1. Aren’t paper files exempt from the Data Protection Act – are we OK if we don’t computerise our workers’ health records?
Not necessarily. As well as computerised records, manual data held within a “relevant filing system” are covered by the Act. This is defined as any set of data which is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible. An example of a relevant filing system would be a personnel file with a worker’s name or individual reference number on it and in which there are internal dividers which make it easy to find information about the worker such as starting date, performance mark at last appraisal, absence record etc. Other examples might be a file of applications for a particular vacancy in which the individual forms are kept in alphabetical order, or a file of the results of drug tests in which the individual results are kept in alphabetical order. Less obviously structured records, particularly those where the information is kept merely in date order, are unlikely to be caught.
2. Do I have to get a worker’s consent to keep records about him or her?
Consent to hold personal information relating to workers is not usually required. Indeed, the Commissioner considers it misleading to seek consent from workers if they have no real choice. Employers are more likely to need the consent of workers if they are processing sensitive personal information such as health records rather than non-sensitive personal information. In the case of sensitive personal information the consent must be “explicit”. However, even then, sensitive personal information can be processed without explicit consent in a number of circumstances, for example where the processing is necessary to enable the employer to comply with any legal obligation. Information about the racial or ethnic origin of workers may therefore be held in order to comply with the law relating to racial discrimination, and personal information about their health may be held in order to comply with health and safety law. Similarly, sickness records of workers may be kept in order to enable employers to meet both the requirements imposed on them by the law in relation to statutory sick pay and the requirement not to dismiss workers unfairly on the grounds of absence.
See the conditions for processing sensitive data.
3. What about sickness records?
Sickness records will almost certainly contain information about workers’ physical or mental health.
They will therefore include sensitive data. Where they are kept in order to enable employers to meet the requirements imposed on them by the law in relation to statutory sick pay it is clear that a sensitive data condition can be satisfied and consent will not be needed. With more general sickness records the position is less clear-cut. The Commissioner recognises that employers need to keep some sickness records and it is unsatisfactory if they have to rely on the consent of workers to do so. He also understands the argument that without sickness records employers will be unable to ensure that workers are not dismissed unfairly on the grounds of absence. He therefore takes the view that an employer keeping and using sickness records in a reasonable manner can rely on the condition that the processing is necessary in order to enable the employer to comply with any legal obligation associated with employment. The Data Protection Act, as it currently stands, does not place the question beyond doubt but the Commissioner understands that Government is considering changes to the law that will do so. Even though consent is not needed, employers should of course ensure that workers are aware of what information about them is kept in sickness records and how it is used.
4. How can the company be expected to keep accurate records if applicants give us wrong information?
Provided that the employer has taken reasonable steps to ensure the accuracy of the information, the data protection principle that requires personal data to be accurate will not be breached.
5. How can I check that a candidate isn’t lying on his or her application form – doesn’t the Act stop me doing this?
The Act does not prevent an employer from checking whether a candidate is lying. However, the Act requires that if checks on information are to be carried out the candidate is aware of this. In some cases, for example where a school or college is to be asked to disclose information to verify a candidate’s qualifications, the school or college may want the candidate’s permission before doing so.
6. If we’re only going to use the information that applicants supply to us on their application forms to process their application, what’s the point of telling them this?
There is no obligation in the Act to tell individuals what is going to happen to information they have provided so long as it is no more than they are likely to expect. If the information is to be used for a purpose that might not be expected, for example where applicants’ details are to be used for direct marketing purposes, they must be advised of this and any objections respected.
7. We employ staff who work with children – how can we protect these children if the Act prevents us from getting a copy of the applicant’s police record?
You should approach the Criminal Records Bureau or Disclosure Scotland, which operate a system of police checks for staff working with children or vulnerable adults. The Act does not stop you using this channel. What it will do, when the relevant parts are brought into force, is prohibit ‘enforced subject access’ in connection with employment or recruitment.
See the further information on the Criminal Records Bureau and Disclosure Scotland.
