Data Protection - How Employers Can Avoid Being Penalised


Article by Stephen Musgrave and Nadia Hussein, Bird & Bird LLP Employment Group

HR practitioners have been living fairly comfortably with the data protection enforcement regime for many years, even after the storm of data security problems that hit the UK in recent years. Most memorably, in 2007 HMRC lost two CD-ROMs containing personal data of 25 million individuals. At around the same time, a hard drive holding three million records of candidates for the UK Driving Theory Test was lost by Pearson – not even in the UK, but in Iowa. And on 15 Dec 2007 Ministry of Justice CDs containing details of defendants before the Manchester Magistrates Court went missing in the post.

The penalties for this sort of transgression have recently increased dramatically.

On 6 April 2010, sections 55A to 55E of the Data Protection Act 1998 came into force. The Information Commissioner can now impose fines of up to £500,000 on 'Data Controllers' for breaches of the Act without first going to court. Until now, when breaches were brought to the attention of the Information Commissioner, he could serve an Enforcement Notice on a data controller to secure proper compliance; refusal or failure to comply with a Notice could lead to a prosecution and a fine. The penalty is now much larger. An employing organisation is typically the 'Data Controller' for personal data relating to its employees.

The most common way in which data protection issues arise is through subject access requests, and most HR departments will have processes in place to deal with these. Data protection has otherwise had a relatively low profile in compliance terms. HR professionals are acutely aware of the risks and potential consequences of treating individual employees unfairly, of inappropriate discrimination, or of failing to comply with collective consultation requirements: any of these may result in Employment Tribunal proceedings, which are likely to be stressful, time-consuming and expensive as well as damaging to the reputation of the employer. That awareness, however, is unlikely to extend to everyone in the organisation.

The Information Commissioner Christopher Graham made it clear in January this year that he intends to use the new powers. He said 'When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act.'

Key Areas

Now is the time for HR practitioners to review the way their organisations handle, store and disseminate personal data to make sure that processes and procedures remain robust and have not been overtaken by events. Approaches that were excellent when introduced may not have taken account of subsequent changes – perhaps in terms of outsourcing arrangements, or greater devolution of people issues to line management. With staff turnover, the training effort you put in initially may have faded, allowing laxity to creep into the way you deal with personal information.

As a minimum first step it would be wise to refresh your knowledge of the eight data protection principles in the 1998 Act.

Each organisation will have its own requirements, but it is easy to make data protection mistakes and you may need to check your current practice in a number of areas:

  • Sickness:
    • medical information is one of the categories designated as 'sensitive' for which a special justification for the processing is required, so:
      • Are medical certificates treated with sufficient confidentiality?
      • Are HR and payroll staff trained not to reveal to other colleagues the reasons for sickness absence?
      • Have you got clear protocols on who in HR, occupational health and line management needs to have access to medical information?
      • Do your processes keep medical information secure from colleagues who have no need to access it?
  • International outsourcing:
    • Offshoring to an outsourced service provider outside the EEA needs extra care – is the contractor secure and reliable?
    • Do you have in place contracts to satisfy the rules in the 1998 Act on sending data overseas and passing it to a data processor?
  • Transnational management structures:
    • If you have a foreign parent company, are you authorised to send data abroad outside the EEA?
    • Do you have in place contracts or Binding Corporate Rules to satisfy the Eighth Data Protection Principle?
  • TUPE:
    • The TUPE Regulations require you to provide specific information shortly before a transfer takes place, so you will not be in breach of the 1998 Act in those cases.
    • However, in preliminary discussions, ensure that the information given in commercial negotiations is not so detailed that individuals can be identified.
    • In these early discussions, or in cases not covered by TUPE, consult and follow the Commissioner's guidance on your responsibilities.
  • Employee relations:
    • In grievance and discipline cases, be clear that a union representative has authority to act for an individual, and be careful about the information you divulge on other individuals involved in a case.
    • In collective negotiations, take care to protect the privacy of non-members.
  • General security:
    • Who has access to work in progress and manual files during the day – could colleagues or visitors be left alone with access to personal information?
    • After hours, do you have a 'clear desk' policy and, if so, is it practical in terms of adequate storage space and reliably adhered to?
    • What happens to your waste paper?
    • Do you, HR staff or line managers carry personal records around on a laptop or memory stick?
    • If so, is this confined to occasions where this is absolutely essential?
    • Do you routinely encrypt laptops and portable media on which personal data are kept?

Recent high-profile cases show that having a set of security policies in place may not be enough if you do not use technology to enforce them firmly. In particular, the Information Commissioner's Office is clearly concerned about the volume of cases in which unencrypted confidential data stored on mobile and portable devices has been lost or stolen. Organisations should take note of the fact that in recent cases involving employee negligence, if all the relevant data had been encrypted the integrity of the data would most probably have remained intact. In other words, there would have been no breach of the Data Protection Act 1998 and no public scandal. In light of the Commissioner's new power to impose fines of up to £500,000 for breaches of this kind, expenditure on proven technologies such as encryption is cost-effective.

Enforcement

The move from enforcement notices to the power to impose fines is a step change in the regulatory framework, but the Commissioner cannot simply apply the power to every breach of the Act. He must first be satisfied that:

  • there has been a serious contravention by the data controller of its duty to comply with the eight Data Protection Principles, and
  • the contravention was of a kind likely to cause substantial damage or substantial distress.

If such a contravention was deliberate, a fine may be imposed. If it was not deliberate, the organisation can still be fined where it knew or ought to have known that there was a risk of a contravention of this kind, and that it would be likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.

The Commissioner 'will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty' and will take into account 'an organisation's financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation.'

A crucial issue will therefore be whether the Data Controller took 'reasonable steps' to prevent the contravention, such as:

  • Carrying out a risk assessment, taking into account the kind of risks outlined above plus those particularly relevant to your organisation
  • Reviewing and updating your policies and procedures in the light of this
  • Having good governance and audit arrangements to establish clear lines of responsibility, and
  • Implementing the Guidance, Codes and Standards published by the Information Commissioner and by other bodies, such as the ISO/IEC 27001 standard on information security management.

Finally, the board should be told that your organisation could now be fined for a serious breach of data protection.

www.twobirds.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
