Improper use of paper and computer information may cost money, says Francis Shennan.
Almost five months to the day from today, employers will face a new law governing how they keep records on their staff.
Once fully implemented, employees will be able to claim compensation for information which is kept on them without their consent or is not allowed by the new Data Protection Act.
This time the legislation covers not only information stored on computer, but on paper too; in theory, everything from formal personnel records to the notes made for personal use during interviews.
It also applies to all users of personal information, not just those who currently have to register under the existing Data Protection Act.
The European Union decided to harmonise data protection within Europe and, in 1995, passed the Data Protection Directive. The UK has until October 24 to implement it and the Bill has now been published.
When solicitors Dundas & Wilson and career consultants Sanders & Sidney hosted a seminar on the subject, it drew nearly 100 managers concerned about the effects of the legislation. The new Act sets out a list of data protection principles which will be enforced by notices served by a new official who will be called the Commissioner.
''These notices can either demand further information from a business about the personal information it holds or require the offender to comply with the data protection principle breached,'' said Eilidh Cameron, head of Dundas & Wilson's human capital services group of eight solicitors who work exclusively in the fields of employment, employee benefits and pensions.
''If the recipient of the notice fails to comply, the business - or potentially the senior employee responsible for the failure - will be guilty of an offence for which a fine may be imposed.''
The principles state that personal data must be processed fairly, lawfully and with the subject's permission. The data must be obtained only for specified and lawful purposes and cannot be used in a manner which is incompatible with those purposes.
It has to be adequate, relevant, not excessive, accurate and kept up to date where required. The data must not be kept longer than is necessary. Technical and organisational arrangements have to be taken to prevent unauthorised and unlawful processing, and accidental loss, destruction or damage to the data.
No personal data can be transferred out of the European Economic Area unless the country concerned has an adequate level of personal data protection legislation itself.
''The 1984 Act applies only to data held on computer, but the new Act applies to manual filing systems,'' said Cameron. ''These are files from which an individual's personal data is readily accessible and can easily be retrieved. This may be a burden for human resources departments as much of the information held about employees will be in paper form.''
EU member states have been allowed until 2007 to adapt to the inclusion of manual files and the British Government has already said it will take advantage of any opportunity to delay its full impact, but it is almost certain these files will be covered eventually.
''Good practices should be developed and enforced within organisations to ensure that data is kept secure, accurate and up to date,'' said Cameron. ''Given the extension in the new Act to individuals to inspect personal data, HR managers should consider carefully whether to retain information they would prefer the employee not to see.
''Files held both on computer and manually should be reviewed prior to October and thereafter on a regular basis to ensure the data protection principles will not be contravened.''
The new Act will also extend the meaning of ''processing'' of personal data. It will now include the preparation of text and the storage of data. This will affect organisations with large quantities of archived information as it will become subject to the Act.
One significant innovation of the Act, says Cameron, is that the individual's consent will normally be required before personal information about him may be processed. ''There are a number of exceptions where this consent is not required.
''Consent is not required where the information is required for 'the performance of a contract to which the data subject is a party'.
''In the employment sense this might mean, for example, that an employee's bank account and other personal details could be used for payroll purposes.''
Nor is consent required for the ''taking of steps at the request of the individual to use personal information with a view to entering into a contract.''
That would cover using personal information at the point of recruitment and selection, such as following up references.
''It is difficult to anticipate what situations might fall under these categories, especially as it will probably be some time before there is any significant case law to interpret the bare provisions.
''One option I would recommend would be to incorporate a statement into offer letters and into the employment contract seeking the employee's consent to use his personal information for employment administration and payroll purposes, for example. This should be relatively cheap and easy to do, and should give greater certainty that they are complying with the data protection obligations.''
A situation that has already caused problems on the continent, according to Cameron, is the effect that data protection might have when businesses are being sold or services are being transferred.
''Outsourcing of services is becoming increasingly popular and will often involve the transfer of information about employees from one service provider to the next.
''If an employee does not know about, or has not consented to, the disclosure of his personal information to future service providers or potential purchasers of the business, such a disclosure may contravene the Act.
''Employees should be asked for their consent to disclose personal information to third parties.''
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereComments are closed on this article