Data Protection
Key points
• Under the Data Protection Act 1998, employers who store and process personal data about their employees – whether in a computerised, paper-based or other relevant filing system – must ensure that the data in question serves a legitimate purpose; that it is kept under 'lock and key'; and that it is not deliberately or unwittingly disclosed to unauthorised third parties. Employees, for their part, have the right to be informed of the nature and scope of the data held on their personal files, the source of that data (Who provided it?), and the names or job titles of the people to whom that data has been or may be disclosed. They have the right also (on payment of a fee of up to £10) to inspect and take copies of most (if not all) of the documents concerning personal data about them that is held in their employers' filing systems. Although the term 'employee' is used throughout this section, it is as well to point out that the 'data protection' and 'subject access' provisions of the 1998 Act apply equally to casual, seasonal and temporary workers who may or may not be 'employees' in the strict legal sense of the word.
• Employees may challenge the relevance or accuracy of any personal data about them that is held on their employers' files and may apply to the High Court or county court for an order directing their employers to rectify, block, erase or destroy that data and any other personal data which contains an expression of opinion which appears to the court to be based on inaccurate data.
'Processing', in relation to information or data, whether done manually or by computer, means obtaining, recording, or holding the information or data; or carrying out any operation or set of operations on that information or data, including organising, adapting, altering, retrieving, disclosing, erasing or destroying it.
• The term 'relevant filing system' encompasses any non-automated or manual filing system that is structured either by reference to individuals or by reference to criteria relating to individuals, and that is assembled in such a way that specific information relating to a particular individual is readily accessible. Arguably, the contents of the typical personnel file are neither 'structured' nor 'readily accessible'. Indeed, some commentators have expressed the view that, because they are unstructured, such files fall outside the scope of the 1998 Act. Others have argued, equally cogently, that they do not. Wiser counsel urges employers to err on the side of caution by applying the 1998 Act's 'data protection principles' (see below) to all personal data which relates to individual employees.
• Although the processing of personal data on a computer in a coded format may be appropriate from the point of view of security, it does not relieve employers of their statutory duty to disclose that data when an employee asks to see it. Coded data must, of course, be translated into plain English (and a hard copy produced) before it is made available to the employee.
Meaning of 'personal data'
• 'Personal data' means data or information relating to a living person (whether employee or worker, job applicant or former employee) who can be readily identified from that data (or from any other data held by, or likely to come into the possession of, that individual's employer (or former employer)), including any expression of opinion about that individual and any indication of the employer's intentions in respect of that individual.
Sensitive personal data
• The 1998 Act lays down rules concerning the processing of so-called 'sensitive personal data' – that is to say, data that consists of information relating to a person's racial or ethnic origins, or to his (or her) religious beliefs, political opinions, trade union membership, physical or mental health, sexual life, or criminal convictions.
• An employer may not process sensitive personal data about an employee (or reveal such data to a third party) without the employee's express consent, preferably in writing, unless the data in question is needed for legal reasons or in compliance with an employer's statutory duties. Indeed, the 1998 Act allows that the 'processing' of data about an employee's racial or ethnic origins may be justified if the employer's aim is to monitor the effectiveness of his equal opportunities policy.
• Job application forms that require a would-be employee to reveal sensitive data should explain why that information is needed. For example, in certain trades and industries involving exposure to specified hazardous substances, health and safety legislation effectively requires women of 'reproductive capacity' to disclose whether they are pregnant or are breastfeeding or have recently given birth. Such information will need to be kept on file for obvious reasons (at least for so long as it remains relevant). Job applicants who have a liability to epileptic seizures, or who are insulin-treated diabetics, or who have an alcohol or continuing drug dependency, or who have suffered from a psychotic illness within the previous three years, may not be employed to drive large vehicles; and so on. The Rehabilitation of Offenders Act 1974 also requires job applicants (and, in some cases, existing employees) who are applying for appointment or transfer to particular occupations to disclose details of any and all criminal convictions (including 'spent' convictions).
The eight 'data protection principles'
• The 1998 Act lists eight data protection principles that differ slightly in subject-matter and content from the seven principles laid down in the now-repealed 1984 Act. Under the 1998 Act, personal data about an individual (whether 'processed' by automated or non-automated means):
1. must be processed fairly and lawfully;
2. must be obtained for one or more specified lawful purposes;
3. must be adequate, relevant and not excessive in relation to the purposes for which it is processed;
4. must be accurate and, where necessary, kept up to date;
5. must not be kept longer than is necessary;
6. must be processed in accordance with the rights of employees (or former employees);
7. must be safeguarded (by appropriate technical or organisational measures) against unauthorised or unlawful processing, and against accidental loss, damage or destruction; and
8. must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects (this principle is new in the 1998 Act).
