The Information Commissioner's Office has recently published a new Guidance Note titled "Disclosure of Employee Information Under TUPE". The Note aims to clarify the steps which organisations should take in order to comply with the terms of the Data Protection Act 1998 (DPA) whilst simultaneously following the procedure for supplying information about their employees under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE).
Under the terms of TUPE an organisation is required to provide "employee liability information" (specific information concerning the workforce that is subject to the transfer under TUPE) to the new employer ahead of a transfer or change in service provision taking place. Because it is a legal obligation, the disclosure of such information is thus a permitted exception for the purposes of the DPA.
However, an organisation must not purely fulfil their obligations under TUPE to the detriment of the duties imposed on them by the DPA. Confusion often arises for many employers particularly where personal information is disclosed, with uncertainty as to how obligations can be fulfilled under both the DPA and TUPE. The Information Commissioner's Guidance aims to provide clarification for organisations accompanied by good practice advice to aid an organisation to ultimately avoid a breach of the DPA in the TUPE process.
Employers are obliged to provide the employee liability information not less than 14 days before the transfer takes place and to update it where necessary. If a transferor employer fails to comply with its obligations under TUPE, it may face tribunal proceedings brought by the new employer. Where an Employment Tribunal finds the transferee's complaint well founded, the Tribunal makes a declaration to that effect and may make an award of compensation to be paid by the transferor to the transferee, with a minimum of £500 per employee in respect of whom employee liability information was not provided, or was incomplete or incorrect. The Information Commissioner's Guidance is intended as a tool to assist in clarifying the interaction between the DPA and TUPE and avoiding any such action.
Both parties must comply with the DPA when handling the employee liability information, for example, by ensuring it is accurate, up-to-date and secure. There will be circumstances where requests will be made for information in addition to that required under TUPE. For example, there may be a number of possible bidders in the sale of a business or a service provision change and only one will become the eventual employer, or potential transferees may request information over and above that required to be provided by TUPE. In such circumstances, it is important that organisations continue to comply with their obligations under the DPA.
The Guidance recommends that an organisation should provide anonymous information wherever possible in such circumstances or at the least remove obvious identifiers such as the employees' names. The Guidance also suggests that it is prudent for an organisation to divulge this additional information with consent (if not prevented by insider trading restrictions); otherwise suitable safeguards should be insisted upon, e.g. warranties that the information will be used for no other purpose than in connection with the transfer or confidentiality agreements.
The new employer will require to be in possession of the employment record of each individual in the workforce shortly after the transfer in order to effectively manage and handle the business. The Guidance also gives advice to both the former employer and the new employer as to best practice in relation to these employment records.
The former employer need not obtain permission from an employee to transfer their personal information to the new employer. However, the new employer is advised to consider whether all of the information on the personnel records is required and should destroy surplus, unnecessary information. Retention of personal employee information by the former employer must be justified by an acceptable need to keep the information. Furthermore, it is essential that the information must not be kept for longer than is necessary by the former employer and where the information is no longer required it should be destroyed.
The Guidance imparts advice on good practice, which is essential for any organisation if they wish to avoid a breach of the DPA or TUPE Regulations. Essentially, organisations must be conscious of the impact data protection has when transferring a business or provision of services.