Introduction

Gone are the days when data protection was just to do with maintaining employee confidentiality and updating contact details from time to time. As busy HR managers are finding, employees now have a much better awareness of their rights (though not necessarily their responsibilities): they have the right to know what information is being processed about them and why, they have the right of access to most of that information and they have the right to expect it to be held securely and not passed on to others who have no legitimate right to see it. Employees also need to understand their responsibilities towards other "data subjects" (ie those whose personal information is processed by the employer), so as to ensure that they do not (unwittingly or otherwise) trample on those other people's rights.

The purpose of this checklist is to provide a practical guide to the key data protection issues facing HR managers on a daily basis, and covers the following four areas: Recruitment; Employee Monitoring; Disputes; and Overseas data transfers and business disposals.

Recruitment Issues

Using employment agencies

  • Check your agency contract to ensure that it contains an obligation on the agency to inform potential candidates that their personal details may be forwarded to your organisation with the consent of the candidates.
  • Once you receive written information about a candidate, you should contact the candidate to let them know of any uses to which their information may be put, if such uses are not for the normal purposes intended by the provision of the candidate's details. This is unlikely to occur in practice.
  • If a candidate is unsuitable, inform the agency and destroy or remove from your IT system all personal information relating to that individual.

Interviewing candidates

  • Interview notes do not necessarily come within the ambit of the Act – if they are not scanned into the computer, nor placed in a relevant filing system, the candidate will not have an automatic right to see them under the Act. However, care should still be exercised when interviewing candidates because they may still apply for disclosure of the notes during the course of subsequent Employment Tribunal proceedings (typically a discrimination claim). It is obviously important for the organisation defending such a claim to be able to justify its decision not to appoint.
  • If employee personnel records have a clear internal structure and have an index to facilitate the easy retrieval of particular documents, they should be treated as a "relevant filing system", meaning that such records will come within the ambit of the Act. This means that any information from the recruitment stage of the process must still be relevant to the ongoing employment relationship, and is subject to the right of access by the employee.
  • You should let an unsuccessful candidate know if you intend to keep their personal details on file, should a more suitable vacancy arise, and give that candidate an opportunity to object.
  • Even if the candidate does object, this does not mean that you have to destroy all interview information, because you may retain such information as is necessary to defend the organisation or the interviewer in the event of future litigation. This should be made clear on the file.

Pre-employment vetting

  • The use of verification or vetting agents who verify the accuracy of information provided by successful candidates is not prohibited by the Act.
  • Due to the intrusive nature of vetting services, these should be used only where it is strictly necessary to vet candidates in addition to relying on references supplied.
  • Limit vetting to specific categories of data (such as educational/professional qualifications or previous directorships).
  • Vetting agents will be acting as your "data processor", which means that you must ensure that you have a written contract with them, whereby the agents agree to act only on your organisation's instructions and to comply with certain data security obligations.
  • You should obtain the candidate's written consent to the vetting exercise and offer them the opportunity to make representations about any adverse findings.
  • Any information provided by a vetting process should be destroyed as soon as possible, although a record of the result of the vetting process may be retained.

Criminal records

  • Unless the successful candidate will be working with children or vulnerable adults, then the only type of criminal record disclosure that will apply in most cases will be the "basic disclosure". Currently, basic disclosures are not available via the Criminal Records Bureau, although it is possible to obtain them through Disclosure Scotland.
  • If the successful candidate is going to be working with children or vulnerable adults, there are two levels of CRB checks, Standard and Enhanced Disclosure. Further advice should be obtained as to the suitable level of check to apply for.
  • Criminal records constitute "sensitive personal data", which means that one of the sensitive personal data conditions must be satisfied under the Act, of which "explicit consent" is one such condition. Since the candidate will have to apply for the disclosure themselves, the obtaining of their explicit consent should not pose any practical difficulty.
  • Do not retain criminal records data after a recruitment decision has been made – a record of the fact that a criminal record check was carried out and the result of that check should suffice.

