Posted: Monday, 1 March 2010 @ 14:42
The Data Protection Act 1998 introduced certain principles in dealing with personal information. The Act regulates dealing with ‘data’ which relates to any living person. It is important to realise that, as a small business, you certainly deal with ‘data’ under the Act on a daily basis.
There are two questions you need to ask yourself:
Firstly, do you need to register under the Act?
The Act requires the Information Commissioner to maintain a Register of data ‘controllers’ and the purposes for which they use personal information. Data controllers are those who are responsible for processing personal information. To ‘process’ information you only have to store it or receive it. You do not have to be ‘active’ in any way. As the owner of a small business you will almost certainly ‘process’ data, in the form of personal information, even if it’s only about your own staff.
Secondly, do you comply with the Act?
In summary the Act makes requirements as follows:
- That data be fairly and lawfully processed
- That data only be processed for specified purposes
- That data is adequate for the purpose for which it is collected, relevant and not excessive
- That data is accurate, and where necessary, kept up to date
- That data is not kept for longer than is necessary
- That data is processed in line with the rights of the individual
- That data is kept secure
- That data is not transferred to countries outside the European Economic Area unless there is adequate protection for the information
When it comes to employing people, things start to get even more complex, as indicated by the three additional areas detailed below.
- Job Interviews
If you collect or use information about job applicants, you must use the information you collect for recruitment or selection only. It is a breach of the Act to collect personal information that is irrelevant or excessive so any application forms must reflect this requirement. For example, you should only ask for information about criminal convictions if this is justified by the type of job you are recruiting for. Don’t ask for ‘spent’ convictions unless the job is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974.
Do not disclose personal information obtained to anyone else unless you have the person’s consent. This is an interesting concept for recruitment consultants who clearly must do this as a matter of course – but are they really getting full consent from job applicants?
- Monitoring
If you monitor any of your employees by collecting or using information about them, the Act will apply. This can happen, for example, when you video workers to prevent or detect crime, when you check telephone logs to detect excessive private use, and when you monitor emails or check internet use.
Employees should be aware of the nature, extent, and reasons for any monitoring unless, exceptionally, covert monitoring is justified. It is good practice to advise them at the beginning of their employment and to send round reminders from time to time. However, even this level of openness may not square with the interpretation put upon the Act by the Information Commissioner, whose view is:
• That monitoring is usually intrusive
• That employees expect to keep their personal lives private
• That employees are entitled to some privacy in the work environment
In short, following a complaint about your business, you may have to justify the reasons for the monitoring so it is a good idea to consider the reasons and decide if monitoring is a necessity.
If monitoring is to be used to enforce your rules and standards, make sure employees know clearly what these are and remember that you can only use information that you have gathered through monitoring for the purpose for which you did the monitoring in the first place.
- Employees’ Rights
An employee has a right under the Act to access information you hold on them. This includes information about grievance and disciplinary issues and information you obtain through monitoring. Normally you must give access when an employee requests it and you can only refuse this where providing it would prejudice the detection of crime.
Therefore, you may be given a ‘data access request’ by an employee (or former employee). Such a request does not need to be in any format – it just needs to be clear what information (generally described) is required.
You should have a system to deal with such access requests and provide the required information within 40 days. You should be careful about unwittingly giving personal data about another person when meeting the access request.
Be aware that an employee can claim compensation if they suffer as a result of a breach of the Act and may also gain access to material that can be used in an Employment Tribunal.
There are three initial steps to take to make sure you avoid problems under the Act:
1. Register under the Act (if you need to)
2. Always comply with the Act
3. Make sure your records are well managed and used responsibly by all staff.
Contact Cousins Business Law for advice on this topic.
Blog by Gary Cousins
Gary has been providing legal advice to shareholders, directors and business owners for over 25 years. Specialising in dispute resolution Gary is based in Birmingham with clients throughout the UK and overseas.
This blog is not intended to constitute legal advice, nor is it intended to be a complete and authoritative statement of the law, and what we say might be out of date by the time you read it. You should always seek legal advice to confirm whether or how any information in this article applies to your particular situation. We offer a free telephone consultation to discuss your particular circumstances.