How personal is personal data?

(First published in Payroll Manager's Review, January 2006)


Since 1 January 2005, individuals have been able to request information held by a public authority (e.g. a local council) under the Freedom of Information Act 2000 (FIA). The authority must usually respond within 20 working days. The FIA contains exemptions under which a public authority can refuse disclosure, for example on grounds of confidentiality or the protection of commercial interests.

Unlike the Data Protection Act 1998 (DPA), which is primarily concerned with access to personal information, the aim of the FIA is to further a greater understanding of how public authorities carry out their duties and how they spend public money. It does not apply to private-sector employers, so employees in the private sector must rely on the DPA instead.

What is the Data Protection Act?

The DPA regulates the collection, storage, processing of and access to personal data.

What is personal information?

A recent Court of Appeal decision (Durant v Financial Services Authority [2003] EWCA Civ 1746) has confirmed that personal data is information about a living person which affects that person's privacy, whether in their personal or family life or in their business or professional capacity. This is limited to information that has the person as its focus, is biographical in a meaningful sense and identifies the person, whether by itself or together with other information in the organisation's possession. It therefore excludes documents in which the individual is only mentioned in passing.

The DPA also creates a subcategory of personal information called sensitive personal data. This includes information about an employee's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and the commission or alleged commission of any offence.

Who is regulated by the DPA?

A Data Controller is the person (individual, company or organisation) who decides why personal data is held and the way in which such data is dealt with. Eight principles regulate Data Controllers to ensure that personal data is processed fairly and lawfully, accurate, secure, not kept for longer than necessary, not excessive, processed only for specified purposes and not transferred outside the European Economic Area without adequate safeguards. An employer is regarded as a Data Controller and is therefore subject to the DPA and its disclosure rules. Anyone who runs an outsourced payroll service is a Data Processor, acting on the employer's instructions, and is not obliged to disclose information to the employees directly.

Do you need consent?

An employer is not required to seek an employee's prior consent to collect and retain most employment records. It will usually suffice to inform employees which records will be maintained, for what purpose, and the nature of any disclosure. The most effective way to do this is to have a written Data Protection Policy.

If an employer passes data to a third party to process on its behalf, the third party becomes a Data Processor and the employer must ensure that the Data Processor only processes personal information in accordance with the employer's specific instructions. The relationship should be governed by a written contract that obliges the processor to keep the data secure. If the information is to be processed abroad, additional provisions apply in respect of the security of that information.

Where sensitive personal data is concerned, explicit consent is generally required before the information can be processed, either internally or externally. It is advisable to include a provision in the employment contract in which the employee gives express consent to such processing. Unfortunately, such 'blanket' consent may not always be sufficient, as guidance produced by the Information Commissioner (the Guidance Document) notes that consent must be "freely given", and consent obtained as a condition of employment may not meet that test. Despite this, it is good practice to include such a provision, to make clear what sensitive personal data will be stored and processed, to explain why and, ideally, to explain that the employee can withdraw their consent to processing at any time.

The sensitive personal data most frequently processed for payroll purposes is sickness absence information. The Guidance Document recognises that employers will need to retain sickness records for the payment of sick pay. In this context consent is not required, as employers are using the information to comply with their legal obligations.

What rights do employees have?

All individuals have the right to make a written data subject access request to find out exactly what information is held about them. The request should be made to the employer (the Data Controller). The employer is entitled to charge a maximum fee of £10, and must respond within 40 calendar days of receiving the request (and the fee, if one is charged).

Where is the data kept?

Paper files

You only need to disclose documents which are held in a "relevant filing system". This refers to a manual filing system which allows files relating to an individual to be identified without a manual search, and which is structured and/or indexed so that the information requested can be easily located within the file. Unstructured files which do not indicate at the outset where specific personal data is located, and which could only be searched at great length or cost, fall outside the definition and are excluded from your search.

Computerised records

Personal information stored on a computer is treated as easily retrievable and should therefore be disclosed regardless of how it is stored or organised.

What information can I withhold?

References

You do not have to disclose a copy of a confidential reference you have given. However, an employee is, at least in theory, entitled to obtain a copy of the reference from the organisation that received it, since the exemption covers only the person who gave the reference.

Third-party information

You should take care not to disclose information relating to another individual without that individual's consent. You may have to delete names or other particulars by which the third party could be identified before disclosure. If identification cannot be prevented, you may still disclose the document provided that you take into account a number of factors, including any duty of confidentiality owed to the third party, any steps taken to seek their consent, whether they have expressly refused consent and the reasons given.

Other exemptions

You are not required to disclose information about management forecasting or planning where disclosure would be likely to prejudice the conduct of the business; information about negotiations with a worker where access would be likely to prejudice those negotiations; or information processed for the prevention or detection of crime.

How long should/can I retain personal data for?

The DPA does not specify how long personal information can be retained but states that it may be kept only for 'as long as is necessary'. The Information Commissioner's Employment Practices Code recommends that standard retention periods be set for specific categories of information based on business need. Relevant factors for payroll data are HM Revenue & Customs requirements and the need to keep information to answer queries or defend claims.

Sarah Porter and Kalpany Murthy


Kemp Little LLP Solicitors, Cheapside House, 138 Cheapside, London, EC2V 6BJ
© 2011 Kemp Little LLP