Pre-employment medical

  • Any information concerning an individual's physical or mental health will fall within the category of "sensitive personal data" under the Act and should only be processed if one of the sensitive data conditions is satisfied. Usually, the easiest condition to satisfy is that of the individual's explicit consent.
  • Only where there is an intention to appoint should employers carry out medical examinations on candidates. They should be informed of the need for testing as early as possible in the recruitment process.
  • It may be sufficient for the employer to seek information via a medical questionnaire in the first instance, as this will be less intrusive than a full medical, but if the nature of the job requires a full medical, health and safety considerations will prevail.
  • You should inform individuals about the circumstances in which medical testing is to take place, the nature of the testing, what the individual is being tested for, how the information will be used and to whom it will be made available. If only a medical questionnaire is used, the candidate should be informed about how the information will be used and by whom.

Employee Monitoring

Drug and alcohol testing

  • As with all forms of employee monitoring, it is important to consider whether it is appropriate to carry out an "impact assessment" before undertaking any monitoring. This is designed to ensure that the benefits of processing such information about the employee justifies the intrusion on the employee's privacy.
  • Always consider less intrusive methods first – for example, there is equipment available to measure hand-eye co-ordination and response time, which may suffice for your purposes.
  • Since the chief justification for drug and alcohol testing is health and safety, testing should be targeted at jobs that pose a particular risk to the health and safety of others. Randomly testing all employees will not be justified if it is only employees in safety critical activities that pose a risk.
  • Make sure that employees have been warned that testing may take place in advance – for example, this could be done via a drug and alcohol testing policy or an email communication.
  • Inform employees of the procedure for testing (eg random/on suspicion only), what type of substances they are being tested for, what are the acceptable levels of use for a particular substance, and the possible consequences of a breach (eg dismissal).
  • Any samples taken should be analysed by an appropriately qualified professional or by an approved laboratory.
  • Remember that if a laboratory is used, that laboratory will be acting as your organisation's "data processor". Make sure that you enter into a data processor agreement with the laboratory, whereby the laboratory agrees to act only upon your instructions and to comply with certain data security obligations.
  • If you have a reasonable suspicion that one of your employees is under the influence of drugs or alcohol and is about to use a car or machinery that could pose a health and safety risk, the employee may be prevented from driving or operating machinery pending further investigation (which may include testing).

Email and internet monitoring

  • The key to fair monitoring is ensuring that employees are provided with clear information about how the monitoring will be carried out. A clear policy on the acceptable use of electronic communications within your organisation is a must. A good illustration of the importance of having an acceptable use policy in place is the 2007 European Court of Human Rights case of Copland v United Kingdom, in which Lynette Copland, an employee of Carmarthenshire College, successfully sued the UK Government for a breach of her human rights. She was able to do this as her employer is a publicly funded body, and the Government accepted that it was responsible for the College's actions for the purposes of the European Convention on Human Rights. Her employer had monitored her email traffic, internet activity and telephone usage and was unable to justify such behaviour. The Court said that Ms Copland "had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy of calls made from her work telephone. The same expectation should apply in relation to the applicant's email and internet usage". Ms Copland was awarded 3000 euros in damages and 6000 euros towards her costs.
  • It is equally important to ensure that the policy is enforced in practice. If reasonable personal use is permitted in practice, a policy which claims to ban all personal use may well be worthless in subsequent Employment Tribunal proceedings where you try to defend a claim of unfair dismissal against an employee who was dismissed for excessive personal use of the email.
  • If a blind eye has been turned to the abuse of the computer systems in the past, and you now want to take a firmer line, make sure you warn employees first by putting a "marker in the sand".
  • Carry out an impact assessment to determine whether monitoring is justified – weighing up the detrimental impact of an employee's suspected activity on the business against the adverse effect on his or her privacy.
  • It is considered less intrusive to use automated processes for detecting misuse of the system, rather than allowing IT to undertake manual checks. For instance, you could use content inspection software to monitor traffic of email and to filter content. Spot checks or audits are less intrusive than continuous monitoring.
  • Inform employees in your policy that their email inboxes may be checked in their absence in order to ensure your organisation can respond promptly to the needs of clients and customers.
  • Where emails are clearly marked "personal", they should only be opened in exceptional circumstances (for example, where the employee is suspected of using email to harass other employees or is suspected of downloading or disseminating pornography).

