Data Protection
Personal data and manual files
The news item dated 9 January 2004, entitled "Disclosure of personal data", described and commented on the decisions of the Court of Appeal in the Durant v FSA case. The court's decision clarified the meaning of the terms "personal data" and "relevant filing system" as used in the Data Protection Act 1998. In the context of requests from employees for disclosure of information held about them in an employer's computerised and manual records, the ruling is very helpful.
The Information Commissioner has now published revised guidance on the handling of subject access requests, based on the interpretation of the Appeal Court. The following extracts are useful:
Personal data
"Where an individual's name appears in information, the name will only be 'personal data' where its inclusion in the information affects the named individual's privacy. Simply because an individual's name appears on a document, the information contained in that document will not necessarily be personal data about the named individual.
Provided the information in question can be linked to an identifiable individual the following are examples of personal data:
- information about the medical history of an individual;
- an individual's salary details;
These types of information may be contrasted with the following examples of information which will not normally be personal data:
- mere reference to a person's name where the name is not associated with any other personal information;
- incidental mention in the minutes of a business meeting of an individual's attendance at that meeting in an official capacity; or
- where an individual's name appears on a document or e-mail indicating only that it has been sent or copied to that particular individual, the content of that document or e-mail does not amount to personal data about the individual unless there is other information about the individual within it.
Manual files
Where manual files fall within the definition of relevant filing system, the content will either be so sub-divided as to allow the searcher to go straight to the correct category and retrieve the information requested without a manual search, or will be so indexed as to allow a searcher to go directly to the relevant page/s.
A filing system containing files about individuals, or topics about individuals, where the content of each file is structured purely in chronological order will not be a relevant filing system as the files are not appropriately structured/indexed/divided or referenced to allow the retrieval of personal data without leafing through the file.
Personnel files and other manual files using individuals' names or unique identifiers as the file names, which are sub-divided/indexed to allow retrieval of personal data without a manual search (such as, sickness, absence, contact details etc.), are likely to be held in a 'relevant filing system' for the purposes of the DPA. However, following the Durant judgment it is likely that very few manual files will be covered by the provisions of the DPA. Most information about individuals held in manual form does not, therefore, fall within the data protection regime."
(Source: http://www.informationcommissioner.gov.uk/cms/DocumentUploads...)
6 February 2004
Disclosure of personal data
The Data Protection Act 1998 (the "Act") provides, among other rights, the right of an individual, i.e. a data subject, to disclosure of personal data that is being processed by a data controller. A data controller could be the individual's bank, doctor, hospital, employer, etc. The data may be stored and processed on computer or in paper documents stored in a "relevant filing system".
It has generally been held that, if an employer receives a request for disclosure, it is necessary to trawl through all of the employer's computerised and paper files, wherever they are stored, and extract the relevant data and documents. One of the key purposes of the Act is to protect a data subject's rights to the privacy and accuracy of that individual's personal data held by data controllers. Meeting those rights can involve the employer in considerable work and may create problems where the disclosure of documents would breach the privacy of other data subjects.
The decision of the Court of Appeal on 8 December 2003 in the case of Durant -v- Financial Services Authority clarifies:
- the nature of the personal data that must be disclosed
- what is meant by a "relevant filing system", and
- the need to "redact", or edit, the personal data before providing it to the applicant.
(Source: www.courtservice.gov.uk/judgmentsfiles/j2136/durant-v-fsa.htm)
9 January 2004
Data Protection - monitoring at work
The Information Commissioner has published part 3 of The Employment Practices Data Protection Code, covering monitoring at work. The code explains the application of data protection law to the systematic or occasional monitoring of workers, e.g. collection of information at checkouts, recordings by CCTV, opening e-mails and listening to voice-mails, checking website logs, recording telephone calls.
Parts 1 and 2 of the Code of Practice explain the application of the Data Protection Act 1998 to recruitment and selection, and to employment records. Part 4, on medical records, is yet to be published.
At the same time, the TUC published its own guide for workers on the implications for them of the new code of practice. It is available on the TUC's workSMART web site.
(Sources: www.dataprotection.gov.uk/dpr/dpdoc.nsf/ed1e7ff5... and www.worksmart.org.uk/rights/viewsubsection.php?sun=57)
20 June 2003
Payroll records and Data Protection
The Employment Practices Data Protection Code is being published by the Information Commissioner in stages and Part 2, dealing with "records management", was published in September. As all information held in a payroll is "personal data" and falls within the scope of the Data Protection Act 1998, everyone working in payroll should make themselves familiar with the way in which the Commissioner interprets the legislation. For example, a key benchmark in the code is that businesses should "ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer's policies and procedures".
The following are some of the areas highlighted in the Code that are of particular concern for payroll.
- Some employers, commonly in the public sector, use payroll records to prevent and detect fraud by matching the payroll data with data held for the payment of benefits. To comply with the Act, payroll data should not be given to other organisations for data matching purposes unless
  - the disclosure is required by law, or
  - failure to disclose in a particular case is likely to prejudice the prevention or detection of crime, or
  - the disclosure is provided for in workers' contracts of employment.
- Some of the personal data processed in the payroll is defined as "sensitive" and its use must be justified by one or more of a number of statutory conditions. Payroll offices should ensure that they meet the conditions for processing such information as:
  - trade union membership details, used for making check-off deductions
  - sickness records, used for the payment of SSP and occupational sick pay
  - information about offences, in connection with court orders for fines.
- Some employers use payroll information to send marketing information to employees. This is not illegal, but employers must be aware of the circumstances in which employees must be given the opportunity to "opt-in" or "opt-out" of such arrangements.
- If an employer uses another organisation, such as a bureau, firm of accountants, or a sister company in the same group, to process the payroll, the employer must ensure that the "data processor" has adopted appropriate security measures in handling the employer's data and should have a contract in place that requires the data to be processed only to the employer's instructions.
A copy of the new Code of Practice is available at www.dataprotection.gov.uk/dpr/dpdoc.nsf.
Payroll Briefing 7 - 26 September 2002
Next section of Data Protection Code published
The Information Commissioner's office is publishing the final Employment Practices Data Protection Code in four parts. The original intention was to publish each section a month apart on the Internet, starting in March 2002, and finally publish the full Code in booklet form.
The first section, giving guidance on the application of the Data Protection Act on recruitment and selection practices, was released in March. The third section, tackling the contentious subject of monitoring of employees in the workplace, has been published in draft form, pending feedback from the latest round of consultation. There is no sign yet of the final two sections.
The current documents are available at www.dataprotection.gov.uk/dpr/dpdoc.nsf.
Payroll Briefing 5 - 28 August 2002
Data Protection code of practice
In October 2000, the Information Commissioner published a comprehensive draft code of practice on the application of the Data Protection Act 1998 in the context of employment. It was the subject of extensive consultation and the final code of practice is now being published on the Internet in four monthly instalments. A final paper version of The Employment Practices Code of Practice will appear when all four booklets have been completed.
Part 1 of the code is available on the Information Commissioner's website, at www.dataprotection.gov.uk. It concentrates on the application of the data protection principles, including the processing of sensitive data, in the area of recruitment and selection and gives advice on advertising, applications, verification, short-listing, interviews, pre-employment vetting and the retention of recruitment records.
Payroll Briefing 222 - 24 April 2002