Lees Solicitors - Data protection and your employees - Matt Smith

Employment Law News

Data protection and your employees - Matt Smith

This checklist highlights the key legal obligations businesses should consider when dealing with personal data about any individual whom you may encounter in the course of your business, but in particular focuses on data protection in relation to your employees.

Penalties for failing to deal with personal data appropriately

  • There could be serious financial, commercial and reputational implications for your business (including possible criminal penalties and fines) if personal data is not handled properly.

Protecting and securing personal data

  • Personal data is any information about an individual held on computer or in organised filing systems that could identify the individual, either on its own or together with other information your business holds. It needs to be protected and kept secure. This information includes:
    - name, e-mail address, telephone numbers or date of birth; and
    - notes written about someone, such as an annual performance review.
  • The individual could be a potential or actual employee, customer or supplier, or possibly someone captured on your business' CCTV footage.

Collecting personal data

  • Your business can only collect personal data if it has a good reason for doing so (for example, because a new employee is coming to work for you).
  • When your business collects data about an individual, you will need to tell that individual what your business intends to do with their data (for example, if you are collecting information about employees' ethnicity, state that this is for equal opportunities monitoring).
  • Your business should only collect information that it requires at the particular time (for example, a job applicant should not be asked for their bank details). This type of data should only be collected once the applicant has started to work for your business.

Storing personal data

  • All data must be accurate and up to date. Databases should be regularly spring cleaned and out-of-date information must be deleted (for example, ex-employees' details).
  • Data should only be held for as long as it is required and for the reason it was collected.

Keeping data secure and confidential

  • Personal data must be kept secure at all times. For example:
    - computers and files should be password protected;
    - personal data on laptops and other portable devices should be kept to a minimum;
    - manual filing cabinets containing personal data should be locked and only accessible to authorised personnel;
    - confidential documents should not be left unattended on desks; and
    - personal data should be removed promptly from fax machines, printers and photocopiers.
  • When your business sends personal data, it must be done in a secure way (for example, confidential information should not be sent in the internal mail).
  • Personal data must be disposed of securely (for example, by shredding, placing in confidential waste bags, destroying or securely deleting electronic files). Confidential papers should not be put in the recycling bin.
  • When working away from the office or in public areas:
    - ensure that personal data stored on portable devices such as laptops, Blackberries, CD-ROMs or memory sticks is encrypted and kept secure at all times;
    - avoid leaving papers or electronic devices lying around;
    - make sure that members of the public cannot see any of your employees' confidential documents or computer screens; and
    - avoid talking about confidential matters when the public can hear.
  • Security breaches, such as accidentally losing personal data, should be reported to the appropriate person immediately.
  • Electronic documents, including calendar entries and meeting requests, should be password protected or designated private where appropriate.

Using data collected on individuals

  • Your business is generally allowed to use someone's personal data if they have given their consent. The data may also be used in other circumstances, for example if your business has a legitimate interest in using it (although this has to be balanced with the individual's rights), such as where part of your business has been sold to a third party and you need to transfer employees' data to it under the TUPE regulations.
  • Data should only be used for the reason that it was collected (for example, if calls between staff and customers are recorded for training purposes only, they should not be used to discipline a member of staff).
  • If you want a third party to manage data, such as carrying out payroll services, you should take legal advice. Your business will still be responsible for protecting the data and will need to enter into a written contract with the third party.
  • Your business should also take legal advice if it is considering transferring any data outside the UK. It is very easy to transfer data outside of your own country, for example, by sending an e-mail to an office outside of the UK.
  • If your business is considering using sensitive personal data (for example, information about ethnic origin, trade union membership or criminal records), you should take legal advice.

Enquiries about personal data

  • Make sure your business has a system in place to deal with individuals who request details of the personal information that your business holds on them. Individual employees should not deal with this type of enquiry unless they have been given specific authorisation to do so. The request should normally be passed to the person within your business who has responsibility for data protection issues.
  • Personal data should not be given out to the friends or relatives of an individual without that individual's specific consent.

Practical Steps

You can take some simple steps to improve the way your business handles personal data and prevent breaches of the Data Protection Act:

  1. Designate an employee to act as your Data Protection Officer, who will be responsible for compliance with data protection laws and dealing with all data protection enquiries.
  2. Include a data protection policy in your staff handbook. Ensure that all employees, and in particular managers, are familiar with it.
  3. Include a clause in your contracts of employment by which the employee agrees to comply with the data protection policy and consents to the handling of their personal data.

More information

If you wish to discuss the content of this checklist, or if you have any further questions or queries in relation to any aspect of employment law, please contact Matt Smith on 0151 647 9381.

Matt Smith

This article provides a summary of a recent case/change in law/news item. It is intended for general information purposes only and is not to be relied upon. It does not constitute legal advice and should not be treated under any circumstances as a substitute for legal advice. Lees Solicitors LLP does not accept any responsibility for any loss that may arise from reliance upon the information contained within this article. The copyright in this article is owned by Lees Solicitors LLP and permission must be sought before reproduction or publishing.
