Good Practice Recommendations –
Part 2: Notes and Examples

2.1 Collecting and keeping general records

2.1.1 There is no need to provide workers with details that are self evident. They do not, for example, need to be told that information on their earnings will be disclosed to the Inland Revenue. Consent may be needed if sensitive data are held but there may be alternative ways of meeting the sensitive data conditions.

This page explains more about the conditions for processing sensitive personal data.

Possible different ways of informing workers include distribution of a fact sheet, information given on an intranet or inclusion of relevant material in an induction course.

2.1.2 This information can, of course, be combined with that provided under 2.1.1.

2.1.3 For example, employers often require an emergency contact to be used should a worker be
taken ill at work. If you ask for ‘next of kin’ you will not necessarily obtain the information needed.

2.1.4 Some employers may decide that it is not practicable to provide each worker with a copy of their personal details annually. If so they must ensure they have an effective alternative for ensuring records are kept accurate and up to date. In some cases employers may be able to take advantage of the capabilities of automated systems. For example, workers’ PCs could prompt them to check their personal details from time to time and require them to acknowledge that they have done so. Employers must be prepared to give access to records when a worker makes a subject access request but employers should not rely on this alone as a means of ensuring accuracy.

2.1.5 For example, a computerised personnel system could have a built-in facility to automatically query the input date of birth of workers, highlighting ages above or below the normal working age. Similar “flagging” can be used to automatically alert the organisation to information that may be out of date. This could be used as part of a review and deletion policy. Systems which incorporate audit trails showing who has created or altered a record and when also assist in ensuring accuracy. They enable the employer to trace the sources of inaccurate records and to take action to prevent recurrence.

Many businesses buy computerised personnel systems ‘off the shelf’. The business should make sure the system facilitates data protection compliance. The legal responsibility for compliance rests clearly with users rather than suppliers of systems. Users cannot simply blame the system. The Information Commissioner does though recognise that it may take businesses some time to bring existing systems up to the desired standards. This will be taken into account should the possibility of enforcement action arise as a result of a breach of the Act.

2.2 Security

2.2.1 It is beyond the scope of this Code to set general security standards that may have no special relevance to employment records. BS7799: 1995 (Code of Practice for Information Security Management, British Standards Institution, ISBN: 580236420) provides guidance and recommendations which, if followed, should address the main risks. Not all the controls described in BS 7799 will necessarily be relevant to all organisations but many are as applicable to small as well as to large organisations.

See Useful Addresses for British Standards Institute

2.2.2 For example, confidential worker information should not be stored on laptop computers that do not have adequate access controls, i.e. controls that would prevent access to the information stored on the computer should it be stolen or misplaced. Give access to such information sparingly; for example, access to confidential worker information should not normally be given to technical staff for use in testing computer hardware or software. The basic principle should be that information about workers is only available to those who need it to do their job. Access rights should be based on genuine need not seniority.

2.2.3 Computer systems increasingly incorporate audit trails. These can record automatically when and how records have been altered and by whom. In some cases they also record when a record has been accessed and by whom. Where systems detect unusual patterns of access to personal information, for example where one worker accesses information noticeably more frequently than other workers in a similar position, this should be investigated and if necessary preventative action taken.

2.2.4 It is important to check the reliability of workers who have access to personal information. They should be made aware of the security regime that surrounds it. Where appropriate a confidentiality clause should be incorporated into their contracts. Do not overlook workers in management positions as they may pose as great a risk as other workers, or even a greater one, as they may enjoy wider access to information than other workers.

2.2.5 There should be a procedure for taking employment records, whether computerised or in paper files, off-site – if this is allowed at all. This should make clear who, if anyone, is allowed to take information and what information they can take. It should address security risks, e.g. laptops not to be left unattended in vehicles. Do not overlook senior managers who may think procedures like this do not apply to them.

2.2.6 There are risks with the use of faxes. A confidential fax message may be received on a machine to which many people have access. It can also be retained in the memory of the sending and/or receiving machine. Fax messages can easily be misdirected, for example, by miskeying the fax number of the intended recipient. Do not use general company e-mail addresses or fax numbers for the transmission of confidential information.

An employer must not allow the transmission of confidential worker information by e-mail without taking appropriate security measures. Encryption may protect e-mail in transit but it may still be vulnerable at either end. If a confidential e-mail is “deleted” bear in mind that a copy may nevertheless be retained on the system.

To secure fax and e-mail systems

• ensure that copies of e-mails and fax messages containing sensitive informationreceived by managers are held securely and that access to them is restricted.
• provide a means by which managers can permanently delete e-mails from their personal work-stations that they receive or send and make them responsible for doing so.
• check whether ‘deleted’ information is still stored on a server. If so, ensure that this too is permanently deleted unless there is an overriding business need to retain it. In any event, restrict access to information about workers held on servers. Don’t forget that those providing IT support have access to servers. They may be outside contractors.
• draw the attention of all workers to the risks of sending confidential or sensitive personal information by e-mail or fax.

