0.1 In a small business the responsibility might simply be with the owner of the business. Where there is a management structure, responsibility should be allocated to a senior manager in the personnel or human resources function or someone in a comparable position. Those with overall responsibility must be in a position to feed their knowledge into other areas of the business where information about workers is processed, and to ensure that the organisation has a co-ordinated approach to data protection compliance.
Ideally, data protection should be seen as an integral part of employment procedures rather than as a stand-alone requirement. For example, in the company's IT security procedure there should be a section on monitoring which should be based on the relevant benchmarks in this Code. Procedures are only of value if they are current and adhered to. Review and upgrade procedures as necessary and put a mechanism in place to ensure that they are being followed on the ground. This might involve some form of audit or self-certification by managers.
0.2 It is important to remember that data protection compliance is a multi-disciplinary matter. For example, a company's IT staff may be primarily responsible for keeping computerised personal information secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate. All workers, including line managers, have a part to play in securing compliance, for example by ensuring that waste paper bearing personal information is properly disposed of. An employer is liable to pay compensation for damage suffered by an individual as a result of a breach of data protection law arising from the actions of a line manager unless it is clear that the line manager has been acting outside his or her authority. Employers can help protect themselves against claims by training line managers and having clear procedures in place.
0.3 It may be helpful to assess personal information held on workers using the same categories as are used in the various parts of this Code, i.e. personal information processed in connection with recruitment and selection, employment records, monitoring at work and health information. Consider who in your organisation will be collecting, using, storing and destroying such information. Only when you have ascertained this will you be able to check that your organisation is complying with the Act.
0.4 When making your assessment of personal information consider if all the information collected on workers is necessary for the employment relationship. For example, information concerning workers' lives outside work is unlikely to be necessary. However, it might be legitimate to request information about workers' other jobs where there is a justifiable need, for example, in connection with Working Time Regulations, or to request information about their children in connection with an application for parental leave.
The collection and use of sensitive information must satisfy a sensitive data condition.
0.5 Workers should be broadly aware of the legal duties that the Act places on employers and of their own role as workers in meeting them. In particular, workers should be aware of how data protection compliance impinges in practical terms on the way they perform their work. It is also crucial to make workers aware of the possible consequences of their actions in this area, e.g. disciplinary action or personal criminal liability. It is useful to incorporate such information in the general induction process for new workers and to regularly remind existing workers of their obligations.
0.6 Failing to notify when required to do so or failing to keep a notification up to date is a criminal offence. The person responsible for data protection should ensure that entries concerning workers' data on the Register of data controllers are complete, accurate and up-to-date. This may be a duty that he or she personally undertakes or it may be delegated.
0.7 Consultation about decisions likely to lead to changes in work organisation or contractual relations is starting to become mandatory under employment law for larger employers. Whether a legal obligation or not, consultation should help ensure that the processing of personal information is fair to the workers to whom the information relates.