The Law on Data Handling

The Data Protection Act 1998 (DPA) is the UK's implementation of a European Directive that is in operation across all of the EU states. The principal purpose of the DPA is to regulate "the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information." It provides a number of rights for the protection of individuals and imposes a number of obligations on those who process information about individuals.

The provisions of the DPA apply to personal data about data subjects, whether that data is processed by computer or held in paper files. At the centre of the DPA are eight data protection principles that provide, in effect, a code of practice that must be followed by anyone processing personal data.

All of the data held in personnel and payroll computer systems, and their supporting paper records, is personal data. As a result, employers must understand and apply the eight data protection principles and apply them in the way they handle personal data about their employees. This article will concentrate on the application of the principles to payroll data.

Understanding the technical terms

Data: This refers to information that is processed automatically, or recorded so that it can be processed automatically, or that is recorded in a "relevant filing system".

Personal data: This is data from which the identity of a "data subject" can be identified. In the context of payroll, personal data includes both permanent data about an employee, such as a national insurance number, and temporary data, such as the number of hours worked this week.

Data subject: This is a person about whom personal data is being processed. Examples are current employees, leavers, directors, casual workers and, if relevant, pensioners and subcontractors.

Relevant filing system: This refers to a collection of paper or microfilm records, in which documents are stored in a way that allows any personal data that they contain to be easily retrieved. A personnel wallet containing documents that are carefully filed under specific headings, so that any particular documents can be quickly found, is a relevant filing system. A collection of documents stored as images and indexed on a CD-ROM is also a relevant filing system. However, if documents are simply filed in no particular order or in date order, that is not a relevant filing system.

Processing: This is a broad term and relates to the storing of personal data in a computer or relevant filing system and anything that is done to it or with it subsequently. Even if the data is never used, the fact that it is available for use means that it is still being processed. Making the data inaccessible or deleting it is also processing.

Data controller: This is the individual or organisation that controls the way in which personal data is processed and that is responsible in law for the proper use of the data. In the context of payroll, the data controller is the employer, even if the job of calculating and paying employees is given to a "data processor". Where payments are made to pensioners, the data controller is the organisation responsible for the pension fund. If the employer makes the payments to its former employees, the employer is a "data processor".

Data processor: This is a person or organisation that processes personal data on behalf of the data controller. In the payroll context, this would be payroll bureaux, accountants and bookkeepers who provide payroll services for their clients. The term also applies to employers who process payroll on behalf of other data controllers in the same group of companies, or on behalf of a pension fund.

Notification: This is the requirement of the DPA for data controllers to inform the office of the Information Commissioner that they are processing personal data and to have that information recorded in a public register. As part of the notification process, data controllers must define

• data classes, i.e. the categories of personal data that are being processed,
• the purpose for which personal data is being processed, e.g. staff administration
• the recipients to whom the data controller wishes to disclose personal data, e.g. a data subject's previous or future employers.

Subject access: This is one of, and perhaps the most important of, the various rights that data subjects are given in the DPA. It is the statutory right for data subjects to see personal data that is being processed by a data controller about them.

Information Commissioner: This is the person appointed by Parliament to oversee the operation of the DPA and the Freedom of Information Act 2000. The Commissioner has powers to bring prosecutions for breach of the DPA rules and also develops codes of practice to explain the practical application of the DPA.