2.3 Sickness and injury records

2.3.1 With computer based systems the separation of sickness and injury records from absence records can be achieved by logical rather than physical separation, perhaps with additional password protection.

Do not access information about sickness or injury when information only about the length of absence is needed. For example, when calculating a benefit, it may only be necessary to see the length of absence rather than the nature of the sickness responsible for the absence.

2.3.2 The Act does not prevent employers from keeping sickness and injury records about their workers. Such records are clearly necessary for an employer to review the ability of workers to undertake the work for which they are employed, and for other purposes such as the detection of health and safety hazards at work and the payment of health-related benefits to workers.

Where an employer is obliged by law to process sensitive personal data, for example under health and safety or social security legislation, it is easy to satisfy a sensitive data condition. In other cases, particularly involving sickness records, it may be less clear cut that a sensitive data condition is satisfied. Because of this some employers have sought to rely on obtaining the worker’s explicit consent for the processing. The Commissioner recognises that employers need to keep some sickness records but doubts the validity of consent as a basis for the processing of the health data involved. He takes the view that an employer keeping and using sickness records in a reasonable manner is likely to satisfy one of the other sensitive data conditions. Whilst the Data Protection Act, as it currently stands, does not place this question beyond doubt, he understands the Government is considering changes to the law that will do so.

2.3.3 This recommendation does not stand in the way of the disclosure of number of days of absence such as might be involved, for example, in giving a reference.

See Part 2 Employment Records for recommendations relating to references.

2.3.4 ”League tables” of sickness absences of individual workers should not be published because the intrusion of privacy in doing so would be disproportionate to any managerial benefit. It is permissible for a manager to access the record of an individual’s sickness in order to investigate repeated or long-term absence. It is also permissible to publish totals of sickness absence by department or section provided that individual workers are not identifiable.

2.4 Pension and insurance schemes

2.4.1 Care must be taken to ensure that information legitimately required in connection with the administration of the scheme is not made available to the employer unless this is a necessary consequence of the funding or other arrangements of the scheme. Mechanisms can be put in place to ensure this. For example, information, perhaps about medical or pensions history, passed from workers to a scheme administrator via the employer could be provided in a sealed envelope so that it remains confidential.

2.4.2 An employer’s funding of a pension or insurance scheme does not give the employer the right to receive information about individual workers who are members of the scheme unless this is necessary for the operation of the scheme, e.g. to enable the employer to deduct contributions from pay or to decide whether to continue funding. This does not prevent the provision of anonymised, statistical information which should be used wherever possible. Some employers insure their businesses against sickness by key workers. If, as is likely, the insurer requires information about the worker’s sickness in the event of a claim and the employer supplies this, one of the sensitive data conditions must be satisfied.

Click here for conditions to be satisfied.

2.4.3 Although the trustees or administrators may in some cases be workers or directors, information that they receive in their capacity as trustees or administrators of the pension scheme should not be used in relation to general employment issues. For example, a medical report on a new worker that is needed because he or she has applied to join the employer’s pension scheme may not be used in connection with decisions about the worker’s eligibility for sick pay.

2.4.4 Whilst there is no obvious reason why an employer should require access to medical information in connection with private medical insurance, the same is not necessarily true of permanent health insurance. If a worker becomes unfit for work and makes a claim, the insurer might justifiably approach the employer to determine whether suitable alternative work is available. This could involve the disclosure of some health information. In such cases notify the worker concerned about the disclosure and make the information available to the worker on request.

2.4.5 This may require an explanation of how the funding obligations for the scheme fall on the
parties involved.

2.5 Equal opportunities monitoring

2.5.1 The sensitive data conditions should mean that most equal opportunities monitoring can take place without the need to obtain a worker’s consent.

Click here for conditions to be satisfied.

2.5.2 Effective equal opportunities monitoring may mean employers have to keep records about workers’ backgrounds and their work history in a form that identifies them. For example, if your organisation wants to track how many workers with disabilities are being promoted and to what grades, it is difficult to see how this can be done without keeping records in a form that identifies them. Where tracking of individuals is involved it will not always be possible to use only anonymised information. However, where the employer only wants to monitor the proportion of external candidates with particular characteristics that apply for jobs, this alone will not justify the keeping of information about unsuccessful candidates in a form that identifies them. Although the removal of identifying details, e.g. name, may assist the protection of privacy, records will not be truly anonymous if they can still be linked back to individual workers, for example by putting serial numbers on ‘anonymous’ questionnaires but keeping a list of which worker was given a particular questionnaire. Do not give workers the impression that information about them is anonymised unless this is truly the case.

