Latest estimates from the Home Office put the cost of identity fraud to the UK economy at £1.7 billion. Joanna Downes advises how employers can protect personal data about their staff, and outlines the risks involved if they get it wrong.
The digital era
When two CDs containing 25 million child benefit details went missing in November last year, the media focus turned to the storage of personal data and the need for adequate procedures and protections.
At around the same time, the DVA in Northern Ireland reported the loss of the personal details of more than 6,000 car owners, further emphasising that certain government agencies do not have adequate procedures in place to keep up with the digital era.
There is now more sharing of information than ever before; people are voluntarily putting data about themselves online, and many businesses are retaining much more personal data – about their suppliers, customers and employees.
Even so, as digital data sources mushroom, a recent study revealed that almost a quarter of employees in Britain feel their employers do not care about their privacy and 10 per cent actively distrust the people who have access to their personal data.
Identity theft is one of the fastest growing crimes in the UK and the general public are becoming more and more concerned about the safety of their personal details.
So what are employers’ obligations in this area, and what do they stand to lose if they get it wrong?
The Data Protection Act 1998 applies to computerised records of employees and workers, as well as well-structured manual records, such as indexed personnel files. All organisations retaining or dealing with personal data (data controllers) have to abide by eight ‘data principles’ in the Act, which set out the following:
1. Personal data shall be processed fairly and lawfully;
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s);
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
4. Personal data shall be accurate and, where necessary, kept up to date;
5. Where processed for any purpose, personal data shall not be kept for longer than is necessary for that purpose;
6. Personal data shall be processed in accordance with the rights of ‘data subjects’ (the individuals to whom the data relates) under the Act;
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
The Act also sets outs further safeguards for sensitive personal data. Details of employees’ race, nationality, previous convictions and medical records will be sensitive personal data. Generally, employers should get the individual employee’s consent before processing any such information.
Advice for employers
As well as employees, the Act will apply to job applicants and interviewees. An organisation will obtain personal information as part of the recruitment process, by way of application forms, CVs and interview notes.
Organisations need to ensure that applicants are aware who will be processing their data and the purposes for which it will be used. Generally, specific consent from the individuals to this processing will not need to be obtained. However, if the organisation intends to keep the details of unsuccessful applicants ‘on file’, the applicants should be allowed to refuse permission for this.
Employers will have to balance the need to keep records of recruitment decisions (to protect the organisation from potential discrimination claims) with compliance with data protection principle five (see above).
Ideally records should not be kept for any longer than the statutory time period for bringing claims, unless this can be justified.
Some data will only be required once the position has been offered to an individual, such as bank details, and should not be asked of all potential candidates. Sensitive information such as criminal convictions should only be requested if it is relevant to the role and the request can be justified.
Once applications are received they should be stored appropriately, and generally access should be restricted to those involved in the recruitment process.
Data relating to employees of the business should also be stored carefully and systems should be put in place to prevent unauthorised access. An employer should consider training staff who have access to personal data to help to prevent the business being liable for acts of uninformed employees.
As always, the principal advice to employers is to have adequate systems in place, and a clear policy that has been communicated to all employees.
Penalties for breach
At present, the Information Commissioner is charged with ensuring compliance with the Act. Disgruntled employees may contact the Commissioner to explain that a breach has been committed, in which case the Commissioner is likely to serve the employer with either an ‘information notice’, requiring them to provide certain information to the employee within a certain time limit, or an ‘enforcement notice’ requiring the employer to cease processing personal data. Failure to comply with either notice is a criminal offence. Directors and managers can be personally liable in certain circumstances.
However, there have already been calls from a committee of MPs for a new criminal offence to be created for failure to take adequate care of personal details, in both the public and the private sector (rather than the failure to comply with a notice).
Critics of the current law also argue that the Information Commissioner should have stronger enforcement powers and that a legal obligation to report losses of data should be created.
Whether or not the suggested changes in this area of law become a reality remains to be seen, but the government has stated that it has recognised the need to strengthen data protection laws. It now seems clear that breaches of the data principles and failures to protect sensitive data will not be ignored.
Joanna Downes is an assistant solicitor at Clarion Solicitors.