Data Protection in payroll (part 2)

Information Security

by Ian Congreave, published in the 13 October 2000 issue of Payroll Briefing.

In the second of his series of articles about how payroll departments can comply with the new data protection legislation, Ian Congreave considers the concept of "lawful" processing and the new definition of "sensitive" data.

The first of the eight data protection principles in the Data Protection Act 1998 sets out an extended definition of what constitutes "lawful" processing. "Processing" is any action performed on computerised or manual data, including recording, amending, disclosing and deleting it. As all data held in a computerised payroll system is personal data, it is essential that data controllers, the organisations that own and control the data, satisfy themselves that their processing is lawful. This is true even if the data controller has taken advantage of the exemption from notification that applies to some payroll processing. (See Part 1 article)

The first requirement is that the processing satisfies at least one of six specified conditions. Two are easily satisfied in the context of payroll processing, i.e. that the processing is necessary under:

1) a contract to which the data subject is a party
2) a legal obligation to which the data controller is subject.

There is clearly no problem with payroll processing; the employer has a contractual obligation to calculate and make the payments and has a statutory obligation to operate PAYE.

Sensitive data

However, a potential problem arises if payroll records and the computerised payroll system contain any items of information that fall within the new category of "sensitive" data. In general, data items held about employees in a payroll system are only there because they are needed to run the payroll and meet statutory recording requirements. Personnel systems, however, contain a wide variety of personal information about employees, some of which is used to make significant decisions about each individual's employment. Data that could potentially be used to an employee's detriment is classified as "sensitive" and, to safeguard the employee, may only be processed if it meets at least one of ten further conditions.

The eight categories of sensitive data are:

• racial or ethnic origin
• political opinions
• religious or other similar beliefs
• membership of a trade union
• physical or mental health or condition
• sexual life
• actual or alleged offences
• information about the proceedings for any such offence and their result

Not all personnel systems contain all of this information about employees, although every category could be relevant in the context of some employments. Only two of the categories are to be found in some payroll systems, namely trade union membership, used for check-off deductions, and health information, stored in some SSP systems and in manual record files. The issue for payroll departments, therefore, is whether or not they can identify at least one of the ten further conditions that would allow them to continue processing such sensitive data.

Trade union membership

If the payroll system records the fact that employees are members of a trade union, or identifies the trade unions to which they belong, there is the potential for detrimental treatment. The data is viewed as "sensitive" because it could be used to make adverse employment decisions about the employees.

However, the processing of trade union membership information in the payroll context is readily justified. One of the ten conditions is that the data subject has given 'explicit' consent to the processing of the personal data. Check-off deductions through the payroll are only lawful if the employee has given written consent, as required by the 'protection of wages' provisions of the Employment Rights Act 1996. In every case, therefore, there should be an existing document providing explicit consent for the employer to deduct union dues. However, the employer must consider whether or not that document can reasonably be taken to give 'explicit' consent to the processing required to make those deductions. It may be necessary to talk to the trade union(s) involved and, if necessary, arrange for new documents to be signed, specifically authorising both the deductions and the processing.

Health records

Although general information about an applicant's health may be provided on an application form, any information that is kept as part of an employee's health record is considered to be "sensitive" data. It too could be used to the employee's detriment, even to the extent of dismissal.

Many businesses simply file self-certificates and doctor's statements, once the decision has been made whether or not to pay SSP to the individual concerned. That person's record file may be full of old documents, perhaps going back many years. Other employers have payroll systems that allow the dates of an illness to be recorded, along with some sort of code to identify the nature of the illness that caused the absence. Under the new legislation, it may be possible to justify the retention of the documents for a limited period, but probably impossible to justify the processing of health information within the computerised system. Even if the payroll system doesn't hold the data, it is likely that a personnel system maintains health records as part of an attendance module.

Of the ten conditions set out to justify the processing of health records, only two have some relevance. It is not likely that an employer would be able to obtain specific consent and any term in the employment contract authorising the employer to keep such records could not be viewed as giving "specific" consent.

One of the ten conditions allows processing where it "is necessary for medical purposes (including the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services) and is undertaken by … a health professional". In a work environment where there are dangerous materials or processes, a doctor may be permanently on-site and have access to computerised information about the health of the workers. It is not likely that such information would be stored in a payroll system and, in any event, the retention of health records within an SSP system cannot be described as being for "medical purposes".

Another condition permits sensitive data to be processed where "the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment." To satisfy this condition, the employer would have to identify the statutory obligation that required the personal data to be processed. The legislation for Statutory Sick Pay requires employers to keep records only of:

• dates of PIWs reported by the employee, and
• all payments of SSP made during a PIW,

for at least three years after the end of the tax year to which they relate.

The Revenue (Booklet CA30, page 56) recommends that doctor's statements and other certificates be kept or, otherwise, that the following be recorded:

• the date the doctor signed the statement
• the date the statement was received
• the period covered by the statement
• the nature of the illness.

This advice may now be out of line with the law. Recording "the nature of the illness" because the Revenue recommends it is not an "obligation imposed by law". Employers should, therefore, consider carefully whether or not it is legally possible for them to record employees' illnesses on computer. Even if it is felt that the original paper documents should be kept in the employee's file, they should be disposed of after the statutory three years is up.

Compliance

If an employer processes "sensitive" data for the first time after 24 October 1998, the lawful processing rules apply immediately. Otherwise, they apply to all processing that takes place after 24 October 2001.

With regard to manual paper files, the lawful processing rules also apply immediately to new sets of files created after 24 October 1998. From 24 October 2001, they apply to new documents added to files created before 24 October 1998. Only from 24 October 2007 do the rules apply to all manual filing systems.

The Data Protection Commissioner's published advice is that data controllers should ask themselves "Do I have legitimate grounds for my processing operations? Once the Act is in force, subject to any transitional relief, data controllers will need to consider the legitimate basis for current and future processing. Failure to meet at least one of the conditions will mean the processing is in breach of the first Principle and therefore subject to possible enforcement action."