2.5.3 Employers should take account of the advice of relevant bodies before designing, distributing, collating and evaluating an equal opportunities monitoring initiative and incorporating it into procedures. Public sector employers will also need to take into account the requirements of the Race Relations Act 1976 (Statutory Duties) Order 2001 and the Race Relations (Amendment) Act 2000. Advice about the forms, procedures and ethnic grouping categories to be used in equal opportunities monitoring are available from bodies such as the Commission for Racial Equality, the Equal Opportunities Commission and the Disability Rights Commission.

See Useful Addresses for details.

For example do not limit the range of choices of ethnic origin to such an extent that individuals are forced to make a choice that does not properly describe their ethnic origin. Employers should consider carefully precisely what they are trying to monitor and should not collect unnecessarily detailed information about workers’ nationality or linguistic group. Again, they should seek advice from bodies such as the Commission for Racial Equality about this. If monitoring involves the employer assigning workers to categories, perhaps in the case of those who decline to assign themselves, the record must make clear, whenever information is extracted, that the categorisation is merely the employer’s assumption and is not a matter of fact.

2.6 Marketing

2.6.1 Some employers distribute marketing material to their workers. They may market their own products or services, or those of other organisations such as insurance companies and charities which they believe might be of interest to their workers. Workers have a right not to have their personal information used for this purpose.

If your organisation uses workers’ details for advertising or marketing you should explain this fully at the outset, making clear what personal details will be used. You should give workers a clear opportunity to object and respect any objections. An objection might be received, for example, in response to a human resources department telling workers that there is an intention to market to them unless they object. This arrangement is often described as offering an ‘opt-out’. The worker’s right to prevent information about him or her being used for marketing does not just apply to the marketing of products or services, but also to marketing or advertising in a broader sense, such as the promotion of another organisation’s aims and ideals.

2.6.2 The disclosure to another organisation of workers’ details for marketing requires express approval from each individual, for example by the worker sending an e-mail to the human resources department indicating agreement. This is often described as an ‘opt-in’. It would arise, for example, where a company wants to pass workers’ home addresses to a sister organisation so it can market them with its products. The positive indication of consent is required because the disclosure of workers’ information is intrusive and could amount to a breach of the employer’s duty of confidence unless consent is obtained.

2.6.3 This benchmark applies equally to former workers such as pensioners whose details are still kept for payroll purposes, if their details are to be used for marketing. An ‘opt-in’ will not be needed if the new use of workers’ details is likely to be expected by them. For example, if the offering of discounts on your products and services to workers is accepted practice within the industry concerned it may well be that they would expect to receive details of such offers personally addressed to them.

2.7 Fraud detection

2.7.1 There is no obligation to set up representative bodies where they do not already exist, nor is consultation on data matching mandatory under employment law. However, consultation provides an opportunity to identify and address data protection risks and concerns, helping to ensure that the data matching is fair to the workers concerned.

2.7.2 This information could for example be included in a fact-sheet for workers or other
arrangements adopted to meet the recommendations earlier in the Code.

See Part 2 Employment Records, Collecting and Keeping General Records for benchmarks on informing workers.

2.7.3 The fact that disclosure of information may be required by law does not remove the obligation to inform workers. This is only removed if informing workers would be likely to prejudice the prevention or detection of crime, for example by amounting to a ‘tip off’ to the worker that he or she is under investigation for suspected fraud.

2.8 Workers’ access to information about themselves

2.8.1 This is linked closely to the recommendations in the section on Managing Data Protection. A subject access request need not mention the Data Protection Act. When a worker makes a written request to an employer for access to information about him or her, this should be recognised as a subject access request and handled accordingly. Unless the employer knows what personal information is held about workers and who is responsible for the information, it will be difficult to fully respond to subject access requests. It may be necessary to carry out some form of audit to find out what information about workers is held. There should then be a system for ensuring all relevant information is located and provided in the event of a request being made. An employer can however ask a worker making an access request for information to help it locate the information about the worker, for example by asking “when were you employed by us and in which department?”

2.8.2 Making a false subject access request is one method that can be used by those trying to get access to information about workers to which they are not entitled.

See Part 2 Employment Records, Disclosure Requests, for more information about this.

2.8.3 The employer must provide a copy of the subject access information in a permanent form unless providing it in that form would involve disproportionate effort. Even if disproportionate effort would be involved in providing a copy, the employer must still give access to the record, perhaps by allowing the worker to inspect it. The Act does not define ‘disproportionate effort’. Matters to be taken into account include the cost, the length of time it would take, the difficulty of providing the information, and also the size of the organisation to which the request has been made. These factors have to be balanced against the impact on the individual of not providing a copy. Given the significance of employment records, an employer should only rely on the disproportionate effort exemption from providing a copy in exceptional circumstances.

