As discussed in the last edition of let’s talk shop, awareness of obligations under the Data Protection Act (DPA) when dealing with customer and client data has increased following several high profile decisions of the Information Commissioner’s Office (ICO) - but what about employee data? Any business that engages workers and employees will also be subject to far reaching obligations under the DPA in relation to this information.
Clare Edwards, retail employment lawyer, considers the obligations under the DPA in conjunction with ICO guidance, and offers some practical tips for businesses when dealing with employee data.
What are employers required to do under the DPA?
As data controllers under the DPA, employers need to follow eight data protection principles when processing employee data. The principles not only include ensuring that personal data is fairly and lawfully processed, and that it is adequate, relevant and not excessive, but also that appropriate steps are taken against ‘unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’ (Principle 7).
The DPA will apply throughout the employment cycle, so recruitment and post-termination also have data protection implications for employers. The ICO recognises the extent of the need to process personal data in the employment context and has produced guidance to help employers lawfully process personal data of interviewees, workers, employees and former employees.
Recruitment – keep it simple
Applicants need to be told that their data will be used only for recruitment or selection purposes, and informed if it will be used for anything else. Businesses also need to ensure that they are not collecting more data than is necessary for recruitment and selection purposes. For example, motoring offence details will only be required from applicants for roles where driving is a particular requirement.
During employment – a balance
The DPA recognises that employers have certain legal obligations in relation to workers and employees and that these obligations necessitate the processing of personal data. Consent is not always needed to process employee data lawfully, but other obligations under the DPA still apply, including the security obligation in Principle 7.
Extra caution needs to be taken when dealing with sickness records as they may constitute ‘sensitive personal data’, for which there is a higher threshold for processing under the DPA. The potential for harm resulting from accidental loss or damage to medical information held about workers and employees is great.
Care also needs to be taken with employee monitoring: although the ICO recognises that business may need to monitor workers and employees for safety, performance or disciplinary matters, covert monitoring will only be justified in exceptional circumstances. At the very least, employees need to be told what their employer will be doing and why.
Post-termination – be proactive
Keep employment records in line with a document retention policy or standard retention period. Consider legal limitation periods (for example, six years for contractual documentation) and ensure that destruction or deletion of personal data is carried out securely. If a third party organisation is engaged to destroy personal data on the business’s behalf, the employer remains the ‘data controller’ under the DPA and the third party acts as a ‘data processor’: Principle 7 requires a written contract under which the processor acts only on the employer’s instructions and applies equivalent security measures, so having such a contract in place with any third party provider is crucial, both for compliance and to apportion liability.
Make sure that your organisation knows how to handle subject access requests (SARs), which can be raised at any time and are not limited to the duration of the employment or customer relationship. A SAR could be sent to any part of your business (for example, HR or an individual line manager), so staff across the business need to recognise one and know how to comply within the 40 day time limit. Be aware, too, that SARs may be made by third parties on an individual’s behalf (such as occupational health practitioners), as well as by staff or customers themselves. Note also that a SAR under the DPA is not limited to personnel or wages information, but might also capture data that is commercially sensitive or that relates to your corporate entity. Knowing what falls within the scope of a request is key.
Decisions to monitor employees should be taken at a sufficiently senior level, and access to monitoring data should be restricted to those who absolutely require it – businesses need to limit the potential for unauthorised or unlawful processing, and for accidental loss or destruction of personal data.
A clear and consistently applied policy is key, as is training to ensure that employees are aware of their obligations under the DPA. In the event of a security breach caused by an employee, a business must be able to show that it has provided DPA training and taken other measures to safeguard personal data. A demonstrably serious approach to data protection may be a mitigating factor in the event of ICO sanction.
The ICO has the power to impose monetary penalty notices of up to £500,000 for breaches of the DPA, as well as powers to prosecute and issue undertakings and enforcement notices. In the context of the forthcoming EU General Data Protection Regulation (which will mean more stringent data protection obligations, increased fines and a wider definition of ‘personal data’), a heightened awareness of data protection by data subjects and several high profile ICO decisions, employers need to have a keener sense of obligations under the DPA when handling employee data. Employers would be well advised to act now to tighten up their data protection procedures so that when the EU Regulation takes effect, which is expected to be as early as 2017, they are already taking a proactive approach to compliance.