Mark O'Neil and Jane Pryke consider how a company's failure to register under the Data Protection Act 1998 and adopt a comprehensive data protection policy could lead not only to civil liability and unlimited fines but to criminal liability of directors and considerable exposure to employment related claims.
Although the Data Protection Act 1998 (the "Act") came into force on 1 March 2000, 9 out of 10 companies do not appreciate the Act's implications and 1 in 2 directors are unaware that they are personally liable for the accuracy of their database. These statistics are all the more alarming given that failure to comply with the provisions of the Act may lead to an unlimited fine in the Crown Court, potential criminal liability of responsible directors and damages payable to the affected data subject for damage and associated distress.

Equally importantly in today's litigious atmosphere, failure to comply also exposes a company to the whole spectrum of employment-related claims, including sexual, racial and disability discrimination and claims of unfair dismissal.

The Act

In brief, and subject to certain exemptions, the Act requires a company to notify the Data Protection Commissioner if it is "processing personal data", which includes obtaining, recording or analysing data, or disclosing such data to someone else. "Data" is any information relating to individuals who can be identified either from the data alone or from the data together with other information in the company's possession. The Act applies not only to data processed automatically but also to data held on manual filing systems.

To this end, the Act would certainly apply to employees' personnel files, recruitment, health, attendance and disciplinary records, and any other files compiled manually by management with or without authorisation. There is an annual notification fee of £55, but companies are still required to comply with the data protection principles set out under the Act even if they are exempt from notification.

How to ensure compliance

Personal data must be processed fairly and lawfully and, to this end, can only be processed with the individual's consent. Such consent can be implied where the individual provides the information, or where a clause in the individual's contract of employment specifically places the individual on notice that personal information about him/her will be processed in accordance with the Act's provisions. Explicit consent (in writing) is required for the processing of "sensitive personal data", which includes information relating to racial or ethnic origin, political opinions, religious beliefs, health, sex and the commission of offences.

In addition, a company should appoint a director and/or senior manager as "Data Protection Officer", whose responsibility it is to conduct (or commission) a detailed data protection audit and to ensure the company's compliance with the Act. The Data Protection Officer should establish a company data protection policy and educate staff on the collection and use of personal data. Any unauthorised collection of data by managers or other employees should be expressly forbidden, for the reasons discussed below.

It is important to note that, at the same time as considering the implementation of a data protection policy, a company should consider and review its e-mail policy and, if applicable, its CCTV policy, as any interception of e-mails and/or CCTV recording would constitute collection of data and therefore fall within the ambit of the Act.

Rights of Employees

On payment of a fee, any employee has the right to see all personal data held by the company relating to him/her, to be told the purpose for which the processing is taking place and who has access to the information, to require inaccurate information to be corrected, and to request a copy of all of the information held. What this means in practice is that any remarks made by management in an employee's official personnel file, or in an unofficial file kept by a manager for his/her own purposes in monitoring the performance of his/her juniors, will be disclosable on request.

It is not difficult, therefore, to see how a flippant remark in an internal management appraisal could lead to a discrimination and/or constructive dismissal claim. An example which springs to mind would be a management comment on a female employee's promotion prospects which rules out promotion because the employee is likely to start a family in the near future and would therefore be absent from work during maternity leave. Such a comment would certainly lead to a sex discrimination claim and an unfair dismissal claim, even though the management concerned had no intention of revealing these views to the employee.

Conclusion