
Avoiding the pitfalls in data protection

The use of personal data at work can be a sensitive issue. This summary provides an invaluable guide to the key features of the new draft Code of Practice on Data Protection.

By Joan Lewis and Linda Goldman

The new Data Protection draft code of practice covers a very wide range of standards and best practice on the use of personal data at work. This summary sets out examples of some of the key areas of particular interest to OH professionals. Our aim is to highlight the importance of this new code that is set to come into force later this year. A full copy of the code should be obtained from the Data Protection Commissioner so that full action plans can be made where necessary by management, human resources and OH departments.

The code, which is a large document, is useful as a general human resources and OH guide. It proposes a more restrictive approach than is apparent from the 1998 Act itself and indeed from the new Regulation of Investigatory Powers Act 2000 (RIP) and the Telecommunications (Lawful Business Practice) Regulations 2000. The code refers throughout to “employees” but makes special provision for contract and agency staff so that the same standards apply.

The table provides examples from the code. It gives a flavour of the wide range of standards covered by the draft that will have a direct effect on OH policies and practice.

Discipline and dismissal

Matters of discipline and dismissal are not set out in the table as these come within the ambit of all record keeping, particularly with reference to data being obtained and used fairly and lawfully (Principle 1). Also, retention of records of former employees is covered in most other areas of record-keeping.

The recommended time limits for keeping old records are shown below.

– Application form – duration of employment
– References received – 1 year
– Payment and tax information – 6 years
– Sickness records – 3 years
– Annual leave records – 2 years
– Unpaid or other special leave records – 3 years
– Appraisal or assessment records – 5 years
– Promotion or disciplinary records – 1 year from end of employment
– References or information enabling reference provision – 5 years from reference/end of employment
– Summary record of employment – 10 years from end of employment
– Records of accident or injury – 12 years from end of employment

Linda Goldman, LLB, BDS, is a barrister specialising in employment law and medico-legal matters, and training consultant to Advisory Training and Consulting Associates Ltd and Virtual Personnel. Joan Lewis, MA (Law & Employment Relations), is a consultant specialising in employment law and relations for ACT Associates & Virtual Personnel.

Data Protection Act 1998 – Occupational Health Notes

Principle 1: Data must be fairly and lawfully processed

Applicable to recruitment
Verification standards
– Give applicant the opportunity to rebut third-party information
Pre-employment vetting
– Only vet where a job offer is to be made
– Ensure vetting is specific to the job and the individual and no more
– Ensure compliance with at least one of the sensitive data conditions where data is sought about family or close associates
Retention of recruitment records
– Obtain informed consent to retention of records for use for a potential further vacancy

Applicable to employment records
Collection of information
– Inform new staff what information will be kept about them, where obtained, how used and circumstances where and to whom it may be disclosed
– Obtain informed consent to use of personal data
– Ensure that personal information is relevant and not excessive to the employment relationship
Maintaining records
– Ensure that personal information is relevant and not excessive to the employment relationship
Sickness records
– Only hold sickness records with explicit consent of the employee or if one of the other conditions for processing sensitive data is satisfied
– Explicit consent depends on each employee being told the extent of information that will be held in sickness records and how this will be used. Obtain evidence of consent
– Release of sickness records to managers should be limited to information reasonably required for management purposes
Occupational health schemes
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others

Applicable to medical testing
General standards
– Establish the specific business reason for testing
– Medical tests should be proportionate to the risk involved in failure to test, whether by risk to others or to the individual concerned or if in relation to a health benefit such as sick pay
– Pre-employment medicals are justifiable to determine whether an employee is fit for the particular job or if eligible to join a pension or insurance scheme
– Proportionate measures such as the use of a health questionnaire should be given first preference
– Only carry out tests on properly targeted employees unless blanket testing is justifiable

Principle 2: Data must be processed for limited purposes and not in any manner incompatible with those purposes

Applicable to recruitment
Retention of recruitment records
– Vetting information should be kept securely until complete then destroyed, save for keeping a record that vetting has been carried out

Applicable to employment records
Occupational health schemes
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others

Applicable to medical testing
General standards
– Establish the specific and genuine business reason for testing

Principle 3: Data must be adequate, relevant and not excessive

Applicable to recruitment
Application form standards
– Require minimal personal information specific to the job in question
– State if information is to be taken from other sources
Pre-employment vetting
– Only carry out vetting if all other criteria for making a job offer have been satisfied

Applicable to employment records
Tell new employees of their rights under the DPA 1998
Collection of information
– Obtain informed consent to use of personal data and ensure that personal information is relevant and not excessive to the employment relationship
Occupational health schemes
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others. Data must be processed in accordance with standards set out in the ethical guidelines of the Faculty of Occupational Medicine of the Royal College of Physicians

