Businesses need to process certain information about employees and other people in order to monitor employment history, performance, achievements, health and safety, etc. However, this information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The Data Protection Act 1998 requires you to comply with a number of principles in relation to the personal data you retain in that it must be:
- Obtained fairly and lawfully and not processed unless certain conditions are met
- Obtained for specified and lawful purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Kept for no longer than necessary
- Processed in accordance with data subjects’ rights
- Protected by appropriate security
- Not transferred to a country outside the European Community, unless that country has equivalent levels of protection for personal data
Your employees are entitled to know what personal information you hold about them, the purpose for which it is used, how to gain access to it, how it is kept up to date, and that your business is complying with its obligations under the Data Protection Act 1998.
Employees are responsible for certain aspects of data protection, which include the handling of employee and client personal data.
They must also comply with the principles of the Data Protection Act when processing personal data about a live individual in the course of their work. Any breach of data protection policy, whether deliberate or through negligence, may justify you in taking disciplinary action and could in certain cases result in criminal prosecution.
Personal information should be kept in a secure environment or, if it is computerised, be password protected or kept only on disk, with the disk itself kept securely.
Employees have the right to access any personal data that is kept about them, either on computer or in files. This is called a subject access request. A company must respond to a subject access request within 40 days of receipt of the request and payment of the correct fee. There are certain categories of information that you are not obliged to provide, such as plans for promoting an employee and copies of references given to prospective employers.
Be aware that employees may make a subject access request for copies of their own personal data which may include a copy of their personal records, documents which refer to them and all emails with their name in the subject heading or where another employee has made a reference to them. Your managers need to be careful with what emails they send to each other regarding employees and documents they have written as these may need to be disclosed to the employee in a subject access request.
If you would like more detailed information about data protection, ActifHR can help you.