As an employer you will hold personal information about your employees. You have obligations to protect that information under the Data Protection Act 1998 (“the Act”). I have seen an increasing number of enquiries relating to data protection and the consequences of a breach of the Act, so I thought this would be a good place to set out the key information employers should be aware of, and the consequences of failing to fulfil their obligations.
The Act regulates the use of “personal data”. Schedule 1 of the Act lists the seven data protection principles, which include (but are not limited to) processing data fairly and lawfully, keeping data accurate and up to date, not keeping data for longer than is necessary, and taking measures to guard against accidental loss or destruction of personal data.
Rights of access to this data
An employee (like other data subjects) is entitled at any time to make a Data Subject Access Request of a data controller (the employer). It does not matter why an employee is making the request, how wide the request is, or that it will result in a huge number of documents and associated costs for the employer. Some of my employer clients have described a Subject Access Request as a “logistical nightmare”. There is no doubt that they can be a real headache and can take valuable time away from running the business. Did I mention that there is a 40-day statutory timeframe in which you must provide the data? There are tools that can be used to extend the timeframe, but these are limited.
A Data Subject Access Request is valid even if it is sent to someone within the employer’s organisation who is not normally responsible for data protection. A request can even be made on social media. It is therefore important to educate employees so that they understand the employer’s obligations under the Data Protection Act and know how to spot a request.
Data protection is a minefield, and it’s no wonder that some employers prefer to bury their heads in the sand rather than take proactive steps to deal with data protection and educate staff on it. However, the Information Commissioner’s Office (the ICO), the UK’s independent body set up to uphold information rights, can take action to change the behaviour of organisations and individuals who collect and use data. The actions can include criminal prosecution, non-criminal enforcement and audit. The ICO also has the power to serve a monetary penalty. Each action must be justified in the circumstances.
To discuss your information practices or to find out how you can become more data protection “savvy” give us a call and we can chat through the options with you.