One area that can cause employers difficulties is access to e-mail. Workers are entitled, under subject access, to copies of the information in e-mails that is about them. Employers are not though required to search through all e-mail records merely on the off-chance that somewhere there might be a message that mentions the worker who has made the request. For information to fall within the Data Protection Act’s subject access provisions, the worker must be the focus of the information and the information must affect the worker’s privacy. This means, for example, that an e-mail about a worker’s conduct or performance must be provided. However, an e-mail that merely mentions a worker, perhaps because his or her name appears on the e-mail’s address list, need not be provided. Employers should check wherever there is some likelihood that messages might exist, for example in the mail box of the worker’s manager. In doing so they should take into account any details the
worker has provided to assist them in locating the information about him or her.

Detailed guidance about subject access is available in the ‘Data Protection: Your Information Rights’ section of the Information Commissioner’s website at www.informationcommissioner.gov.uk

It is sometimes asked whether an employer will be a data controller for personal e-mail messages held on its system. If it is not a data controller for such messages it does not have to provide access to them. Employers will though usually be data controllers for all e-mail messages held on their systems. This is because they will keep at least some control over how and why messages are processed, for example by restricting the purposes for which workers can send personal e-mails or by retaining or monitoring personal e-mails to ensure the security of their systems.

Employers are free to agree alternatives to formal subject access with workers, but no pressure should be put on workers not to make or to withdraw subject access requests. For example, a worker might agree to withdraw a formal request if the employer provides particular information, about which the worker is concerned, free of charge. However if the worker proceeds with a formal request the employer must provide a full response.

2.8.4 Information released to a worker could include information that identifies another person, for example a fellow worker. This other person is referred to as a ‘third party’. Responding fully to a subject access request could lead to the third party’s rights under the Act being violated. One example is when a complaint is received about a worker and releasing information on the complaint, in its entirety, would identify the complainant to the worker. In many cases simply removing the third party’s name from the information before it is released to the worker will solve the problem. However this will not always be the case. Sometimes the worker might be able to work out the third party’s identity from the information itself, for example ‘only X could possibly have written that about me’. The
employer has to strike a balance between the right of the worker to access and the right of the third party to privacy. Before releasing information to the worker the organisation should follow a clear decision-making process to ensure it gets the balance right.

Click here for the process to follow for access when information about third parties is involved.

2.8.5 No further guidance on this recommendation.

2.8.6 Such automated systems are most common in recruitment exercises. An example of a decision that is covered is where an individual is short-listed purely on the basis of answers provided through a touch-tone telephone in response to psychometric questions posed by a computer. Workers have a right, under the Act, to know the logic behind any such automated decision. Either a separate request can be made for which a fee of £10 can be charged, or, if specifically stated, the request can be included in a more general subject access request.

See Part 1 - Recruitment and Selection for more information on the use of automated selection methods.

2.8.7 Responsibility for responding fully to a subject access request rests with the employer rather than the systems supplier. An employer cannot blame the shortcomings of the system it uses, or a lack of information provided by the systems supplier, as a defence for its failure to respond properly to a subject access request.

2.9 References

2.9.1 It is in the employer’s interest to make clear to staff the limits it places on their authority to give corporate references. Good indicators of whether a reference has been given in a corporate capacity are whether it is written on corporate headed notepaper and whether the referee provides his or her job title. If there is no company policy on the giving of corporate / personal references, the assumption should be that, in the absence of evidence to the contrary, references given from the workplace are given on behalf of the organisation.

Where confidential corporate references are given by the employer, an exemption in the Act allows the employer to deny workers access to these. Employers should decide and make clear to those providing corporate references whether they take advantage of this exemption or whether they adopt a policy of openness. In deciding the approach to take bear in mind that good data protection practice is to be as open as possible with workers about information which relates to them. Workers should be able to challenge information that they consider to be inaccurate or misleading, particularly when, as in the case of a reference, this may have an adverse impact on them.

It should be noted that in any case this exemption only applies to corporate references given by the employer. It does not cover references provided by one part of the employer’s business to another, as might be the case when a worker seeks a transfer between departments. Access to such internal references should be treated in the same way as access to other information the employer keeps about the worker.

2.9.2 The provision of references on workers is common practice but they do contain personal information, often of a private nature. Employers should therefore be sure that the worker is content for a reference to be provided. Requests that are clearly from reputable businesses and that request that the reference is returned to a recognised address can generally be taken at face value, but if there are any doubts the employer should check with the worker. It is a criminal offence under the Data Protection Act to use deception to obtain personal data, such as might be included in a reference, where the data controller would not have agreed to the disclosure involved.

Employers should, where it is practicable, clarify the expectations of workers who leave. If a worker wants references to be provided in future the employer should still make sure that those requesting references are genuine and are not attempting to obtain information about the worker by deception.

2.9.3 The information released to a worker could include information that identifies another person, for example the author of the reference. This other person is referred to as a ‘third party’. Responding fully to an access request could lead to the third party’s rights under the Act being violated.

Click here for the process to follow for access when information about third parties is involved.

2.10 Disclosure requests

2.10.1 Junior or inexperienced staff should not be left to make difficult decisions about disclosure without guidance. A policy should be established. This does not need to be lengthy or complex but should set out some basic rules for staff who are likely to receive requests.

