
Where does privacy begin and end?

<b>Janet Gaymer explains how the forthcoming code on data protection could encourage better practice at work</b>



It may not be the sexiest of topics, but data protection is the new must-know subject. This month sees the close of consultation on the final part of the Employment Practices Data Protection Code. This is intended to help employers comply with the Data Protection Act 1998 and to encourage good practice. Although it is meant to be a reference document, it may be taken into account when a breach of data protection law is at issue.


The first three parts of the code deal with recruitment and selection, records management and monitoring at work. The final part covers medical information, giving guidance on dealing with information about workers' health, occupational health schemes, medical examinations, drug and alcohol testing and genetic testing. The key messages that emerge from all four sections are as follows.


A person responsible for ensuring compliance with the Data Protection Act should be appointed. There should be a mechanism for checking that procedures are followed in practice. Serious data protection breaches should be made disciplinary offences.


Managing the expectations of workers will also be important. For example, the final part of the document makes it clear that it will be intrusive to obtain information about workers' health. It says that workers should be able to expect to keep their personal health information private and that employers will respect this privacy. In general, employers should only collect health information where this is necessary for health and safety reasons, to prevent discrimination on the grounds of disability, or if each worker affected has freely given explicit consent. This means that a worker must be able to say no without penalty and withdraw consent once given.


Personal information is what the code is about. The definition of this is key to an understanding of data protection as a whole. In December, the Court of Appeal laid down some valuable guidelines on what is meant by "personal data", which in turn may mean further revision of the code.


The Court of Appeal case concerned a Michael Durant who made two requests to the Financial Services Authority (FSA) asking for personal data held both electronically and in four manual files to be disclosed. He had been a customer of Barclays Bank and had sought disclosure of various records in connection with a dispute that had resulted in litigation. The FSA refused to comply with his request for information in manual files on the grounds that the information sought was not personal and therefore not personal data. The files did contain information in which Durant featured and some files identified him by reference to specific dividers in the file. The Court decided that the phrase "personal data" had to be narrowly interpreted.


The two main points considered were: does the data go beyond recording an individual's involvement in a matter or an event with no personal connotations? And does the information have the individual as its focus rather than some other person with whom the individual may have been involved?


The Court also considered what was meant by the phrase "relevant filing system", which appears in relation to the definition of "data" in the Data Protection Act. There is only a right of access to personal data in manual files that is structured in a certain manner. Again, the Court took a narrow view.


The filing system in question has to relate to individuals. It has to be a set or part of a set of information. Specific information relating to a particular individual has to be readily accessible. The Act doesn't expect people to have to leaf through files to see what and whether information in relation to an individual can be found. Otherwise, the limited time allowed for a response to a request for personal data (40 days) would be inadequate. The Government only intended the Act to apply to manual records if they are sufficiently sophisticated to provide the same or similar ready accessibility as a computerised filing system.


Although Durant failed in his appeal to the FSA, employers may still wish to reflect on where privacy in the workplace begins and ends.