consider the transfer provides adequate
safeguards for the personal data given its confidentiality etc.
. If you are personally satisfied as to the security of the data and the integrity of the
transferee, make the transfer on terms such as the suggested ones set out above.
. Document the process you have gone through, the checks undertaken and the reasons
why you finally made the decision to transfer/not to transfer the personal data outside the
EEA.
2. http://www.europa.eu.int/comm/internal_market/en/dataprot/news/clauses2faq.htm.
3. The privately owned web site at www.privacyinternational.org/survey gives details of the state of
data protection law in countries around the world.
Once the transaction is in the public domain, employees may be informed that their
personal data will be disclosed in connection with the proposed transaction. As the
disclosure may still represent processing for a new purpose, employees should be asked for
their consent to the disclosure.
As the transaction proceeds care should be exercised in relation to the personal data
disclosed. The target organization should be selective about the information it provides.
Personnel records should not be provided in full as it would be difficult to justify such wide
disclosure; only relevant information should be provided. All personal data disclosed should
be subject to a duty of confidentiality binding the acquirer and its advisers. There should
also be a prohibition on the further disclosure of personal data supplied in connection with
the proposed transaction, and the processing of the data should be restricted to purposes of
evaluating the assets and liabilities of the target organization.
On completion of the transfer or acquisition, all parties’ notifications on the Data
Protection Register should be reviewed as there may be changes to be notified. In addition,
newly acquired personnel files should be checked for compliance with the Principles as
recommended in the Employment Practices Data Protection Code.
SUGGESTED ACTIONS
These action points are written from the perspective of the organization making the
disclosure of personal data. You may need to adapt them according to your organization’s
role in the transaction.
In preliminary discussions
. Ensure that an appropriate confidentiality clause has been signed to protect any
personal data that might be disclosed. In particular, place a prohibition on the
processing of such data for any purpose other than assessing the value of the assets and
liabilities of the proposed transaction.
. Identify those persons and companies to which the personal data will be disclosed: for
example, the interested party, its professional advisers, bankers, etc. Restrict the onward
disclosure of any personal data supplied to these third parties on a ‘need to know’ basis.
. If any of the parties are located outside the EEA, any transfer of personal data will be
subject to the Eighth Principle. (See page 55).
. If any personal data is to be disclosed at this stage, check that the employing company has
given employees appropriate data subject information notices to explain that disclosure
for these purposes may occur. If employees are not aware that their personal data might
be disclosed in such circumstances and this personal data cannot be anonymized
completely, explain the situation to them and obtain their consent before making any
disclosure.
. Check that any personal data to be disclosed to a third party – for example, by inclusion in
a data room – is anonymized as far as possible. If anonymized data is not sufficient for the
purposes of the third party, find out why, assess the reasonableness of the request and
document the reasons before making the disclosure.
. As personal data is disclosed ensure that it is duly marked as confidential and only disclose
such information as is required, i.e. do not disclose complete HR files but select only
relevant material.
Record keeping
Most of the Data Protection Principles impact on record-keeping. The obligations to keep
personal data up to date, to ensure that only relevant data is processed and to keep personal
data secure are all directly applicable to record-keeping.
References given/information supporting the reference | 5 years from giving reference | Keep 5 years from giving reference
Summary of record of service such as name, position held, dates of employment | 10 years from end of employment | Keep 10 years
Records relating to accident or injury at work | 12 years | Keep 12 years
The Employment Code features an entire section devoted to record-keeping.1 Among the
recommendations, here are some of the key ones not covered elsewhere:
. Employee personal data should be checked periodically by data subjects to ensure that it is
up to date and accurate.2
. Anonymize any data about workers and former workers where practicable.3
. If the holding of any information on criminal convictions of workers is justified, ensure
that the information is deleted once the conviction is ‘spent’ under the Rehabilitation of
Offenders Act.4
1. Record Management.
2. Record Management, benchmark 4.
3. Record Management, Retention of records, benchmark 2.
4. Record Management, Retention of records, benchmark 3.
5. Record Management, Disciplinary, grievance and dismissal proceedings.
6. Disciplinary, grievance and dismissal proceedings, benchmark 2.
7. Record Management, Equal opportunities monitoring, benchmarks 1 to 4.
equal opportunities monitoring satisfies one or more of the conditions for the fair
processing of sensitive data set out in Schedule 3 to the Act. There is a condition which
specifically relates to legitimate equal opportunities monitoring, so this is not a problem.
The Employment Code recommends that sensitive data processed for purposes of equal
opportunities monitoring should be maintained in anonymized form where practicable. In
many instances, information held for monitoring equal opportunities does not need to
identify individual workers.
FRAUD PREVENTION
The Employment Code makes a series of recommendations relating to the use of employee
personal data for purposes of fraud prevention.8 Some public employers will undertake
‘matching’ exercises with employee personal data against lists of persons in rent arrears for
example. The recommendations include consultation with trade unions or other worker
representatives before starting a data-matching exercise. Any legitimate concerns raised in
consultation should be followed up and any appropriate action taken before starting the
exercise.
The Employment Code also recommends that employees are reminded of the fact that
the employer undertakes fraud prevention exercises from time to time. This is in addition to
the requirement to provide subject information as required by the First Principle.
Employee personal data should not be disclosed to other organizations for the
prevention or detection of fraud9 unless:
SUGGESTED ACTIONS
. Adopt a sensible document retention policy.
. Anonymize personal data used for statistical and equal opportunities monitoring purposes
so that individuals cannot be identified.
. Read the guidance on security in Chapter 20.
DISCLOSURES
Employers are routinely approached for information relating to their employees. All such
requests involve the disclosure of personal data relating to the employee concerned. Simply
confirming that a particular individual is employed by the company constitutes personal
data relating to that individual.
Most requests are genuine and justifiable; however, some will be attempts to elicit personal
data by deceit. The employer is under an obligation to make staff aware of this, particularly
those working in HR who are responsible for the handling of employee personal data.
Disclosures of employee personal data fall into three main categories:
1) Those disclosures required by law such as sharing information with the Inland Revenue,
National Insurance contributions agency, Child Support Agency, etc.
2) Those made at the request of the data subject, for example providing a reference for a
mortgage application, to a new employer or to ‘whom it may concern’.
3) Other, probably non-routine, requests from outside agencies such as solicitors and other
interested parties.
Obviously, disclosures required by law must be made subject to verification that the request
is genuine. A disclosure requested by the data subject should be made in accordance with
company policy, and will probably be made openly so that the employee is aware of its
content. In particular, references to be provided to new or prospective employers are the
subject of a series of recommendations in the Employment Code.10 This recommends
setting out a clear policy explaining who in the organization is authorized to give references
on its behalf. Anyone likely to be approached for a reference or to become a referee needs to
be aware of the policy.
Requests from other third parties should be dealt with in accordance with the
recommendations in the Employment Practices Data Protection Code. Employees should be
advised of the request and allowed to determine how it is handled, what information is
disclosed, etc. unless this would involve ‘tipping off’ the data subject in relation to a
criminal investigation.
Requests for information from the police fall into this last category. Organizations have
the discretion whether or not to comply with a request made by the police for access to
personal data held. While most organizations will ordinarily want to comply with such
requests, there should be a procedure to handle them properly and fairly in relation to the
employee.
Requests by colleagues for details such as a home contact number or date of birth are
another kind of non-routine request for the disclosure of employee personal data. The personal
data held on HR files is held for purposes related to HR administration, and a disclosure to
another member of staff for social purposes is processing for an unrelated purpose.
A robust internal disclosures policy is also recommended.
. Disclosure of employee personal data will be made where required by law (for example to
the Inland Revenue, National Insurance Contributions Agency, Child Support Agency).
. Disclosure of employee personal data will be made at the specific request of the employee
concerned, for example providing references.
. In all other cases, disclosure of employee personal data will only be made with the
knowledge and consent of the employee concerned.
. Employee personal data will be published where required by law, for example in company
reports and financial statements.
. In all other cases, employee personal data will only be published with the full knowledge
and consent of the employee concerned, including the likely extent of the publication.
Procedural elements
The procedure should include:
. Providing the employee concerned with a description of the publication, including the
medium (print, web site, verbal), the shelf life of the publication, its intended and likely
audience, the content of the information, the personal data contained in the information.
. Obtaining the consent of the employee before publication.
. Taking account of any comments and requests for amendment requested by the employee.
. Details of fire wardens and first-aiders. This information may be disclosed to the
emergency services to assist in managing an incident should one occur. Employees should
be aware of this disclosure of their personal data.
. Accident books and incident logs. These will necessarily contain sensitive data relating to
the physical and/or mental health of those involved in an accident at work.
. Visitors’ books. These require visitors to supply personal data and should be supported by
subject information.
. Claims files. These may contain sensitive data relating to an incident. The data will be
disclosed to insurers. The processing of this personal data is covered by an exemption as
being necessary for the purposes of defending legal rights. An insurance claim is made
when an organization recognises that someone has, or is likely to make, a legal claim for
liability against it.
Issues surrounding the use of medical testing for health and safety purposes are considered
below.
SUGGESTED ACTIONS
. Check that lists of fire wardens and first-aiders are accurate and kept up to date and that
there is a procedure to ensure this is always the case.
. Ensure that fire wardens and first-aid-certificate holders receive appropriate subject
information so that they are aware of the extent of personal data used for these
purposes, the parties to whom it will be disclosed and any other relevant information.
See page 13.
. Include appropriate subject information in or near to visitors’ books so that the persons
who are required to supply details are aware of the reasons why the information is
required. Again, page 13 is relevant.
. Include appropriate subject information in accident books so that the persons required to
supply details are aware of the reasons why the information is required. (Page 13 is also
relevant here).
. Amend the wording in accident books to include an explicit consent clause to the
processing of sensitive data. (See page 16).