2.10.2 Ensure that unusual requests not covered by the disclosure policy are forwarded to those who have a proper grasp of the legal issues involved.

2.10.3 There are a number of legal obligations placed on employers to disclose information about their workers. Where you are under such an obligation, the disclosure must be made. However, prior to disclosing you should satisfy yourself that there is in fact a duty to disclose and should avoid disclosing more information than you are legally obliged to. Even if you are legally required to disclose information about a worker, the worker should still be told, where practicable, about the disclosure, for example what information is being disclosed, who to and why.

The most common sources of requests for disclosure that employers are legally required to comply with come from;

• the Inland Revenue
• the Child Support Agency
• the Benefits Agency
• the Department of Work and Pensions
• the Financial Services Authority.

In some cases you will not be under a legal obligation to disclose but you will be able to rely on an exemption in the Data Protection Act if you choose to do so. This is most likely to arise in the case of criminal or tax investigations or where it is necessary for you to disclose to obtain legal advice or in the course of legal proceedings such as an employment tribunal. In such cases provided sensitive information is not involved, it is clear the Act will not stand in the way of disclosure. You should still take a balanced decision whether to disclose taking into account the interests of the worker. If the information requested is confidential, for example information about sickness or earnings, only disclose if you have obtained the worker’s consent or you are satisfied the public interest served by disclosure is sufficiently strong to justify the breach of confidence.

For details of the exemptions from the non-disclosure provisions of the Act, click here.

In other cases you risk a breach of the Act if you disclose. Where it is reasonable to do so inform the worker about the request for disclosure and take account of any objection. If the information that you intend to disclose includes sensitive data you should be sure that the disclosure satisfies a sensitive data condition. If confidential information is involved you should not disclose if there is an objection. If the information is not confidential, for example dates of employment, position employed in, still only disclose if in all the circumstances you are satisfied that it is fair to do so. This can be a difficult decision but you should remember that you must mainly consider what is fair to the worker. If it is not reasonable or not possible to contact the worker and they have not indicated their consent to disclosure in any way, you should not disclose confidential information unless it is clearly in the worker’s interest that you do so. With non-confidential information still only disclose if in all the circumstances, including in particular what the worker’s view would be likely to be, you are satisfied that it is fair to do so.

Click here for details of the sensitive data conditions.

2.10.4 Even in apparent emergencies care should be taken to protect the interests of workers whose information might be disclosed. How urgent is the situation? Is it a matter of life and death? In many cases there is, for example, no reason why requests cannot be submitted in writing given the wide availability of fax and e-mail facilities.

2.10.5 Always establish the identity and authority of the person making a request for disclosure before providing any information about workers. Those seeking disclosure, particularly on the telephone, are often persuasive. Approaches to an employer are a favourite route for those trying to get access to information to which they are not entitled e.g. debt collectors, private investigators, recruitment agencies or journalists. Employers should be aware that people requesting information might use deceit, for example by pretending to be from the Inland Revenue, and should guard against this. They should also be aware that sometimes officials, perhaps from government department, may not fully understand their own powers to demand information. They may mistakenly tell an employer it is required by law to disclose information about workers when this is not the case. Where practicable, obtain the request in writing. Take particular care with telephone requests, for example by calling back to a known number. In particular,

• establish the authority, if any, of the person making a request. If this is not clear, seek further information from the person concerned.
• inform the Commissioner where requests based on deception are detected and there appears to be a reasonable prospect of obtaining evidence as to who is behind the deception.
• where those requesting information maintain that the employer is under a legal obligation to respond, ensure that the request is received in writing and spells out the basis on which the legal obligation is asserted. Check that any assertion they make is valid and that the law is not being misrepresented.

2.10.6 The Act imposes restrictions on the transfer of personal information to countries outside the EEA. Countries in the EEA are the member states of the European Union together with Iceland, Norway and Liechtenstein. The Information Commissioner provides separate detailed guidance on international transfers. The European Commission provides both a model contract that can be used to legitimise a transfer outside the EEA and a list of countries outside the EEA that are deemed to provide adequate protection by virtue of their data protection law. The European Commission has also entered into a special arrangement with the USA known as ‘the safe harbor’.

See the Information Commissioner’s website: www.informationcommissioner.gov.uk: Data Protection: Your Legal Obligations: International transfers.

The European Commission website is at www.europa.eu.int/comm/internal_market/privacy/index_en.htm

2.10.7 A non-regular disclosure would be one where a one-off enquiry is received about an individual worker, perhaps from the Inland Revenue or a local authority housing benefits department. It would not include, for example, information on tax deductions supplied regularly to the Inland Revenue on all workers or the regular passing of information to a trade union on subscriptions deducted from pay for its members.