CCTV

  • Carry out an impact assessment to see whether the use of CCTV can be justified, and on what grounds.
  • There should be a clear notice of the existence of the CCTV cameras, their purpose (eg for health and safety reasons; to protect against and detect crime etc), and you should also supply contact details of the data controller.
  • The Information Commissioner's Office has provided a lengthy Code of Practice on the use of CCTV systems.

Covert surveillance – using secret cameras and engaging private investigators

  • Such methods are highly intrusive and may only be justified when investigating criminal activities or "equivalent malpractice".
  • Make sure that senior management authorisation is obtained before covert monitoring takes place. This should be obtained after an impact assessment is carried out, fully documenting the reasons for undertaking such monitoring and stating why less intrusive methods to obtain evidence would not be suitable.
  • When undertaking the impact assessment, think about the positioning of the secret camera(s), which should not be placed in areas where employees have a high expectation of privacy (eg a cloakroom). If it is necessary to position cameras in such places, the police should be called.
  • Any incidental information obtained as part of the monitoring should be discarded, unless that information is so serious that it would be reasonable not to ignore it. For example, you should ignore evidence of an employee coming in late, but you may use evidence of an employee harassing another employee, even if your original purpose for setting up the camera was to detect some quite unrelated criminal activity.
  • If you decide to engage a private investigator, he or she will be acting as your organisation's data processor. Make sure you have a written contract in place, in which he or she agrees to act only upon your instructions and agrees to abide by the data security principle.

Disputes

Subject access requests

  • Although not all subject access requests relate to disputes, they are often the starting point for individuals (or their legal advisers) to obtain information which will assist them in future potential litigation. Subject to certain exemptions, employees have the right to access information held about them by their employer or former employer.
  • Provided the information is held on computer or in a relevant filing system, the right of access applies to sickness records, appraisal or performance review notes, disciplinary notes and many documents held on their employer's email system.
  • Up to £10 can be charged for complying with each subject access request. Many employers choose to waive this fee, or exercise a discretion, which they apply only in cases where the extent of the search is time consuming and/or costly.
  • Your organisation must respond to a request promptly and in any event within 40 days.
  • The cost of undertaking a search of your systems cannot be taken into account when determining whether to comply with the request, but you may seek further information or try to limit the scope of the request. The motive behind the request is also not relevant for your purposes. However, in the High Court case of Ezsias v The Welsh Ministers in November 2007, the Act was interpreted purposively so that it now appears that the search for data, as well as the provision of copies of the data, only needs to be "reasonable and proportionate". This is welcome news for organizations that often spend huge sums of money and a great deal of time conducting far-reaching searches. Provided they can show that they have conducted a reasonable and proportionate search, they should be compliant with the Act. It is therefore useful if organizations faced with wide-ranging requests (where the data subject is unwilling to narrow the scope of the request) to quantify the time and costs involved in searching excluded locations (including IT related expenses, employee costs, and other service providers).
  • When complying with a request, you should provide information in a permanent form unless to do so would require "disproportionate effort", in which case you may invite the employee (under supervision) to view their information on computer and print off copies of what they need.
  • You may wish to provide a standard "subject access request form" which tries to direct employees to the usual sources of information so that they are less likely to make an open-ended request for "everything you have on me".
  • If your organisation is a large one and you do not know the employee personally, make sure you check the identity of the person making the request. Sometimes unscrupulous individuals or organisations will use this method to fraudulently obtain employee details. If you unwittingly disclose information to such third parties, you are likely to be in breach of the data security principle.
  • Responding to data subject access requests is often hampered by the amount of third party information that is often attached to the personal information about the individual who has requested it. Further advice should be sought if you are unsure whether to reveal such third party information.