. Check the security arrangements for claims files, which may be held outside the HR
department.
Medical testing
Many employers require their employees to undergo medical tests. The most common
circumstance is on appointment, when this is made ‘subject to’ a satisfactory medical.
Another situation where a medical might be required is if an employee is absent from work
for a long period due to illness. The employer might require the employee to undergo a
medical to assess their suitability for work or to support a claim made against permanent
health insurance (long-term sick pay).
In addition there are industries and work-related activities which carry a high risk factor
concerning the health of the employee: for example, using a pneumatic drill is potentially
harmful to an individual’s hearing and using a VDU screen potentially damaging to one’s
eyesight. These are circumstances where the medical testing of current employees might be
required.
CONSENT
The Employment Code strongly recommends seeking the consent of workers to medical
testing. This apparently conflicts with the Information Commissioner’s stance in relation to
the unreliability of consent in the employer/employee relationship. (See page 21). However,
there is little alternative to consent in these circumstances, and in requiring consent the draft
Employment Code can at least specify that employees should be fully informed of the need
for medical testing and the likely consequences arising from the results.
organization. For example, other employees should not be supplied with details relating to
employee sickness unless the disclosure is to the employee’s manager who requires the
information for management and supervisory purposes. In particular, the Employment
Code disparages the practice of publishing a sickness ‘league table’ to compare the number
of days different employees are absent from work.
GENETIC TESTING
It is accepted that genetic testing might be valid on health and safety grounds in exceptional
circumstances. The draft benchmarks in the Employment Code relating to genetic testing
are based on the conclusions of the Human Genetics Advisory Commission, which has
examined the implications of such testing in the employment arena.
In addition to the general requirements for medical testing, the key requirements for
genetic testing are that it should be undertaken on a voluntary basis unless there is a
significant health and safety risk posed by a particular employee or where it is known that a
specific working environment or practice poses a specific risk to employees with particular
genetic variations.
The draft benchmarks stress the importance of using tests of the highest technical
quality and reliability. The results of any test must always be communicated to the person
tested and professional advice and support should be made available when the results are
communicated.
If it is known that an individual has previously undergone a genetic test, they should
not be required to disclose the results of that test except where the information is needed to
show susceptibility – or lack of it – to harm from performing a job or to help assess current
ability (or inability) to perform a job safely.
SUGGESTED ACTIONS
The following is a checklist of actions to meet the recommendations in the draft Medical
Testing section of the Employment Code.
SUGGESTED ACTIONS
. Ensure that employees are fully aware of the disclosure of personal data between employer
and the credit card company. (Refer to page 13).
. Treat credit card statements as personnel information. (Refer to page 61).
. Check that appropriate data protection terms are included in the agreement between the
employer and the credit card company. (Refer to Chapter 7).
. Confirm that appropriate actions are taken in relation to monitoring. (See Chapter 5).
CHAPTER 11 Marketing to staff
If the organization is marketing to its own employees, the requirement is for an opt-out
clause to be provided before the personal data is processed for marketing purposes. This
means explaining that employee personal data will be used for marketing purposes in
subject information at the first contact with the data subject. This will probably be on the
application form or at interview. At the same time a marketing opt-out must be provided
and observed.
If the organization intends to allow third parties to market to its employees, an opt-in
clause is required. Note that in a group of companies where all staff are employed by a
service company, the promotion of other group companies’ products and services to staff
will require an opt-in.
AFFINITY BRANDING
An alternative method of marketing group products would be to undertake affinity branding
or hosting. The employer presents the product or service as its own. The fulfilment of
purchase orders is outsourced to the product or service provider. The product or service
provider is a data processor, processing employee personal data on behalf of the employer,
so the actions outlined in Chapter 7 are relevant.
SUGGESTED ACTIONS
. Check that employees are aware that their personal data will be (or is being) used for the
purposes of marketing. An established history of using employee data for marketing plus
appropriate subject information for new employees is required. If marketing to
employees is a new venture that has not previously been communicated to employees,
then:
. Advise employees in writing that the company wishes to use employee personal data to
promote its own or another company’s goods and services and seek their consent to such
use (an ‘opt-in’).
. Remember that other group companies must be treated on an arm’s length basis.
. Incorporate further data subject information into your proposed marketing material.
Follow the actions suggested on page 13 and add an opt-out consent clause to the use of
personal data for the purposes of marketing, including any data-sharing or disclosure to
third parties.
. Put in place a procedure to deal with requests from employees not to use their personal
data for marketing. (See page 10).
. Adhere to your own industry codes of practice and those of the Direct Marketing
Association.
. If you intend to access databases of other group companies, check that appropriate data
subject information notices were provided to employees explaining that their personal
data would be used by third parties to promote goods and services and that they were
given an opportunity to opt out of such promotions.
. As other group companies must be treated on an arm’s length basis, employees are
required to opt in before receiving marketing material (including e-mails etc.) about
group products or services unless these can be badged as being provided by the employer.
(See Chapter 7).
PART II Explanation of the legal requirements
CHAPTER 12 Definitions
The problem with legal definitions is that they include other defined terms. To understand
each definition you need to have knowledge of the others. Therefore each of the definitions
below is explained in plain English before its technical legal aspects are
considered.
‘Personal data’
Personal data is information which relates to a living person. An individual’s name and
address are personal data relating to him or her. The following are examples of personal data
relating to most of us:
The list could go on, but it illustrates the breadth of the subject and starts to indicate some
of the issues.
. Data which is not immediately identifiable with an individual until referenced to another
file, or even a manual list. The 1984 Act definition specified that personal data meant data
that could be processed by reference to the data subject. Under the 1998 Act, data need not
be processed by reference to the data subject so long as they can be identified from either
the data or other information controlled by the data controller. For example, a list of
National Insurance numbers is personal data because these can be cross-referenced with
the individuals to whom they relate.
. The future intentions and opinions of the data controller in relation to the data subject
are now specifically included where previously they were excluded. This has an impact on
interview notes. Previously interview notes, as the opinion of the interviewer, were
exempt from data protection law; they are now within the definition and subject to data
protection provisions such as subject access.
. The requirement remains for personal data to relate to a living individual. Therefore data
relating to a corporate entity is not personal data. Although companies have a legal
existence, they do not have a physical existence; they act through their employees,
officers and directors. Information relating to these persons is personal data, even where
the information comprises bare contact details. If the individual is identifiable then the
information is personal data, even though – as with a business contact address – it may
relate to a business.
. Business information relating to a sole trader is personal data because it relates to the
individual and not to a company or other organization. Similarly, information relating to
a partnership which can be related to one of the partners is personal data.
. CCTV images and photographs of people who can be identified from them are personal data.
. Personal data may be held in a variety of media, including on a computer, on microfiche,
in paper records, in index card systems, in diaries and address books and in back-up
material. It may be held in current files and in archive files and records.
information which:
a) is being processed by means of equipment operating automatically in response to instructions
given for that purpose,
b) is recorded with the intention that it should be processed by means of such equipment,
c) is recorded as part of a relevant filing system or with the intention that it should form part of
a relevant filing system, or
d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined
by section 68.
. Personal data relates to a living individual, not a company or charity or club. Nor does it
relate to deceased persons.
. The individual must be identifiable either from the data or from other information to
which the data controller has access.
‘Data subject’
This is the individual to whom personal data relates. A data subject need not be a United
Kingdom national. Any data relating to a living individual which is processed in the United
Kingdom is subject to the provisions of the Act. This applies whether the individual is
British, an EC citizen or located in a territory outside the EEA.
In the HR context, data subjects are employees, ex-employees and prospective
employees. Temporary workers, consultants, professional advisers, suppliers of goods and
services are also data subjects.
‘Data controller’
The data controller is the party (organization, company, club or individual) which makes
decisions about the personal data to be processed. It decides the purposes for which personal
data is to be processed, what personal data is required and how it is obtained.
A trading company is the data controller of personal data connected with the business,
its customers and suppliers. An employing company is the data controller of employee
personal data. The trustees of a pension scheme are the data controller of personal data
relating to past and present members of a pension scheme and their dependants. A charity is
the data controller of membership and subscriber lists. A club is the data controller of
personal data of its members, and so on.
. The data controller is the party which determines the purposes for which and the manner
in which personal data are processed. This is indicative of control over personal data. Note
that data protection law never concerns itself with concepts of ‘ownership’ of data. The
key element is control: the data controller is the party, or parties, which makes decisions
about the processing of personal data. So, for example, an employer which outsources its
payroll administration is a data controller because it gives instructions to the payroll
service provider about the administration of the payroll, who is to receive salary, on what
basis and subject to what timings, etc.
. Two or more bodies may be data controllers in relation to the same personal data. In the
example of processing personal data for payroll administration purposes, the Inland
Revenue and the National Insurance Contributions Agency will both operate as data
controllers in relation to payroll data (including personal data) supplied by the employer.
Employer, Inland Revenue and National Insurance Contributions Agency all process
personal data as data controllers and for different purposes.
‘Processing’
‘Processing’ is used in a very wide sense in relation to data protection. It includes obtaining,
using, holding, destroying and deleting personal data. Basically the term means
anything that might be done to or with data.
‘Data processor’
A data processor is the party which carries out the processing of personal data on behalf of
another. It is providing a service in which it has no real interest except where it is paid for
the processing. In a group of companies, whichever one owns the computer equipment is
technically a data processor on behalf of the other companies in the group which use the
computer equipment.
Using the example of a payroll service provider, the data controller is the employer as
outlined above (see the definition of ‘data controller’), while the service provider processes
personal data on behalf of the data controller. The data processor – in this example, the
payroll service provider – has no interest in the data except that it is remunerated by the
data controller for carrying out the processing activity.
protection law, and this definition was the way to distinguish between those files which
should be included and those which should not. In practice, the definition is probably
unimportant because the Information Commissioner has put forward the view that all paper
files are included and – unless your organization wants to run a test case through the courts
– the view of the regulator is best followed.