Where there is a non-regular disclosure, even one required by law, and the information that is to be or has been disclosed might be challenged by the worker, make a copy available to the worker and give the worker an opportunity to check its accuracy. Even if the accuracy of the information is not in doubt it may well be helpful to the worker to know that a disclosure of information about him or her has been made, for example to the Child Support Agency. There will though be cases, for example an enquiry from the Inland Revenue seeking confirmation of tax deducted, where the employer might reasonably conclude that to specifically inform the worker would involve disproportionate effort.

2.10.8 Where non-regular disclosures are made, a record should be kept so that those making the disclosures are accountable for their actions and so that any security breaches can be traced and remedied. The record should include details of the person who made the disclosure, the person who authorised it, the person requesting the disclosure, the reasons for the disclosure, the information disclosed and the date and time. This record can be incorporated into an automated system or be held manually.

2.11 Publication and other disclosures

2.11.1 Publication of information about workers commonly arises as part of the publication of information about a business, for example, in an annual report or marketing material. It may for example be expected by academic staff that information about their fields of expertise and research interests will be widely published, including on the internet. On the other hand, many workers would not expect any information identifying them to be published. There are some legal obligations to publish information about individual workers, for example in company annual reports. Where there is no legal obligation to do so, only publish information about workers if;

• the information is not intrusive, for example information about a worker’s job title, field of expertise or direct dial work telephone number, and taking into account the nature of the employer’s business and the position held by the worker, either:-
  • publication would be expected or
  • if publication might not be expected it is nevertheless reasonable, workers have been
    informed in advance and any reasonable objections have been respected, or
  • the worker has consented, or
  • the information is in a statistical or other form that does not identify individual workers.

2.11.2 If information about workers is published on the basis of consent, ensure that when the worker gives consent he or she is aware of the extent of information that will be published and how it will be published, including whether the information will be published on a web site and the implications of this. Ensure too that if consent is being relied on, the worker is genuinely free not to consent to the publication.

2.11.3 Personal information about a worker can also be disclosed to a trade union where there is consent for this.

2.11.4 There is no obvious reason why in the course of collective bargaining a trade union need be provided with information from which individual workers can be identified. Aggregated or statistical information should suffice.

2.12 Merger, acquisition and re-organisation

2.12.1 Wherever practicable, information from which individual workers cannot be identified should be used, so details such as names and individual job titles should be omitted. This might be possible where, for example, a company merely wants to know how many workers of a particular type are employed and their average rates of pay. In other cases a company might require detailed information about particular workers in order to appraise a company’s human resources assets properly. This might be the case where the expertise or reputation of individual workers has a significant bearing on the value of the company. Similarly where a company has a significant liability, perhaps as the result of a worker’s outstanding legal claim, it may have to disclose information identifying the worker with
details of the company’s liability.

In some cases even the removal of names from the information will not prevent identification, for example where without a name it is still obvious that the information relates to a particular senior manager. Removal of names may nevertheless help protect privacy, even if identification is still possible.

Remember that handing over sickness records will entail the processing of sensitive personal data.

2.12.2 It is important to gain formal assurances about how the information will be used. Information should be returned or destroyed by the shredding of paper or the expunging of electronic files, should the merger or acquisition not go ahead. The provision of information is sometimes achieved by the use of a ‘data room’ in which information about the business is made available to prospective purchasers. Strict conditions must be accepted by those granted access to the ‘data room’.

2.12.3 Businesses may not always expect to be involved in mergers acquisitions, or reorganisations and may not therefore have told their workers, at the time they were recruited, what would happen to their personal information in such an event. Reasons of commercial confidentiality and legal duties relating to matters such as ‘insider trading’ may make it difficult to be explicit at the time the merger or acquisition is being considered. In some circumstances the corporate finance exemption in the Act may be relevant and may relieve companies of the obligation to inform workers of the disclosure of their information. This could occur, for example, where providing an explanation to workers could affect the price of a company’s shares or other financial instruments.

One business may also be under a legal obligation to disclose to another. Where there is a legal obligation to disclose, there is an exemption from some of the provisions of the Act. The employer is relieved of the obligation to inform workers of the disclosure if this would be inconsistent with the disclosure, perhaps because it would breach commercial confidentiality. The processing of sensitive personal information involved in a disclosure related to an acquisition or merger must satisfy a sensitive data condition. This will not be an obstacle where there is an employment related legal obligation on one business to disclose to another, but may well prevent the disclosure of sensitive personal information in the run up to a merger or acquisition where there is no such obligation and the worker has not been asked for and given explicit consent.

Click here for conditions to be satisfied.

2.12.4 The Act imposes restrictions on the transfer of personal information to countries outside the EEA. Countries in the EEA are the member states of the European Union together with Iceland, Norway and Liechtenstein. The Information Commissioner provides separate detailed guidance on international transfers The European Commission provides both a model contract that can be used to legitimise a transfer outside the EEA and a list of countries outside the EEA that are deemed to provide adequate protection by virtue of their data protection law. The European Commission has also entered into a special arrangement with the USA known as ‘the safe harbor’.

