Data Protection and Record Keeping
What records should employers keep?
The extent of the information that an employer will hold about its employees, and the systems used to hold it, will depend on the size and nature of the business. Whichever system is used (manual or computerised), there are certain records that employers should keep:
- A copy of the employee’s contract of employment, signed by both parties
- A copy of the employee’s CV and interview records
- Letters/memos outlining any changes to the employee’s terms and conditions
- Details of the employee’s salary and benefit reviews
- Details of any grievances, disciplinary proceedings and any warnings (only for as long as necessary)
- Personal details (only in so far as they are necessary)
- Attendance and sickness records
- Appraisals or other performance-related documents
How does the Data Protection Act work?
The Data Protection Act 1998 prevents personal information or data held about an individual from being misused, or held without their permission. This applies across all areas of a business, not simply HR records. Record-keeping must comply with certain principles, in that information held is:
- Adequate, relevant and not excessive (for the purpose the information is held)
- Processed for limited purposes and in an appropriate way
- Not kept for longer than necessary
- Processed in accordance with the data subject’s rights
- Secure and not transferred to countries that do not give adequate data protection
- Processed fairly and lawfully
These principles apply to most forms of record-keeping, including manual paper records (‘a relevant filing system’) provided the information is readily accessible, as well as records held in an electronic format.
What is a Data Controller?
A Data Controller is a designated person responsible for ensuring compliance with Data Protection legislation and dealing with requests for data. In practice the Data Controller must ensure compliance with the employer’s Data Protection policy and regularly question the need to hold all forms of information about employees, review the information and remove any that does not meet the principles above.
What access rights do employees have to information?
Any person for whom an employer holds personal information (including employees) has a right to see certain information by following a disclosure procedure. In essence:
- Any request they make must be in writing (also known as a Subject Access Request)
- Open-ended requests, such as “everything you have on file”, are not acceptable and if necessary the request should be clarified
- An employer must respond to a request within 40 days of either receiving the request or receiving payment of the administration charge of £10 (if applicable)
Certain rules apply to references. These need not be disclosed by the person giving the reference, but references given to and held by an employer are not excluded. An employee would usually be entitled to receive a copy of their personnel file.
What are the consequences of non-compliance?
If an employer fails to comply with the regulations relating to data processing requests, an employee may:
- Make a request to the Information Commissioner to determine whether or not a request has been complied with;
- Make a complaint to the Information Commissioner that data protection principles or requirements are not being complied with;
- Make an application to the Court on the grounds that the information held by an employer is inaccurate, and seek destruction or rectification of that information; and
- Make a claim for damages in Court proceedings if the employee can show that they have suffered a loss or suffered distress.
The Information Commissioner has the power to impose a financial penalty on a Data Controller of up to £500,000 for serious breaches.