Recently there has been a lot of chatter about data protection in the workplace, for example the recent incident where a US based employee had outsourced his work to a third party in China, compromising the information. Such incidents are leading up to a growing concern among employers and employees alike about their rights in the workplace when it comes to data protection.
In UK the Data Protection Act controls the use of personal information by organisations, businesses or the government. According to the law, everyone responsible for using data should adhere to a set of rules called 'data protection principles' and should ensure that the information is:
- Used fairly and lawfully
- Used adequately and in relevance
- Used for limited, specifically stated purposes
- Handled according to data protection rights of people
- Kept secure and safe
- Not transferred outside UK without adequate protection
- Stored for no longer than necessary
The DPA also provides for a stronger legal protection for more sensitive information that deals with ethnicity, political opinions, religious beliefs, criminal records, health and sexual health.
It also grants a right to information where you can inquire the government or any other organisation about all the information they have stored about you, by writing to them. The organisation is law bound to provide you with a copy of the information.
However, in certain cases the information can be withheld when it is related to the prevention, detection or investigation of a crime; national security; assessment or collection of tax; judicial or ministerial appointments. Further, the organisation doesn't have to provide a reason for withholding information in this case.
You might be required to pay a fee (which is usually less than £10) to request information.
In addition, if you are doubtful that your data is being misused by any organisation, you can contact them directly; also in absence of a satisfactory response you can contact the Information Commissioner's Office (ICO) directly at 0303 123 1113. (Read: How to make a data protection complaint)
Employers' and Employee's Rights
Employers reserve the rights to monitor their workers by using different ways such as CCTV recordings, drug testing, bag searches, checking their worker's emails and websites they look at. All monitoring that involves taking data, images or drug testing is protected under DPA.
If an employee is unhappy with this, they can check their staff handbook or contract to see if the employer is allowed to do this. In case the employer hasn't mentioned this, the worker may resign and claim unfair ('constructive') dismissal as a last resort after exhausting other means of dispute resolution.
Employers also need to maintain a written policy for conducting searches and they should be done by respecting privacy of individuals, by a member of the same sex and in presence of a witness.
Employees reserve the rights to file for discrimination, assault or false imprisonment if a search or drug test is not handled properly by the book.
In case of drug testing, employers need to have prior consent from employees such as in the form of a full contractual health and safety policy which needs to be mentioned in the contract or staff handbook. Also employers should limit testing to only employees that need to be tested, ensure that tests are conducted at random and without singling out any particular employee unless justified by the nature of their job.
For email, CCTV and other forms of monitoring, employers must clearly mention the amount of monitoring in the staff handbook or contract and inform the workers that they are being monitored. They should also inform them about a reasonable number of personal emails and phone calls that would be monitored or that personal emails and calls are not forbidden. However, employers can't monitor workers everywhere in the workplace (for example, toilets), lest they be in violation of the DPA.
Employers also need to ensure that all data that they collect should be kept safe, secure and up to date. The type of data that an employer can store about their employee includes – name, address, date of birth, sex, education and qualifications, work experience, national insurance number, tax code, disability details and emergency contacts. They can also update their records with details of an employee's employment history with the organisation, employment terms and conditions, any accidents in the workplace and connected with work, training received as well as any disciplinary actions.
In all circumstances, the employer should clearly inform their employees about what records are being kept and how they are being used, the confidentiality of the records and how these records will help with their training and development at work.
An employee can request a copy of their data from their employer, who has 40 days to comply with this request.
Under no circumstances the rules laid down in the Data Protection Act should be broken.