8. Do we have to show candidates the notes we make when we interview them?
There is no general exemption from the Act’s subject access rights in respect of interview notes about candidates. This means that when an individual makes a request for access to the notes, it must be granted unless the set of notes is so unstructured as to fall outside the Act.
9. Is a worker entitled to access to all our confidential records, including references?
There is no general exemption from the worker’s right of access to information about him / her simply because the information is ‘confidential’. There is, however, a special exemption from the right of access to a confidential reference when in the hands of the organisation which gave it. This exemption does not apply once the reference is in the hands of the person or organisation to whom the reference has been given. The recipient may though be entitled to take steps to withhold information that reveals the identity of other individuals such as the author of the reference. This would not usually justify withholding the reference in its entirety.
10. How do I deal with requests by workers for access to information where the information identifies someone else? We get this problem a lot when workers want access to disciplinary files and similar documents.
Such requests require careful handling and there is no simple solution to your problem. Employers should be prepared to disclose information to a worker that identifies work colleagues, provided that the information is about colleagues acting in a business capacity and is not of a particularly private or sensitive nature. However, there are cases where information should be withheld. This might be the case where, for example, giving access would allow a worker accused of bullying to find out the identity of his or her accuser.
See the process to follow for access when information about third parties is involved.
11. If the Act forces us to delete information, how are we supposed to protect ourselves against allegations that we have discriminated against someone?
The Act doesn’t require that all information is deleted straight away. However, information that is retained for a particular purpose should not be kept for longer than is necessary for that purpose. This does not rule out keeping information to protect against legal action. Employers should however consider carefully what information they hold and why they hold it. A ‘risk analysis’ approach to data retention is therefore recommended.
12. We are looking at centralising our group’s employment records at our headquarters in the USA. Can we do this?
Personal data must not be transferred outside the European Economic Area (EEA) unless adequate protection is provided in the destination country. Some countries provide adequate protection by virtue of their data protection law. The USA is not one of these. In the USA a special arrangement known as the ‘safe harbor’ has been created. If your company is a member of the safe harbor, transfer is allowed. There are also other alternatives such as providing adequate protection through the terms of a contract between your company in the UK and its parent in the USA. Detailed guidance on international transfers of personal data is provided in the Data Protection: Your Legal Obligations section of the Commissioner’s website.
13. Can we disclose personal information to prospective purchasers of our business?
The Act doesn’t necessarily prevent this. However, if it is not unduly difficult to do so and the prospective purchasers’ needs can still be met the information should be anonymised, for example by providing the numbers of workers in each grade rather than their names. If personal information needs to be made available the employer should ensure that the prospective purchaser signs up to conditions on how it will be used. Employers should also ensure that information is returned or destroyed if the sale of the business does not proceed.
14. We own the equipment workers use for communications and they’ve been told we are going to monitor them. Isn’t that enough?
You may well own the equipment, but the rules of data protection still apply to personal information processed on it. Telling workers about the monitoring is important, but telling them about it in general terms is unlikely to be sufficient. Workers should be told about the specific circumstances in which messages they send or receive may be seen by others. Even if workers have been told about monitoring, the other rules of data protection still apply. This means, for example, that the information obtained through monitoring mustn’t be irrelevant or excessive. The benefits monitoring brings should be sufficient to justify carrying it out. The Code recommends the use of an impact assessment to check whether monitoring is justified.
15. But what if we completely ban private e-mail use and internet access?
A ban can be an important factor but is not necessarily an overriding one. A ban on private use doesn’t in itself allow the employer to access messages that are clearly private. The intrusion involved in accessing such messages must still be justified by the benefits gained. It might, for example, be possible to identify an e-mail as private from its header and take action against its sender or recipient for breach of the rule without reading the message’s content. In any case there might well be genuine business messages, for example ones sent by a worker to his or her occupational health advisor, that a worker has legitimate grounds for wishing to keep private.