‘Relevant filing system’ means any set of information relating to individuals to the extent that,
although the information is not processed by means of equipment operating automatically in
response to instructions given for that purpose, the set is structured, either by reference to
individuals or by reference to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible.
Guidance from the office of the Information Commissioner suggests that the first criterion
to establish is whether the information is a ‘set’ or grouping of information such as HR files
or customer files. Then consider whether the information has a structure either based on
identifiers such as name or employee number or by reference to criteria relating to
individuals, for instance age, type of job or membership of a particular organization. Finally,
consider whether the system allows specific information relating to an individual to be
readily accessed.
This guidance means that any and all filing systems lie within the definition. A
representative from the Commissioner’s Office (on a Data Protection compliance seminar)
stated that even an individual’s messy desk could be regarded as structured because the
individual would be able to locate any particular piece of information on that desk if asked.
At a conference in February 2002 the Information Commissioner, Elizabeth France, said in
relation to the definition of a relevant filing system that ‘if you can find it for the boss, it’s
caught; if not, why are you keeping it?’ This wide interpretation of relevant filing system
may not be what was originally intended by Parliament. However, the regulator’s view must
be given due consideration and weight although there are recent signs that there may be
some opposition to the Commissioner’s view from the Courts.
In a County Court case, Durant v FSA, the Court considered the meaning of ‘relevant
filing system’. A manual personnel file with the employee’s name on the front was not
found to be a ‘relevant filing system’ and, therefore, the information contained in the file
was not ‘personal data’ for the purposes of the Data Protection Act 1998.
This is the first case on the definition and for the first time there is a move away from
the very wide definition applied by the Information Commissioner. Until now the position
has been that every piece of paper has been deemed reasonably accessible and, therefore, the
information on it has been classified as ‘personal data’. The Court considered that the
information in the file was reasonably easily accessible but nonetheless, the file was not
within the meaning of ‘relevant filing system’.
The implications of the case are to introduce a degree of uncertainty when dealing with
paper files as to whether or not they are caught by the definition of personal data by virtue
of being in a ‘relevant filing system’. There will need to be more case law before certainty is
established. In the meantime employers may rely on the Durant case on a carefully judged,
ad hoc basis, for example, if specific material held in a paper file was to be excluded from a
response to a subject access request. A risk-averse employer will not want to run the chance
of being the next test case. Obviously a total overhaul of HR procedures in reliance on the
Durant judgement would be premature.
‘Notification’
Notification is not a defined term but arises from the notification regulations made pursuant
to the Act. It means arranging for an entry on the Data Protection Register showing the
name of the organization involved in the processing of personal data, the purposes for
which personal data is processed, and the categories processed. If the notification
regulations require an organization to register, then processing without registration is
prohibited.
Safe Harbor
This is a scheme operating in the United States whereby organizations formally agree to
follow a set of data protection principles and guidance. It is regulated by the United States
Department of Commerce and approved by the European Commission as offering an
adequate level of protection for the transfer of personal data to US organizations that have
signed up to the scheme.
‘Sensitive data’
A plain English interpretation cannot add to the technical definition, which is set out in
Section 2 of the Act and provides that:
‘Accessible record’
Section 68 of the Act provides that:
a) a registered medical practitioner (a ‘registered medical practitioner’ includes any person who
is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in
such employment as is mentioned in subsection (3) of that section),
b) a registered dentist as defined by section 53(1) of the Dentists Act 1984,
c) a registered optician as defined by section 36(1) of the Opticians Act 1989,
d) a registered pharmaceutical chemist as defined by section 24(1) of the Pharmacy Act 1954 or
a registered person as defined by Article 2(2) of the Pharmacy (Northern Ireland) Order
1976,
e) a registered nurse, midwife or health visitor,
f) a registered osteopath as defined by section 41 of the Osteopaths Act 1993,
g) a registered chiropractor as defined by section 43 of the Chiropractors Act 1994,
h) any person who is registered as a member of a profession to which the Professions
Supplementary to Medicine Act 1960 for the time being extends,
i) a clinical psychologist, child psychotherapist or speech therapist,
j) a music therapist employed by a health service body, and
k) a scientist employed by such a body as head of department.
Defined term: section number of the Act
Accessible record: 68
Address (in Part III): 16(3)
Business: 70(1)
The Commissioner: 70(1)
Credit reference agency: 70(1)
Data: 1(1)
Data controller: 1(1) and (4)
Data processor: 1(1), (4) and 63(3)
The Data Protection Directive: 70(1)
Data Protection Principles: 4 and Schedule 1
Data subject: 1(1)
Disclosing (of personal data): 1(2)(b)
EEA State: 70(1)
Enactment: 70(1)
Enforcement notice: 40(1)
Government department: 70(1)
Health professional: 69
Inaccurate (in relation to data): 70(2)
The non-disclosure provisions (in Part IV): 27(3)
Notification regulations (in Part III): 16(2)
Obtaining (of personal data): 1(2)(a)
Personal data: 1(1)
Processing (of information or data): 1(1) and Paragraph 5 of Schedule 8
Recipient (in relation to personal data): 70(1)
Recording (of personal data): 1(2)(a)
Relevant filing system: 1(1)
Sensitive personal data: 2
The subject information provisions (in Part IV): 27(2)
Third party (in relation to processing of personal data): 70(1)
Using (of personal data): 1(2)(b)
CHAPTER 13 Introduction to the Principles
All businesses are under a legal duty to comply with the Data Protection Act 1998. The only
exception from compliance with the Act is for a private individual who processes personal
data for domestic and family purposes only. It follows that all employers are likewise under a
legal duty to comply with the Act.
This section of the book covers the legal requirements of the Data Protection Act 1998.
It starts with the definitions and moves through an in-depth consideration of the eight Data
Protection Principles. Data subject rights are explained in Chapter 19.
The Data Protection Principles are the backbone of the compliance requirements of the
Act. They are set out in Schedule 1 of the Data Protection Act 1998. The Schedule is divided
into two parts. Part I contains the bare text of the Principles. Part II, entitled ‘Interpretation
of the principles in Part I’, sets out some further requirements for compliance with the
Principles as well as giving some guidance as to what is expected in order to meet
compliance standards.
Schedule 1 is incorporated into the Act by Section 4. This section also provides that it
is the duty of the data controller to comply with the Principles in relation to all personal
data with respect to which he is the data controller. At this point, therefore, there is no
duty on data processors to comply with the Principles. The distinction between data
controllers and data processors is critical as a result, and a significant part of later chapters
is devoted to identifying and analysing the relationship between data controllers and data
processors.
The Sixth Principle requires data controllers to have regard to the rights of data subjects
under the Act. Subject rights are set out in Part II of the Act, Sections 7–15. Since October
2001 all the subject rights have been in force, although subject access to certain, limited,
paper files can still benefit from the exemption provided by the second transitional period.
As this exemption is restricted to manual data subject to processing already under way as at
24 October 1998 and personal data processed for certain historical research purposes only, it
is not dealt with in this book.
Each chapter on the Principles starts with a short introduction, considers the actual
wording of the Principle or subject right, and then provides an analysis of the meaning.
Examples are given where these are appropriate.
Where guidance has been published by the Information Commissioner, and it assists in
understanding the legal requirements, this is included. As the Data Protection Principles
remain largely unchanged since their introduction under the Data Protection Act 1984,
reference is made to guidance issued in relation to the 1984 Act where it is thought to be still
relevant and helpful in interpreting current law.
. Employees.
. Ex-employees.
. Prospective employees.
. Employees’ families.
. Temporary staff.
. Contract staff.
. Recruitment files (application forms and interview notes, even those relating to
unsuccessful candidates).
. Supervisors’ records.
. Sickness records where individual employees are named or can be identified from other
information such as an employee number.
The Employment Code was put forward by the Information Commissioner as a draft
document in 2000. There has been extensive consultation with industry and worker
representative bodies. It is being issued in tranches, and there are four parts:
. Record keeping.
. Recruitment.
. Monitoring at work.
. Medical information (not yet issued in final form).1
Each part is designed to stand alone and starts with standard sections explaining the
perceived status of the Employment Code and continues with benchmarks applying to the
management of data protection compliance within HR. Each part of the Code includes
benchmarks and examples.
The following chapters deal with the substantive law, but references to relevant
benchmarks from the Employment Code have been included. The key issues for compliance
were highlighted in Part I.
1. As at August 2003.
CHAPTER 14 The First Principle
pre-employment vetting by credit reference search, candidates should have this explained
to them. If normal recruitment procedures provide for this explanation to be given before
the first interview – say, in the letter inviting the applicant for interview – if it is not
explained to one particular candidate albeit accidentally, then the processing will not be
fair in relation to that one candidate. Note that it may have been fair in relation to the
majority of candidates, but in this one isolated case, it was not fair. The test of fairness is
subjective.
. Was the person supplying the data under the impression that it would be kept confidential
by the data controller, and was that impression justified by the circumstances?
. Was any unfair pressure used to obtain the information? Were any unjustified threats or
inducements made or offered?
. Was the person improperly led to believe that they must supply the information, or that
failure to provide it might disadvantage them?
LAWFUL PROCESSING
Again, ‘lawful processing’ is given its plain English meaning. Personal data must be
processed in accordance with any relevant legal requirements. These need not be criminal
offences; lawfulness also relates to civil law. For example, if personal data is processed under
a duty of confidentiality – bank or medical details, say – then the disclosure of that personal
data in breach of the duty of confidentiality will be unlawful. Similarly if a contract includes
a provision that personal data will not be retained for longer than a specified period, then a
party to the contract that retains the data beyond the specified period will be processing
personal data unlawfully.
