Irenicon Newsletters

Volume 16 - May 2002


The Changing Face of Data Protection

Collecting and using 'personal data' - information about individuals - is controlled under the Data Protection Act 1998. There are limits on what data you can collect and how you can use it. Stepping outside the rules can lead to expensive trouble.

Supervision of data protection is in the hands of the Information Commissioner. A draft Code of Practice on the use of personal data in employer/employee relationships is in progress. The first section (on recruitment selection) of the final code was issued in a 'pre-publication' version in March 2002, and the remaining three sections of the code are expected over the summer, on the website www.dataprotection.gov.uk.

The Code seeks to promote best practice, and ensure compliance with the data protection principles. The principles state that personal data must be:

  • Fairly and lawfully processed
  • Processed for limited purposes in a manner compatible with those purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept for longer than is necessary
  • Processed in accordance with individuals' rights
  • Secure
  • Not transferred to countries without adequate protection

This newsletter also covers:

  • Managing Data Protection
  • Who is responsible for data protection?
  • Data Protection Audit


The principles in detail

Fairly and lawfully processed

Unless the business is only collecting and using data required by statute (e.g. PAYE), and not using it for anything else, you will need to be 'registered'. Employers, however small, will inevitably need to register if they are going to keep appropriate information about employees to manage and protect the business.

'Lawful' processing requires that you process data within the parameters of your data registration. You can check your registration by looking at the website www.dpr.gov.uk. There is a useful "Do I need to register?" questionnaire if your organisation is not registered at all.

Even if data is 'processed' within your registration, you can still fall foul of other problems - e.g. confidentiality, or human rights issues. And the 'processing' must follow all the data protection principles.

Processed for limited purposes in a manner compatible with those purposes

You need to look at what data you use against your registration. If, for example, you keep your staff's home addresses and phone numbers in case of emergency call-out (and this is the specific term of your registration), then mail-shotting or phoning them as part of a sales campaign for your own products, or selling their data to a third party, will be unlawful, since you are not using the data for the stated purpose.

You need to study the wording of your registration to see if it entitles you to do the things you would reasonably want to do. If the wording is too narrow you will need to change it frequently in order to make sure you are registered for what you need to do.

The Information Commissioner has a useful website, which gives sample registrations (covering more than Human Resources) for a wide spectrum of organisations. You may find it helpful to work through the options and see what it suggests for your organisation.

Employers who run pension schemes will have to register the trustees of the pension scheme separately. Most Irenicon clients would therefore have two registrations - one for the employing organisation and one for the pension fund trustees.

Adequate, relevant and not excessive

These provisions relate to the purpose. In reality many personnel files are incomplete, out of date, full of old and irrelevant information. Unless you have a process of updating files it is likely that some records are incomplete, irrelevant and excessive.

Accurate

The biggest problem on personnel files is out of date home address/telephone numbers and pay rates. The problem multiplies when files are kept locally by line managers, where individual standards of record keeping vary. It can be equally difficult to keep a central personnel filing system up to date.

Not kept for longer than is necessary

The Code sets out guideline retention times for different types of record, but recognises that there may be a specific business case in some organisations supporting longer periods.

Processed in accordance with individuals' rights

A key right for all 'data subjects' is to be able to get a copy of the information held about them. But the rights of all 'data subjects' must be respected. So if another individual would be identified by such a disclosure, you will need to check that you are not making an improper disclosure about that other individual. Getting the balance right on these types of issues can be tricky, so following the Code provides a helpful 'highway' where you know you are not going wrong.

Secure

It is surprising how many personnel files are not kept in locked filing cabinets, or how many are kept in locked cabinets with the key in them.

Similarly, many computer users use silly passwords, like 'password', which leaves data far from secure.

In the last two years we have come across:

  • files being removed completely by individuals during the course of disciplinary proceedings;
  • files being lost by managers who took them home;
  • files having been read by inappropriate people, having been left on a desk in an unlocked office.

Not transferred to countries without adequate protection

We do not deal here with transfers outside the UK. You should check with anyone who processes data for you whether they are transferring data outside the UK. If so, you should seek advice.

Managing Data Protection

Securing personal data and making sure it is confidential is part of a bigger process of ensuring confidentiality of data within a business. There are other types of data such as customer discounts that need to be confidential that are not personal data or covered by the principles.

In the main, confidentiality is achieved by a mixture of securing the systems, training the individuals as to their responsibilities and ensuring that the 'contract of employment' requires appropriate confidentiality and provides suitable penalties for breaches.

None of this amounts to much if the culture of the business ignores these issues. If your Main Board Directors gossip about named individuals' pay rates in a corridor, it doesn't matter what you write in your policies: your data is not going to be secure for long.

Who is responsible for data protection?

A Senior Manager should be responsible for Data Protection. It can be difficult, in the absence of published data, to work out who is responsible. Many data registrations were done by company secretaries or even agencies, and not all of them are necessarily in your business today.

The responsibility for Data Protection goes beyond simply keeping your registration up to date. Many clients have made the HR Director responsible for employee data and the Marketing Director responsible for customer data. If you are not sure who is responsible in your organisation, you should check with a board director or your company secretary. If you already have a Data Protection policy, this should name the responsible individuals.

Individual staff and managers are also responsible for maintaining the security and integrity of the data they have access to. Individuals can be criminally liable if they knowingly or recklessly disclose personal data without your organisation's consent.

You need to check:

  • your contracts/handbook contain suitable confidentiality clauses;
  • you have a data protection policy;
  • record keeping is secure and accurate and limited to your registration purposes;
  • everyone knows the rules.

Data Protection Audit

You may wish to consider a Data Protection Audit; a CD-ROM to assist with this is freely available from the Information Commissioner's office, and contains flow charts, forms, checklists etc. This is a complex and detailed process, and it is not necessary to go through the entire process in order to be compliant. However, in real terms it is necessary to go through some kind of process to establish what data you are holding and adding, who is keeping it, how it is kept, and what steps are taken to ensure its accuracy. Without some kind of process you cannot be sure you have registered correctly, and thus you cannot be sure you are acting lawfully.

Irenicon Ltd is a company registered in England with company no. 01510166
Registered office  :  Airport House, Purley Way, Croydon, Surrey CR0 0XZ
Tel 08452 303050 | Fax 08452 303060 | Email info@irenicon.co.uk | Web www.irenicon.co.uk

This website contains information, not advice. We accept no legal liability for any use you make of it. We try to get information right when we post it to the site, but we aren't infallible. If you want advice, use our Consulting Service.

© 2004 - 2008 Irenicon Limited. All rights reserved
