Data protection


Sarah Rushton, Moon Beever Last Modified  10 March 2015

Key points

  • The Data Protection Act 1998 (DPA) applies to all organisations that process personal data relating to their employees or others, such as customers.
  • If an organisation processes data, it should ensure that it is included on the register of data controllers unless it is exempt from the requirement to do so.
  • The DPA sets out principles which should be followed by those who process personal data; it also gives rights to those whose personal data is being processed, for example employees.
  • Personal data must be processed fairly and lawfully in accordance with the DPA.
  • Special rules exist in relation to ‘sensitive personal data’.
  • Where data is processed it should be carried out in accordance with eight data protection principles.
  • The Information Commissioner's Office Employment Practices Code on data protection gives detailed practical guidance to employers on how to comply with the DPA.
  • Access to medical reports which are provided by employees’ doctors is also covered by the Access to Medical Reports Act 1988.
  • Employees may make a ‘subject access request’ on payment of a fee of not more than £10. They are entitled to know what information is held about them and to receive copies of that information. Subject access requests should be actioned promptly and normally within 40 calendar days.
  • Employers should formulate a data protection policy appropriate to their business that deals with the type(s) of data held about employees and the use to which that data may be put.
  • Employers should ensure that good practices are followed by their employees where their job involves processing or having access to protected data.

Recent developments

Enforced subject access requests
On 10 March 2015 a provision contained in Section 56 of the Data Protection Act 1998 (DPA) making ‘enforced subject access requests’ unlawful, which had been inactive, came into force.

The practice of making 'enforced subject access requests' involves one person (an employer, for example) requiring another (for example, an employee) to submit a ‘subject access request’ to specific bodies in order to obtain their personal data and share it with the first person. Employers have used this method to get around the Rehabilitation of Offenders Act 1974, which prevents them from requiring the disclosure of ‘spent’ convictions from potential recruits (although they can ask job candidates if they have criminal convictions).

Section 56 makes enforced subject access requests a criminal offence under the DPA, which could include personal criminal liability for some staff, potentially incurring an unlimited fine in England and Wales (different limitations apply in Scotland and Northern Ireland.

Employers’ responsibilities under the Vetting and Barring regime are unaltered by the change.

The Information Commissioner’s Office has produced guidance on how the prohibition operates.