In relation to employment law, processing payroll information to make unauthorized
deductions from salary would constitute unlawful processing.
An important development in relation to lawful processing is the Human Rights Act
2000, which sets out various rights for individuals, including the right to respect for the
privacy of family life, home and correspondence. Any system which purports to monitor
employee performance or behaviour must therefore include procedures and policies to
safeguard this right to respect for individual privacy. Data protection and human rights work
together to increase privacy for individual employees.
SUGGESTED ACTIONS
Read the Employment Code and make sure that in-house procedures meet the benchmarks.
If there are special circumstances why you feel it is inappropriate to adopt a particular
benchmark, document your reasons and diary it for a regular review. This will show that the
benchmark has been considered, not ignored, and it will be a permanent record of reasons
which may be difficult to remember after a period of time has passed.
Think through the various HR activities: how is personal data obtained? How is it used
and disclosed? Is personal data processed fairly? When records are destroyed or deleted, is
the data or document retention policy fair to the employees and ex-employees?
You should already be aware of the legal issues relevant to HR; be aware also that
unlawful activities will constitute a breach of the First Principle if personal data is involved.
Remember that ‘unlawful’ simply means contrary to law, civil as well as criminal; there does
not have to be an offence for processing to be unlawful.
CONSENT
The first condition is that the data subject has given their consent to the processing. In
general, consent to personal data processing activities is not required under current data
protection law. There are occasions when it might be necessary if no other authority applies:
for example, if sensitive data is being processed (see below) and no other condition for the
fair processing of sensitive data applies. Consent may also be needed if personal data is to be
transferred to a country outside the EEA where adequate standards of data protection do not
exist. (See page 55).
If data subjects are asked to consent to data processing activities, the organization must
have a procedure to deal with those data subjects who refuse. For example, if you ask
employees to consent to provide details of illnesses if they are absent from work due to
sickness, how will you deal with the ones who refuse? For this reason most organizations
will avoid seeking consent if another condition can be met.
In the employer/employee relationship it is now doubtful that proper consent can be
given by the employee to the processing of personal data relating to them by the employer.
The view has been expressed that in the relationship between employer and employee, the
employee is at such a disadvantage in terms of bargaining power that they cannot ever give
consent freely and without undue influence from the employer, simply by virtue of the fact
that this is the employer. The former Information Commissioner indicated that she agreed
with this view. There is also a growing trend whereby the Office is encouraging data
controllers to try to find alternatives to seeking consent in most situations. Consent is being
seen as very much a last resort. (See page 67).
There is no definition of consent in the 1998 Act, but the EC Directive7 defines consent
with three key elements:
In relation to this third point, the former Commissioner stated8 that a data subject may
signify consent other than in writing so long as there is some active communication
between the parties.
7. Reference 95/46/EC.
8. Legal guidance published in December 2001, ISBN 1 870466 23 3, Paragraph 3.1.5.
to comply with health and safety requirements, disclosing data to government departments
such as the National Insurance Contributions Agency or the DSS, obtaining personal data
from the Inland Revenue and so on.
LEGITIMATE INTERESTS
The sixth condition is important in relation to most personal data processing activity. It
applies where the following elements can be established:
. Legitimate interests;
. Of the data controller or third parties to whom the data are disclosed;
. Balanced against the rights and freedoms or legitimate interests of the data subject.
This is a catch-all to a large extent and covers processing which cannot be brought within
the aegis of the contract of employment nor that of any other legal duty imposed on the
data controller. It is qualified to the extent that the data controller should balance its own
legitimate interests against those of data subjects.
A key area where this condition may apply is in relation to any marketing activity
undertaken to promote goods and services to employees. Many businesses promote their
own goods and services to staff at discounted prices, and these may arrange for offers from
other businesses to be made available as a ‘perk’ of employment. Where these promotions
require the processing of personal data – for example, if invitations are specifically addressed
to staff using name and work contact details – such processing would be legitimized by this
condition for fair processing. Certainly, marketing activity would not usually fall within
the contract of employment (unless the employer has committed itself to providing such
opportunities as part of the remuneration package, which seems unlikely) nor is the
employer meeting any other legal obligation when marketing to staff. Therefore the
Condition | Comment
Explicit consent | Again unreliable in the HR context, and note that a higher level of consent (‘explicit’) is required than the ‘consent’ from the conditions for fair processing ordinary personal data.
Legal obligations in connection with employment | For example, processing to meet the requirements of SSP, Inland Revenue and Benefits Agency requirements. Consider also legal obligations in relation to other employees: for example, the disclosure of details of infectious illness of one employee so that other employees can take preventive measures.
Vital interests of the data subject | Rarely used; a matter of ‘life or death’.
Non-profit-making bodies | Applies to restricted activities and data subjects.
Information already in the public domain | Cannot apply generally but only in relation to specific instances.
Legal rights | The establishment or defence of the legal rights of the employer: for example, discussing the dismissal of an employee for absence through sickness with a solicitor.
EXPLICIT CONSENT
The first condition is that the data subject has given their explicit consent to the processing
of the personal data. As stated above, businesses are advised not to rely on consent as a
condition to establish fair processing unless they are able to handle those situations where a
data subject declines to give their consent. In addition, there is the issue that it is almost
impossible to establish that consent is freely given in the employer/employee relationship.
There is no definition of ‘explicit consent’ in the 1998 Act, but it is reasonable to assume
that the requirement is more rigorous than simple ‘consent’ required by the first clause of
Schedule 2.
death’ situation and is not generally useful in routine HR administration. However, it is not
as straightforward in application as its counterpart in Schedule 2, and further conditions
apply.
The processing must be necessary to protect the vital interests of the data subject or
another person in a case where: first, consent cannot be given by or on behalf of the data
subject or, second, the data controller cannot reasonably be expected to obtain the consent
of the data subject. Where the claim is that the processing is necessary to protect the vital
interests of another person, the data controller could show that consent by or on behalf of
the data subject has been unreasonably withheld.
NON-PROFIT-MAKING BODIES
This condition applies where the data controller is not established or conducted for profit
and exists for political, philosophical, religious or trade-union purposes. This condition will
apply so long as the processing is carried out in the course of the data controller’s legitimate
activities, with appropriate safeguards for the rights and freedoms of specific categories of
data subject and does not involve the disclosure of personal data to a third party without the
data subject’s consent. The ‘specific categories of data subject’ referred to are those
individuals who either are members of the data controller or have regular contact with it in
connection with its purposes.
LEGAL RIGHTS
This condition recognizes the need for sensitive data to be processed in connection with the
establishing or defending of legal rights. An employer might seek to rely on this condition if
an employee brings a personal injury claim against it for an accident or injury that occurred
at work. It also allows for the processing of sensitive data necessary for the purpose of
obtaining legal advice where legal proceedings are pending or anticipated.
MEDICAL PURPOSES
This condition covers the situation where processing is necessary for medical purposes and
is undertaken by a health professional, or by a person who, in the circumstances, owes a duty of
confidentiality equivalent to that which would arise if that person were a health
professional.
For the purposes of this condition ‘medical purposes’ includes the purposes of
preventive medicine, medical diagnosis, medical research, the provision of care and
treatment and the management of health care services.
This condition obviously has application in relation to occupational health screening
(preventive medicine) and medical insurance (the provision of care and treatment and the
management of health care services).
FURTHER CONDITIONS
Over and above the conditions for the fair processing of sensitive data included in the
Schedule to the Act and detailed above, there is provision for the Secretary of State to specify
additional circumstances in which the fair processing of sensitive data may be established.
To date one order, the Data Protection (Processing of Sensitive Data) Order 2000, has been
made. It provides for the fair processing of sensitive data in a variety of circumstances. These
are laid out in the following table, and considered in detail below.
Circumstances | Comment
Prevention or detection of unlawful acts | Limited in application, requiring substantial public interest, not simple prevention of crime that affects the employer such as theft etc.
Confidential counselling services | Limited in application, also requiring substantial public interest, and explicit consent must first have been considered and rejected.
Insurance and pensions | Limited in application, assisting the life and pensions industry only.
Equal opportunities | An obvious condition for HR processing activity but designed for use where equal opportunities are promoted, not otherwise.
Political opinions | Limited in application, applies only to political organizations not businesses.
Research | Limited in application, restricted to substantial public interest.
Police | Limited in application, restricted to the police.
. Processing undertaken in circumstances in which the consent of the data subject would
prejudice the prevention or detection of the unlawful act;
. Processing necessary for the discharge of any function designed to protect the public
against dishonesty, malpractice or other seriously improper conduct by, or the unfitness or
incompetence of any person, or the mismanagement of any body or association.
Research
Processing that is in the substantial public interest and necessary for research purposes may
benefit from another new condition for the fair processing of sensitive data set out in the
Sensitive Data Order. The requirements are that the processing does not support measures or
decisions with respect to any particular data subject unless the data subject’s explicit
consent is obtained in addition and the processing neither causes nor is likely to cause
substantial damage or distress to the data subject or any other person.
Business research is unlikely to qualify as being in the significant public interest, yet
some sectors may be able to take advantage of the condition. Examples include
pharmaceutical companies developing new drugs, and universities and other research
bodies operating on a non-profit-making basis.
The police
Processing that is necessary for the exercise of any functions conferred on a constable by any
rule of law is fair processing under the Sensitive Data Order.
The First Principle 101
Summary
The conditions for the fair processing of personal data provide several options for employers
processing personal data for personnel administration, the administration of employment
benefits and pension schemes, marketing, and the meeting of health and safety requirements.
The additional conditions which apply to the processing of sensitive data are much
narrower in application. Key omissions include processing in the legitimate interests of the
data controller, which is a useful catch-all in relation to personal data processing. Another
omission is processing necessary for the performance of a contract to which the data subject
is party. As a result employers should (rightly) conclude that fewer processing activities
involving sensitive data will be permissible. Certainly there are limited grounds for the
processing of sensitive data for marketing purposes, for example, unless the employer has
the consent of the employee.
