6.11 Data protection

Many employers will need to be registered as data controllers with the Information Commissioners office, by completing a form and paying the appropriate fee. Their details will then appear on the Register.

Data does not just cover information held on computers but also that which is stored in a “relevant filing system” in other words, a drawer or room containing a set of personnel records will be covered, as will on-line records and email folders. Personal data is any information from which an individual could be identified, either on its own or in conjunction with other information, and will include recordings such as CCTV footage. Sensitive personal data is, as the name suggests, of a more intimate nature and includes medical and criminal records and political beliefs.

Employers must process employee records “fairly and lawfully”. “Processing” data includes storage, alteration and deletion of records, so that almost any activity relating to personal data carried out by a data controller will amount to processing. When data is “processed”, it must be done in accordance with the eight data protection principles.

If an employee makes a subject access request, the employer may require them to pay a small fee for administration of the request, and then provide copies of personal data held in relevant filing systems. There is a limited period within which to provide the data and some of it may be exempt, so it is important for employers to act quickly on receipt of any request so that what must and what may not be disclosed can be properly considered.