New data protection laws - new rights of access to information under the Data Protection Act 1998

United Kingdom

New data protection laws

Rebecca Barnett examines new rights of access to information under the Data Protection Act 1998

The Data Protection Act 1998 (DPA 1998) received Royal Assent on 16th July 1998 and is expected to be brought into force in the second quarter of 1999 in order to comply with the amended EU Directive. The existing data protection regime under the Data Protection Act 1984 (DPA 1984) will be replaced by a new regime which is similar in many respects, but which is extended, importantly for employee records, to include paper-based personal data and to give employees greater rights of access to their personal data.

There is a period of transitional relief under which the bulk of the DPA 1998 will not apply to manual records until 24th October 2001. However, this relief only applies to manual records which were subject to processing before 24th October 1998. For manual records created after 24th October 1998 and all computer records, the new requirements under the DPA 1998 will apply as soon as it is brought into force.

DPA 1984 - a reminder

The DPA 1984 applies to personal data which is processed automatically. In practice, this means data held on computer. Persons who process personal data have to be registered with the Data Protection Registrar and this registration determines the type of data which may be processed and what type of processing may take place. There are 8 data protection principles which are concerned with the lawful use of personal data, but which do not place any specific obligations on the data user. Individuals have fairly limited rights of access to data held on them, compensation for loss or unauthorised disclosure and a right to seek an order from the court for inaccurate data to be rectified or erased.

DPA 1998 - the main changes

Personal Data: Under the DPA 1998, the definition of personal data has been broadened to include paper-based records which form part of a filing system. Case law will determine exactly what manual records are included, but the Home Office's view is that it will include 'files about named individuals in which each item has an internal structure conforming to some common system'. Therefore personnel records which are organised by name, or other criteria by which an employee's personal data are accessible, are almost certain to be covered by the Act. Disorganised papers which include personal data will not.

Personal data includes expressions of opinion and, under the DPA 1998, indications of intentions towards an employee.

Registration/Notification: Under the DPA 1998, there is a new system of notification. Details of this will be contained in secondary legislation which has not yet been finalised. The Data Protection Registrar's current proposal is that the Data Protection Registry will transpose a data user's existing registration under the DPA 1984 onto the new notification form and automatically send this to data users for updating whenever registration would have become due under the DPA 1984 or by 24th October 2001 (whichever is earlier).

Conditions for Processing: Under the DPA 1998, 'processing' covers a broader range of activities than under the DPA 1984. It is likely to encompass most, if not all, of the activities an employer would wish to carry out in relation to the data held on employees.

There are eight principles governing processing under the DPA 1998. These are broadly similar to those under the DPA 1984. Under both regimes, the first principle is that data must be processed fairly and lawfully. Under the DPA 1998, data can only be processed fairly and lawfully where either the employee consents to the processing or where processing is necessary to:

  • perform a contract with the employee,
  • comply with a legal obligation,
  • protect the vital interests of the employee,
  • carry out public functions, or
  • pursue the legitimate interests of the business (unless prejudicial to the interests of the employee).

The second, third, fourth and fifth data protection principles are concerned with the type of data held. Data may only be obtained for specified reasons. It should be accurate and up to date and should not be irrelevant or held for any longer than necessary.

Sensitive Data: There are new restrictions on the processing of sensitive data. Sensitive data includes information about ethnic or racial origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health, sex life or commission of an offence, proceedings or the disposal of proceedings or sentencing. In addition to the conditions for the processing of non-sensitive personal data, it is necessary either for the employee explicitly to consent or to show that the processing is necessary:

  • to exercise or perform any right or obligation conferred or imposed by law on the employer in connection with employment,
  • in connection with any legal proceedings or for the purpose of obtaining legal advice,
  • for administration of justice,
  • as regards information on ethnic or racial origin, for the purpose of monitoring equality of opportunity or treatment.

Rights of Data Subjects: The rights of individuals to have access to their personal data have been extended:

  • Employees will be entitled, on request and on payment of a fee, to be told when information about them is being processed, to be given a description of the data, the reason it is being processed and who is to receive the information. There is an exemption for references given by an employee's current employer, but this does not cover those given by third parties, for example, a previous employer. Other information may be exempt from disclosure, such as management planning information which would prejudice the conduct of the business or which indicates the employer's intentions in any negotiations with the employee. It will be an offence for employers to require prospective employees to obtain information about themselves for the employer's purposes using the data access provisions under the DPA 1998.
  • Employees may apply to court for rectification, erasure or destruction of inaccurate information. Where there has been any breach of the DPA 1998 an employee may claim compensation for damage caused as well as distress.
  • The DPA 1998 restricts the use of computer software packages for recruitment and assessment. Where such a package is the only means of assessing performance, conduct, reliability or credit rating, the employer is obliged to inform the employee of this fact. The employee may then ask the employer to reconsider and/or explain the process involved in the decision making.

Cross Border Transfers: The eighth data protection principle restricts the transfer of data to countries outside the European Economic Area which do not have an adequate level of data protection. The Data Protection Registrar's view at present is that few countries will have the requisite protection. The United States is not one of them. This will have important implications for employers with overseas offices, particularly for those with centralised records. There are a number of exceptions, for example where the employee's consent has been obtained or where the transfer is necessary to perform a contract between the employee and employer.

Transitional relief: There are detailed and complex provisions for transitional relief in respect of manual and some automated records. For example, from commencement of the DPA 1998 until 23rd October 2001, manual records which were already being processed before 24th October 1998 are exempt from the data protection principles and the rights of employees to have access to their records. Personnel files which were in existence before 24th October 1998 will fall into this exemption. It is less clear however whether information added to personnel files after 24th October 1998 will also be covered by the exemption. From 24th October 2001 to 24th October 2007, there are further exemptions for manual records covered by the first transitional period.

Practical tips

    • Personal data includes expressions of opinion but also indications of intentions towards an individual, for example, promotions or redundancies. Care must therefore be taken in creating such data.
    • Personnel files should be reviewed before the DPA 1998 comes into force and periodically thereafter so that they may be updated and irrelevant and out of date information removed.
    • Employers may wish to provide employees with copies of their personnel files so that they may rectify any inaccuracies.
    • Employers should reconsider what information they ask their employees to provide and the purposes for which it is used in view of the restrictions on processing sensitive personal data.
    • Employers should implement a procedure to deal with requests for access to personal data.
    • Where computerised decision-making is used, the employer should be prepared to explain the logic behind any decisions made. Computerised decision-making will only be caught by the DPA 1998 when it is the sole system used. Employers should therefore consider cutting down on the use of such programmes and involving human assessment where possible.
    • Employers must consider how to handle cross border transfers of information, either by obtaining employee consent or by confining the transfer to information which is necessary to perform the employment contract.
    • The DPA 1998 requires steps to be taken to prevent unauthorised access or unlawful processing of data. Employers should therefore review internal and external access to personal data.
    • There is much secondary legislation and guidance yet to be published. Employers should try to keep up-to-date with developments including publications by the Data Protection Registry.