commercial property
commercial litigation
company & commercial law
employment law
debt collection
corporate tax services
VAT consultancy
notary public services
agricultural & rural affairs
taxation farms & landed estates
charities
trusts
employment law
rural disputes
Data protection
Published August 2007
Is your HR department up to speed?
Over the past three years the Information Commissioner who supervises practices under the Data Protection Act 1998 has issued a code for employers.
The code includes guidance on the use of personal data for employees with their consent. Personal data are defined as data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of or likely to come into the possession of the employer.
There is a sub category of personal data namely “sensitive personal data” which relates to matters such as race or ethnic origin, political opinions, religious beliefs, trade union membership, disability, criminal record and sexual behaviour.
The Commissioner makes it clear that there are limitations to the extent to which employers can rely on consent to justify processing sensitive personal data.
In the first place there must be explicit consent i.e. the employee has to be asked on each occasion whether or not they consent to the collection and processing of the data in question. Any form of blanket consent given at the outset of employment in the contract of employment or other documentation cannot be relied on.
In addition the consent must be freely given i.e. the employee must have been told what personal data involved and have been properly informed about the use that will be made of them. No penalty should be imposed for a refusal to give consent.
This can give rise to a problem with regard to sickness and injury and absence records. There is a distinction between “sickness and injury” records which contain medical details specific to individual employees and “absence” records which are no more than a record of the fact that an employee has been present or absent on any particular day. Sickness and injury records constitute sensitive personal data whereas absence records are just ordinary personal data.
An employee’s explicit consent will therefore be required in order to process sickness or injury records and as will be clear from the above, an employee might not be able to genuinely give free consent to the processing of these types of records because many employers impose potential disciplinary penalties for failure to provide medical certificates.
However, employers can disclose sensitive personal data if other data processing conditions are satisfied, particularly where an employer has to do this to comply with its legal obligations to ensure the health and safety and welfare at work of its workforce, selecting safe and competent workers, ensuring a safe working environment and eliminating discrimination on the basis of race, sex, disability, religion or sexual orientation. It is also entitled to do this when it is considering reasonable adjustments to the workplace to accommodate workers with disabilities and in connection with the supplying of information on accident in the workplace. It can also rely on this to prevent workers working when unfit through drink or drugs and in connection with its obligation not to dismiss workers when it is unfair to do so.
In practical terms employers also have to comply with the provisions of the Access to Medical Reports Act 1988 in that they have to notify the worker and obtain his or her consent to any request for a medical report.
The code also makes it clear that drug and alcohol testing is unlikely to be justified unless it was for health and safety reasons and random testing in particular is unlikely to be justified except where the worker’s job is safety critical. However, in our view testing where the employer has a reasonable suspicion is using drugs or alcohol is more likely to be justified, depending on the circumstances.
The obligations on an employer under the Data Protection Act 1998 are quite onerous and HR Departments need to ensure that they are up to speed with these requirements.
If you would like to find out more about the services that we provide, please e-mail or contact us to arrange a meeting.
