How are HR professionals affected by the Data Protection Act and Part 4 of the Employment Practices Data Protection Code? Stewart Room, a data protection law specialist at Rowe Cohen Solicitors, takes a closer look.
The work of HR professionals brings them into regular contact with the Data Protection Act 1998. To recap, the Act regulates the processing of personal information relating to living individuals by Data Controllers, and many HR functions, for instance recruitment, disciplinary processes and employee appraisals, inevitably involve the processing of regulated information.
The Employment Practices Data Protection Code
The past couple of years have seen a significant amount of data protection activity that is of direct concern to the HR world. For instance, in March 2002 the Information Commissioner published the first part of the Employment Practices Code, Part 1 – Recruitment and Selection. Since then the remaining three parts have been published: Part 2 – Employment Records, Part 3 – Monitoring at Work and, most recently, Part 4 – Information about Workers' Health.
HR professionals need to be fully conversant with the Code if they are to keep their data processing activities within the boundaries set by the law.
Part 4 – Information on workers’ health
So, what does Part 4 seek to achieve? Well, the Information Commissioner says that it aims to provide employers with ‘clear and practical guidance about how to comply with data protection law when handling information about workers’ health’ and this is stated to include:
– the operation of occupational health schemes
– medical testing of workers
– drug and alcohol testing, and
– genetic testing in the workplace.
It is important to note that information about a person’s health is classified as ‘sensitive personal data’ under the Data Protection Act, and that it can only be processed if the eight Data Protection Principles are complied with and if a Schedule 3 condition is established.
Sensitive information needs to be handled carefully due to the risk of harm to the individual that can flow from mishandling.
8 Data Protection Principles
The eight Data Protection Principles provide a complete code for fair and lawful data processing and cover everything from the initial collection of information right through to its final destruction and deletion.
Key elements within the Principles are that personal information should be:
– adequate
– kept up to date
– relevant
but should not be:
– excessive
– kept for longer than is necessary
– processed in any manner incompatible with the purpose for which it was collected.
In addition, appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Finally, personal information should not be transferred outside the European Economic Area to countries that do not ensure adequate protection for the rights and freedoms of Data Subjects in relation to the processing of their personal data.
Schedule 3
Schedule 3 of the Act sets out the conditions that make data processing lawful in the case of sensitive data such as health information.
The employer has relatively little room for manoeuvre where sensitive data is concerned and in most cases it will be necessary to show that the Data Subject has given his or her explicit consent to the data processing activity.
The need to obtain explicit consent should focus the HR professional's attention on the contents of company documents such as employment contracts, job application forms and workplace handbooks, as these are ideal vehicles for delivering important information about data protection in a clear and concise fashion.
Impact assessments
The Code of Practice gives employers real help and assistance when dealing with employee health information and the issue of lawfulness, advising that once a Schedule 3 condition is satisfied the employer should consider carrying out an ‘impact assessment’ in order to be clear that the benefits it gains from processing the employee’s health information outweigh the invasion of privacy or any other adverse impacts.
An impact assessment will:
Legal status
An issue naturally at the forefront of the HR professional’s mind is likely to be the legal status of the Code, because this is bound to have a bearing on the decision whether an impact assessment should be carried out.
Fortunately, the Code itself gives very clear guidance on this important matter. It points out that the Code has been issued by the Information Commissioner pursuant to his powers under section 51 of the Data Protection Act and it goes on to say that: ‘Any enforcement action would be based on a failure to meet the requirements of the Act itself. However, relevant parts of the Code are likely to be cited by the Commissioner in connection with any enforcement action that arises in relation to the processing of personal information in the employment context.’
This should leave the HR professional under no illusions. In most cases an impact assessment will be required and failure to comply with the Code is likely to be treated as evidence of the employer’s breach of statutory duty.
Stewart Room can be contacted on 0207 332 2235.