Consent is something of an issue in the HR arena, as the Commissioner concurs with
the view that consent by an employee to the personal data-processing activities of their
employer is unlikely to meet any sensible interpretation of having been ‘freely’ given. So
consent is (at least) an inappropriate condition on which to rely in relation to the processing
of personal data in regard to HR activities.
It can be seen that consent is not a prerequisite to fair processing; however, many other
conditions may apply, particularly in relation to the processing of personal data rather than
sensitive data.
Finally, it is worth noting that even where personal data processing activity meets one
or more of the conditions for fair processing, it does not follow that the processing is fair.
Fairness will depend on the circumstances of the processing (the subjective test referred to
earlier) and on the subject information requirements being met.
Suggested actions
This is an area of data protection law that is largely unseen by the outside world. Only when
an organization is under investigation in relation to other data protection problems will it
be asked to declare on which of the conditions for fair processing it seeks to rely when
processing personal data and sensitive data.
However, the conditions contain many of the elements of modern data protection law,
and making an initial assessment of the conditions most likely to apply to any processing
activity is a useful exercise in the short term, leading to a greater understanding of data
protection law. In the longer term it might prove invaluable: if the business or HR
department is dealing with a data protection problem and the issue of conditions for fair
processing arises, any advance thoughts on the subject will be helpful. Document any
thoughts you may have on the conditions applicable to your department’s processing activity.
. The identity of the data controller and – if the data controller has nominated a
representative for the purposes of the Act – the identity of that representative;
. Details about the purposes for which personal data is processed or is intended to be
processed;
. Any further information which is necessary, having regard to the specific circumstances in
which the data is being or is to be processed, to enable the processing in respect of the data
subject to be fair.
So, for example, a subject information notice on a job application form might read:
The information requested on this form is required for the purpose of assessing your suitability for
employment with (Name of Employer Limited). All the information we request is necessary to
assist us in making our employment decision and we may not be able to process your application
further if you do not answer all the questions. We will take up references from the persons you
nominate on the form. If your application is successful, the application form will form part of
your contract of employment with the firm. If your application is unsuccessful we will hold this
application form for a period not exceeding one year in case any other suitable position arises.
uses a recruitment agency or headhunter, the information provided by the agency to the
data subject will determine whether or not an additional subject information notice is
required to cover the employer’s processing activity. When an employer is asked to provide a
reference, it should check that the data subject is aware that references are being taken up
and agrees to the provision of the information requested.
There are exceptions to the requirement to provide subject information notices where
the personal data was obtained from a third party. These apply:
If a data controller intends to rely on the disproportionate effort exemption they must
record the reasons why compliance involves disproportionate effort.
The subject information provisions are a new requirement under the 1998 Act and may
require changes to documentation so that subject information is assured of reaching the
target. Forms requesting personal data are an obvious location for a notice: for example, job
application forms, product or service application forms, quotation forms, cut-out forms in
newspapers. Areas more difficult to deal with are telephone interviews and face-to-face
interviews in the course of which personal data is recorded. Procedures are required to
ensure that staff carrying out telephone or face-to-face interviews provide a scripted subject
information notice or a document including such a notice for the data subject to read. This will
still pose a higher risk to compliance than would, say, a printed statement on a form, because
it will not suffice to show that subject information is provided in most cases. If one data
subject does not receive the specified information, then the processing of personal data
relating to them is unfair. The test is a subjective one.
1) Is the typeface or font in the notification of at least an equivalent size to the type face or
font used in the rest of the form?
2) If not, is the print nevertheless of sufficient size for the data subject’s eye to be drawn to
it?
3) Are the layout and print size such that the notification is clear and easy to read?
4) Is the notification placed at or very close to the place where the data subject supplies
their details or signs the form?
5) If not, is it placed in such a way that the data subject will inevitably see it in the course of
filling in the form?
6) If not, is it nevertheless placed where the data subject’s eye will be drawn to it?
7) Is the general nature and presentation of the form such that it conveys to the data
subject the need to read carefully all the details including the notification clause?
As a general rule, the size of font or typeface used for the notice should be no less prominent
than any font or typeface used for any other part of the document.
1) Do the words used convey all the likely non-obvious uses and disclosures of the
customer’s information?
2) Do the words properly convey the fact that information about the customer will be
passed on to others?
3) Do the words convey the full implications for the customer of the use or disclosure, for
example that he/she might receive telephone marketing calls?
4) Do the words explain the above in a way that would be understood by the great majority
of likely data subjects?
MARKETING FAIRLY
It has already been seen that a subject information notice should contain all information
relevant in the circumstances to allow a data subject to decide whether or not to supply the
personal data requested. Clauses which explain about the use of personal data for marketing
activity should include an opt-out, so that data subjects can decline to allow their personal
data to be used for marketing purposes. Although many European countries require positive
action from a data subject to indicate a willingness for their personal data to be used for
marketing purposes (an opt-in clause), the Commissioner’s Office accepts that the position
in the United Kingdom, where opt-out clauses are standard, is acceptable.
TELEPHONE MARKETING
The situation is that any intended use of personal data for the purposes of telemarketing or
telephone work should be specifically disclosed.
11. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 7.3.
12. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 8.5.
RECOMMENDED ACTIONS
Take the time to identify how personal data is obtained and its use for HR purposes. Your list
is likely to include application forms, CVs, employee details forms and pension scheme
forms for new employees. On a continuing basis you might receive personal data relating to
employees on sickness and absence forms, in accident books, on appraisal forms and in
training feedback. Some of the data will be provided by third parties, the Inland Revenue,
Benefits Agency, referees, doctors and recruitment agencies. Most data will be supplied by
the employees themselves. Normal HR activities will involve the processing of personal data
for HR administration and the administration of employee salaries and other benefits; work
planning and management may also be relevant. Remember to include marketing activity if
the organization’s goods or services are promoted internally using personal data or if affinity
schemes are in place (whereby a third party promotes to a group of data subjects – in this
case, the employees of an organization – offering discounted goods and services).
Once you have identified how personal data is obtained and its use around the
organization, draft appropriate subject information notices and ensure these are included
on forms, in staff handbooks, etc. so that all current and prospective employees will see
them. Remember to include temporary workers and contractors. Remember also to put a
notice on your web site if you invite applications over the internet.
Document how and when this review was undertaken and what actions resulted from it.
This may prove useful in future if your organization or department is challenged on data
protection issues.
Check that third parties which supply personal data have given appropriate subject
information notices. Pay particular attention to recruitment agencies: it is a good idea to
give them a note of the points you would like to be drawn to the attention of prospective
candidates when you are recruiting. Include subject information in that list of points.
Read the recruitment section of the Employment Practices Data Protection Code and
make sure that your procedures and documents meet the required benchmarks. If you
decide that a particular benchmark is not appropriate to your department or organization,
document the reasons for future reference.
CHAPTER 15 The Second Principle
. Personal data must be processed for purposes known at the time of obtaining the data.
. All processing must link back to the original purpose for which it was obtained.
. All purposes for which data is processed must be lawful.
Each of these three elements needs to be considered and its impact on personal data
processing in the HR context assessed.
meet the subject information requirements. (See page 13). The purposes for which employee
personal data are processed should coincide with the employer’s notification entry on the
Data Protection Register.
. The data must not be processed to support measures or decisions with respect to particular
individuals.
. The data must not be processed in such a way that substantial damage or distress is, or is
likely to be, caused to any data subject.
This means that if personal data is processed for genuine research purposes, the processing
need not relate to the purpose for which the data was originally obtained. However, the data
must not be used to make decisions about individual data subjects.
For example, if an employer keeps detailed records of the reasons for employee absences
the stated purpose of processing that personal data is to administer the company’s sick pay
scheme and SSP. The employer may then decide to undertake an occupational health study
of its employees over a given period purely for purposes of research. This purpose was
unforeseen at the time employees were asked for information about their absences from
work, and therefore no subject information was provided. Processing the sickness records for
this new purpose would be in breach of the Second Principle; however, it would be
permissible under the exemption for research purposes.
Note that the employer would not be able to use the research to identify individuals
whose behaviour deviated from the norm in any way. Such use would amount to making
decisions about individual data subjects and would invalidate the exemption which
provides that personal data must not be used to support measures or decisions relating to
particular individuals.
CHAPTER 16 The Third Principle
The point is made in the guidance that the Office would not accept that information is
relevant merely on the say-so of the data controller.
Examples
The following cases illustrate the application of the Third Principle.1
In processing a mortgage customer’s application for a current account, a bank was found
to have acted in breach of the Third Data Protection Principle when it carried out three
credit reference checks on the applicant. A series of unfortunate circumstances resulted in
the customer being the subject of a marker on his bank account indicating possible fraud.
Thus the processing of the personal data was inadequate and excessive.
A health authority carried out a ‘lifestyle survey’. A question had been included in the
survey which did not relate clearly to either the data subject’s health or the declared aims of
the survey. The inclusion of the question was held to be a breach of the Third Principle
because it was irrelevant.
An indicator on an individual’s credit reference file showed that the bank account
holder had got into financial difficulties. Although this was accurate, it was still held to be
inadequate because the fact that the individual had entered into an agreed arrangement
with the bank to rectify the situation had not been recorded.
1. Taken from the Commissioner’s Case histories and enquiries for 2000–2001.
the specific risk identified. It should not be used for general intelligence-gathering: in
other words, ensure that the extent and nature of personal data sought is relevant and
not excessive for the purpose for which it is being processed.2
2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmarks 7.1, 7.2, 7.4.
