what is the data protection act?
The Data Protection Act applies to personal information, such as names, addresses, bank details and opinions expressed about an individual. It regulates the way information about them can be handled and used. It also gives individuals rights, eg access to their information and compensation. It applies to computerised information and some organised manual records.
what information is classified as sensitive?
There are stricter rules about “sensitive” personal information. This includes information about racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, offences or alleged offences committed and proceedings relating to those offences or alleged offences.
You can only use sensitive personal information where you meet one of a narrower set of conditions for processing the information, as well as the conditions for processing standard personal information. Sensitive information can only be used where essential or where an individual has given explicit consent. You may need to get explicit consent unless you need the information to comply with legal or employment obligations or rights.
what are the data protection principles?
The eight principles are that personal information is:
- Processed fairly and lawfully
- Processed for one or more specified and lawful purposes and not further processed in any way that is incompatible with the original purpose
- Adequate, relevant and not excessive
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary for the purpose for which it is being used
- Processed in line with the rights of individuals
- Kept secure with appropriate technical and organisational measures taken to protect the information
- Not transferred outside the European Economic Area unless there is adequate protection for the personal information being transferred.
what is notification?
Certain companies need to notify the Information Commissioner’s Office about what they use personal information for.
what companies need to notify?
Businesses which process information using computers, or which use CCTV equipment, generally have to notify the Information Commissioner about the information they are collecting and for what purpose. Any information processed for credit referencing, pensions administration and debt factoring must also seek notification. The general idea is that people can find out what personal information is available on them. Notification costs £35 and must be renewed annually. Check with the ICO.
which companies are exempt from notification?
Your company will be exempt if you only process people’s personal information for a limited number of business activities. For example information kept for staff administration is exempt. This includes processing information for personnel purposes such as hiring, paying, managing, disciplining and dismissing staff. Advertising, marketing and public relations activities which relate to your business, or its goods and services are also exempt. This exemption applies even if you buy in information for marketing purposes. Keeping information for your accounts on past, existing or prospective customers and suppliers is also excluded (but data obtained from a credit reference agency is not and must be notified). Information that helps you make decisions about whether to do business with a particular customer or supplier, and make financial and management forecasts is also exempt. Check with the ICO.
Remember that even if you do not need to notify, you must still comply with the Data Protection Act.
How do I make sure I use personal information fairly and lawfully?
When you obtain personal information you must tell individuals
- The name of your business or organisation
- What you use their information for
- Any other information needed to make your use of their personal information fair.
what do i need to tell an individual?
Tell them they have a right of access to their information and to have it corrected if it is factually inaccurate. You should explain who is processing the information and the ways you will use the information.
what are an individual’s rights under the data protection act?
Individuals have the right to obtain information held about them, the right to prevent direct marketing, the right to have personal information corrected, the right to compensation if necessary and the right to prevent automated decisions, eg decisions made only by a computer. They have a right to receive a copy of the personal information about them, to know about the sources used and who is processing it.
what rights do my workers have?
Workers have a legal right of access to information you hold on them. This includes data about grievance and disciplinary issues and details gained through monitoring. You should give the person access when they request it (in law you have a 40-day time limit) unless it would make crime detection more difficult. Be very careful you do not inadvertently give out details about other people. Give the worker the right to correct faulty information, or to comment and object on the record if it might adversely affect them. The details held could be genuinely wrong and it may not be either your fault or theirs. This also applies to any health information you gather.
If a worker objects to certain information because it causes them distress or harm you should delete it or stop using it unless there is a compelling reason to continue. Workers can claim compensation against you if they suffer a breach of the Act. They have a right to have inaccurate data corrected, destroyed, blocked or erased and can apply for a court order to enforce their rights.
what is a subject access request?
This is a written or electronic request from an individual to obtain access to the personal information about them. You can charge a fee up to £10 to give the information requested by a subject access request (SAR). The information you give must be in a permanent form such as a printout or letter.
how does the act affect recruitment of staff?
