Is an organisation falling foul of the law if it stores staff training records on a shared drive accessed by most of the office? Esther Smith, partner at Thomas Eggar, and Helen Elliott, solicitor at Mills & Reeve, advise.
The question:
In my new job, the company have a ‘shared drive’, which can be accessed by the majority (if not all) of the office staff. One of the folders is training records – in this we have individual folders for (mainly) site operatives and a scanned copy of all their certificates plus machine / plant operators’ tickets. Under the Data Protection Act (DPA), can we do this? I’m not too happy with it but legally I would welcome some clarification.
Legal advice:
Esther Smith, partner, Thomas Eggar
Under the data protection principles, anyone who is in control or possession of personal data, which can include an employer who holds information about employees, is obliged to handle that data and its security in a particular way.
Keeping personal information relating to training records on a shared drive is likely to fall foul of the data protection principles, assuming that all employees concerned have not agreed to the keeping of these records in this way, and the employer is therefore exposed to investigation and possible fine by the Data Protection Commissioner.
There is no apparent need for the records to be kept in this manner and my advice would be to maintain them along with confidential personal records.
Esther Smith is a partner in Thomas Eggar’s Employment Law Unit. For further information, please visit Thomas Eggar.
* * *
Helen Elliott, solicitor in the employment team, Mills & Reeve
The training records and certificates of individuals constitute personal data under the DPA 1988, which provides that personal data should be processed in accordance with eight principles.
It is likely that the current arrangements of storing the employees’ training records and certificates on an easily accessed shared drive breach three, if not more, of the eight principles. Of particular concern in this case is the seventh principle, which requires organisations processing personal data to have measures in place to prevent unauthorised or unlawful processing of data and to protect against accidental loss, destruction of or damage to personal data; essentially, the personal data needs to be secure.
It appears from the current arrangements that you describe that a wide range of individuals can access the personal data and, in addition, may be able to use the data for purposes about which the individuals whom the data concerns have not been informed.
On this basis, I would suggest the company should ensure that the number of people able to access this data is limited to those members of the office staff who need to access the data, such as the company’s training manager. I would also suggest that the data is kept in a secure drive and is password protected. This will ensure that the personal data is only being put to the use for which it was collected and the risk of breaching the DPA is minimised.
Helen Elliott can be contacted at helen.elliott@mills-reeve.com. For further information, please visit Mills & Reeve.
* * *