You may have missed it, but last month saw the second European Data Protection Day. An EU survey has shown that public awareness of data protection across the EU is low, although the recent loss of two computer discs containing the details of every family in Britain receiving child benefit certainly raised the profile of the issue in this country.
Following the story about the child benefit discs, the Information Commissioner, Richard Thomas, has told the House of Commons Justice Committee that several organisations have approached the Commissioner “on a confessional basis” to report problems they have encountered themselves, including admissions that large corporations have on several occasions lost employee records.
On 25 January this year the Commissioner ruled that Marks & Spencer PLC was in breach of the Data Protection Act when a laptop containing the unencrypted personal information of 26,000 employees was stolen from the home of a data processor. Marks & Spencer was served with an enforcement notice ordering the company to fully encrypt its laptops by April 2008.
But losing information is not the only pitfall for employers. Keeping unnecessary, inaccurate or irrelevant personal information may provoke complaints as well. An employee (or job applicant) who believes that he or she has suffered a loss as a result of your breach of their data protection rights may raise a claim for damages and for the distress suffered as a result.
A failure to comply with an enforcement order can lead to fines of up to £5,000 in the magistrates’ court, unlimited fines in the Crown Court, and in the worst cases prosecution can lead to imprisonment.
Given the complexities of the rules on data protection and the amount of information which employers are obliged to keep records of, it is understandable that HR departments are caught between the desire on the one hand to keep all of their files indefinitely and the urge on the other to destroy or delete everything.
Striking the balance is possible with a careful and thoughtful approach and provided that all of the relevant people in an organisation understand their responsibility for data protection.
A quick reminder
In simple terms, the rules on data protection apply to any company, firm, business, etc. which holds or uses ‘personal data’ stored electronically or in a structured paper filing system (where it is readily accessible). Personal data includes any piece of data or information that has an identifiable person as its subject matter (e.g. a job application letter, a contract of employment, payroll records, CCTV footage, etc.). However, data protection does not apply to an individual acting in a personal capacity (e.g. a home CCTV security system).
Where it applies, data protection sets out eight principles that information should be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the legal rights of individuals
- Kept secure
- Not transferred to other countries (especially outside of the EU) without adequate protection.
Employees have the right of access to much of the information that you hold about them, and such requests should be met within 40 days of a formal request being made – although you can charge up to £10 to cover your administration costs! In particular, you should be open about any sensitive information that you hold, such as health records and medical reports, and give your employees the opportunity to correct or comment on this type of information.
Notifying the Information Commissioner’s Office
Many companies falling within the ambit of the Data Protection Act are also legally required to be registered with the Information Commissioner.
The notification procedure is not arduous or expensive but a surprising number of organisations which should have notified the Commissioner, including an estimated 50% of recruitment and employment agencies, have failed to do so and face prosecution and fines.
Simply employing people and running the payroll and staff records does not in itself require a business to be registered, but trading and sharing any of that information does. You can find out if you need to register by completing an online questionnaire on the ICO website at http://forms.informationcommissioner.gov.uk/notify/self/question1.html
The basic rule is that running a database solely for the purpose of staff administration will make you a “data controller”, so while you must still observe the data protection principles, you are not required to be registered with the Commissioner.
There are a number of bogus registration agencies. They write to companies alleging that they are in breach of their data protection duties by not registering, and request a fee, usually in excess of the £35 the Information Commissioner charges. You can contact the Information Commissioner on 08456 30 60 60 if you are unsure whether a letter you have received is genuine.
Basic steps and rules
There should be at least one person in each organisation with ultimate responsibility for data protection. Others may have access to and deal with the information but it should be clear what the limits of their authority are and what steps they are required to take to protect the information they handle.
The principles to bear in mind are:
- Only gather and process as much information as you need.
- Identify your purpose in gathering the information and decide when you will no longer require it.
- Consider whether the information is ‘sensitive’ (for example, does it relate to somebody’s health, ethnicity, trade union membership, etc.) and if so apply extra security.
- Inform your employees what information you hold about them, what you will use it for and who you might share it with.
- Ensure that the information you hold is accurate. Give employees the chance to correct the information you hold about them.
