The Eight Data Protection Principles
[Ch 4: pages 141-143] The DPA 98 is built around eight core data protection principles with which the employer must comply to avoid breaking the law. For sensitive personal data, the employer must also have the worker’s express, unpressured and informed consent. Here are the eight principles.
1. Data can only be processed for one of these purposes:
• for the performance of the worker’s contract (for example, salary payments);
• to meet any non-contractual employment obligation (for example, accident reporting);
• to protect a worker’s vital interests (for example, health);
• for the administration of justice (for example, to defend a tribunal claim, or to share information with investigators when employee fraud is suspected);
• to protect the legitimate interests of the employer or third parties to whom the information is disclosed, as long as this does not prejudice the worker’s own legitimate interests.
2. Data must be obtained and processed only for specified and lawful purposes.
3. Only adequate, relevant and not excessive data must be held, taking into account its stated purpose.
4. Stored data must be kept accurate and up to date.
5. Data must not be kept longer than necessary.
6. Data must be processed in accordance with the rights of individuals.
7. Appropriate measures must be taken to keep data safe from harm or accidental loss and to avoid unauthorised or unlawful processing.
8. Data must not be transferred outside the European Economic Area without ensuring adequate measures have been put in place to ensure protection.
The duty to keep workers’ personal data safe includes a duty to use appropriate security measures to protect that data from risks such as exposure to identity theft or hacking. The fact that a breach is caused by someone who is not a current employee, for example an external payroll company, an ex-employee, a job applicant or a volunteer, is no excuse for a breach that compromises workers’ data protection rights.
All employers should have proper data security policies in place and should regularly carry out risk assessments of their data processing systems, as well as full, regular checks on the security standards of any third parties (such as payroll providers) before entrusting them with employees’ data.
Employers should also have proper plans in place to respond quickly to any theft or leak of staff data, to minimise its impact. Where a union is recognised, it should be consulted on written policies. Employers should also take steps to raise internal awareness among employees of the importance of data security, including simple measures such as reminder stickers, notices and posters, and should provide training on data security.
As well as breaching statutory duties under the DPA 98, employers can incur liability under the Human Rights Act 1998 (the right to respect for family life – Article 8 of the European Convention on Human Rights), the law of tort (negligence or misuse of private information) and for contract breach – the implied contractual duty to take adequate care of workers’ private information (see Chapter 3).
The General Data Protection Regulation (GDPR) will apply in all EU member states from 25 May 2018. The ICO has said that if the UK wants to trade with the EU single market on equal terms, it will have to demonstrate compliance with the standards in the Directive by May 2018. The UK intends to implement the GDPR by this deadline. There is guidance on the ICO website (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr).