Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Processing of employee data subject to new rules [1999] PLBIRp 41; (1999) 50 Privacy Laws and Business International Report 8

Processing of employee data subject to new rules

The provisions of the UK Data Protection Act 1998 require employers to provide special protection for sensitive data, and to enable employees to access their own manual records. How can organisations prepare for these new rules?

The EU Data Protection Directive and the national laws implementing it have many implications for data controllers processing employee data. While there is the possibility of a specific EU directive for employee data, in the meantime organisations need to prepare for the immediate changes. The UK Act poses the difficulty of identifying which manual data are caught under the new law. Similar changes to existing laws are being made in other EU Member States.

Another international instrument that deals with the processing of workers' data, is the non-binding code of conduct by the International Labour Office (PL&B Sept '98 p.11- 12). There has been some speculation that the code may be used as a basis for drafting a sector specific directive. Meanwhile, some countries are coming up with their own solutions. For example, the UK and Hong Kong Privacy Commissioners are preparing codes of conduct on employee data.

SUBJECT ACCESS TO PAPER RECORDS

The main reason why personnel departments ought to consider the question of manual data is that employees will have access to their paper records. While employers may not have any problem with disclosing past payroll information, the case may be different if this information includes notes about future pay reviews or promotions.

Under the new UK Data Protection Act, only so called "relevant filing systems" fall under the scope of the law. The difficulty is in identifying relevant filing systems. The Office of the Data Protection Registrar advises that this type of manual data is a set of specific information about an individual which is readily accessible.

In the personnel department context this would mean a set of employee files, which is structured so that data about a particular employee is easy to find by reference to his name or other criteria such as department. It is important to note that files do not need to be in the same location; therefore personnel data in various branch offices would still form a "relevant filing system."

AUDITS IDENTIFY WHICH DATA IS HELD

Due to the somewhat problematic definition of relevant filing systems, UK organisations may find it easier to treat all manual data as if it were automated. Otherwise, they need to engage in a time-consuming audit process to find out which types of manual records they hold. However, in large organisations audits may be required simply to identify the business implications of the inclusion of manual data.

BARCLAYS BANK TAKES PROACTIVE APPROACH

Barclays Bank started preparing early for the new UK Act in 1997 by conducting a risk assessment.

Sandie Hopkins, HR Operational Risk Manager at Barclays Bank summarised the company's approach: "We assessed the impact and cost of including manual data, and decided to start working on the issue sooner rather than later. It was evident that 99% of the manual data Barclays holds in the HR function would fall under the Act's definition of structured files. Therefore, it was best to take a proactive approach and analyse and reduce the volume of paper that we held.

"The audit helped us to compile retention lists of the documents that we needed to keep. On average, we now hold less than 25 paper records on an employee's file. Although the exercise was costly and cumbersome, it was worth it, and resulted in our being 'ahead of the game."

When asked to estimate how much the 2-year process cost the company, Sandie Hopkins said: "It is impossible to give an exact figure. Some business units were able to absorb the additional work, but others needed to recruit additional temporary staff and this obviously increased the costs significantly.

"The important thing was that every HR area knew what they needed to do and were aware of their own individual budget constraints - the cost had to be commensurate with the risk," she explained.

SENSITIVE INFORMATION REQUIRES CONSENT

Organisations need to be aware that collecting information about individuals' health, religion, sexual behaviour, ethnic origin or political beliefs requires employees' consent. Also, there needs to be a legitimate reason for collecting such information. Collecting sensitive data is justified, for example, for the monitoring of equal opportunities or for medical purposes by a health professional.

Under the EU Directive, details about trade union membership are now regarded as sensitive data. This is a novel idea in Sweden and Finland, for example, where it is commonplace to belong to a trade union. Employers based in any EU country who collect contributions on behalf of the trade union must now seek employees' consent to continue to do so.

SECURITY REQUIREMENTS

While the new data security provisions adopted from the EU Data Protection Directive into national laws apply to employee data, the security of manual data needs special care. Organisations sometimes hold paper records in filing cabinets that are left unlocked outside of working hours. Other security problems include unauthorised access and failing to keep backup copies elsewhere. It is essential to ensure that paper records are stored in a secure way.

Disposal of data is now also covered by the new law. As a result, it is not sufficient for an organisation just to provide shredding machines for manual records. Staff should also receive written guidance and training on the circumstances in which they should be used.

PROCESSING FOR PAYROLL NOW INCLUDED

It has not been a requirement to register under the UK Data Protection Act 1984 if the purpose for processing has been solely for keeping a payroll. Although few major companies have been in this position, it is worth mentioning that there will be a change, as processing for payroll and accounts purposes is subject to the 1998 Act.

However, manual data is exempt from notification. This is unlikely to benefit human resources departments, which typically have records on computer as well.

TRANSFERS TO COUNTRIES OUTSIDE OF THE EEA

Transferring employee data to countries that do not belong to the European Economic Area (EU + Norway, Iceland and Lichtenstein) requires determining whether the recipient country affords an adequate level of data protection. What is meant by adequate, and which countries may qualify, is still under consideration.

The UK Data Protection Registrar has given some initial guidance on the matter (p.3-4), but many issues remain unresolved. The basic message is, however, that organisations have to find solutions themselves. Relying on any future model contracts may be a solution if it is not possible to obtain the employees' consent for such transfers to countries outside the EEA.

In the United States, Privacy & American Business has come up with the idea of a customisable model contract to meet the requirements of the EU Data Protection Directive. Further work is being done within a Human Resources Data Consortium (see p.14 and PL&B May '99 p.11), which seeks a sectoral solution for employee data rather than including it in the US-EU "safe harbour" discussions (PL&B May '99 p.13). The Co-Chair of the Consortium, Dr Donald Harris told the Privacy Laws & Business Annual International conference in June that the consortium will produce a White Paper outlining the current level of data protection in the human relations field. The Consortium also plans to publish guidelines on consent.

AUTOMATED DECISIONS

Automated decision-taking is often used in large personnel departments in the context of automated CV scanning. This method, developed to facilitate the screening of hundreds of job application, has, however, privacy implications. Section 12 of the new UK Act states that "An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data....." Examples given include performance at work and a person's reliability or conduct.

A report prepared by the Personnel Policy Research Unit on the Uses and Misuses of Personal Data in Employer/Employee Relationships (see http://www.dataprotection.gov.uk) suggests that in order to comply with the Act, it is necessary to inform the job applicants that their applications will be processed by automatic means. In addition, organisations should provide applicants with an opportunity to have their application assessed by a human being if they so wish.

UK WILL HAVE A CODE OF CONDUCT NEXT YEAR

The above mentioned report's recommendations are now being considered by the UK Data Protection Registrar, who will publish a code of conduct on employee data under the Data Protection Act 1998. The Registrar's office plans to publish a draft code for consultation by the end of the year, allowing the code to take effect on 1st March the earliest. Once the code has been adopted, failure to comply could lead to enforcement action.

The code will go beyond the requirements of the Data Protection Act 1998 and include detailed rules. For example, it is planned that employers will be banned from intercepting e-mails at the workplace. The Registrar's office already recommends that employers establish a policy on the use of e-mail and telephone, as well as be open about any possible surveillance.