|
Ask Employment Law |
|
|
|
|
|
|
Remember: There is no substitute for legal advice on the actual
situation you find yourself in. The information posted on this site is for
general information only, is based on |
|
|
|
|
|
|
|
Question: |
Do Employers need
permission to hold personal data on employees under the Data Protection
Act? |
|
|
|
|
Answer: |
This note only touches on the extent of Employers
obligations under the Data Protection Act. Normal Personal Data: It is not necessary to get an employee’s express
permission to hold data on them. Imagine someone sending in their CV to a
prospective employer. It would be silly if the employer had to obtain express
permission in order to read or ‘process’ it. Under Schedule 2 of the Act an organisation can process
the data if ·
The
data subject has given his consent (consent will not always be explicit
though), or ·
Its
necessary for the performance of a contract or enter into a contract which
the data subject is a party (ie to recruit or employ Jo Bloggs), or ·
It’s
necessary to comply with a legal obligation (ie under the Employment Rights
Act, Discrimination Acts etc) ·
It’s
necessary to protect the vital interests of the data subject (for the
administration of justice etc) ‘Sensitive Personal Data’
It is however normally necessary to obtain the employee’s
explicit permission to hold ‘sensitive’ personal data on them. In the HR
field sensitive personal data will include ethnic monitoring information,
Trade Union membership, information about health conditions or criminal
convictions which you may ask for at the recruitment stage or later. In the case of ‘Sensitive Personal Data’ ·
The
data subject must give explicit consent (ie by signature, after being
told clearly the personal data and the use involved and consent must be
freely given) or: ·
The
processing is necessary to perform legal obligations imposed on the data
controller in connection with employment ·
Or
to protect the person’s vital interests if consent cannot be obtained. Processing of sensitive personal data can only take
place: ·
for
legitimate reasons ·
not for profit. ·
With
no disclosure to a third party without the person’s consent. In practice: Permission should be
sought to complete an ethnic monitoring form (which is why these forms are
often separate from the application form).
Arguably it could be collected in order to monitor compliance with the
Race Relations Act. It would be inappropriate
to query trade union membership to decide whether or not to employ someone at
the application stage. It might be appropriate to ask them once the employer
has recruited them so the employer knows whether to collect Union dues. The Code states ‘The collection of sensitive personal data
must however be ‘necessary’ for exercising or performing a right or
obligation which is conferred or imposed by law.’ For example, if the employer wants to carry
out criminal record checks to protect the safety of staff, it should be
sufficient only to do so for successful applicants before confirming the
appointment. What permission do
employers need to process data relating to job applications and vetting? As above, express permission is not required in job
applications unless the data is ‘sensitive’ The Code of Practice suggests that: ·
if
recruitment agencies are being used by the employer, they should identify
themselves and explain how personal data received will be used and disclosed unless
it is self evident. ·
Only
ask about criminal convictions if it can be justified in terms of the role
offered (ie Head of Finance) ·
Explain
the checks undertaken to verify the information provided on the application
form (ie checking Qualifications) ·
If
it is necessary to secure the release of documents or information from a
third party, get a signed consent form from the applicant unless consent to
release has already been given in some other way What permission do employers need to process data on
medical history? Data on medical history is likely to be ‘Sensitive
Personal Data’ and will include information on the personnel file about: ·
Results
of eye tests / ergonomic reports ·
Any
drugs testing ·
Occupational
Health Physician reports ·
Disability
assessment for reasonable adjustments Employers should normally obtain the employee’s explicit
consent to hold such information. ·
If
the employers asks on an application form ‘Do you have any medical conditions
of which we should be aware?’ Explicit consent must inevitably be given if
the applicant answers and signs the form. The form should state to what use
the information will be put though. ·
If
the employer refers an employee to Occupational Health for a report, the
employer should first get the employee to sign a form allowing you to receive
the report. There are exceptions to the need to get explicit
permission, such as: ·
If
the employer holds the sensitive medical data to ensure the health and safety
of a member of staff, you do not need explicit consent. ·
If
the employer holds the sensitive medical data to comply with obligations
under (say) the Disability Discrimination Act, it does not need explicit
consent. ·
If
the employer obtains the sensitive medical data as part of actual or
prospective legal proceedings, it does not need express consent. Can employers hold the CV’s of unsuccessful job
applicants? The Code says: ·
Ensure
that personal data recorded and retained following the interview can be
justified as relevant to and necessary for the recruitment process itself or
for defending the process against challenge (ie being sued for
discrimination) ·
Inform
unsuccessful applicants there you intend to keep their names on file for
future vacancies (if appropriate) and give them the opportunity to have their
details removed if they wish (ie in the rejection letter) See
also our page on data
subject access requests. Last reviewed:
July 2010 |
|
|
|
|
Employment
Solicitor Reculver Solicitors Tel
0207 324 6271 Regulated
by the Solicitors Regulation Authority ©
Reculver Solicitors. 2005- |
|