Applicable to medical testing
General standards
– Ensure testing is carried out as a necessary and proportionate matter to ensure there is no risk to health and safety of the individual or others or to secure a health benefit such as sick pay
– Pre-employment medicals are justifiable to determine whether an employee is fit for the particular job or if eligible to join a pension or insurance scheme
– Only carry out tests on properly targeted employees unless blanket testing is justifiable
– Drugs and alcohol testing should be part of a voluntary programme for detection of abuse
– Substance testing should be by properly qualified persons

Principle 4: Data must be accurate

Applicable to recruitment
Verification standards
– Give applicant the opportunity to rebut third-party information
Vetting
– Ensure vetting is specific to the job and the individual and no more
– Attempt to ensure accuracy where there is justification for obtaining information about the applicant’s family or close associates, as it will be difficult for them to rebut

Applicable to employment records
Maintaining records
– Ensure information in employee records is accurate and up to date. Good practice: provide every employee with a copy of his/her basic record annually and ask for identification of inaccuracies and what amendments are needed
– Incorporate accuracy, consistency and validity checks
– Require emergency contact, not “next of kin”

Applicable to medical testing
General standards
– Testing for drugs and alcohol should be by properly qualified persons (the Commission refers to tests of “the highest technical quality” and to interpretation of results by a medically qualified person competent in the field of drug testing)

Principle 5: Data must not be kept for longer than necessary

Applicable to recruitment
Retention of recruitment records
– Establish and adhere to retention periods for recruitment records where they need to be kept for business purposes. Suggested retention periods: 4 months from the date of confirmation of an unsuccessful application; 4 months from the date of confirmation that another candidate was appointed to a shortlisted position
– Vetting information should be kept securely until complete then destroyed, save for keeping a record that vetting has been carried out

Principle 6: Data must be processed in accordance with the rights of the individual

Applicable to access and disclosure
Subject access
– Ensure that information is available within 40 days of the request being made and on receipt of the current £10 fee
– Ensure that information is only released to the actual data subject
– Provide information on file with reasons for why it is kept and explanation of any otherwise unintelligible terms
– Ensure information is not provided which identifies other persons unless the third party consents to its release
References
– Ensure identity of third party is not revealed
– If third-party information is integral to the reference, special procedures are set out in the code appendix allowing for consent by the third party or the overriding interest of the data subject

Principle 7: Data must be kept securely

Applicable to recruitment
Application form standards
– Provide secure method of transmission for on-line applications
– State for whom data is being provided and how it will be used

Applicable to retention of records generally
Standards of keeping sickness records
– Release of sickness records to managers should be limited to information reasonably required for management purposes
Standards of security
– Apply proper security standards as identified in BS7799 to protect from risk of accidental or unauthorised intervention leading to loss or destruction of or damage to employment records
– Use system and password controls for information to be released to defined persons on a “need to know” basis
– Maintain a log and audit trail of all access to the records
– Ensure reliability of staff having access to records
– Unauthorised or otherwise improper access to records is a serious disciplinary offence and may also constitute a criminal offence
– Take stringent precautions when transmitting data by e-mail or fax to ensure security encryption and receipt by the individual addressee
Occupational health schemes
COMPLIANCE IS REQUIRED WITH THE STANDARDS SET OUT BY THE FACULTY OF OCCUPATIONAL MEDICINE
– Obtain written consent to processing of data concerned with health. The employee must know the extent to which information given to a health professional directly or indirectly is made available to and used by others
– Security measures to be appropriate to the nature of sensitive data processed in connection with an occupational health scheme. Information should not be released even to occupational health professionals unless on a “need to know” basis

Applicable to access to records
Disclosure of references
– Confidential references should not be given without the express consent of the subject to disclosure of the reference
Disclosure requests
– Clear policies should be established and adhered to so as to ensure disclosure is only made to the proper subject who is entitled to access. Security measures include only accepting written requests and informing the Commissioner where it is suspected that an attempt is being made to obtain information by deception: remember that there is no legal requirement to disclose even where a failure to do so would prejudice crime and taxation
– Disclosure should be by staff trained in data protection procedures
– Records should be kept of non-routine disclosures
– Disclosure records should be checked and procedures updated regularly
– Remind staff regularly that disclosure to the wrong person is a criminal offence. It should be a disciplinary offence as well. Errors or deliberate releases of information should be reported to the Commissioner

Principle 8: Data must not be transferred to countries which do not have adequate protection

Exercise particular caution with any information transfers outside the European Economic Area and seek permission from employees in these circumstances.

On 1 Feb 2001 in Personnel Today