CHAPTER 17 The Fourth Principle
Accuracy
The requirement that personal data be accurate is not absolute. Where personal data is
inaccurate but the data controller can show that the information in the data is reproduced
in its records exactly as it was obtained, then there is no breach of this Principle. So, for
example, if an employee completes a job application form and supplies inaccurate
information which the employer believes to be true, then the employer is not in breach
of the Fourth Principle even though its employee personal data contains inaccurate
information.
Where possible the data controller should take reasonable steps to ensure the accuracy
of personal data. So, again using the example of the employee supplying false information
on a job application form, if the false information were that their date of birth was in 2003,
this is evidently inaccurate and the employer should confirm the actual year of birth for the
record. The same applies if the inaccurate information can easily be checked: for example, if the
employee gives a National Insurance number which differs from that on their P45, the
employer would be expected to investigate further and not accept the information at face
value.
A further qualification to the requirement that personal data be accurate applies where
the data controller holds information which is known or believed to be inaccurate but a
note has been made on the record that this is the case. There may be occasions when
retaining an original inaccuracy has value for the data controller and the Fourth Principle
cannot be used to require it to amend its records and erase the inaccurate information. So,
for example, a discrepancy in employment dates on a job application form might be
explained by the data subject (job applicant) but the data controller would wish to retain the
data in its original form with an explanation of the inaccuracy. The record might be retained
in this form as part of a disciplinary action or simply as an anomaly to bear in mind in future
dealings with the employee.
. The significance of the inaccuracy. Has it caused, or is it likely to cause, damage or distress
to the data subject?
. The source from which the inaccurate information was obtained. Was it reasonable for the
data controller to rely on information received from that source?
. Any steps taken to verify the information. Did the data controller attempt to check its
accuracy with another source? Would it have been reasonable to ask the data subject,
either at the time of collection or at another convenient opportunity, whether the
information was accurate?
. The procedures for data entry and for ensuring that the system itself does not introduce
inaccuracies into the data.
. The procedures followed by the data controller when the inaccuracy came to light. Were
the data corrected as soon as the inaccuracy became apparent? Was the correction passed
on to any third parties to whom the inaccurate data may already have been disclosed? Did
the inaccuracy have any other consequences in the period before it was corrected? If so,
what has the data controller done about those consequences?
Examples
Inaccurate personal data may cause damage or distress to a data subject. The following
examples (taken from the Commissioner’s case histories) illustrate the need for personal
data to be kept up to date.
A complaint was received about personal data recorded on a credit reference file.
Although the account had been written off some years earlier and the balance on the
account was nil, nevertheless the impression was given that the account was current. Under
normal procedures an account written off would be removed from current files after a set
period, usually six years from the relevant date. This particular account with its current
indicator would remain on file indefinitely in contravention of the lender’s normal
practices. This was found to be a breach of the Fourth Principle.
Again, the potentially significant impact on a data subject of inaccurate personal data is
shown by a case involving a loan applicant. The bank operator recording details of the
application incorrectly accepted archive details relating to the applicant’s home address and
employment. When the bank tried to contact the applicant, using the inaccurate details, it
appeared as though a false address and false employment details had been provided. The
bank concluded that an attempt was being made to obtain a loan fraudulently. As a result a
fraud warning indicator was attached to the file and may have been shared with other
financial institutions in due course. The fraud warning was deleted once the mistake had
been brought to the attention of the bank.
Inaccurate personal data can give a misleading impression. Two individuals once
married to each other but now divorced complained that a credit reference agency had
declined to note that they were not now connected. The root of the problem was an
incorrect assumption by a member of the agency’s staff that the two were in fact still
connected. This was found to be a breach of the Fourth Principle.
A police force mistakenly attributed another person’s record to an individual
undergoing an employment vetting check. The individual complained that this constituted
a breach of the Data Protection Act. The police force agreed to modify its procedures to
prevent a recurrence and made an ex-gratia payment to the individual.
2. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 4.3.
3. The Employment Practices Data Protection Code, Recruitment and Selection, benchmark 6.1.
CHAPTER 18 The Fifth Principle
. The data must not be processed to support measures or decisions with respect to particular
individuals.
. The data must not be processed in such a way that substantial damage or distress is, or is
likely to be, caused to any data subject.
. Personal data is disclosed to another person so long as it is for research purposes only;
. It is disclosed to the data subject, at his request or with his consent.
. It is disclosed to a person acting on behalf of the data subject.
. A person makes the disclosure reasonably believing that the disclosure falls within these
grounds when in fact it does not.
For example, the data subject may be an employee who has left the employment of the data
controller. The end of the relationship will not necessarily cause the data controller to delete all
the personal data. It may well be necessary to keep some of the information so that the data
controller will be able to confirm details of the data subject’s employment for, say, the provision of
references in the future or to enable the employer to provide the relevant information in respect of
the data subject’s pension arrangements. It may well be necessary in some cases to retain certain
information to enable the data controller to defend legal claims, which may be made in the
future. Unless there is some other reason for keeping them, the personal data should be deleted
when the possibility of a claim arising no longer exists, i.e. when the relevant statutory time limit
has expired.
Publicans may find seven days an appropriate length of time to keep recorded images if
the purposes of the processing are public safety and the detection and prevention of crime
because they will soon be made aware of any incident, such as a fight, occurring on their
premises.
Organizations which record images of street activity for crime prevention purposes may
not need to retain images for longer than thirty-one days unless they are required for
evidential purposes in legal proceedings.
Banks and building societies recording images at ATMs for the purposes of resolving
customer disputes might reasonably retain recorded images for up to three months in order
to provide information about cash withdrawals. The Information Commissioner suggests
this retention period, which is based on the interval at which individuals receive their
account statements.
CHAPTER 19 The Sixth Principle
This chapter focuses on the Sixth Data Protection Principle and the interpretative provisions
relevant to the Sixth Principle contained in Schedule 1 to the Act. The Sixth Principle is
concerned with data subject rights. It reads: ‘Personal data shall be processed in accordance with
the rights of data subjects under this Act.’
The meaning of ‘rights of data subjects’ is not open-ended. The rights are restricted to
those created pursuant to specific sections of the Act. They are:
A breach of any of these rights can be assessed by the Information Commissioner’s Office
but the rights are enforceable through the Courts.
There are yet other rights, created by the Sensitive Data Order which sets out additional
conditions for the fair processing of sensitive data. Certain of these conditions are qualified
by allowing data subjects the right to prevent the processing of sensitive data relating to
them under the condition.
Each subject right is considered below.
Data controllers may charge data subjects a fee of up to ten pounds to help towards
administration costs. The data controller has forty days from receipt of the fee in which to
consider the validity of the request and whether any exemptions apply and to supply the
information requested or explain why certain information is being withheld.
An explanation of codes and references used in the information must be provided if the
meaning is not clear. The information must be provided in legible form unless an alternative
medium is agreed with the data subject or if providing it in a legible form would involve
‘disproportionate effort’.
The logic involved in any automated processing must be disclosed in certain
circumstances. These are where a decision:
A data controller does not have to comply with this part of the subject access request if the
disclosure of the logic involved in the automated processing would constitute the disclosure
of a ‘trade secret’.
5. Set out in Section 7 of the Data Protection Act 1998, Schedule 7 and various Orders made under the
Act.
following list, while not comprehensive, considers some of the more generally applicable
exceptions.
THE FORMALITIES
A data controller is not obliged to comply with a request for subject access unless he has
received:
The Freedom of Information Act 2000 has added a further proviso to the final point.6 Where
a data controller reasonably requires further information to confirm the identity of the data
subject and locate the information sought, and asks the data subject for more information, if
the information is not supplied then the data controller is not under a duty to comply with
the subject access request.
. The other party has consented to the disclosure of the information to the person making
the request, or
. It is reasonable in all the circumstances to comply with the request without the consent of
the other party.
. Does the information being accessed contain information about a third party?
. If so, would its disclosure reveal the identity of the third party?
. In deciding this, has other information which the data subject has received or may receive
been taken into account?
. To what extent can the information be edited so it can be supplied without revealing the
identity of the third party?
. Has the third party previously given the information to the person making the subject
access request?
. If, or to the extent that, the information will identify the third party, has the third party
consented to the disclosure?
. If not, should consent be sought?
. Is it reasonable to disclose the third-party information without consent?
. Is the third-party information confidential or sensitive or harmful?
. Is the third-party information of particular importance to the person making the subject
access request?
There is a key exception to the third party rules suggested above. If the subject access request
relates to health records and the third party is a health professional who has compiled or
contributed to the health record (or has been involved in the care of the data subject in their
capacity as a health professional), then access cannot be refused on the grounds that the
identity of a third party would be disclosed.
HEALTH RECORDS
There is an exemption where a health professional considers that serious harm to the data
subject’s physical or mental health or condition is likely to be caused by giving access to
personal data.8
Before deciding whether this exemption applies, any data controller who is not a health
professional is obliged to consult the health professional responsible for the clinical care of
the data subject (the ‘appropriate’ health professional – there are provisions where there is
more than one such health professional or none at all).
The obligation to consult does not apply where the data subject has already seen or
knows about the information which is the subject of the request, nor in certain limited
circumstances where consultation has been carried out prior to the request being made.
There are provisions applying where a request is made by a third party on behalf of the
data subject, which apply if the data subject is a minor or mentally incapacitated.
A health record is defined in the 1998 Act as being any record which consists of
information relating to the physical or mental health or condition of an individual, and has
been made by or on behalf of a health professional in connection with the care of that
individual.
REFERENCES
There is a limited exception for references in the hands of the referee. Personal data are
exempt from a subject access request if they consist of a reference given or to be given in
confidence by the data controller for the purposes of education, training or employment.
Note that the exemption does not apply in the hands of the recipient of the reference.
