· News

Personnel files become an even bigger headache

The data protection rules have been extended to information held in manual personnel files. Janet Gaymer explains

Employees have had the right to access computerised personnel files for some time since the 1984 Data Protection Act. However, the Data Protection Act 1998 extended the responsibilities of employers in relation to the disclosure of personal data held in personnel files in particular to data held in manual records. Originally, they were exempt but employees may now have access to these also.

The 1998 Act came into force in March 2000. In autumn 2000, a draft code of practice dealing with the use of data in employment was issued. The consultation period closed on 5 January 2001.

The draft code included recommended practices and procedures and a guide to the main provisions of the 1998 Act affecting employment, but was much criticised. Many people were concerned about the effect it would have on the management of manual filing systems.

For the purposes of the Act, the relevant filing systems are structured ones ones in which specific information on a particular individual is readily accessible, such as in a card index.

The Act covers the obtaining, recording, holding, using, erasure, destruction and any operation in relation to data in such systems. Particular safeguards apply to so-called sensitive personal data, for example, information about someones political opinions, physical or mental condition, or religious beliefs. A record that an employee had 20 days sick leave last year would be sensitive personal data.

The safeguards for sensitive data include explicit consent to obtaining the data and ensuring that it is held for one of the specified grounds. For example, medical information, such as blood group, may be held where an employee may be exposed to physical danger.

An employee is entitled to receive data by making a request in writing (including electronically) and paying any fees required by the employer (subject to a maximum of 10 per request). From 24 October 2001, the data to be supplied includes information held in a central personnel function or elsewhere in an organisation.

If the employer refuses a request, employees or other individuals as well the Information Commissioner who oversees the 1998 Act may take legal action. Employees may seek compensation for a breach of the Act if they have suffered damage and distress as a result of any contravention of its requirements. They may also seek to rectify, block, erase or destroy inaccurate information held about them or information that contains opinions based on inaccurate data.

One of the key concerns about the extension of the Act to manual data was the difficulty of dealing with requests from employees for such data. The growth of technology in the workplace has already made it difficult to determine how far one has to search for the relevant data, particularly where there is a habit of copying emails or referring to multiple subjects in emails. In anticipation of the new rights coming into force, there was some evidence of spring cleaning of the removal of potentially embarrassing records.

There is nothing in the Act that prevents HR people from managing or spring cleaning their files. But if an employer who receives a request for access to a file removes an embarrassing record before letting the employee see it, that would be a violation of the employees rights. The court can order that a request for information be complied with and an employer may be prosecuted for not complying with an enforcement notice. The Act does not say how long records should be kept although the draft code suggests periods for retention of various types of record.

A good way for HR to find out what potential problems the changes present is to conduct a trial run of a request by a well-informed employee.

One of the first discoveries is the volume of data documents may contain. Often more than one employee will be mentioned which raises questions of confidentiality when one of the individuals mentioned asks for access to the document. Even the delivery of manual information requires careful planning to ensure that data is preserved. The development of handling procedures for data requests is a must.

For further information about the code of practice: www.dataprotection.gov.uk.


Janet Gaymer is senior partner at Simmons & Simmons