21 March 2005
Within the workplace, the Data Protection Act 1998 (the DPA) is concerned with information which an employer collects and keeps on any individual who works for them or who wants to do so or has done so. This covers current and former job applicants, current and former employees, agency staff and casual staff. It can also cover others such as volunteers and work experience students.
Not all information about these people falls within the DPA – in short, only information which identifies and focuses on a living person and which is stored on a computer or, in the case of paper records, in a clearly structured file, will be covered. In today’s increasingly computerised world, this means that more and more records are likely to be covered. In the meantime, any paper files that are relatively disorganised are unlikely to fall within the DPA provisions.
The DPA is supplemented by a weighty tome, catchily entitled "The Employment Practices Data Protection Code", but generally referred to as the Code of Practice, which has been produced by the Information Commissioner. The Code of Practice is not legally binding in itself but is likely to be taken into account by the courts and the Information Commissioner when considering any alleged breaches.
The Code of Practice is divided into four main parts, the last of which (Part 4) was issued in December 2004. The now complete Code of Practice covers:
Part 1 Recruitment and Selection
Part 2 Employment Records
Part 3 Monitoring at Work
Part 4 Information about Workers' Health
Those overstretched HR Professionals who have just about got to grips with Parts 1-3 of the Code of Practice will no doubt have been delighted to discover that Part 4 of the Code consists of a main guidance document of 33 pages, which is complemented by a supplementary guidance document of 27 pages and a separate 6-page Guidance for Small Businesses. Whilst the total 66 pages of guidance may not be short, it is a considerable improvement over Parts 2 and 3 of the Code, which came in at 96 and 91 pages respectively!
Part 4 of the Code of Practice gives practical guidance on collecting, storing and processing records about workers' health. Information about an individual’s physical or mental health or condition is classified as sensitive personal data and is therefore subject to more stringent restrictions than standard personal data. Before processing information on workers' health, employers must ensure that one of the sensitive personal data conditions in the DPA is satisfied. Some of the more relevant ones in the employment context include:
- Where processing is necessary to enable the employer to meet its legal obligations, for example to ensure health and safety at work
- Where the processing is for medical purposes and is undertaken by a health professional or someone working under an equivalent duty of confidentiality, for example, an occupational health adviser
- Where the processing is in connection with actual or prospective legal proceedings
- Where the worker has given consent to the processing of his or her medical information (although for this to be effective, it must be both explicit and freely given)
Once the employer is satisfied that one of the sensitive personal data conditions has been met, the Code of Practice recommends that the employer carries out an impact assessment to ensure that:
- It is under a legal duty to process information about workers' health, or
- The benefits gained from processing information about workers' health justify the privacy intrusions or any other adverse impact.
Section 3 of the Code of Practice sets out good practice recommendations and further detail on these is given in the supplementary guidance. The six subsections cover:
- Information about workers' health: general considerations
- Sickness and injury records
- Occupational health schemes
- Information from medical examination and testing
- Information from drug and alcohol testing
- Information from genetic testing
Whilst there is no substitute for reading the Code of Practice and supplementary documents, some key points to bear in mind include:
- It will be intrusive and may be highly intrusive to obtain information about your workers' health
- Workers have legitimate expectations that they can keep their personal health information private and that employers will respect their privacy
- Employers should be clear about the purpose and proper justification for collecting and holding information on their workers’ health
- One of the sensitive personal data conditions must be met
- Workers should be aware of the extent to which information about their health is held and the reasons for which it is held
- Decisions on a worker’s suitability for particular work are properly management decisions but the interpretation of medical information should be left to a suitably qualified health professional.
Note: In June 2005 the Office of the Information Commissioner launched a consolidated and updated version of the Employment Practices Data Protection Code, which was previously available as the four separate parts listed above.