January 10, 2013 10:13 am

‘What are our duties regarding personal data?’

A colleague recently raised concerns about our obligations in relation to holding personal data on the staff we manage, but I’m not aware what kind of data that is.

What are our duties towards staff when it comes to holding personal data on file and do we need to get their express permission to keep these records?

Lisa Mayhew, a partner in the employment team at Berwin Leighton Paisner, the law firm, says:

If you hold any information that relates to an individual employee in any kind of organised way, then that information is very likely to be “personal data”.

This covers the obvious details – name, job title, absence and disciplinary records – but also includes any information that could be used to make decisions about the employee or contains expressions of opinion about them, for example information collected for an appraisal or the results of email monitoring.

Some personal data is classed as “sensitive” – for example, on health or racial origin grounds, and this attracts extra protection.

The overarching theme of the data protection regime is the right of individuals to have information about them used in a fair and transparent way.

This roughly translates to the following duties: to ensure that personal data is held only for lawful, specified purposes – managing the employment relationship will count – and that employees know what those purposes are, that you only hold data relevant to those purposes, that the data is kept up to date and that it is held securely.

You should keep all of these things under regular review. You also have a duty to allow individuals to access the data that you hold on them.

It is always best to obtain employees’ express written permission, either in their contract or separately, on the holding of their personal data.

However, this is not a “get out of jail free” card so you should ensure that the principles set out above are always adhered to, in particular only holding the information that is necessary for your purposes.

The European Commission is in the process of reforming the data protection regime but the changes currently proposed will not affect the basic points set out above.

Sean Crotty, a corporate partner specialising in data protection issues at law firm Weightmans, says:

Every employer must collect, hold and use employment records to maintain its business. However, a balance must be struck between respecting the employee’s privacy and business needs.

The Information Commissioner can impose fines of up to £500,000 for breaches and employees may be entitled to compensation, which means workers’ records need to be handled carefully.

Employment records will contain information ranging from contact details to sickness, absence and accident records. These details will contain “personal data” and “sensitive personal data” (e.g. health, race, union membership etc). They should be collected, stored and used in accordance with the Data Protection Act 1998 and the Employment Practices Code.

The principles set out in the DPA include fair and lawful processing of data, security and non-disclosure provisions. Employment records should be kept secure, handled in accordance with the principles of the DPA, kept up to date, be adequate, accurate, and only kept as long as is necessary.

Furthermore, disclosures to third parties should be strictly monitored and only be carried out if the employer is certain that it is lawful.

Also, remember that employees have a right to access the majority of their records. If requested, the employer must comply within 40 days in most cases. An employee may also comment upon the records, which might lead to the employer being required to update them in order to maintain accuracy.

Usually, an employer will not have to obtain express permission to keep employment records. However, the employee must be aware that such records are maintained and the purposes for keeping the records, together with the nature of any intended disclosures.

That said, if “sensitive personal data” is being held, express consent should be obtained, ideally. Although this is not the only method of complying with the DPA, it is often the easiest and most certain. However, such consent should be freely given by the employee – they should be able to say “no”.

Email your career management questions to: recruitment@ft.com

Copyright The Financial Times Limited 2014. You may share using our article tools.