The Data Protection Act 1998 (DPA) provides for when and how personal data can lawfully be processed. Personal data can be found in numerous places including databases, manual filing systems, word processing programs, e-mails, CCTV records, telephone records, internet logs, automated payroll systems and records of automated door entry systems such as swipe cards.
Employers have data protection obligations in relation to current and former job applicants, employees, and agency, contract and other casual workers.
Personal data is defined as information which relates to a living person:
- who can be identified from that data alone, or from that data and other information in the possession of the data controller; and
- which is about that living person (whether in his personal or family life, business or professional capacity).
When personal data is being processed, the eight data protection principles set out in the DPA must be complied with. The data must be:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than necessary;
- Processed in line with the data subject’s rights;
- Secure;
- Not transferred to other countries without adequate protection.
Requests for data
Under the DPA, employees may access data held about them by their employer by making a request in writing and paying a fee of up to £10. Employers should be aware that this right of access effectively provides employees with a means of ascertaining whether or not their data is being properly processed in accordance with the DPA, and this may have an impact on their relationship with their employees as well as their reputation as an employer.
It is vital that employers understand their duties and that they act promptly to respond to requests for data from employees or former employees. Our experienced team can advise employers about their duties and about responding to requests.