Disciplinary proceedings - using evidence obtained from monitoring activities

  • Where an allegation against an employee is unsubstantiated as a result of monitoring, you should usually remove records of the allegation and the monitoring results from your organisation's records.
  • You may retain such records only in exceptional circumstances (eg if the allegation relates to bullying), but you must clearly record what is an unsubstantiated allegation and what is fact.
  • Make sure that the evidence is not obtained by deception or by misleading those from whom they are obtained.
  • Take particular care over the security of such evidence and limit access to such information to those employees who have a genuine need to know and who have an involvement in the disciplinary proceedings.
  • Establish clear procedures on how "spent" disciplinary warnings are handled. While reliance on spent disciplinary warnings should be seen as the exception rather than the rule, the Court of Appeal in the case of Airbus v Webb has held that taking into account a spent disciplinary warning will not necessarily make the dismissal unfair, because a range of factors need to be considered to assess whether an employer has acted within the "band of reasonable responses". It therefore may be appropriate to retain a note on file of the brief circumstances giving rise to a disciplinary warning and the sanction that was applied, so that if circumstances later arise that may make it relevant, it can be taken into account. For example, as in the case of Airbus v Webb, if an employee had committed the same act of misconduct for which an earlier disciplinary warning had just expired, and committed that act along with a number of colleagues, it may be relevant to consider the disciplinary records of all those employees before deciding whether dismissal is an appropriate sanction. Whereas his colleagues may have clean disciplinary records, and therefore may escape dismissal, such leniency may not be appropriate for the employee with a tarnished disciplinary record, even though the actual disciplinary warning had by that time expired.

Surveillance evidence and tribunal proceedings

  • The admissibility of evidence gathered through surveillance is likely to depend on the employer being able to justify its methods.
  • Generally, Employment Tribunals have taken the view that all relevant evidence should be admitted, regardless of the lawfulness of the method of its capture, although such considerations are likely to have costs or other legal implications for the offending party (see such cases as Jones v University of Warwick and Avocet Hardware Plc v Morrison). The main grounds for such reasoning are based on the conflicting human rights under Article 6 (right to a fair trial) and Article 8 (right to respect for private life), and Courts and Tribunals (perhaps not surprisingly) have generally preferred to allow Article 6 rights to trump Article 8 rights, while still being keen to warn that admissibility of evidence will not always necessarily be guaranteed.
  • Putting the boot on the other foot, and following recent case law (such as the case of Chairman and Governors of Amwell View School v Dogherty), employees who covertly tape record their own disciplinary interviews may well have evidence from such recordings declared admissible in subsequent Employment Tribunal cases. It is always worth asking the employee if they have secret recording equipment with them before proceedings start, or even allowing proceedings to be taped so that an agreed recording can be made. In the Dogherty case, Mrs Dogherty allowed her tape player to keep running when she was out of the room and the governors were privately discussing the case. It was held that while the recording of the disciplinary interview was admissible, the recording of the private musings of the governors was not. However, the Tribunal expressly stated that the conflicting public interests might have been differently determined if the claim had been one of unlawful discrimination and the private musings had involved an indication of unlawful discrimination.

Third party disclosure

  • You are allowed to disclose personal data to third parties where such disclosure is necessary for legal proceedings or prospective legal proceedings, or for obtaining legal advice or is otherwise necessary for the purpose of establishing, exercising or defending legal rights.
  • It is therefore permitted for lawyers to receive relevant sensitive personal data from their employer clients without either party being in breach of the Act.
  • It is common practice in cases involving information about third parties (such as other employees in a redundancy selection programme) for those third parties' details to be blanked out before being disclosed to the Claimant or his/her adviser, and for references to them to be to "Employee 1, 2, 3 etc" in related documentation. Tribunal Chairmen will usually want to see the named versions of such documents, so it is wise to take unredacted versions with you to Tribunal.

