Data Protection in payroll (part 3)

Information Security

by Ian Congreave, published in the 4 July 2001 issue of Payroll Briefing.

In the last of his series of articles about how payroll departments can comply with the new data protection legislation, Ian Congreave provides a checklist of those aspects of the Data Protection Act 1998 that will come into force from 24 November 2001 and, in some cases, much later.


Introduction


For many employers, the first significant date for compliance with the Data Protection Act 1998 (DPA) will be 24 October 2001, although those whose three-year registrations under the 1984 Act have expired will already have had to follow the new notification procedures and pay their annual £35 charge.

There are two transitional periods during which the DPA's provisions are brought into force in stages. The first period runs from 24 October 1998 to 23 October 2001. The second period continues from 24 October 2001 to 23 October 2007.


Computerised Personal Data


24 October 1998 to 23 October 2001

The first transition period applies only to computerised personal data that was already being processed on 24 October 1998. Processing of new personal data after that date, perhaps because an employer is computerising personnel and payroll records for the first time, must comply in full with all of the requirements of the DPA.

Otherwise, employers must comply with all of the Data Protection Principles and other obligations, other than those described below to which the first transition period applies.

24 October 2001

The DPA provisions that come into effect from 24 October 2001 are:

1) for processing to be "fair" (Principle 1), data subjects, i.e. employees, must be given: the identity of the data controller, i.e. the employer who will process the data; the name of any nominated representative; and the purposes for which the data is to be processed (Schedule 1, Part II)

2) for processing to be "lawful" (Principle 1), processing must be justified by identifying one or more precisely defined conditions (Schedule 2)

3) if the data being processed is "sensitive", e.g. illness records, processing must also be justified by identifying one or more further defined conditions (Schedule 3)

4) for data to be securely protected (Principle 7), if a payroll bureau runs the payroll, the processing must be carried out under a written contract that requires the bureau to act only on instructions from the employer (Schedule 1, Part II)

5) personal data may only be transferred within the European Economic Area or to a country that has an equivalent level of data protection (Principle 8), unless one or more defined conditions apply (Schedule 4)

6) if asked in writing by an employee to see personal data that is being processed about that employee, in addition to being given a copy of the data (a requirement already in force), the employer must explain the purposes for which the data is being processed, identify the recipients to whom they may be disclosed, identify anything that is known about the source of the data, and, if applicable, provide an explanation of the logic that is used to make decisions about the employee (Section 7)

7) the right of an employee to require, in writing, the employer to stop processing any personal data that is causing substantial distress or damage to the employee or to someone else, or to stop any processing for the purpose of direct marketing (Sections 10 and 11)

8) the right of an employee to require, in writing, the employer not to take any decisions that are based solely on automated processing, e.g. selection for promotion based on scoring the employees' qualifications or skills (Section 12)

9) entitlement for employees to receive compensation at law for damage caused to them because the employer has contravened any requirement of the DPA, other than in certain defined situations (Section 13)

24 October 2007

The only implications for computerised records in 2007 affect some medical, educational and public records, and some information held by public authorities. All other computerised personal data must comply with the DPA in full by 24 October 2001.


Manual Personal Data


24 October 1998 to 23 October 2001

As with computerised personal data, the first transition period applies only to manual personal data held in a "relevant filing system" that was already being processed on 24 October 1998. Processing of data in new personal record files after that date, perhaps because a new employer is setting up employee files for the first time, must comply in full with all of the requirements of the DPA.

Otherwise, during the first transition period, manual records are not subject to any of the Data Protection Principles, or to the notification requirements of the DPA, or to any of the rights of data subjects that apply to computerised personal data.

24 October 2001

The DPA provisions that come into effect from 24 October 2001 are:

1) for processing to be "fair" (Principle 1), data subjects, i.e. employees, must be given: the identity of the data controller, i.e. the employer who will process the data; the name of any nominated representative; and the purposes for which the data is to be processed (Schedule 1, Part II)

2) personal data must be processed in accordance with the rights of employees as set out in the DPA (Principle 6)

3) appropriate technical and organisational measures must be taken to protect the security of personal data (Principle 7)

4) personal data may only be transferred within the European Economic Area or to a country that has an equivalent level of data protection (Principle 8), unless one or more defined conditions apply (Schedule 4)

5) almost all of the rights of data subjects, including: the right of access (Section 7); the right to prevent processing likely to cause damage or distress (Section 10); the right to prevent processing for direct marketing (Section 11); the right to require the employer not to take any decisions that are based solely on automated processing (Section 12); the right to require the employer to correct or destroy data that is inaccurate or incomplete or that is held contrary to the legitimate purposes of the employer (Section 12A); the right to receive compensation at law (Section 13)

24 October 2007

1) for processing to be "lawful" (Principle 1), processing must be justified by identifying one or more precisely defined conditions (Schedule 2)

2) if the data being processed is "sensitive", e.g. illness records, processing must also be justified by identifying one or more further defined conditions (Schedule 3)

3) personal data may only be processed for lawful purposes and not processed in any way incompatible with those purposes (Principle 2)

4) personal data must be adequate, relevant and not excessive in relation to the purposes for which it is processed (Principle 3)

5) personal data must be accurate and, where necessary, up-to-date (Principle 4)

6) personal data may not be kept for longer than is necessary for their purpose (Principle 5)

7) the power of a court to order that personal data be corrected or destroyed if the court believes it to be inaccurate (Section 14)


In Conclusion


The checklists provided here give only a general description of the issues that employers must consider in the context of payroll and personnel by October this year, and of those relating to manual paper files, which have a lower priority because they are not enforceable for another six years.

Some of the matters covered here were discussed in more detail in articles in issues 186 and 188 of Payroll Briefing.

If the reader feels that any particular point requires further investigation, the following publications of the Data Protection Commissioner may be of use:

- Draft Code of Practice on the use of personal data in employer/employee relationships. This is currently available in draft format, but is due to be published in instalments during the second half of 2001.

- A range of documents available on the Commissioner's website, at www.dataprotection.gov.uk/dpr/dpdoc.nsf .



Copyright © 2009 PayPerShop Ltd - Payroll, Human Resources (HR) & Payroll Taxes
