The People Bulletin

The use and abuse of information

In an increasingly wired world it is very easy to collect, store and share personal information. But employers must abide by the Information Commissioner’s rules when it comes to employee data. Daniel Berke explains


Technology has changed the way organisations collect and use information on their employees, and this has presented a number of new challenges to employers. The responsibility to respect and protect the personal details of employees has never been quite so complicated.

Data protection

The Data Protection Act 1998 strives to protect the population at large in the new age of instant, globally accessible information and globally organised crime. HR professionals recognise the need for this legislation in light of the significant upsurge in identity fraud, now reportedly reaching the staggering level of an average of £631.00 each year per household in the UK[i]. This is the fastest growing crime in the world.

If you collect or use information about people as part of a recruitment or selection exercise, the Act will apply. If a candidate is not taken on, it is not a good idea to shred documents immediately, as these may be needed if the candidate were to make, for example, a discrimination claim as to why they were not employed. The CV and interview notes may be required as evidence in an Employment Tribunal. If records are therefore retained, at least until a claim would be time-barred, the details and contents should be kept private.

It is sensible for employers to avoid collecting more information than they need. More sensitive details such as banking information and next of kin should only be taken from applicants who are appointed. You should also only ask for information on criminal convictions if it is relevant and justified for the type of job you are recruiting for.

If you propose to check and verify information, it is recommended that the prospective employee is informed that this will be done and the manner in which it will be done. The Act does not prevent you from collecting, keeping and using employment records, but is intended to balance the employer’s need to keep records and the worker’s right to privacy. Employees have a right to know how an employer will use records about them and in what circumstances information will be disclosed.

Employers must be aware that data protection rules apply to those who have access to employment records and that personal information must be handled with respect. Employers should also encourage workers to check their own records periodically to keep information relevant and up to date.

In practice

I have advised on a number of high value, international frauds which could not have operated unless the perpetrators had been able to obtain personal details of individuals in order to assume their identities, open accounts, set up companies and arrange finance. In one case a client was arrested, charged and put on trial for fraud. The jury accepted that her identity was stolen and she was acquitted, but the process took close to four years.

Fines

Protection against fraudsters is a responsibility that must be taken seriously. If it is established that the criminals got access to the information through the ‘data controller’s’ carelessness, the data controller may well be liable for a £500,000 fine.

Jack Straw, the secretary of state for justice, recently ruled that the Information Commissioner’s Office (ICO) has the power to impose hefty fines on organisations that fail to secure confidential data appropriately[ii].

If a business is threatened with a penalty, the Information Commissioner will take its turnover, sector, size and the data breach into account before considering a fine. This will be determined by:

  • carefully considering the circumstances, including the seriousness of the data breach;
  • the likelihood of substantial damage and distress to individuals; and
  • whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches.

The power to impose these substantially increased monetary penalty notices is designed to deal with serious breaches of the Data Protection Act and is part of the ICO’s overall regulatory toolkit.

The Data Protection Act provides protection for sensitive information about much more than an individual’s finances; it extends to ethnic origins, political opinions, religious beliefs, trade union membership, health, sexual life and any criminal history.

Refresh button

There are eight common-sense rules known as the Data Protection Principles. These require personal information to be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in such a way as to keep the subject’s rights secure; and
  • not transferred abroad without adequate protection.

Any information an employer retains must be brief, relevant, confidential and justified.

A case history

Last year’s Kerr Construction case investigated by the Information Commissioner’s Office (ICO) uncovered a database containing details on 3,213 construction workers which was used by over 40 construction companies to vet individuals for employment.

The information included sensitive personal information such as construction workers’ personal relationships, trade union activity, as well as their employment history.

The owner of a firm, known as the Consulting Association, had apparently run the database for many years. The ICO uncovered evidence that numerous named construction firms subscribed to his system for a £3,000 annual fee. They could add information to the system and pay £2.20 for details held on individuals. Invoices to construction firms for up to £7,500 were seized during the raid, suggesting that they’d used the system to vet all 3,200 candidates.

Evidently, in an industry known for its unusually heavy reliance on a relatively short-term mobile workforce and contractors, sub-contractors and agency workers, among others, had seen fit to support this central databank. It contained the kind of information that organisations in many industries with more permanent staffing patterns might once have found useful and kept. By referring to it, construction companies hoped to avoid recruiting those whose records demonstrated that they were dishonest, indolent, disruptive, malevolent or insufficiently qualified for the work in hand.

The ICO ruled this to be criminal intrusiveness. Mr. Kerr closed his company amid outraged protests about blacklisting and victimisation.[iii]

Reinvention

The pattern that emerges over this period is quite interesting. Feverishly rapid progress in the data processing and IT industries has transformed the financial services industries, causing a ubiquitous quantum shift in the storage, processing and retrieval of personal and business data.

The international criminal fraternity realises the opportunities and dangers that this data presents and will move as rapidly as technology allows to exploit it. Employers are on the front line in defending personal data, which can be used as a criminal tool. If companies fail to take this seriously and adopt proper safeguards and systems, they can face crippling fines and prosecution.

www.lhs-solicitors.com


 


[i] www.identitytheft.org.uk

[ii] http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf

[iii] http://www.ico.gov.uk/upload/documents/pressreleases/2009/tca_release_060309.pdf

 

Daniel Berke
Solicitor Lewis Hymanson

Daniel Berke is a solicitor at Lewis Hymanson Small Solicitors. He represents defendants in all areas of criminal law and has defended serious fraud cases, including a multinational VAT fraud which was one of the highest value frauds ever brought to trial.