Overseas data transfers and business disposals

  • The Act prohibits the transfer of personal information outside the EEA (which consists of the 27 EU member states plus Norway, Iceland and Liechtenstein), unless those countries "ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".
  • There are only a handful of countries whose data protection regime has been deemed to be "adequate" and they are: Switzerland, Canada, Hungary, Argentina, the Isle of Man and Guernsey. One of the top offshore destinations for UK companies, India, has yet to achieve a designation of adequacy by the European Commission.
  • There are a number of exemptions to the general ban on exporting personal information outside the EEA, such as where certain types of contract are in place. To benefit from this exemption, any transfer outside the EEA must be necessary for the purpose of performing the contract. The threshold of "necessity" is a high one; the Information Commissioner's view is that the transfer of employee data from an EEA subsidiary to its non-EEA parent company in order to centralise a multinational group's HR and payment functions is not necessary for the performance of the employees' employment contracts. While it may be desirable for the company to carry out its payroll and HR functions in this way, it is not objectively necessary for it to do so. The company would therefore have to consider some other means by which it can lawfully continue (for example, the company could justify the transfer of data on the grounds that the destination of the transfer and the circumstances of the transfer ensure an adequate level of protection). There are complex guidelines which should be followed, and further advice should be sought in such circumstances.
  • Another derogation that may apply is if your organisation can show that the employee has given specific, freely given and informed consent to the transfer of his or her data overseas. While this appears like an easy and attractive option, it can be difficult to achieve, particularly for large organisations. It is also important to remember that freely given consent can also be freely withdrawn.
  • If you incorporate model contract terms (approved by the European Commission and authorised by the Information Commissioner) into your contract with the overseas company to which your employee data will be exported, this will be another legitimate way to transfer employee data. Depending on whether the overseas company will be acting as your organisation's data processor or acting as a data controller in its own right, different model contract terms will apply.
  • More recently, some multinational companies have embraced the "binding corporate rules" (BCR) regime for ensuring overseas data transfer compliance where the data are transferred intra-group. These are not a particularly easy, quick or cheap solution, but they do provide a greater degree of certainty for organisations as BCR must be submitted for approval by the Information Commissioner. They must include, among other things, evidence of measures that are binding, both externally and internally, details of a data protection audit plan and a description of the data protection safeguards that are in place.

Transferring employee data to the United States

  • A unique regime exists in the United States, known as the "safe harbor" framework, which enables some data transfers to the US to be permitted by EU data protection legislation.
  • If you plan to transfer employee data from your UK subsidiary to your US parent, and use of the EU model contracts is not a preferred option, the US parent must first of all consider all the requirements it must satisfy before self-certifying to the US Department of Commerce. Among the information which must be provided to the US authorities is a description of the activities undertaken by the organisation in respect of the personal data received from the EU, and a description of the organisation's privacy policy regarding such personal information. The organisation must declare that it will comply with all 7 safe harbor principles, which are broadly similar to the Act's 8 data protection principles.

Business disposals

  • It is always useful if you have already informed employees that one of the purposes for which their personal information may be used will be in the event of a potential disposal of some or all of the organisation for which they work. You should also tell them that their details may be passed on to the potential buyer or their advisers for this purpose.
  • Without the above forewarning, it is possible that any disclosure of employee personal information to a potential buyer will be in breach of the first data protection principle, relating to the fair and lawful processing of their data. However, where there is a legal requirement to make a disclosure, this will take precedence.
  • In business transfers (as opposed to share sales) governed by the Transfer of Undertakings (Protection of Employment) Regulations 2006 ("TUPE Regulations"), there is a legal obligation to make disclosure of certain "employee liability information". Note, however, that any disclosure that goes beyond the requirements set out in regulation 11 of the TUPE Regulations, will not be governed by the "legal requirement" exemption referred to above, so any information that goes beyond those requirements should either be made with the knowledge of the employees or should be anonymised.
  • In the case of share sales, vendors and their advisers should, as far as possible, anonymise the employee details before disclosing them to potential purchasers and their advisers as part of the due diligence process unless the employees have been forewarned that their details may be disclosed in such circumstances and it is reasonable to do so.
  • Exercise caution in the type of information that is disclosed, because it is unlikely that sensitive personal information can be lawfully disclosed without the prior explicit consent of the employee concerned. If, for example, the purchaser's advisers have sought information about employees on long term sick leave, it may be possible to satisfy the request with statistical information that does not identify the employees concerned.
  • Consideration should also be given to what will happen with the information if the transaction does not go ahead. Formal assurances should be sought from the potential buyers and/or their advisers that information should be returned or destroyed by the shredding of paper or the expunging of electronic files.

For further information, visit:

www.ico.gov.uk (Information Commissioner's Office)

www.crb.gov.uk (Criminal Records Bureau)

www.disclosurescotland.co.uk (Disclosure Scotland)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.