|
Notification and the Data Protection Register
The Information Commissioner maintains a public register to enable data subjects to see what data controllers are doing with the personal data they hold about them. The procedure that must be followed by data controllers is called "notification" and is generally done by completing pro-forma documents on the Commissioner's website. Each register entry must be renewed and updated annually, for which there is a £35 fee.
Each data controller's register entry is public and anyone can view the entry. For example, employees may look at their employer's entry to see what is held about them, what the employer does with the information, and, in particular, to whom their personal data is disclosed. Employees may make a complaint to the Commissioner if they believe that their personal data is being misused, for example, because the disclosure is to a recipient that is not shown in the register entry or is one that the employee has not personally authorised. This could lead to the employer being prosecuted.
To prevent the risk of prosecution, employers must ensure that all staff involved in any way with the processing of staff records, whether on computer or in paper files, have had the register entry explained to them and a copy of the register entry should always be available, in particular to check whether a particular disclosure is lawful. The employer, or any member of staff, can interrogate the register and download and print a copy of the relevant register entry.
Register entries with a "Staff Administration" section
Most register entries include a purpose that is entitled "Staff Administration". It is this section of the register entry that data controllers must tailor to describe the way in which staff records are used in their own individual organisation. There are five sections that detail the characteristics of each specific purpose for which personal data is being processed.
Purpose Description: The standard definition describes, in broad terms, the various activities that any organisation would be likely to perform in connection with employees and workers:
|
"appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller".
| |
Data subjects: In the context of staff administration, the persons whose personal data is being processed may be described as:
|
Staff including volunteers, agents, temporary and casual workers
Relatives, guardians and associates of the data subject
| |
Data classes: The general categories of personal data for employers, for example that might be found in a computerised personnel and payroll system, would typically be:
|
Personal Details
Family, Lifestyle and Social Circumstances
Education and Training Details
Employment Details
Financial Details
Racial or Ethnic Origin
Religious or Other Beliefs Of A Similar Nature
Trade Union Membership
Physical or Mental Health or Condition
| |
Sources and Disclosures: These describe the individuals or organisations from whom the personal data is obtained and to whom it is given. A typical list would be:
|
Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Current, past or prospective employers of the data subject
Education, training establishments and examining bodies
Suppliers, providers of goods or services
Financial organisations and advisers
Central Government
Employment and recruitment agencies
| |
Transfers: This requires a list of the countries to which personal data is transferred. The entry may say:
|
None outside the European Economic Area | |
In particular, it is the "data classes" and "sources and disclosures" sections that each data controller must adjust to reflect the realities of their own business.
It must be noted that the "staff administration" section is broader in its scope than just the processing of payroll data. It is likely, therefore, to include data classes, sources and disclosures that are relevant to personnel records.
Register entries without a "Staff Administration" section
However, not all register entries have a "Staff Administration" section. As defined in the DPA, there are three purposes for which personal data is processed that are common to all businesses. As long as a data controller is prepared to comply with a strictly defined range of activities, a data controller does not have to notify the following purposes:
- staff administration
- advertising, marketing and public relations
- accounts and records.
Therefore, if a data controller chooses not to notify processing for the purpose of staff administration, there will be no entry for that purpose in the register. It means, however, that the data controller's processing is limited to that defined in the DPA, namely
- the data subjects may be only those whose personal data is necessary for staff administration
- the data classes are limited to personal data necessary for staff administration
- disclosures are only made where necessary for staff administration, of where required by law, or otherwise with the data subject's authorisation
- the personal data is only kept after the data subject's contract ends for as long as is necessary for staff administration.
As there are no defined characteristics in this situation as there are when there is a register entry, it would be appropriate for the payroll department to make its own list of those data subjects, data classes and disclosures that the business believes are necessary for staff administration. The range would be quite limited, for example, the data classes would be limited to those required for payroll processing and administration, and the disclosures would be limited to those organisations to whom disclosure is a statutory requirement, such as the Inland Revenue and the courts. If this is too restrictive for an organisation, the alternative is to notify the purpose so that it appears in the register, and define its characteristics to suit the business requirements.
|
For Payroll and Human Resource Professionals
