Stuart Gentle Publisher at Onrec

Processing health information - preparing for impact assessments

How will HR professionals be affected by the Data Protection Act?

Stewart Room is a solicitor and non-practising barrister, an academic and a Data Protection Law specialist at Rowe Cohen Solicitors. He looks at how HR professionals are affected by the Data Protection Act.

The work of HR professionals brings them into regular contact with the Data Protection Act 1998. To recap, the Act regulates the processing of personal information relating to living individuals by Data Controllers, and many HR functions, for instance recruitment, disciplinary processes and employee appraisals, inevitably involve the processing of regulated information.

The past couple of years have seen a significant amount of data protection activity that is of direct concern to the HR world. For instance, in March 2002 the Information Commissioner published the first part of the Employment Practices Code, Recruitment and Selection. Since then the remaining three parts have been published: Part 2 - Employment Records, Part 3 - Monitoring at Work and, most recently, Part 4 - Information about Workers' Health. HR professionals need to be fully conversant with the Code if they are to keep their data processing activities within the boundaries set by the law.

So, what does Part 4 seek to achieve? Well, the Information Commissioner says that it aims to provide employers with clear and practical guidance about how to comply with data protection law when handling information about workers' health, and this is stated to include the operation of occupational health schemes, medical testing of workers, drug and alcohol testing and genetic testing in the workplace.

It is important to note that information about a person's health is classified as sensitive personal data under the Data Protection Act, and that it can only be processed if the eight Data Protection Principles are complied with and if a Schedule 3 condition is established. Sensitive information needs to be handled carefully due to the risk of harm to the individual that can flow from mishandling.

The eight Data Protection Principles provide a complete code for fair and lawful data processing and cover everything from the initial collection of information right through to its final destruction and deletion. Key elements within the Principles are that personal information should be adequate, kept up to date, relevant, should not be excessive, should not be processed in any manner incompatible with the purpose for which it was collected and should not be kept for longer than is necessary. In addition, appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against accidental loss, destruction or damage. Finally, personal information should not be transferred outside the European Economic Area to countries that do not ensure adequate protection for the rights and freedoms of Data Subjects in relation to the processing of their personal data.

As regards Schedule 3 of the Act, these are the conditions that make data processing lawful in the case of sensitive data such as health information. In the workplace the employer has relatively little room for manoeuvre where sensitive data is concerned, and in most cases it will be necessary to show that the Data Subject has given his explicit consent to the data processing activity. The need to obtain explicit consent should focus the HR professional's attention on the contents of company documents such as employment contracts, job application forms and workplace handbooks, as these are ideal vehicles for delivering important information about data protection in a clear and concise fashion.

The Code of Practice gives employers real help when dealing with employee health information and the issue of lawfulness, advising that once a Schedule 3 condition is satisfied the employer should consider carrying out an impact assessment in order to be clear that the benefits it gains from processing the employee's health information outweigh the invasion of privacy or any other adverse impacts. An impact assessment will:

1. Clearly identify the purpose for which health information is processed and the likely benefits flowing from the processing.
2. Identify any adverse impact.
3. Examine and consider alternatives to the processing of health information.
4. Take account of the legal obligations arising from the processing of health information.
5. Make a judgment on whether the processing of health information is justified.

An issue naturally at the forefront of the HR professional's mind is the legal status of the Code, because this is bound to have a bearing on the decision whether an impact assessment should be carried out. Fortunately, the Code itself gives very clear guidance on this important matter. It points out that the Code has been issued by the Information Commissioner pursuant to his powers under section 51 of the Data Protection Act, and it goes on to say that:

Any enforcement action would be based on a failure to meet the requirements of the Act itself. However, relevant parts of the Code are likely to be cited by the Commissioner in connection with any enforcement action that arises in relation to the processing of personal information in the employment context.

This should leave the HR professional under no illusions. In most cases an impact assessment will be required, and failure to comply with the Code is likely to be treated as evidence of the employer's breach of statutory duty.