LRD guides and handbook November 2015

Monitoring and surveillance at work - a practical guide for trade union reps

Chapter 7

Protection of personal information 


[ch 7: pages 59-61]

The Data Protection Act 1998 (DPA) regulates the processing of data about individuals in employment. 


What is personal data?


“Personal data” is any information from which a worker can be identified, either on its own or when viewed alongside other information held by the employer, and which affects an employee’s privacy. Personal data may be held on paper, stored on a computer system or processed through email, but to fall within the Act it must be readily retrievable. The DPA is aimed at computer records and electronic filing systems, but it also covers a manual filing system, provided it is organised in a logical way that allows information to be extracted quickly and with minimum effort.


Employers and other bodies which make decisions on how personal data will be used and what they are to be used for are classified as “data controllers” under the DPA. Depending on the type of organisation, and type of data collected, they may need to register with the Information Commissioner’s Office (ICO) and notify it of the intended data processing activities. Various exemptions apply, for example, for normal staff administration.


As the TUC points out in its guide to privacy at work: “Occasional references to you in a set of minutes from a team meeting, for example, are unlikely to count as personal information. Neither will information about the workforce that has been anonymised in a way that makes it impossible to identify any individual”.


Common examples of personal data held by an employer include:

• information supplied on an application form;
• details of salary and bank account;
• an email about an incident involving you;
• details of your disciplinary record;
• an assessment of your work performance in a staff appraisal form;
• your scores on a redundancy matrix;
• your image on a CCTV or video recording;
• an opinion your employer has expressed about you, e.g. about your promotion prospects; and
• information compiled by your employer about your use of the email or internet at work.


Sensitive personal data


There is a separate category of information known as “sensitive” personal data. This is information or “data” so private that the employer must meet a higher standard of protection. Sensitive information is information about an employee’s racial or ethnic origins, politics, religion, trade union membership, physical or mental health, sex life, sexual orientation, or criminal (or alleged criminal) activities, proceedings or convictions. 


The core data protection principles


The DPA is built around the following core “data protection principles” which an employer must follow:

• to process personal data fairly and lawfully and to meet at least one of two conditions set out in the Act, namely either (1) that specific, informed, unpressured consent has been obtained, or, if not, (2) that the processing is needed for one of the following purposes:
    – for the performance of the worker’s contract;
    – to meet any non-contractual employer obligations (for example, accident recording);
    – to protect a worker’s vital interests (for example, health);
    – for the administration of justice;
    – to protect the legitimate interests of the employer or others to whom the information is disclosed, unless this prejudices the worker’s own legitimate interests;
• to obtain and process data only for specified and lawful purposes;
• to hold only data that is adequate, relevant and not excessive, given its stated purpose;
• to ensure stored data is accurate and up-to-date;
• to ensure data is not kept longer than necessary;
• to process data in accordance with the rights of individuals;
• to take appropriate measures against unauthorised or unlawful processing, or accidental loss, damage or destruction of the data. This includes taking security measures to keep data safe and making sure third parties (for example, outsourcing companies responsible for paying wages) do the same; and
• not to transfer data outside the European Economic Area without ensuring its adequate protection.


For sensitive personal data, the employer must also meet at least one of the conditions set out in Schedule 3 of the Act, including express, informed consent. The Act contains an exemption to allow employers to collect data to monitor equality of opportunity, provided the exercise is carried out in a way that safeguards privacy (usually by anonymising results).


Morrisons leak highlights employer’s duty to keep staff personal data secure


A recent data leak involving supermarket chain Morrisons has highlighted the employer’s duty to keep information, such as employees’ personal identity details, including bank details, salary, national insurance number, date of birth and so on, secure and protected. 


Over 2,000 Morrisons employees are reportedly pursuing claims under privacy and data protection laws after a disgruntled ex-employee who used to work as an internal auditor leaked the personal information of around 100,000 staff on to the internet, leaving employees exposed to identity theft and fraud as well as damage to their credit rating.


Employers (as data controllers) are legally obliged to process data in compliance with the core data protection principles. These include a duty to use appropriate security measures to protect employees’ personal data from risks, including the risk of exposure to theft or hacking. The fact that a data breach is caused by someone who is not a current employee, for example an ex-employee, job applicant, agency worker, casual worker or volunteer, is no excuse. All employers should have proper data security policies in place and should regularly risk-assess their data processing systems, as well as carrying out full checks on the security standards of any third parties (such as salary outsourcing operations) before entrusting them with employees’ data. Any such arrangements should be reviewed regularly.


There should also be careful plans in place to enable the organisation to respond quickly in the event of any theft or leak of staff data, to minimise its impact. Especially in a workplace where a union is recognised, there should be employee involvement in drawing up written policies. Employers should also take steps to create adequate internal employee awareness of the importance of data security, including simple measures such as reminder stickers, notices and posters, as well as providing training on data security. 


Remember also that under the core data protection principles contained in the Data Protection Act 1998, an employer must not transfer data (including staff administration data) outside of the European Economic Area, unless to a country with adequate data protection and controls in place.