MANAGEMENT FORECASTING
Personal data processed for the purposes of management forecasting or management
planning to assist the data controller in the conduct of any business or other activity are
exempt from subject access. The exemption applies only to the extent to which subject
access would be likely to prejudice the conduct of the business. This includes circumstances,
for example, where a business relocation is under consideration and specific individuals are
the subject of discussion either for relocation with the business or for redundancy. A subject
access request from a data subject in these circumstances could be handled without
providing access to the planning and discussion relating to the business relocation if that
would prejudice the relocation.
CORPORATE FINANCE
This exemption applies when responding to a subject access request could reveal price
sensitive business information. Obviously it will only apply to, and in relation to, quoted
companies.
Businesses involved in providing a corporate finance service, offering underwriting or
advice on issues of shares and other instruments, are exempt from responding to certain
subject access requests. The exemption also applies to businesses generally to restrict access
to price-sensitive information so that the orderly functioning of financial markets is not
prejudiced.10
NEGOTIATIONS
If negotiations are under way between the data controller and the data subject, this
exemption may apply to prevent the data subject from accessing details of the data
controller’s intentions. Otherwise, the subject access provisions would operate to force the
data controller to show his hand.
Personal data which consist of records of the intentions of the data controller in relation
to any negotiations with the data subject are exempt from the subject information
provisions. The exemption only applies to the extent that disclosure to meet subject
information requirements would be likely to prejudice those negotiations.
SELF-INCRIMINATION
A person need not comply with any request or order regarding subject access to the extent
that it would reveal evidence of criminal activity by the data controller. Disclosure to meet a
subject access request should not involve the data controller in revealing the commission of
any offence (other than an offence under the Data Protection Act) or expose them to
proceedings for that offence.
. Where processing is necessary for compliance with any legal obligation to which the data
controller is subject, other than a contractual obligation;
. Where processing is necessary in order to protect the vital interests of the data subject.
The requirement is for the objection to be set out in writing. Examples of areas likely to be
affected are:
The data controller is under a legal obligation to review the decision taken by automated
means. The reviewer must be a human being. The reviewer may concur or disagree with the
automated decision.
RIGHT TO COMPENSATION
Any individual who suffers damage by reason of contravention of any of the requirements of
the Act is entitled to compensation from the data controller pursuant to Section 13 of the
Actual financial loss was recoverable under the 1984 Act if it was due to actions in
contravention of the Act. The 1998 Act has extended the right to include compensation for
damage or distress due to contravention of the Act.
11. The Data Protection (Processing of Sensitive Data) Order 2000 (417).
CHAPTER 20
The Seventh Principle
This chapter examines the Seventh Data Protection Principle and the interpretative
provisions relevant to the Seventh Principle contained in Schedule 1 to the Act.
Key words and phrases with a technical meaning are explained in Chapter 12 and are
important to a clear understanding of the law and guidance on this point.
The Seventh Principle is concerned primarily with the security of personal data. The
basic requirement is that appropriate security must be in place to protect personal data.
The more sensitive and confidential the data and the more harm likely to result from its
accidental loss or disclosure, the tighter security is required.
In addition to the basic security requirement there are two additional requirements. The
first relates to staff whose jobs involve the handling of personal data. Employers are under a
legal obligation to ensure that such staff are reliable. The second relates to outsourcing. Data
controllers have a legal duty to ensure that their data processors take appropriate security
measures throughout the life of their relationship. Furthermore, data controllers are
responsible for putting in place with their data processors a written contract including two
specific clauses relating to the Seventh Principle.
The guidance reinforces the fact that this is not an absolute obligation and it spells out
the factors to take into account when assessing the ‘appropriateness’ of any security
measures.
1. This is the actual text of Paragraph 9 of Schedule 1 Part II. Author’s phrasing and use of bullet
points.
The first point is that security will depend on the state of technological development.
The appropriateness of security measures will be assessed by reference to the state of
technological development. HR managers need to keep abreast of enhancements in record-
keeping systems. Any significant improvements introduced generally need to be
incorporated into HR systems within a reasonable period of time if the department is not
to fall behind required standards.
Secondly, the cost of appropriate security measures is expressly to be factored into the
assessment of what is appropriate. It would seem that ‘appropriateness’ in relation to cost
will be influenced by the financial standing of the data controller. Costs which would be
appropriate if borne by, say, a BP or a Shell Oil might not be appropriate if the data controller
is a small business. The Information Commissioner’s view is that there can be no standard
set of security measures to meet the requirements of the Seventh Principle.2 Different
security measures will be required to meet different circumstances.
The nature of the data to be protected will dictate, to some extent, the harm that might
result from unauthorized access, unauthorized processing, loss or damage. Processing
includes the obtaining, using, holding and destroying of personal data. For example, a
greater degree of harm can be envisaged from the unauthorized disclosure of, say, sensitive
data relating to health than of straightforward personal data such as an individual’s name
and address (which might be found in a telephone directory in any event).
Sensitive categories of data are not the only types of data which might give rise to an
increased duty of care when processing personal data. For example, financial data relating
to the earnings of an employee would be regarded as confidential, and the scope for harm to
result from unauthorized disclosure is greater than if the employee’s name and address were
to be disclosed. ‘Appropriateness’ of security measures will depend on the harm that might
result from the unauthorized access, processing or destruction of personal data. The
Information Commissioner encourages data controllers to adopt a risk-based approach to
security.3
Returning to the text of the Seventh Principle, both technical and organizational
security measures are expressly required. The impact of the inclusion of paper files within
the definition of personal data (see Chapter 12) means that technical security measures
alone are not sufficient to protect personal data against unlawful access, damage or
destruction. The safeguarding of paper files requires a different approach to that employed
on computer file and database security. There is also a physical risk to personal data held in
computer files and databases which has perhaps become more apparent recently with the
spate of laptop thefts. It is no longer sufficient simply to think and plan in terms of firewalls,
password security and back-up facilities; organizational security measures are also a
necessary component of a realistic security system.
Take steps to ensure the reliability of staff that have access to workers’ records. Remember this is
not just a matter of carrying out background checks. It also involves training and ensuring that
workers understand their responsibilities for confidential or sensitive information. Place
confidentiality clauses in their contracts of employment.
Finally, the Employment Code recommends that serious breaches of data protection rules
should be a disciplinary offence.12
The Principles themselves do not, prima facie, regulate the activities of data processors. The
Act provides that data controllers are subject to the Principles. The Seventh Principle applies
so that data controllers are responsible for the compliance of data processors. Appropriate
security measures are the key part of that obligation. It also means that data protection
compliance of data processors must be policed by the data controller.
In summary, the data controller is under an obligation to ensure that appropriate
security requirements are imposed on third parties which process personal data on its
behalf. This means checking that data processors have appropriate security for personal data
or to require guarantees that such security is in place and putting in place a written contract
containing two specific terms. See Chapter 7 for an explanation of what constitutes a data
processor and suggested actions to take in the HR context. Chapter 8 is also relevant: it
considers the relationships between employers and benefit administrators to determine
those which are data processors.
A data processor will be independent of the data controller – a third party – although it
may be a sister or associated company in a group of companies. (See page 54).
Deciding whether or not a third party is a data processor is a matter of fact. The answers
to the following questions will help a data controller to decide whether or not a party is a
data processor.
. Does the party process personal data supplied by or on behalf of the data controller?
For example, a company might buy a mailing list from a third party and arrange for the list
containing personal data to be supplied direct to its preferred mailing house. The personal
data was not supplied directly by the data controller but on its behalf. This does not affect
the underlying relationship between mailing house and the data controller. The mailing
house is a data processor on behalf of the data controller.
. Is the processing undertaken on behalf of or for the benefit of the data controller?
Processing undertaken on behalf of the data controller will indicate that the processor is a
data processor. Processing undertaken for the benefit of the data controller does not
necessarily indicate that the processor is a data processor.
. Does the third party have any interest in the personal data apart from remuneration for
the service provided to the data controller?
. Does the third party take decisions in regard to the personal data it processes?
The processor may be a data controller in its own right if it uses the personal data for its own
purposes or deals with it in any way that would suggest that it is the data controller.
. Is there a degree of autonomy or does the third party act only on instructions from the
data controller?
. What do the parties intend should happen to the personal data when the relationship
between them ends?
If the party is a data processor, then personal data will either be returned to the data
controller or its nominated representative or deleted. The data processor will have no
further use for the data.
data processor and then assess whether or not the data processor has taken adequate steps to
protect personal data in its control.
The data controller is unable to make an assessment without information. So the first
step would be to require the prospective data processor to provide information about its
compliance with current data protection law. It should be asked for such details of its
security arrangements as it is able to provide without compromising that security.
Information should be requested about staff training on data protection issues, how
employees are supervised and the controls within which employees work to ensure that it is
satisfied as to their reliability. This may be particularly important in respect of new
employees and temporary workers.
companies seek legal advice on the possibility of entering into one contract with all group
companies as signatories in preference to a number of contracts between the service
company and each individual trading company.
Summary
The impact of the Seventh Principle is to create a need for:
This chapter considers the Eighth Data Protection Principle which relates to the transfer of
personal data outside the EEA. The Principle and relevant interpretative provisions are set
out in Schedule 1 to the Act.
Key words and phrases with a technical meaning are explained in Chapter 12 and are
important to a clear understanding of the law and guidance on this point.
The prohibition
In practice there are exemptions and exceptions which might take personal data outside the
prohibition. These exceptions cover specific circumstances set out in Schedule 4 to the Act.
This means that the prohibition on the transfer of personal data outside the EEA does not
apply if one or more of the conditions in Schedule 4 are met. The more commonly
applicable conditions are considered below.
SCHEDULE 4 CONDITIONS
Consent
A data subject may consent to the transfer of personal data relating to him or herself
notwithstanding that the transfer takes the personal data outside the EEA. Consent must be
freely given and informed. The fact of the transfer and that protection for the rights of the
data subject may not meet standards within the EEA must be communicated. There are
problems with establishing freely given consent in the HR context. (See page 21 for a full
explanation).
