Data Protection Policy
In the course of an Employee’s work he may come into contact with or use confidential information about Employees, clients and customers, for example their names and home addresses. The Data Protection Act 1998 contains principles affecting Employees’ and other personal records. Information protected by the Act includes not only personal data held on computer but also certain manual records containing personal data, for example Employee personnel files that form part of a structured filing system. The purpose of these rules is to ensure that an Employee does not breach the Act. If an Employee is in any doubt about what can or cannot be disclosed and to whom, the Employee should not disclose the personal information until further advice has been sought from a line manager. Employees should be aware that they can be criminally liable if they knowingly or recklessly disclose personal data in breach of the Act. A serious breach of data protection is also a disciplinary offence and will be dealt with under the Company’s disciplinary procedures. If an Employee gains access to another Employee’s personnel records without authority, this constitutes a gross misconduct offence and could lead to summary dismissal.
The data protection principles
There are eight data protection principles that are central to the Act. The Company and all its Employees must comply with these principles at all times in their information-handling practices. In brief, the principles say that personal data must be:
1. Processed fairly and lawfully and must not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are either that the Employee has given consent to the processing, or the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the Employee and consists of information relating to:
• race or ethnic origin
• political opinions and trade union membership
• religious or other beliefs
• physical or mental health or condition
• sexual life
• criminal offences, both committed and alleged.
2. Obtained only for one or more specified and lawful purposes, and not processed in a manner incompatible with those purposes.
3. Adequate, relevant and not excessive. The Company will review personnel files on an annual basis to ensure they do not contain a backlog of out-of-date information and to check there is a sound business reason requiring information to continue to be held.
4. Accurate and kept up-to-date. If an Employee’s personal information changes, for example a change of address, the Correct Department must be informed as soon as practicable so that the Company’s records can be updated. The Company cannot be held responsible for any errors unless the Employee has notified the Company of the relevant change.
5. Not kept for longer than is necessary. The Company will keep personnel files for no longer than six years after termination of employment. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data which the Company decides it does not need to hold for a period of time will be destroyed after six months. Data relating to unsuccessful job applicants will only be retained for a period of six months.
6. Processed in accordance with the rights of Employees under the Act.
7. Secure. Technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data. Personnel files are confidential and are stored in locked filing cabinets. Only authorised staff have access to these files. Files will not be removed from their normal place of storage without good reason. Data stored on diskettes or other removable media will be kept in locked filing cabinets. Data held on computer will be stored confidentially by means of password protection, encryption or coding and again only authorised Employees have access to that data. The Company has network backup procedures to ensure that data on computer cannot be accidentally lost or destroyed.
8. Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data.
Employee consent to personal information being held
The Company holds personal data about its Employees and, by signing the Contract of Employment, the Employee has consented to that data being processed by the Company. Agreement to the Company processing an Employee’s personal data is a condition of employment. The Company also holds limited sensitive personal data about its Employees and, by signing the contract of employment, the Employee gives explicit consent to the Company’s holding and processing that data, for example sickness absence records, health needs and equal opportunities monitoring data.
Employee right to access personal information
Employees have the right, on request, to receive a copy of the personal information that the Company holds about them, including personnel files, and to demand that any inaccurate data be corrected or removed. Employees have the right on request:
• to be told by the Company whether and for what purpose personal data about them is being processed
• to be given a description of the data and the recipients to whom it may be disclosed
• to have communicated in an intelligible form the personal data concerned, and any information available as to the source of the data
• to be informed of the logic involved in computerised decision-making.
Upon request, the Company will provide an Employee with a statement regarding the personal data held about them. This will state all the types of personal data the Company holds and processes about an Employee.
If an Employee wishes to make a complaint that these rules are not being followed in respect of personal data the Company holds about them, the Employee should raise the matter with their line manager. If the matter is not resolved to the Employee’s satisfaction, it should be raised as a formal grievance under the Company’s grievance procedure.
Employees’ obligations in relation to personal information
Employees should ensure they comply with the following guidelines at all times:
• do not give out confidential personal information except to the data subject. In particular, it should not be given to someone from the same family or to any other unauthorised third party unless the data subject has given their explicit consent to this
• be aware that those seeking information sometimes use deception in order to gain access to it. Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone
• only transmit personal information between locations by fax or e-mail if a secure network is in place, for example, a confidential fax machine or encryption is used for e-mail