When you place a recruitment advert make sure you identify your company properly, so people know exactly who they are applying to. If you use a recruitment agency, make sure the agency identifies itself.
Applicants should be aware what information is being collected about them and how it will be used. To comply with the Act you must use the information you collect for recruitment and selection only, and not gather more personal information than you need. Ensure those involved in recruitment understand the Act. Keep the information secure and do not disclose to another organisation without the individual’s consent. Only ask for information about criminal convictions if this is justified by the type of job you are recruiting for. Unless the job is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974 do not ask for information on ‘spent’ convictions.
If you are going to verify the information a person provides, make sure they know how this will be done and what information will be checked. If you need to verify criminal conviction information, only do this by getting a ‘disclosure’ from someone at the Criminal Records Bureau. Follow the rules and procedures strictly and make sure you are entitled to receive this information. Do not hold detailed information on this other than that a satisfactory / unsatisfactory check was made.
You cannot base recruitment decisions solely on psychometric testing (too automated).
Keep all data for only as long as necessary.
what should i do about staff employment records?
While you do not need the consent of workers to keep records on them, staff should be aware what information is kept and how you will use it. Do not keep more than is relevant, or is excessive or out of date. You are legally obliged to disclose certain information to other agencies such as the tax office, for example, but do not disclose more than required. Let staff check their own records occasionally to keep everything up to date and in order. Do not give out confidential references etc without the worker’s permission.
Keep the records safe and secure and use password protection for computer information. Ideally keep sickness records separate to avoid them being viewed unnecessarily.
If you collect information about workers for pension or insurance schemes only use the information for the administration of the scheme. Any sensitive information collected to help monitor equal opportunities should only be used for that purpose, and where possible use information that does not allow particular workers to be identified.
Do not assume workers are happy for you to send them marketing material. Give them an opportunity to opt out. Remember to make active use of the shredder when you no longer have a business or legal requirement to keep records.
can i monitor my employees?
The Act does not prevent monitoring, but does require openness. Workers should be aware of any monitoring, its extent and the reasons for it. Put up notices or signs in areas being monitored or send staff emails to keep them informed. Covert monitoring is rarely justified. Monitoring is usually intrusive, and workers are entitled to have some privacy at work. Monitoring can de-motivate staff and create an atmosphere of distrust. The Information Commissioner’s Office (ICO) has a code of best practice to help businesses comply with the Act.
can i monitor e-mails and web use?
There are legal restrictions on how you can monitor employees’ emails and Web use, but the law is complex and you should tread very carefully indeed or contact a solicitor. You can only inspect the content in a number of very restricted circumstances. Avoid opening e-mails, especially those clearly shown as private or personal. If workers are absent and you need to check e-mail or voice-mail accounts, make sure everyone is aware this will happen.
All employees must be informed if you carry out any e-mail, voice-mail or Web use monitoring, and it should be included in their contracts or referred to in a separate Internet policy. Inspecting the content of individual emails can be allowed for: recording transactions or other important business communications, making sure employees are complying with the law and internal policies, preventing abuse of telecoms system and checking emails when staff are on leave.
For further detailed information on Internet and Email Policies, contact www.acas.org.uk
am i allowed to video or audio monitor my staff?
If video or audio monitoring really can be justified, you must make sure the monitoring is specifically targeted at areas of particular risk and only used where workers wouldn’t expect much privacy. Again staff must be fully aware of this.
can i carry out secret monitoring?
Covert monitoring can rarely be justified. You should be satisfied that there are grounds for criminal activity or equivalent malpractice. Covert monitoring could only rarely be used as part of a specific investigation and must stop when the investigation is finished. It should not be used in toilets or private offices. Again, take specific advice for your company.
can i collect information about my workers’ health?
The Data Protection Act requires openness. Workers should know what information about their health is being collected and why. The collection and use of health information comes under the ‘sensitive data’ part of the Act and so you must be able to satisfy one of the sensitive data conditions. You will be most likely to satisfy a sensitive data condition if it is necessary to collect health information to protect health and safety; or the collection is necessary to prevent discrimination on the grounds of disability; or each worker affected has given explicit consent.
