Data protection

Originally issued in January 2000; latest revision January 2008

This factsheet gives introductory guidance. It:

  • introduces the law associated with data protection and privacy
  • provides an action plan for employers.

The legal position


There is a plethora of statutes which address data protection and privacy, but the main legislation governing data protection is the Data Protection Act 1998 (DPA) which came into force on 1 March 2000.

The DPA implements an EU Directive (the Data Protection Directive 95/46/EC) and both the Act and the Directive aim to give individuals rights in connection with the processing of manual and computerised personal data and on the movement of such data.

Other important statutory provisions concerning data protection are:

  • The Human Rights Act 1998 (see our factsheet on Human rights for more information)
  • The Freedom of Information Act 2000 (FOI Act) - only applicable to public authorities
  • The Regulation of Investigatory Powers Act 2000 (RIPA)
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)
  • The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/2905)
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
  • The Environmental Information Regulations 2004 (SI 2004/3391)
  • The United Kingdom Data Protection (Processing of Sensitive Personal Data) Order 2006 (SI 2006/2068).

The Public Interest Disclosure Act 1998 is not relevant to the protection of data as such, but does protect employees against detrimental treatment or dismissal as a result of any whistleblowing or disclosure of information in the public interest – see our whistleblowing factsheet for more information.

There is also an underlying common law rule that provides limited protection for confidential information in an employment context, ensuring that information, personal or otherwise, that is given in confidence is neither disclosed nor used for the recipient's benefit without consent.

The Data Protection Act 1998 (DPA)


In essence, data protection means that those who decide how and why personal data are processed (data controllers), must comply with certain data protection principles. Those about whom data are processed (data subjects) are also provided with a number of rights.

Data protection is an extremely complex and topical issue, especially following the high-profile loss of two computer discs containing the entire child benefit database of 25 million people. These were lost towards the end of 2007 when HM Revenue & Customs (HMRC) reportedly posted them to the National Audit Office using normal post. All organisations must take steps to handle, process and store data responsibly and keep up to date with legal developments in this area.

There are eight principles put in place by the DPA which specify that data must be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept for longer than is necessary
  • processed in line with your rights
  • secure
  • not transferred to countries outside the EU without adequate protection.

It is against the law if a data controller, for example an employer, does not keep to these principles.

The DPA applies to personal data in computerised, manual or any other format, as long as the data is in a system that allows the information to be readily accessible. Most personnel and employment files will be covered by the DPA.

CIPD members should see the more detailed information in our FAQ on Data protection, surveillance and privacy at work in the Employment Law at Work area of our website. 

Another important source of information is The employment practices code [1] issued with supplementary guidance by the Information Commissioner. It is in four parts:

  • Part 1: Recruitment and selection
  • Part 2: Employment records
  • Part 3: Monitoring at work
  • Part 4: Information about workers' health.

The Telecommunications (Lawful Business Practice) Regulations 2000


These regulations were issued under RIPA in order to comply with the Telecommunications Data Protection Directive. They cover all types of telecommunications (telephone, email, fax, etc) on public and private systems. Employers may intercept these with the parties’ consent.

They can also intercept without consent:

  • to establish facts
  • to find out if a communication is for business or private purpose
  • for quality control or training
  • to comply with regulatory or self-regulatory procedures 
  • for system maintenance
  • to detect unauthorised use
  • to prevent or detect crime
  • for national security purposes.

Organisations offering free telephone advice may monitor but not record calls. If employers do not have consent they will have to show that they have taken reasonable steps to inform the corresponding parties that there may be interception.

The Freedom of Information Act 2000 (FOI Act)


The FOI Act gives anybody the right to access information held by public authorities including central government. This means that members of the public have a right to access information held by the Home Office. The Act was implemented in two parts:

  • The first stage required central government departments (including the Home Office) to make information available through their Publication Scheme from 30 November 2002. The aim of the Publication Scheme is to explain what information the Home Office makes available to the public and, where possible, provide an easy method of accessing this information.
  • The second stage began in January 2005. From this date, everybody became entitled to ask a public authority in England, Wales and Northern Ireland for any recorded information that they keep.

Access to information


If information falls within the DPA, a data subject has a right to request a copy. The request must be in writing, accompanied by sufficient detail to enable the data to be identified and a fee of £10 paid in advance. The information must be supplied within 40 days. An audit of the various filing systems, including private and duplicate systems, will be necessary to enable the 40-day limit to be met.

Health information


Together with information on race, religion or belief, union membership, sexual life and crimes, health information is classed as sensitive information by the law. It can only be held with the explicit consent of the individual, which creates problems for holding health records. For new employees consent may be included in their employment contract. Existing employees may be asked to give their consent, but if this is refused the employer still has to make a decision and will have to act on the information supplied to it.

References


In general, data subjects who are persistent may be able to gain access to their references. This depends, however, upon whether the request is made of the organisation providing the reference (usually the previous or current employer) or the organisation requesting the reference (the new or prospective employer). The recipient of a confidential reference can only disclose the reference by complying with the DPA's confidentiality rules. The referee who has given a confidential reference for employment, self employment or educational purposes can withhold the reference from disclosure, though this only applies where the reference is given in confidence. See our factsheet on References for more information on this topic.

Email and the Internet

 
Many legal issues arise concerning employees' potential abuses of email and the Internet. As a starting point, all organisations should implement a comprehensive Internet and communications policy. This, and other aspects of employees' use of email and the Internet, are dealt with in our factsheet on Internet and email policies.

The terms of the DPA differ in several respects from the Telecommunications (Lawful Business Practice) Regulations concerning the form of consent required before an employer can access information. The Information Commissioner recommends that an employer should have a policy setting out permitted use and that monitoring should be as unintrusive as possible, for example using traffic data rather than accessing the content of an email.

Sending information abroad

 
Information may be sent to any country within the European Economic Area or to Hungary or Switzerland. It may be sent to an organisation in the USA only if that organisation has signed up to the Safe Harbour Agreement made with the European Union. Otherwise the employer needs to gain the consent of the employee.

Action plan


Organisations should:

  • Appoint a data controller, i.e. a person to be in charge of all aspects of information, including the DPA and FOI Act.
  • Audit information systems to find out who holds what data, and why.
  • Consider why information is collected and how it is used. Issue guidelines for managers about how to gather, store and retrieve data.
  • Ensure that all information collected now complies with the Data Protection Act 1998.
  • Check the security of information stored.
  • Check the transfer of data outside the European Economic Area.
  • Check the organisation’s use of automated decision making.
  • Review policy and practice in respect of references.
  • Review or introduce a policy for the private use of telephones, email and post.

Useful contacts

References

  1. INFORMATION COMMISSIONER. (2005) The employment practices code. Wilmslow: Information Commissioner's Office. Available at http://www.ico.gov.uk/what_we_cover/data_protection/guidance/codes_of_practice.aspx

Further reading


CIPD members can use our Advanced Search to find additional library resources on this topic and also use our online journals collection to view journal articles online. People Management articles are available to subscribers and CIPD members in the People Management online archive. CIPD books in print can be ordered from our Bookstore.

Books and reports


ROME, P. (2007) Data protection in practice. Employment law bulletin. Kingston upon Thames: Wolters Kluwer. 

Journal articles


FAHEY, S. (2007) For your eyes only. Occupational Health. Vol 59, No 1, January.

TEMPERTON, E. and SHAMSEE, K. (2007) When personal info becomes personal data. People Management. Vol 13, No 20, 4 October. p21.

This factsheet was originally written by Olga Aikin and updated by Lisa Ayling, solicitor and employment law consultant.