- Keep information securely – if it goes to external users make sure they guarantee that they will keep it secure (special rules apply if the information is passed outside of the EU).
- Delete information when you no longer require it.
Protection – Security and Monitoring
Your payroll database could be worth a lot of money to gangs of fraudsters and hackers. Consider whether you have sufficient protection built into your system. Software is available to alert IT staff to any unusual activity taking place. Encryption of sensitive information is a sensible step and you could disable USB ports on your staff’s computers to ensure that they do not copy company information. Make sure it is understood that a breach of data protection is a disciplinary offence and that you have the right to impose appropriate sanctions.
You may wish to protect your legitimate business interests by monitoring your staff in some way. Whether it is monitoring their email and internet use or installing CCTV, you cannot do this without there being some intrusion on their privacy. Avoid allegations of spying by being open about what you are doing and why, and ensure that any information you obtain which is not relevant to your purpose is destroyed.
Covert surveillance (e.g. hidden cameras) should only be used in exceptional circumstances (for example, to investigate an allegation of a criminal offence, such as theft). Even then, the use of covert surveillance should be ‘proportionate’ – e.g. it should be of a limited duration – and authorised by a high ranking employee.
What should I keep and what should I destroy?
HR departments often groan under the strain of heavy filing cabinets containing all manner of information about employees from dates of birth to GCSEs and written warnings. Anybody who has defended a tribunal claim knows that incomplete employee records can put you at a disadvantage from the start, but how do you respond if an employee claims that holding information about them infringes their data protection rights?
Remember that the information you hold should be adequate, relevant and not excessive.
The Information Commissioner’s advice is that for most employers this will mean regularly “weeding” files to discard anything which is no longer relevant or which has expired.
Other independent legal commentators take a more cautious view. Whilst the statutory limitation period for most actions is six years (three to six months for most employment tribunal claims), other claims can be brought many years after the event.
For example, the time limit for Equal Pay claims continues to run for as long as a difference in pay between a man and a woman doing the same (or equivalent) job continues to exist (even though the actual event which gave rise to the difference may have happened many years previously). The time limit for Equal Pay claims can be extended further in cases where an employer has ‘hidden’ the difference in pay. In addition, even if there is a non-discriminatory reason for the pay differential, the employer will struggle to prove that is the case if it has destroyed the historic records that evidenced the reasons for the pay difference.
Employers are therefore in an unenviable position when deciding where to strike the balance.
You have statutory duties to keep records on:
- Hours worked by your employees – to show that you abide by the Working Time Regulations.
- The pay your employees receive – to comply with the Minimum Wage Act and the requirement to issue pay statements.
- Tax and national insurance paid in respect of your employees.
- Holidays taken by staff (Working Time Regulations again).
- Sick leave taken (over four days) and SSP paid.
- Crime prevention information.
- Accounting and pensions data.
- Mortgage / insurance administration undertaken in respect of employees.
- Health & safety incident reports.
- Evidence that your employees are entitled to work in the UK.
It is good practice to keep records of:
- Personal and contact details – name, address, emergency contact, work related disabilities or injuries.
- History – date continuous employment commenced, relevant qualifications, posts held, training and appraisals, disciplinary action.
- Copies of employees’ employment contracts.
- Absence records.
- Meetings with trade unions and employee representatives (keep for ten years).
- Termination of employments and redundancy consultations.
Consider how your information is filed. In the same way that equal opportunities forms are “anonymised” and taken out of the recruitment process, ask whether some of the information you keep is still relevant to an individual, or whether your purpose in keeping it would be satisfied by storing it some other way. It may be appropriate to restrict access to some parts of a person’s file, such as their health record, pay details or any other sensitive details, whilst giving wider access to information about their training and skills. Remember that you should only give access to any information to those who need it. You may wish to assess the effectiveness of an absence reporting policy over a long period, but this could be done in a separate file where absence patterns are recorded but individuals are not named.
The principles of data protection are clear – always ask “why am I holding this information?” The mechanics of adequately protecting it may be more complex but if you can answer the first question then there should always be a way. Speak to a member of the Cobbetts team if you need any further help – our advice is always necessary, relevant and not excessive!