Employment law- Data protection
The Data Protection Act governs the use of personal data held about an individual by businesses and other organisations. As employers are required to store employee records, they must comply with the Act. It is therefore important for employees to be aware of what information an employer can hold about them, and their rights to access such information.
The Act requires organisations to comply with the following principles to ensure that data is:
• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• not kept for longer than is necessary;
• processed in line with your rights;
• not transferred to countries outside the EU without adequate protection.
Employers should tell employees if personal data is being held about them and if so, how their information will be used.
Employees are advised to check whether their employer operates a data protection policy and their rights under it, as well as any obligations if they themselves deal with personal data about other employees or clients.
What information can be held?
The Act covers computerised records and some paper records, providing they are held in a ‘relevant filing system’, which must be well-structured or have some sort of system. Sensitive personal data (for example, information about an employee’s health, racial or ethnic origins, religion or belief, sexual orientation or criminal history) should not be held on an employee’s personal file without their explicit consent. If an employee provided such information on their job application form or during an interview, it should be deleted from their personal file, unless the employer needs to retain it for legal reasons.
An employer may also retain information relating to an employee’s expired disciplinary warnings, although as employers are obliged to ensure that data is not kept for longer than is necessary, they should review whether the information should still be retained.
Accessing your records under the Act.
Employees have the right to apply for a copy of any personal data that is held by their employer on a computer, which may in effect be their whole personnel file (and will include memos, and matters relating to performance appraisal). This is known as a ‘subject access request’ and should be made in writing.
An employer may charge a fee of up to £10 for each request and must provide the information within 40 days. If an employer feels that your request is not justified, they should explain why. If you disagree with their reasons, you may be able to apply to court to decide whether you are entitled to access the information. However, an employer does not have to comply with a subject access request if it would require them to disclose information relating to an identifiable third party. Neither does an employer have to disclose information regarding any proposed pay rise, promotion, transfer, training or redundancy.
Recent case law has stated that the data controller’s implied obligation to carry out a search on receipt of a SAR was limited to what was “reasonable and proportionate”. It is been held that it is not necessary for the corporate data controller to search its directors’ private email accounts where there was no evidence they had been used for company business.
In addition, an employee has the right to ask for information to be corrected or deleted from their file if it is inaccurate or likely to cause them substantial and unwarranted damage or distress. The employer then has 21 days to remove the information. If they do not, an employee could apply for a court order to force the employer to correct or delete the information.
An employer may retain personal information provided by job applicants during the recruitment process, for example, keeping an applicant’s CV on file in case any further vacancies arise in the future. The Act states that personal data should not be kept for longer than is necessary for the particular purpose for which it is being retained, so it would seem that such information should be deleted after a reasonable period of time. According to the Employment Practices Data Protection Code, unsuccessful candidates should be advised if the employer intends to keep their details on file and given the opportunity to have them removed.
A job applicant may wish to see the information held about them by the prospective employer if, for example, they believe they were discriminated against in the application process due to their age, sex, or race. They too have the right to make a subject access request for any information held about them by a prospective employer, including notes made on them at interview. Former employees A former employee is also entitled to make a subject access request in respect of the data held about them by their former employer. Again, as an employer should not keep personal data for longer than is necessary, they may delete the information if it is no longer needed.
After having left employment, former employees are entitled to request a copy of an employment reference, but as the former employer has no obligation under the Act to provide this, the request should be made to the prospective employer. This is especially relevant to those applicants who have been turned down after being offered a job because a negative reference has been sent by their former employers. I have seen many such cases and most people do not realise they have the right to see what has been written.