In brief, an employer should only process personal data if the information held on an employee's file (computerised or otherwise) is necessary or justifiable:
◦ for the purposes of entering into a contract of employment (employee's name, address, age, sex, marital status, number of dependants, schooling, academic qualifications, employment history, etc); or
◦ in the context of an employee's (or employer's) statutory or contractual rights, duties or obligations (eg, doctor's sick notes, attendance records, performance appraisals, disciplinary records and warnings, health assessments, information about accidents, injuries or diseases); or
◦ for PAYE tax, National Insurance, or occupational pension scheme purposes.
• Personal data about an employee or worker should only be kept on file for so long as is strictly necessary. It follows that personnel files should be 'laundered' at regular intervals to remove extraneous, invalid, irrelevant or out-of-date information (particularly important in the case of former employees). If an employee asks for inaccurate, false or irrelevant material to be removed from his (or her) personal file, the employer should comply, unless of course he disagrees with the employee's assessment of that information; in which event, the matter may be referred to the High Court or a county court for determination, although the latter option will not be available in relation to data held in manual or paper-based filing systems in existence before 24 October 1998.
• Finally, and most importantly, an employer must ensure that appropriate security measures are in place to prevent personal data held on computer or in paper-based filing systems falling into the wrong hands. As indicated earlier, sensitive personal data should not be kept on file without the express permission of the individual(s) concerned unless there is an overriding legal or practical requirement for the retention of such data.
Access to personal data
• Under the 'subject access' provisions of the 1998 Act, employees have the right (at reasonable intervals and without undue delay, and on payment of a fee of up to £10) to be informed about any personal data concerning them that is held by their employers either electronically (that is to say, in a computerised format) or in their manual or paper-based filing systems. They have the right also to examine that data and to ask for the correction, updating or erasure of any data that they consider to be inaccurate or irrelevant. What constitutes reasonable access will depend on the particular circumstances. But two or three times a year would not be unreasonable.
If revealing the source of contentious information on an employee's file means disclosing the identity of the person who provided that information in the first place, the employer must first obtain the permission of that person before doing so. If that permission is withheld, the employer must edit the information in such a way as to omit that person's name or other identifying particulars.
• Finally, an employee should not expect to be given access to personal data at a moment's notice. He may have to wait up to 40 days (the maximum under the Act) before that information is supplied. An employer who refuses to supply such data (or needlessly delays issuing that data) is guilty of an offence and liable on summary conviction to a fine of up to £5,000.
Evaluating an employee's capabilities
• Information held on computer or on an employee's personnel file, which expresses an opinion about that employee's capabilities, character, attitudes, conduct, performance, etc must be disclosed to that employee on request.
• Furthermore, an employee may challenge his (or her) employer's sole reliance on the computerised processing of his personal data to evaluate his work performance, capabilities, reliability, conduct, etc – the more so if decisions stemming from that automated evaluation are likely to have a significant impact on the employee's prospects for advancement or career development within the employing organisation. In short, the employee has the right to demand an intelligible explanation of the logic involved in such decision-taking and may write to his employer requiring him to ensure that no such decision is to be taken based solely on a computerised evaluation of his personal data.
Information that need not be disclosed
• The definition of personal data in the 1998 Act includes any indication of an employer's intentions with respect to an individual employee – which, at first sight, would appear to suggest that an employee is entitled to know whether he (or she) has been earmarked for a pay rise, promotion, redundancy, disciplinary action or dismissal. However, that is not the case. Schedule 7 to the Act (Miscellaneous Exemptions) makes it clear that employees have no statutory right to demand to see (or to be provided with copies of) documents whose contents comprise information processed for the purpose of management forecasting or planning – the more so if the premature disclosure of such information is likely to prejudice the conduct of the employer's business (ibid. Schedule 7, paragraph 6).
• Nor need an employer disclose the contents of a reference relating to an existing or former employee that he (or she) has sent in confidence to a prospective new employer. Nor need he reveal the contents of a reference sent to some other body or institution which is considering an employee for further education or training, or that relates to the appointment (or prospective appointment) of an employee to any public office; or that is given in respect of any service the employee hopes or intends to provide to another person or organisation (ibid. Schedule 7, paragraph 1).