16. Is it right that we can never open private e-mails in the course of monitoring?
There is no absolute ban on an employer accessing the content of private e-mails, but any such access ought to be carefully considered. Much depends on the reasons for access, any rules the employer might have for private use of the system, what workers have been told about monitoring and what steps are taken to keep the intrusion to a minimum. There is, for example, likely to be little to prevent an employer who suspects a worker of engaging in criminal activity in the workplace and who reasonably believes that this may involve the sending or receipt of e-mails from accessing the contents of his or her messages.
The opening of e-mails that are clearly private should not be undertaken lightly though. It is unlikely that opening private messages merely on the off chance that evidence of wrong-doing will be found will be justified if this involves revealing their contents to an individual other than the sender or intended recipient.
17. The Lawful Business Practice Regulations allow a wide range of monitoring. Don’t they override the Data Protection Act?
No. When carrying out monitoring both pieces of legislation must be complied with, one doesn’t override the other. The Lawful Business Practice Regulations deal with the interception of electronic communications. Not all monitoring involves interception. Even where it does, the Regulations work in tandem with the Data Protection Act. An interception, if it is not done with the consent of the parties to the communication, must satisfy one of the conditions in the Lawful Business Practice Regulations. In so far as it then involves the recording and use of personal information it must also comply with the Data Protection Act. Although the conditions in the Lawful Business Practice Regulations allow for interception of business related communications in a range of circumstances, monitoring that involves interception and is targeted on the contents of personal communications that are not business related is not permitted.
18. How does the Act affect virus checking?
The Act does not prevent employers monitoring their systems to check for viruses or other forms of malicious code. In fact the Act requires those handling personal information to use technical means to safeguard their systems. Virus checking should though be conducted in the least intrusive way possible consistent with achieving good security. It is preferable, for example, from a privacy viewpoint, for suspect messages to be rejected or quarantined for collection by the intended recipient rather than being opened and read by a systems administrator.
19. Does the Code really require us to provide our workers with separate e-mail accounts for private messages?
No, this is a misunderstanding. The Code says that if an employer chooses to provide a separate facility for private messages this will be an important factor in deciding what monitoring of the business related account is justified. If a separate account is provided for private messages this will help limit any intrusion that results from monitoring the business account.
20. We have to prevent sexual and racial harassment of workers. Are we justified in checking e-mail and internet access to do so?
Employers have legal obligations on them that require them to take active steps to prevent racial or sexual harassment in the workplace. Nevertheless it is hard to see a justification for randomly or routinely accessing the content of e-mail messages, particularly private ones, sent to or from workers, or checking which websites they have visited in the course of private internet use on the off-chance that evidence of harassment will be found. Where there are grounds to suspect that a particular worker or workers are using e-mail to harass others or are downloading inappropriate material from the internet, then targeting monitoring at those workers’ e-mail or internet use may well be justified.
21. We undertake work as a contractor for a bank and they insist we monitor our workers’ creditworthiness. If they require us to do this does this mean we can do it regardless of what the Data Protection Act says?
No. As you are monitoring the creditworthiness of your workers you must be satisfied that the intrusion they face is justified by the benefits the monitoring brings to you and the bank. You are obviously entitled to take the bank’s circumstances into account in assessing what monitoring is justified, but the assessment should be yours. You are also entitled to take into account the extent to which workers genuinely have a free choice whether or not to subject themselves to the monitoring, i.e. are they able to choose not to work on the bank’s contract without suffering any detriment? Incidentally, you must not use a facility provided to you by a credit reference agency for checking your customers to check your workers without the agency’s knowledge and agreement.
22. Is it acceptable for us to install hidden video cameras? We told all workers some months ago that we might do this.
Video cameras are particularly intrusive. The notice you have given to workers will not be sufficient unless it is the case that providing more specific information would be likely to prejudice the prevention or detection of crime or equivalent malpractice, for example because the camera has been set up to monitor a worker you suspect of theft. Because video cameras are intrusive, workers should generally be aware of exactly where they are located and what they are being used to detect.
23. We collect a lot of information about workers through monitoring e-mails and internet access. What do we have to do when one of them makes a subject access request?
