
The Data Protection Act 1998


What are an employer's obligations?

(Q) What is the aim of the Data Protection Act?

The Act is designed to strike a balance between the need for a business to hold information about its staff and an individual’s right to respect for their private life. The Act sets out very strict rules about when and how personal data must be processed.

(Q) Where can ‘personal data’ relating to staff be stored?

Within emails, company databases or manual filing systems, internet logs, payroll systems, telephone or CCTV records, and any automated door entry systems.

(Q) What are an employer’s key obligations?

  • Only collect information that you need for a specific purpose
  • Keep that information secure
  • Ensure it is relevant and up to date
  • Only hold as much information as you need and only for as long as you need it
  • Allow the subject of the information access to it if they request it

(Q) Does the Act only apply to current employees?

No. An employer’s data protection obligations also cover former and existing:
  • Job applicants (even those that are unsuccessful)
  • Employees
  • Agency or casual workers
  • Volunteers, work experience and interns.

(Q) Can individuals request access to the personal data being held?

Yes. If an individual requests access to their personal data, employers are legally obliged to provide it. This could relate to grievance or disciplinary issues, recruitment documents or information that has been obtained via monitoring. Requests will usually be made in the form of a Data Subject Access Request (DSAR) and, under the Act, there is a strict time limit of 40 days to provide the data.

(Q) Am I allowed to monitor my staff, i.e. by reviewing CCTV records or telephone records, or monitoring emails or computer usage?

Yes. The Act does not prevent employers from monitoring staff; however, the reason for the monitoring and the way in which it is carried out are important. Consider why you may need to monitor staff and whether the method you are choosing is justifiable based on your concerns.

Ensure that staff have been made aware that you may monitor them so that they can expect action to be taken if anything untoward is identified. Covert monitoring is rarely a justified course of action and it is therefore not advisable.

(Q) What are the repercussions of breaching the Act?

The Information Commissioner’s Office (ICO) is the body responsible for enforcing the Act. Its remit is extensive and, over recent years, there have been a number of reported cases where high-profile companies have been found guilty of serious data breaches. It has the power to impose fines of anything up to £500,000, and the attention that employers should be paying to the requirements of the Act is becoming increasingly important.

A particularly common breach of the Act is where personal data belonging to staff, customers or clients is either stolen (by external hackers or even disgruntled employees) or disclosed due to the negligent actions of staff. Whatever the method, such data breaches expose employers to significant fines imposed by the ICO, as well as causing potentially irreparable reputational damage to businesses.

(Q) Why has TalkTalk been in the press?

The largest ever fine imposed by the ICO was recently given to TalkTalk after their poor website security led to the theft of 157,000 customers’ data. The database was hacked by individuals who found that TalkTalk simply did not have adequate security measures in place for the volume of data that it held.

Given the significantly large number of customers whose data was stolen and the size of the enterprise involved, the ICO decided to flex its muscles and imposed a hefty fine on TalkTalk of £400,000, the closest it has ever come to imposing its maximum penalty of £500,000.

(Q) What about the risk of insider threats?

Morrisons has also been under the spotlight in recent years when a former employee who held a grudge against them (due to having been disciplined) posted the salary, bank and National Insurance information of 100,000 staff online and also sent this information to a number of newspapers.

The individual responsible for this unlawful action was (quite rightly, you may say) jailed under the criminal law system for 8 years. However, aside from that, Morrisons also faced a group claim brought by the staff who were affected by this breach and, as their employer, Morrisons (which was responsible for protecting the personal data of its staff) was also found vicariously liable for the actions of the individual. Whilst the final figures have not been disclosed, a £2m pay-out is estimated.

This case calls into question the steps employers should be taking to reduce the risk posed by employees who have access to such personal data about staff. This individual was an accounts clerk and therefore had access to such information, which should not be readily available to staff who work in unrelated departments. However, even where you have staff in such roles, the restrictions you place on them regarding confidentiality and security must be tightened to reflect their role.

(Q) What happens when no deliberate unlawful action has been taken by staff?

Another recent case where the employer was found to be vicariously liable for the actions of an individual was where a member of staff at a nursing home in Northern Ireland took an unencrypted laptop home and the laptop (containing sensitive personal details relating to staff and residents of the home) was stolen when her house was burgled overnight.

The ICO imposed a £15,000 fine on the employer on the basis that it found they did not have any policies in place regarding encryption, homeworking and the storage of mobile devices. It also identified that there had been insufficient data security training for staff.

Given that the option of home working is now more commonplace than ever before, this case serves as a reminder that it is important to carry out risk assessments when staff take mobile devices, laptops or work phones home with them, in order to ensure that any data contained on them is adequately protected. Paper records should ideally be kept securely within the business premises and computer records should be password protected.

The above cases highlight the importance of all employers understanding their requirements under the Act to ensure they don’t fall foul of the law. Speak to us at HRx Consultancy Services for advice if you have concerns about falling foul of the legislation and in the meantime:

  1. Check that you have proper procedures in place regarding data protection;
  2. Implement policies on homeworking and the storage of mobile devices; and
  3. Provide training to all staff on data security and DPA obligations.