• Although an employer is not obliged to disclose the contents of references he has sent to other employers, the same exemption does not apply to references supplied by one or other of an employee's former employers. However, section 7 of the 1998 Act cautions that an employer should be wary of disclosing the contents of a reference supplied in confidence by a former employer unless it is possible to do so by deleting the name and job title of the person who wrote the reference as well as those of any other person named or referred to in the reference. Furthermore, in deciding whether it is reasonable to supply a copy of a reference without the consent of the person who wrote it (or that of any other person named or identified in it), the employer must pay due regard to any duty of confidentiality owed to the individuals in question; the steps that have been, or should have been, taken to obtain their consent; whether they are capable of giving their consent; and whether they have expressly refused to give their consent.
Transitional provisions
• The 1998 Act allows of two transitional periods. The first transitional period ended on 23 October 2001; the second ends on 23 October 2007. During the first transitional period, personal data held in automated or computerised filing systems was exempt from some but not all of the 1998 Act's provisions. The processing of data stored on computer must now comply fully with the 1998 Act. However, as is explained in the next paragraph, most employers have until 23 October 2007 to comply fully with the Act's provisions relating to manual or paper-based filing systems.
• During the second transitional period, manual (or paper-based) files in existence before 24 October 1998 need not comply with the first data protection principle (save for the right of an employee to access personal data held on those files), nor with the second, third, fourth and fifth data protection principles until the end of the second transitional period (that is to say, until 24 October 2007). Nor do employees have the right, during that second transitional period, to apply to the county court (or High Court) for an order requiring their employers to rectify, block, erase or destroy inaccurate data held on those files. In short, employers processing personal data held in manual files (set up before 24 October 1998) have some five years in all in which to 'put their houses in order' – by auditing and sanitising those files and putting the necessary compliance procedures in place.
• What is not yet clear (and this has been the subject of some speculation) is whether personal data added to manual or paper-based files on or after 24 October 1998 'enjoys' the benefit of the same seven (now four) year transitional period or whether such data should now comply fully with the 1998 Act. In her Introduction to the Data Protection Act 1998, the Data Protection (now Information) Commissioner states that personal data about existing employees added to files that came into being before 24 October 1998 is 'unlikely' to alter the character of those files unless that additional material 'produces a different effect on the overall processing operation'. Further information about compliance with the 1998 Act (notably on this latter point) may be obtained by telephoning the data protection Information Line on 01625 545745.
Notification
• Under the since-repealed Data Protection Act 1984, UK employers who kept personal data about their employees in a computerised filing system or by other electronic means (eg, in a mainframe, desk-top, laptop computer, or on a floppy disc or CD), or who used the services of a computer bureau to store or process any such data, had no need to register that fact with the then Data Protection Commissioner if the data in question was held solely for the purposes of calculating and paying wages, salaries and pension monies. Even though registration was not required in the latter situation, the data stored on computer could not then (and cannot now) legally be used for any other purpose. Nor may it be disclosed to any other person except for the purpose of obtaining actuarial advice on pension issues or for use in medical research into the health and accident records of persons employed in particular occupations.
• With the coming into force on 1 March 2000 of the 1998 Act, and the concomitant repeal of its predecessor, the former system of registration has been replaced by a new notification regime. Under that regime, employers who store and process personal data about their employees (whether on computer or in paper-based filing systems) need not notify the Information Commissioner of that fact (although they may choose to do so voluntarily) if the processing is done purely for staff administration purposes – eg, for recruitment and selection or payroll purposes or in connection with an employee's employment and career history, qualifications, experience, promotion, transfer or training, performance, health and attendance, conduct and capabilities, or related personnel issues. Nor is notification required if employers do not use computers for processing personal data about their employees. However, notification is required if personal data about an individual is processed on computer for pensions administration purposes. Further advice may be obtained from the Notification Helpline on 01625 545745 (Fax: 01625 545748 or email:
Employment Practices Data Protection Code
• In March and September 2002, respectively, the Information Commissioner published the first and second parts of a planned four-part Employment Practices Data Protection Code. Part 1 (Recruitment and Selection) and Part 2 (Records Management) may be downloaded from website Part 3 of the code (Monitoring at Work), in draft form, was published on 8 July 2002, and may also be downloaded from the same website. At the time of writing, a consultation draft of Part 4 of the code (Medical Information) had not yet been produced. It is as well to point out that the new code will not come into force until its four constituent parts have been formally agreed and published.
Further information
• It is important to stress that the above is little more than a summary of the principal provisions of the 1998 Act and should not be relied upon by any reader as his (or her) primary source of information on the 1998 Act – the more so as the Act itself is not only lengthy and complex, but contains a great many 'ifs' and 'buts' which have not been explored in any detail in these pages. Copies of The Data Protection Act 1998 – Legal Guidance can be downloaded from website or may be obtained (along with related publications, guidance notes and codes of practice) from:
Publications
Information Commissioner's Office
Wycliffe House
Water Lane
Telephone: (01625) 545700