Best practice for employers regarding the Data Protection Act 1998

The Data Protection Act 1998 (“DPA 1998”) can be a thorn in the side of employers if proper attention isn’t paid to its requirements and the obligations that flow from them. This post therefore examines the obligations that the DPA 1998 places on employers and what employers should do to ensure compliance.

The DPA 1998 regulates the use of personal data, gives individuals a right of access to the personal data held about them (and so requires the holders of that data to provide it on request), and sets down a ‘best practice’ framework within which employers should work when handling personal data.

Pursuant to these requirements, the first port of call for an employer is to set up a logical filing system in which employee information is stored. The information typically held in an employee’s personnel file includes (among other things):

  1. Personal details of the employee (address, contact details, age, next of kin, ethnicity, whether they have any disabilities etc.)
  2. Bank account details (for payment of wages)
  3. The employee’s employment history
  4. Details of the employee’s job (duties, description, salary etc.)
  5. The terms and conditions which are attached to the job
  6. The employee’s absence record
  7. The employee’s disciplinary record
  8. The employee’s appraisal information
  9. The employee’s job evaluation

The employer must allow an individual access to their own employee file (technically the right of access only bites on data held in a “relevant filing system”, so an employer without a coherent, easily accessible filing system might escape the obligation, but that is a dangerous game to play) and must have a lawful basis for holding the employee’s personal data, which in practice usually means obtaining the employee’s consent.

The employer must also follow the eight Data Protection Principles set out in Schedule 1 to the DPA 1998:

  1. Process data fairly and lawfully, and meet at least one of the conditions set out in the DPA 1998 (Schedule 2)
  2. Obtain and process data for only specified and lawful purposes
  3. Hold only data that is adequate, relevant and not excessive for the purpose
  4. Keep data accurate and, where necessary, up to date
  5. Not to keep data longer than necessary
  6. Process data in accordance with the rights of data subjects
  7. Take appropriate technical and organisational measures against unauthorised or unlawful processing of data and against accidental loss, destruction or damage
  8. Not transfer data outside the European Economic Area (EEA) unless the destination country ensures an adequate level of protection for the data

If an employee makes a “Subject Access Request” for access to their personal data, the employer must respond within 40 days, provided the following conditions are satisfied:

  1. The request is in writing
  2. The fee (normally a maximum of £10) has been paid
  3. The employee has supplied enough information to confirm their identity and to locate the information sought
  4. The employer has not recently complied with a similar or identical request from the same employee

There are a limited number of exceptions to the employer’s duty to disclose the personal data of an employee. Employers are not obliged to disclose:

  1. Confidential references given by the employer
  2. References received from other employers, where disclosure would reveal information about another individual (unless that individual consents)
  3. Documents whose disclosure would prejudice the employer’s business (e.g. information regarding redundancies or mergers)
  4. Documents that would give away the employer’s negotiating position (e.g. regarding salaries)
  5. Documents subject to legal professional privilege (e.g. legal advice about actual or prospective proceedings)
  6. Documents that might compromise national security or hamper the detection of crime

An important further point to note is that “sensitive” personal data (e.g. racial or ethnic origin, physical or mental health including disability, religious beliefs, trade union membership, sexual life, criminal record) can only be processed if one of the stricter conditions in Schedule 3 is met, and in practice this usually means the explicit consent of the employee. That consent should be obtained when first employing the employee, together with an explanation of why the information is retained.

Below are a few suggestions on what employers should do to ensure compliance with the Data Protection Act:

  1. Decide what information needs to be kept in an employee’s personnel records
  2. Notify employees of what information is held and the reasons for holding it
  3. Appoint a named individual to be responsible for data protection compliance (the employer itself is the data controller under the DPA 1998)
  4. Clarify rules about access to data
  5. Ensure confidentiality is maintained
  6. Ensure information is kept accurate and up to date
  7. Review existing forms such as application forms to ensure information required is justified
  8. Make unauthorised disclosure of confidential information a disciplinary offence
  9. Train line managers in the implications of the Data Protection Act
  10. Notify the Information Commissioner that you are processing personal data about individual employees, as the DPA 1998 requires of data controllers
  11. Include a written Data Protection policy either within or with the Staff Handbook