Legal claims
Transfers may be made where they are necessary in connection with any legal proceedings.
The condition includes prospective legal proceedings, obtaining legal advice or establishing,
exercising or defending legal rights.
There is no requirement that the data subject be a party to the legal proceedings or
prospective legal proceedings.
The Channel Islands and the Isle of Man are not part of the EEA.
ASSESSING ADEQUACY
If none of the conditions in Schedule 4 applies and the country in which the intended
transferee of the personal data is located has not been presumed adequate, the data
controller must make its own assessment of adequacy. The data controller must assess the
adequacy of protection for data subjects’ rights and freedoms both in the territory where the
transferee is located and as offered by the transferee organization.
Certain circumstances may help to establish adequacy: for example, if the transfer is
one between a data controller and its data processor and an appropriate contract is in place
to meet the requirements of the Seventh Principle. (See Chapter 20). It may help to
establish adequacy if the transfer is one within an international group of companies and
agreed standards of data processing apply. If the transfer is being made within an industry
sector where professional rules or a code of conduct apply, this may also be factored into
the assessment of adequacy. The Information Commissioner pointed out that these
circumstances in themselves could not be relied on completely to establish adequacy but
that they would count in favour of (or against) a final assessment of adequacy.2
This interpretation may be at least partially incorrect. The relationship between a data
controller and a data processor is regulated by the Seventh Principle. It requires, inter alia,
that the data controller:
. Investigate the data processor’s security measures for the processing of personal data.
. Restrict the processing of personal data processed on its behalf so that the data processor
may only act on its instructions.
Given these two conditions, no other circumstances would appear to be relevant to the
decision relating to adequacy.
An adequate level of protection is one which is adequate in all the circumstances of the case,
having regard in particular to:
a) the nature of the personal data,
2. ‘Transborder dataflows’ published by the Information Commissioner in July 1999, Paragraph 11.5.
1) Consider the type of transfer involved and whether this assists in determining adequacy,
for example if the transfer is within an industry sector where professional rules or
standards apply (underwriters, for example) or is a transfer within an international group
of companies. Although this will not establish adequacy prima facie, it may go some way
towards it because the data controller has a level of knowledge about the security and
procedures within the transferee company and may have an ongoing relationship which
both parties will wish to protect.
2) Consider:
. The nature of the personal data (consider sensitive personal data in particular).
. The country or territory of origin of the personal data.
. The purposes for which and period during which the data are intended to be processed.
. The harm that might result from improper processing.
. The law in force in the country or territory in question.
. The international obligations of that country or territory.
. Any relevant codes of conduct or other rules which are enforceable in the country or
territory.
. Any security measures taken in respect of the data in that country or territory.
. The extent to which data protection standards have been adopted.
. Whether there is a means of ensuring the standards are achieved in practice.
. Whether there is an effective mechanism for individuals to enforce their rights or
obtain redress if things go wrong.
3) Think whether there are any circumstances in your knowledge or that of others involved
in the proposed transfer which indicate to you that it is not appropriate to make the data
transfer: for example, if you are aware of breaches of confidentiality at the transferee
company or other data security problems.
Use of contracts
In addition, contractual terms may be used to supplement the security of personal data
transfers. However, unless you are able to use the standard terms approved by the European
Union and the Information Commissioner, then it is unlikely that a non-standard contract
(i.e. not one approved in full by the EC or the Information Commissioner) would legitimize
a transfer of personal data outside the EEA without the adequacy test risk assessment
yielding a positive result in addition.
. Purpose limitation – restricting the purpose(s) for which the personal data supplied can be
processed.
. Security – requiring appropriate technical and organizational security measures be taken
by the disclosee.
. Restrictions on onwards transfers.
. Additional safeguards for sensitive personal data.
Summary
. Transfers within the EEA are authorized.
. Transfers to countries which have been approved by the European Commission are
likewise authorized, currently Hungary, Canada or Switzerland.
. Transfers to the United States to companies which subscribe to Safe Harbor are approved.
. Other transfers must be authorized by the adequacy test unless one of the conditions in
Schedule 4 is met.
CHAPTER 22
The Information Commissioner
The role of the Data Protection Registrar was created by the Data Protection Act 1984. The
first incumbent, Eric Howe, was given a choice of location for the new Data Protection Office
and selected Wilmslow because that was where he lived. The Registrar’s Office was set up to
be an independent regulatory authority, and that remains the case.
The EC Directive on Data Protection [95/46/EC] was published in final form in 1995. It
was intended to harmonize data protection regulation throughout the member states of the
European Union. A deadline for member states to implement its provisions was set for
October 1998. The Data Protection Act 1998 was the British implementation; interestingly,
several EU member states are still to bring in appropriate legislation. One of the
requirements of the Directive was that member states should appoint a Data Protection
Commissioner, therefore the 1998 Act changes the name of the Data Protection Registrar to
that of Commissioner. With the introduction of the Freedom of Information Act 2000 the
name changed again, to that of Information Commissioner.
. The strategic policy group, the drivers in the development of data protection guidance.
. The freedom of information group.
. The compliance department, including the enquiry line.
. The legal department.
. The investigations department, exclusively staffed by ex-policemen.
. The notification department, responsible for maintaining the register of data
controllers.
. The marketing department.
disadvantaged by the processing is at liberty to take up the matter in the civil courts.
Assessments are not necessarily linked to legal enforcement action.
Organizations can be compelled to cooperate with an assessment. If the Office requests
information to facilitate the assessment and the organization fails or refuses to comply, the
Office has a power under Section 43 to require the information to be provided. Failure to
comply with such a notice would be a criminal offence under Section 47.
The Commissioner is also under a duty to promote the development and use of codes of
practice. Codes of practice may be European or national. There is a working party (the
Article 29 Working Party) which considers codes and proposed codes at the European level.
An example of a code under consideration is the IATA Recommended Practice 1774 on data
protection in relation to international air transport.
At national level, some codes have been drafted by trade associations with input from
the Office. The ABI code for insurers includes standards for data protection approved by the
Commissioner. Other codes have been initiated by the Commissioner, such as the
Employment Practices Data Protection Code.
The Information Commissioner’s Office is also responsible for issuing guidance on data
protection issues in response to demand from industry. Some examples include:
There is also the enforcement activity of the Office. To date the enforcement procedure has
only been used after negotiation has failed to persuade a data controller to amend its
personal data-processing activities. There are signs that the Office is starting to take a
tougher line with enforcement. Once an enforcement notice is issued, non-compliance is a
criminal offence under Section 47 of the Act.
Finally, there is the duty to maintain the register of data controllers. The notification
process has been streamlined. It is possible to notify online as well as by telephone. The
process involves a standard template based on the data controller’s industry. Data
controllers should check the activities outlined before signing and resubmitting the forms
for registration. The register is publicly available information. Again, it can be accessed via
the Internet. The registration department has issued updated guidance (based on the 1998
Act and notification regulations) on notification requirements and how a data controller
can identify whether or not it needs to notify.
CHAPTER 23
Notification
If you are required to notify, it is a criminal offence to fail to do so. Similarly any changes in
activities must be notified to the Registrar; again, failure to do so is a criminal offence.
It is unlikely that HR activity alone will determine whether or not an organization
should be registered for data protection. The rules and exemptions from notification apply
to the business activities of the organization and notification or registration for purposes of
employment administration will naturally follow from the need to register at all.
. Complex organizations involving groups of companies which ‘share’ personal data. This
will include organizations where there is one service or employing company and one or
more trading companies. The normal operation of the business will require that personal
data is shared between the employing company and the trading company(ies) for work
planning and management.
. Organizations providing the following services:
– Advertising agency.
– Accountancy and auditing.
– Legal services.
– Credit referencing, debt administration and factoring.
– Crime prevention and the prosecution of offenders.
– Education.
– Financial services.
– Health administration and the provision of health services.
– Marketing.
– Mortgage, insurance-broking and insurance administration.
– Pastoral care.
– Pensions administration.
– Private investigation.
– The trading and sharing of personal data.
. Organizations with responsibility for CCTV.
. Organizations which use credit reference information or trade and/or share personal
data.
. Organizations which market goods and services using personal data obtained from a
third party (i.e. buy in mailing lists or undertake promotions to their customers jointly
with other companies) or which market goods and services on behalf of third parties or
clients.
Exemptions
The small business exemption (or ‘core business exemption’) applies where the organization
only processes personal data for:
1) Advertising, marketing and PR only in relation to its own goods and services.
2) Administration of customer/client and supplier records.
3) Staff administration.
There is an exemption from registration for organizations whose personal data is held not
on computer but in paper files only.
There is a further exemption for charitable organizations. It applies where the data
controller is a not-for-profit organization and processes personal data only for the purpose of
establishing and maintaining records of membership and of those with whom it has regular
contact. The exemption also allows administration of employees, accounts and record-
keeping and limited advertising and promotional activity directed solely towards its own
members.
The following criminal offences are created under the Data Protection Act 1998:
. Failure to notify or register with the Data Protection Register when processing activities
involving personal data are such that registration is required.1 (See Chapter 23 for an
explanation of when notification is required).
. Failure to keep the notification up to date with current personal data processing activity.2
It is a defence if the person charged with the offence can show that they exercised all due
diligence to comply with the requirement to keep the notification up to date and
accurate.
. The unauthorized disclosure or obtaining of personal data.3
. Requiring candidates for employment to apply to the police for a copy of their criminal
record, if any, using the subject access right in the Act.4
The Freedom of Information Act 2000 includes the facility to bring in a new data protection
offence. Anyone employed by a public authority who deletes or destroys records in order to
frustrate a subject access request could be guilty of an offence under the Act once the section
has been implemented.
Penalties
On summary conviction, the limit is a £5,000 fine; on indictment, it is unlimited.
Index