Employment Matters July 2010
Data Protection – new enforcement powers
Employers have always had obligations under the Data Protection Act 1998 (DPA) in respect of personal data they hold regarding their employees, customers/clients and other third party individuals.
A recent spate of high profile data protection losses by both public and private bodies has caused concern as to how organisations are approaching the protection of sensitive personal data.
In particular we have seen the Home Office allowing prisoner data to be downloaded to a data stick which was later lost by a contractor. In a separate incident two discs containing data in relation to families who claimed child benefit were lost. The discs contained personal information of around 25 million people and included their home addresses, national insurance numbers and bank account details.
The Information Commissioner’s Office (ICO) previously only had power to impose enforcement notices for such breaches of the DPA. Only if those enforcement notices were breached could the ICO impose a monetary penalty.
The serious data protection breaches of recent years have led to the ICO being granted new powers. From April 6 2010, the ICO is able to order organisations to pay penalties of up to £500,000 for serious breaches of the data protection principles contained in the DPA. Still undergoing consultation is a further penalty which would allow custodial sentences to be imposed for knowingly or recklessly obtaining or disclosing personal data.
Clearly, more than ever, employers need to be aware of their obligations under the DPA.
Are you affected by the DPA?
The DPA imposes obligations on data controllers. Data controllers are individuals, companies, organisations or other bodies who can determine the purpose and/or the manner in which personal data is processed.
Personal data essentially means any data that can be related to an individual and which could be used to inform or influence actions or decisions in relation to that individual.
The following would all be examples of personal data:
- An employee’s personnel records, containing such information as their home address, national insurance number and details relating to their sickness absence.
- An employee’s appraisal, with opinions from their line manager as to their performance.
- E-mails sent or received by an employee to their relatives/friends on an employer’s work system.
- Customer information, such as phone number, home address and information about products previously purchased by that customer.
Essentially then, almost all employers are going to be data controllers, as they are likely to hold personal data of one form or another, relating to their employees and/or customers, in a relevant filing system (for example in an organised paper file or on a computer).
What are your obligations under the DPA?
You are obliged to ensure that personal data is kept secure and that it is only processed for legitimate and proportionate reasons with the employee’s knowledge and consent. The following are examples of potential breaches of the DPA:
- Holding on to employee information for too long.
- Failing to protect employee or customer information adequately (for example by not password protecting files which contain sensitive employee or customer data).
- Using employee or customer data for a purpose to which they have not consented (eg passing personal data onto a third party without their consent).
If our data protection practices and procedures aren’t perfect will we attract a large fine?
Not necessarily. We are still waiting for the first test cases in respect of the new ICO powers, but the fines in the region of £500,000 are likely to be reserved for the most serious of DPA breaches. When considering whether to impose such a penalty, the ICO will take the following into account:
- The seriousness of the breach (for example the loss of medical records would constitute a serious breach).
- The likelihood of significant damage or distress to the individuals who are affected by the breach (for example an individual being prejudiced in obtaining a job due to inaccurate data being processed, or an individual suffering the distress of knowing that their medical records might be in the public domain due to a data controller’s failure to protect them adequately).
- Whether the breach was deliberate (for example a serious view would be taken if an organisation knowingly disclosed customer data to a third party without their consent in order to make a profit).
- If the breach was not deliberate, whether it was negligent (for example, if the breach was serious, did the data controller fail to take adequate steps to ensure such a breach did not happen).
What can we do to ensure we are compliant with the DPA?
You can ensure that there is a proper data protection policy in place and that any of your employees who handle personal data have sufficient training in relation to the DPA and your policy, to ensure that your DPA obligations are met in practice.
We can offer a data protection audit. This involves a review of any written data protection policies and an examination of how data protection issues are dealt with in practice in the workplace, followed by a full report outlining areas of compliance and non-compliance and possible areas for improvement. Such an audit can help you minimise the risks of breaching the Data Protection Act and incurring sanctions from the ICO.
If you would be interested in having your data protection policies reviewed, receiving training, or have any general data protection queries, then please contact our data protection specialist Richard Kay at richard.kay@cobbetts.com or on 0845 165 5014.
The content of this handout is for information only and should not be relied upon as a substitute for legal advice. Copyright 2010 Cobbetts - All Rights Reserved – June 2010.