If a worker makes a subject access request he or she is entitled to access to all the information of which he or she is the subject. This will include internet access logs and e-mail records. Remember though that a worker will not be the subject of a message simply because he or she is its sender or recipient. Clearly the more information that is amassed about workers through monitoring, the more onerous employers may find it to respond to subject access requests. Systems that are designed with subject access in mind are though likely to reduce the burden considerably.
24. We encourage our managers to take responsibility for managing sickness in the workplace. Doesn’t the Code stand in the way of this?
No. The Code does not try to limit the responsibilities an employer gives to its managers. What the Code seeks to ensure is that managers have access to no more information about their workers’ health than they need to carry out their responsibilities. The broader their responsibilities, the more information they are likely to need. However, managers’ concern will primarily be with the impact of a medical condition on a worker’s fitness for work rather than with the medical details.
25. We are required to undertake health surveillance for workers exposed to particular health risks. Does the Code mean that this can only be undertaken by health professionals?
According to the Health and Safety Executive (HSE) health surveillance is about systematically watching out for early signs of work-related ill health in workers exposed to certain health risks. There is nothing in the Code that would prevent a supervisor, with appropriate training, having a limited role in the collection of basic health information and associated record keeping, for example carrying out skin inspections to look for signs of rashes on the hands of workers working with detergents. This is the role of ‘responsible person’ identified by the HSE. What is important is that supervisors are trained for any role that they might have in the collection of basic health information, are aware of its possible sensitivity and the need to keep it securely and do not try to interpret the information by, for example, attempting to diagnose the possible cause of symptoms. More intrusive collection of health information, its interpretation and associated record keeping should be carried out by a qualified person such as an occupational health nurse or doctor.
26. As a train operator we must ensure the safety of our passengers. We therefore have a rule that the drivers we employ must not come to work when under the influence of alcohol. To support this, we plan to introduce random testing. We want to treat all our workers equally so we intend to apply the same rule to our office based staff. We also plan to extend the random testing to them. Is this in accordance with the Code?
The Code does not affect your decision to apply a “no alcohol” rule to all your workers. This is not a data protection issue. However the gathering of information about your workers through random testing is. You need to be sure that the intrusion involved is justified by the purpose you are trying to achieve. The collection of information on drivers through random testing may well be justified on safety grounds, particularly if you have suspicions that your rule is being breached. However, the random testing of office based workers is unlikely to be justified because its purpose appears to be to ensure equality of treatment rather than the safety of the public. The Code advises employers to conduct an impact assessment to help them determine whether the collection of information through testing is justified.
27. Why does the Code include a section on genetic testing? Isn’t the Information Commissioner encouraging the use of highly intrusive and unproven techniques by even mentioning genetic information in the context of employment practices?
We are aware that there is little, if any, evidence that information obtained through genetic testing is currently being used by employers in the UK. The Code takes a very cautious approach to genetic testing. Nevertheless, the Code is intended to be forward looking. There is no doubt that genetic testing techniques are developing quickly and that some employers may seek to take advantage of the opportunities that they provide. Although a cautious approach should be taken and any advice from the Human Genetics Commission should be borne in mind, there may in time be exceptional circumstances where the obtaining of some information about some workers through genetic testing is both justified and desirable.
28. We place great value on our corporate reputation and believe it will be damaged if any of our workers are involved with illegal drug taking outside work. Are we allowed to obtain information through drug testing in order to prevent this? If we have included a drug testing term in workers’ terms of employment, will this cover us?
Obtaining information about workers’ conduct outside work through drug testing is particularly intrusive. It is only likely to be justified where there are compelling grounds. Employers are advised to undertake an impact assessment to help them determine whether this is the case but obtaining information through drug testing is unlikely to be justified on the basis of maintaining corporate reputation. An exception is with organisations that are themselves charged with enforcing anti-drugs laws. If workers have genuinely given their consent to the collection and use of information through drug testing this can be taken into account in an impact assessment but it does not guarantee compliance with the Data Protection Act. Any information collected must still be relevant and not excessive. Furthermore, informed freely given consent is not guaranteed merely because a relevant term of employment is in place.