HR practitioners have been living fairly comfortably with the data protection enforcement regime for many years, even after the storm of data security problems that hit the UK in recent years. Most memorably, in 2007 HMRC lost two CD-ROMs containing personal data of 25 million individuals. At around the same time, three million records of candidates for the UK Driving Theory Test were lost by Pearson on a hard drive – not even in the UK, but in Iowa. And on 15 Dec 2007, Ministry of Justice CDs containing details of defendants before the Manchester Magistrates Court went missing in the post.

The penalties for this sort of transgression have recently increased dramatically. On 6 April 2010, sections 55A to 55E of the Data Protection Act 1998 came into force. The Information Commissioner can now impose fines of up to £500,000 on 'Data Controllers' for breaches of the Act without first going to court. Until now, when breaches were brought to the attention of the Information Commissioner, he could serve an Enforcement Notice on a data controller to secure proper compliance. Refusal or failure to comply with a Notice could lead to a prosecution and a fine. The penalty is now much larger.

An employing organisation is typically the 'Data Controller' for personal data relating to its employees. The most common way in which data protection issues arise is through subject access requests, and most HR departments will have processes in place to deal with these. Data protection has also had a relatively low profile in compliance terms. HR professionals are acutely aware of the risks and potential consequences of treating individual employees unfairly, of inappropriate discrimination, or of failure to comply with collective consultation requirements. Any of these may result in Employment Tribunal proceedings, which are likely to be stressful, time-consuming and expensive as well as damaging to the reputation of the employer, but this awareness is unlikely to extend to everyone in the organisation.

The Information Commissioner, Christopher Graham, made it clear in January this year that he intends to use the new powers. He said: 'When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act.'

Now is the time for HR practitioners to review the way their organisations handle, store and disseminate personal data, to make sure that processes and procedures remain robust and have not been overtaken by events. Approaches that were excellent when introduced may not have taken account of subsequent changes – perhaps in terms of outsourcing arrangements, or greater devolution of people issues to line management. With staff turnover, the training effort you put in initially may have faded, allowing laxity to creep into the way you deal with personal information.

As a minimum first step, it would be wise to refresh your knowledge of the eight data protection principles in the 1998 Act. Each organisation will have its own requirements, but it is easy to make data protection mistakes and you may need to check your current practice in a number of areas:

Recent high-profile cases show that having a set of security policies in place may not be enough if you do not use technology to firmly enforce them. In particular, the Information Commissioner's Office is clearly concerned about the volume of cases where unencrypted confidential data stored on mobile and portable devices has been lost or stolen. Organisations should take note of the fact that in recent cases involving employee negligence, if all the relevant data had been encrypted the integrity of the data would most probably have remained intact. In other words, there would have been no breach of the Data Protection Act 1998 and no public scandal. In light of the Commissioner's new power to impose fines of up to £500,000 for breaches of this kind, expenditure on proven technologies such as encryption is cost-effective.

The move from enforcement notices to the power to apply fines is a step change in the regulatory framework, and the Commissioner will use the power for every breach of the Act. He must first be satisfied that:

If such a breach is made deliberately, a fine may be applied. If the breach was the result of negligence (that is, the Data Controller knew or ought to have known of the risk of contravention), the organisation can still be fined if it also knew or should have known of the risk and consequences of contravention but failed to take reasonable steps to prevent it.

The Commissioner 'will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty' and will take into account 'an organisation's financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation.'

A crucial issue will be whether the Data Controller takes "reasonable steps" to prevent the contravention, such as:

Finally, the board should be told that your organisation could now be fined for a serious breach of data protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Data Protection - How Employers Can Avoid Being Penalised
30 June 2010