See the Information Commissioner’s website: www.informationcommissioner.gov.uk:
Data Protection: Your Legal Obligations: International Transfers.
The European Commission website is at
www.europa.eu.int/comm/internal_market/privacy/index_en.htm

2.12.5 It is the new employer who now has a responsibility for the type and extent of personal information retained and who will have liability for it under the Act. The new employer must not assume that the personal information it receives from the original employer is accurate or relevant and not excessive in relation to its purposes. Within a few months of the merger or takeover it should review the records it has acquired, for example by checking the accuracy of a sample of records with the workers concerned and should make any necessary amendments.

2.13 Discipline, grievance and dismissal

2.13.1 The activity of disciplining or dismissing workers or the handling of their grievances will often involve the processing of personal information such as the consultation of records or the compilation of dossiers of information about those involved.

The Act applies to this personal information. This means that;

• subject access rights apply, even when responding to a request might impact on a disciplinary investigation or on forthcoming proceedings. Access rights also apply to opinions expressed about workers and to information indicating the employer’s intentions in respect of them. Access need not be provided if doing so would prejudice the investigation of criminal matters.
  Click here for details of the exemptions from subject access.
• personal information to be used as evidence to support disciplinary proceedings must not be obtained by deception or by misleading those from whom it is obtained as to why it is required or how it will be used.
• records used in the course of disciplinary and grievance proceedings must be accurate and sufficiently detailed to support any conclusions that are drawn from them.
• records relating to disciplinary and grievance investigations, proceedings and action must be kept secure. Be particularly careful that such records are only made available to those staff whose duties require that they should have access to them. Where information is to be provided to a worker’s representative or legal advisor, check that this person has been authorised by the worker to act on his or her behalf.
• records of allegations about workers that have been investigated and found to be without substance should not normally be retained once an investigation has been completed. There are some exceptions to this where for its own protection the employer has to keep a limited record that an allegation was received and investigated, for example where the allegation relates to abuse and the worker is employed to work with children or other vulnerable individuals. There may also be a case for keeping records of unsubstantiated allegations of bullying or abuse of workers by a colleague, provided that it is made clear in the record what is an unsubstantiated allegation and what has been established as fact.

2.13.2 Information about workers must not be used in a way that is incompatible with the purpose(s) for which the information was obtained. For example, a worker in a business that issues credit cards might also be a holder of one of the business’s cards. The business should not access information it obtains about the worker because he or she is a card holder, for use in connection with disciplinary or grievance investigations arising from his or her employment. Similarly, an employer might store e-mail messages for a limited period to ensure the security of its communications system. It must not access stored, personal messages sent by or to workers for incompatible purposes such as checking whether workers have been making adverse comments about their managers. A purpose will not be incompatible if workers have been told in advance that information obtained from them will be used for that purpose. Where the use of information about workers in disciplinary or grievance investigations is not incompatible, it must still be fair.

Personal information about workers should not be accessed if the intrusion into workers’ privacy would be out of proportion to the seriousness of the matter under investigation.

For example, an employer storing e-mail messages might suspect that within a group of workers there is someone who has been spending too long conducting personal business in the employer’s time. Accessing the content of all messages, including private and personal ones, sent by all members of the group is unlikely to be justified simply on the basis of tracking down the culprit even if workers have been told their messages might be accessed in the course of disciplinary investigations. This is because the nature of the offence would not justify the degree and extent of the intrusion, particularly given the availability of other less intrusive means of enforcing any rules the employer might have. On the other hand, accessing the personal e-mails of one particular worker where there is evidence that the worker has been using e-mail messages to racially or sexually harass another worker might well be justified.

See Part 3: Monitoring Workers for recommendations relating to monitoring workers’ e-mail and guidance on how to assess whether an intrusion is proportionate.

2.13.3 Disciplinary procedures generally provide for warnings to “expire” after a set period of time. Ensure the procedure clarifies what is meant by “expire”. For example, is the warning removed from the record or is it simply disregarded in determining a future disciplinary penalty? Put in place arrangements, such as a diary system, to ensure that the procedure is put into practice and that where the procedure provides for warnings to be removed or deleted, that this is actually done.

2.13.4 A breach of the Act’s requirement of accuracy could arise, for example, where a worker has been allowed to resign but, because he or she has been left with little choice, the employer has recorded “dismissed”. Particular care should be taken in distinguishing resignation from dismissal.

2.14 Outsourcing data processing

2.14.1 Frequently, organisations do not process all the information they hold on workers themselves but outsource this to other organisations. Organisations which process the information on behalf of other organisations include specialist businesses which run payroll systems, sister companies which manage the centralised computer system on which group worker records are kept, and organisations which provide a secure facility for the storage of archived manual records. Such organisations are termed ‘data processors’.

