A recent article in the news has highlighted the scope of the rights of employees to obtain personal data under the Data Protection Act 1998. From previous experience, both employers and employees (and sometimes legal advisers as well) have a weak grasp of the rights and obligations conferred by the Data Protection Act 1998. This post will therefore look at these rights and obligations and consider what an employee should do if they wish to obtain personal data from their employer (or, as in the case above, ex-employer).
The Data Protection Act 1998
The Data Protection Act 1998 (“DPA”) implements the EC Data Directive. Under the DPA an Information Commissioner must be appointed who has the power to enforce the DPA and issue Codes and Guidance on the DPA. An important point to note is that the DPA isn’t a “stand-alone” piece of legislation – it must be interpreted with reference to the Human Rights Act 1998 (“HRA”), specifically sections 8 and 10 (privacy and freedom of expression, respectively).
What does the DPA cover?
The DPA provides data protection controls for data that an employer holds. It covers the processing (obtaining, use, disclosure, deletion etc.) of data by the data controller (the employer) that refers to the data subject (the worker).
“Data” is defined as any information which is stored on automated systems or manual information which forms part of an accessible record. If it is a public authority which is being subjected to a subject access request then the worker has the right to see even unstructured data (if it’s not too expensive). If the employer is not a public authority then the situation’s a bit more complicated. If the data is stored on an automated file then the worker will normally have the right to see such data. If the file is a ‘manual’ file (i.e. stored in a manila file or in a ring binder etc.) then the data will only be available if the file is so well organised that a new temp could extract the specific information without leafing through the whole file. The long and the short of this is that if an employer is extremely disorganised they may escape from the DPA provisions! However, the employer probably won’t stay in business for long.
“Personal data” is data that relates to a worker who can be identified from the data alone or taken together with other information that the employer has. The data must focus on the worker, not simply refer to them.
“Sensitive personal data” is personal data that contains information on a worker’s race or ethnic origins, political opinions, religious belief, sexual health etc.
The Data Protection Principles
The data controller has an obligation to comply with the eight principles of the DPA (the “DPPs”). These eight principles are, in order:
1. To process data fairly and lawfully and to meet the conditions set out in the DPA (Schedule 2)
To process data the data controller must obtain the worker’s specific, unpressurised and informed consent. [N.B. How unpressurised a worker is in a work situation is always a moot point. There will always be an asymmetry of power in such a relationship]. The data controller also has the right to process the data if necessary for a number of reasons (performance of the contract of employment or to meet a non-contractual obligation of the data controller etc.). If the processing of data would refer to sensitive personal data of the data subject then the data controller must obtain explicit consent.
2. Obtain and process data for only specified and lawful purposes
3. Hold data only where relevant and not excessive to the purpose
4. Data should be accurate and up to date
5. Not to keep data longer than necessary
6. Process data in accordance with the rights of data subjects
7. To take measures to prevent the unauthorised processing of data and against accidental loss
8. Not to transfer data outside of the European Economic Area unless to a country which has adequate data protection and controls
Useful guidance on the application of the above is given by the Employment Practices Code, which is issued by the Information Commissioner. This has 4 parts relating to various data:
1. Data on recruitment and selection
2. Employment records
3. Monitoring at work
4. Information about a worker’s health
Obtaining access to personal data by a data subject
If a data subject wishes to obtain their personal data from a data controller they have the right to make a subject access request. They must make a written request to the data controller requesting access to the personal data and are liable to pay a £10 fee for this (in most circumstances, although if it applies to education or health records then the fee can be higher). If the data controller refuses to comply then the data subject must make an application to the High Court or a County Court or they can alternatively apply to the Information Commissioner for an assessment.
Data subjects are not entitled to see the following personal data:
1. Employment references and other references given by their own employer
2. Documents which are legally privileged
3. Data which relates to an employer’s negotiations with a worker
4. Data which relates to management planning (if it may prejudice the running of the employer’s business)
5. Data concerning a worker’s health if it would be likely to cause serious harm to their health or anyone else’s
Enforcement of the data subject’s rights
If the data controller (the employer) doesn’t comply with the data subject’s rights then the data subject (the employee) has two means of enforcement:
1. An application to the High Court or County Court; or
2. An application to the Information Commissioner to request an assessment under s.42 DPA 1998
An important point to note is that the Information Commissioner can order compliance with the DPA but cannot award compensation. This can only be achieved through the Court process. Data subjects therefore need to carefully consider what their desired outcome is and whether the non-compliance with the DPA has caused them any compensable loss or distress.
Is a report on dismissal subject to the DPA?
In the above article the data subject is attempting to gain access to the report on her dismissal.
The report is clearly “personal data”. It would focus on her and should be kept on record by her employer (the data controller). The fact that her ex-employer is refusing to disclose the data would suggest that they do still possess a copy of the report and that it is obtainable.
In order to obtain this personal data the data subject would have made a subject access request in writing to the data controller. This has clearly been turned down, either with or without reason. To do so without referring to a specific exception is a bit of a dangerous game to play, so one would imagine that the data controller has referred to one of the exceptions as the reason for refusing – presumably that it either concerns management planning or concerns the employer’s intentions in a situation where they are negotiating with a worker. The latter objection seems a bit weak so it is probably the former.
As the data controller has refused to comply with the request the data subject (the worker) seems to have made an application through Her Majesty’s Court System to obtain the data.
What the outcome will be is subject to (obviously) whether the relevant Judge believes that the personal data falls within an exception or not. However, the important point to take away from this is that data subjects have extensive rights regarding the processing of their personal data at work and that they have the right to obtain this personal data if it doesn’t fall within an exception. Such information can sometimes make or break an Employment Tribunal case relating to unfair dismissal or discrimination – don’t neglect to consider a subject access request if you need access to data.