Data protection 



The Data Protection Act 1998 (DPA 98) regulates the processing of personal data about individuals at work and is enforced by the Information Commissioner (ICO). There is a useful Employment Practices Data Code of Practice available online from the ICO website. The Code is in four parts, covering recruitment and selection, employment records, monitoring at work and medical information. There is a separate Code of Practice on CCTV, updated in 2015 to cover other technological devices used at work, such as body cameras. These are not statutory Codes, meaning that tribunals are not required to take them into account, and any breach will not necessarily make a dismissal unfair (City and County of Swansea v Gayle [2013] UKEAT 0336/12/106). 



What follows is a summary of the basic position. More detailed information can be found in LRD’s booklet, Monitoring and surveillance at work — a practical guide for trade union reps.



In the DPA 98 statutory regime, the employer is known as a “data controller”. “Personal data” is any information from which a worker can be identified, either on its own or when viewed alongside other information held by the employer. It can be on paper, stored on a computer or processed through email and it must be easy to find. The DPA 98 is aimed at computer records and electronic filing systems, but it will cover a manual filing system as long as it is organised in a logical way that makes it easy to extract information quickly with minimum effort.



Common examples of personal data held by an employer include:



• information on a job application form;



• salary and bank account details and other payroll information, such as dates of birth, national insurance number, address;



• payroll deduction information;



• an email about an incident involving you;



• your disciplinary record;



• your staff appraisal;



• your redundancy selection scores;



• your image on a CCTV recording; and



• your employer’s opinion of your performance expressed in a reference (see Chapter 3, page 72).



There is also a separate category under the DPA 98 known as sensitive personal data. This is information so private that the employer must meet a higher standard of protection. Clear and express informed consent is needed before an employer can process sensitive personal data. This is information about someone’s racial or ethnic origins, politics, religion, trade union membership, physical or mental health, sex life, sexual orientation or criminal (or alleged criminal) activities, proceedings or convictions.