Where an employer outsources a service to a data processor, it falls to the employer to ensure that the data processor puts in place appropriate technical and organisational security measures. The employer must also take reasonable steps to ensure the processor complies with these measures. In deciding what are appropriate security measures, account must be taken of the nature of the information being processed and the harm that might result from a security breach.

In terms of practical steps the obligations on the employer might involve checking whether a potential data processor is certified to BS7799, and/or putting clauses in a contract to give the employer access to the data processor’s audit or security reports. It may also mean visiting the data processor periodically to check that the service that has been outsourced is being provided securely. The aim is to ensure that once personal information has been handed over to a data processor, it is no less well protected than it would have had to have been were it to have remained with the employer.

BS7799: 1995 – Code of Practice for Information Security Management can be obtained from the BSI (British Standards Institution), ISBN: 580236420.

See Useful Addresses for BSI.

2.14.2 There must be a written contract in place between the employer and the data processor, or at least evidence in writing that there is such a contract.

2.14.3 The Act imposes restrictions on the transfer of personal information to countries outside the EEA. Countries in the EEA are the member states of the European Union together with Iceland, Norway and Liechtenstein. The Information Commissioner provides separate detailed guidance on international transfers. The European Commission provides both a model contract that can be used to legitimise a transfer outside the EEA and a list of countries outside the EEA that are deemed to provide adequate protection by virtue of their data protection law. The European Commission has also entered into a special arrangement with the USA known as ‘the safe harbor’.

See the Information Commissioner's website: www.informationcommissioner.gov.uk:
Data Protection: Your Legal Obligations: International Transfers.
The European Commission website is at
www.europa.eu.int/comm/internal_market/privacy/index_en.htm

2.15 Retention of records

2.15.1 It falls primarily to the employer to set retention periods. No specific period is given in the Act, which merely requires that the personal information in a record shall not be kept for longer than is necessary for a particular purpose or purposes. However any period that is set must be based on business need and should take into account any professional guidelines.

In setting retention times employers must ensure that personal information is not kept for longer than is necessary but equally that it is not deleted where there is a real business need to retain it. Retention times may therefore vary from one employer to another depending on the use of the employer makes of particular types of information. For example, the need for retention of records for health and safety purposes is likely to be different in the case of those working with hazardous substances to those working in an office environment.

Base standard retention times on a clearly established business need for retention. Take into account any relevant professional guidelines and observe any statutory requirement to
retain records. In particular:–l

• bear in mind that information should not be retained simply on the basis that it might come in useful one day without any clear view of when or why;
• establish how often particular categories of information are actually accessed after, say, 2,3,4 or 5 years;
• adopt a ‘risk analysis’ approach to retention by considering what realistically would be the consequences for your business, for workers and former workers and for others, should information that is accessed only very occasionally be no longer available;
• base any decision to retain a record on the principle of proportionality. This means, for example, that records about a very large number of workers should not be retained for a lengthy period on the off-chance that one of them might at some point question some aspect of his or her employment;
• treat items of information individually or in logical groupings. Do not decide to retain all the information in a record simply because there is a need to retain some of it.

Ensure that records are not kept beyond the standard retention time unless there is a business justification for doing so. With a computerised system this might be facilitated by the automated deletion or automatic flagging of information that is due for deletion. With paper files this is likely to involve the occasional ‘weeding’ of expired information, perhaps annually for current workers. As far as possible, structure systems to facilitate the retention policy, for example, by making sure that items of information with significantly different retention periods are not recorded on the same piece of paper.

The Chartered Institute of Personnel and Development (CIPD) has published a useful checklist of statutory and recommended retention periods for various classes of personnel documents. This is available on their website.

See Useful Addresses for the CIPD.

2.15.2 If records are maintained for management analysis, for example, to check the average period for which various grades of staff remain employed with a company, delete the information which enables particular individuals to be identified.

2.15.3 For example an employer might have a valid business reason for keeping information about the driving convictions of those who are employed to drive the employer’s vehicles. However it is difficult to see any justification for retaining this information once the convictions become ‘spent’ under the provisions of the Rehabilitation of Offenders Act 1974. In exceptional circumstances which involve jobs covered by the Exceptions Order to this Act there might be a business need that justifies the continued retention of ‘spent’ convictions. An example might be the retention of information about a relevant criminal conviction of a worker who was employed to work with children and was dismissed because of the conviction. This would be held to ensure the worker is not reemployed in a similar role.

2.15.4 Take particular care to ensure that when computer records are deleted they are actually removed from the system. Copies of such records that might have been retained within the system, perhaps on a separate server, or as paper print-outs should be identified and also removed. Establish secure arrangements for the disposal of paper records containing sensitive or confidential information about workers, for example by having them shredded on-site or by a reputable contractor. Do not sell on computer equipment unless you are certain that any employment records have been completely removed. Simple ‘deletion’ will not necessarily achieve this.