Consent, if given, must be given freely and you need to justify the benefits of having the health information. Gathering such information can be very intrusive and staff can expect to keep their personal health information private and expect employers to respect this privacy.
how can i collect information about workers’ health?
Firstly consider if there are other ways to deliver the benefits you want which would be more acceptable to staff. Perhaps consider health questionnaires instead of medical testing, for example. Collect information in areas of highest risk only (for example those working in a hazardous environment) and for as few workers as necessary.
Keep the information very secure indeed, for example by password protection or keeping in a sealed envelope in a worker’s file. Only allow the data to be seen on an absolute need to know basis. Do not collect more than you really need or keep longer than necessary. Delete when required.
Let workers know that information about their health is being collected and why. Notices and emails should be sent out, and if workers have to undergo medical tests make sure they have as much detail as they need (as well as knowing and understanding what sort of report you will receive as a result).
can i test staff for drugs and alcohol?
Testing workers for drugs and alcohol is only usually justifiable for health and safety reasons. Where testing is used to enforce a company’s business rules and standards, you must have made sure the rules and standards have been clearly set out to staff so everyone clearly understands what is expected of them.
If you are collecting the information for health and safety reasons make sure you use the least intrusive forms of testing and make sure workers know exactly what they are being tested for, and why. Ensure random testing, if it can really be justified, is genuinely random and not subject to personal whims. In addition do not collect personal information by testing everyone if it is the case that only certain workers carrying out specific activities need to be tested.
can i use the information about workers in other ways?
Do not assume you have permission to discuss a person’s business or personal affairs with their spouse, partner or friend, unless you have been formally notified in writing that you may do so. Do not use the information for any other purpose than that requested by yourself or your company originally.
i have been contacted by an “agency” which says i must register/notify under the data protection act and pay a large fee - what should i do?
Do not be misled by any company which approaches you and demands money. These are not official bodies. You can complain to your local Trading Standards Department about bogus companies, but do not pay over any money.
If your business processes personal information on computer you may indeed need to be on the register of data controllers, but you can do this yourself. This register is officially maintained by the Information Commissioner. You only need to pay an annual notification fee of £35 and no VAT is payable.
what should i do if i need to notify the information commissioner?
The Information Commissioner enforces the Data Protection Act and promotes good practice in handling personal information. It publishes guidance and has a helpline to encourage good codes of practice. It also takes enforcement action where necessary and maintains a register of data controllers – those responsible for processing personal information. Complaints are also looked at and publicity undertaken. The Information Commissioner also enforces the Freedom of Information Act 2000 which regulates access to information held by public authorities.
If you are not exempt you must give details about the processing of personal information to the Information Commissioner so it can be included in a public register and people can find out what personal information is held on them. The details to be notified are:
- name and address of the data controller or their representative
- description of the information being processed
- purpose of processing the information
- those to whom the information will be or may be disclosed
- countries outside the European Economic Area – the EU plus Norway, Iceland and Liechtenstein – where data may be transferred
- Certain details on information security measures
Either call the Information Commissioner Notification Line: 01625 545 740 or send a notification form. Notifications must be renewed annually for a £35 fee. Changes, which must be notified as soon as possible, are made free of charge.
what are the penalties for non compliance?
Offences include failure to notify (where a data controller has failed to notify or to make changes to their notification entry), knowingly or recklessly obtaining, disclosing, selling, etc., personal information without the consent of the data controller, and non-compliance with a notice issued by the Information Commissioner. The Information Commissioner can bring a criminal prosecution. Failure to notify carries a maximum penalty of £5,000 plus costs in a Magistrates’ court or an unlimited fine in the Crown Court. If an individual suffers damage and/or distress as a result of non-compliance he or she can apply to the Court for compensation.
where can I get further help?
Phone 01625 545745 for general enquiries or 01625 545 for the notification helpline. Or consult the website www.informationcommissioner.gov.uk.