Your employer’s duties as a data controller


The Data Protection Act 1998 (DPA 1998) governs the processing of your personal data. This includes obtaining, holding, using or disclosing such information. It places a duty on your employer and any other organisation that processes personal data (known as data controllers) to comply with eight data protection principles, and gives you rights in relation to information held about you.

Almost all employers will be data controllers of personal data about their employees. Such data is personal data under the DPA 1998 whether it is processed electronically or held in a structured manual filing system (a "relevant filing system"). The DPA 1998 matters when you need to obtain information about you from your employer, including during any disciplinary action or negotiation. It gives you rights over information about you, not about anyone else.

See ICO on Data controllers and data processors: What the difference is and what the governance implications are


When does the DPA 1998 apply to a data controller?

The DPA 1998 applies to a data controller:

  • Where the data controller is established in the UK and the data is processed in the context of that establishment – S5 (1) (a) DPA 1998
  • Where the data controller is not established in the UK or elsewhere in the European Economic Area (which includes the EU countries, Liechtenstein, Iceland and Norway) but the data controller uses equipment located in the UK for processing the data, and the use of the equipment is not only for the purpose of moving the data through the UK – S5 (1) (b)

What does it mean to be established in the UK or other EEA State?

Under S5 (3) DPA 1998, a data controller is established in the UK or in another EEA state if it is:

  • an individual who is ordinarily resident in the UK or that other EEA state
  • a body incorporated under the law of, or of any part of, the UK or that other EEA state
  • a partnership or other unincorporated association formed under the law of any part of the UK or that other EEA state
  • any person who does not fall within these categories but maintains in the UK, or in that other EEA state, an office, branch or agency through which they carry on any activity, or a regular practice.

Registration as a data controller

Under S17 DPA 1998 almost all employers must register as data controllers before processing personal data. If your employer has separate companies or other group entities, each must have its own registration.

See ICO on Notification: A brief guide

Sections 16, 18 and 20 DPA 1998 require your employer to register by notifying the ICO of its name and address and a description of its data processing activities (together called the "registrable particulars"), along with a general description of the security measures taken to comply with the seventh data protection principle (keeping personal data secure). Registration must be renewed annually, and any change to the registrable particulars must be notified to the ICO.

The rules about notification and annual renewal fees are contained in Regulation 7 of the Data Protection (Notification and Notification Fees) Regulations 2000, SI 2000/188 

Failure to register with the ICO, or to notify it of changes, is a criminal offence and may result in a fine – S21 (1) DPA 1998.

Exemptions to registration – Schedule to the Data Protection (Notification and Notification Fees) Regulations 2000 (processing to which s 17(1) does not apply)

Employers are exempt from the requirement to register in the following situations:

  • where data is being processed only for the purposes of staff administration, or for advertising and marketing the employer's own goods or services
  • where data is being processed only for accounts and record-keeping purposes

See ICO on Notification: A brief guide for other exemptions.


The duty to follow the 8 Data Protection Principles

The rights and duties in the DPA 1998 apply only to personal data, of which sensitive personal data is a subset. Schedule 2 DPA 1998 contains the conditions for processing personal data, and Schedule 3 DPA 1998 contains the additional conditions for processing sensitive personal data.

Personal data is data from which you can be identified:

  • from those data alone, or
  • from those data together with other information which is in the possession of, or is likely to come into the possession of, your employer (for example names, addresses, NI numbers and CCTV images).

Personal data includes any expression of opinion about you and any indication of the intentions of your employer or any other person in respect of you.

Sensitive personal data is data about your:

  • racial or ethnic origin
  • political opinions
  • religious beliefs or other beliefs of a similar nature
  • membership of a trade union
  • physical or mental health or condition
  • sexual life
  • any offence actually or allegedly committed by you, and any resulting proceedings

S4 (4) DPA 1998 places a duty on your employer to comply with the data protection principles for all personal data and sensitive personal data.

As the ICO Guide to Data Protection explains, a number of the conditions require that the processing is "necessary" for the purpose described. This is a strict requirement: if your employer can achieve the purpose by some other reasonable means, or the processing is necessary only because your employer has chosen to run the business in a particular way, the condition is not met and the processing breaches the DPA 1998.

Schedule 2 conditions for processing personal data

At least one of the following Schedule 2 conditions must be met before your employer can process any personal data (unless an exemption applies):

  • Paragraph 1 – The person who is the subject of the personal data has consented to the processing.
  • Paragraph 2 – The processing is necessary because of a contract which the individual has entered into, or because the individual has asked for something to be done so that they can enter into a contract.
  • Paragraph 3 – The processing is necessary because of a legal obligation that applies to the data controller (other than a contractual obligation).
  • Paragraph 4 – The processing is necessary to protect the individual's vital interests. This condition only applies in cases of life or death, for example where your employer has to disclose your medical history to a hospital after an accident.
  • Paragraph 5 – The processing is necessary for administering justice, or for exercising statutory, governmental or other public functions.
  • Paragraph 6 – The processing is in accordance with the "legitimate interests" condition. See ICO Guide to Data Protection.


Schedule 3 conditions for processing sensitive personal data

If the data is sensitive personal data, your employer must meet at least one Schedule 2 condition and, in addition, at least one of the following Schedule 3 conditions:

  • Paragraph 1 – The person who is the subject of the sensitive personal data has given explicit consent to the processing.
  • Paragraph 2 – The processing is necessary for your employer to exercise or perform a right or obligation imposed on it by employment law.
  • Paragraph 3 – The processing is necessary to protect the vital interests of the individual or another person, in a case where the individual's consent cannot be given or reasonably obtained, or of another person, in a case where the individual's consent has been unreasonably withheld.
  • Paragraph 4 – The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party without the individual's consent (there are other limitations to this condition).
  • Paragraph 5 – The person has deliberately made the information public.
  • Paragraph 6 – The processing is necessary for legal proceedings, for obtaining legal advice, or for establishing, exercising or defending legal rights.
  • Paragraph 7 – The processing is necessary for administering justice, or for exercising statutory or governmental functions.
  • Paragraph 7A – The processing is a disclosure carried out by a person who is either a member of an anti-fraud agency or working in accordance with arrangements made by an anti-fraud agency, and is necessary for the purposes of preventing fraud or a particular kind of fraud.
  • Paragraph 8 – The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
  • Paragraph 9 – The processing is of sensitive personal data consisting of information as to racial or ethnic origin, is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
  • Paragraph 10 – The processing takes place in circumstances specified by order of the Secretary of State. The Data Protection (Processing of Sensitive Personal Data) Order 2000 sets out further circumstances in which a data controller may process sensitive personal data.


What does ‘Consent’ to processing mean?

One of the conditions for processing is that the individual has consented to their personal data being collected and used. "Consent" is a Schedule 2 condition and "explicit consent" is a Schedule 3 condition for fair and lawful processing.

Consent

‘Consent’ is not defined in the DPA 1998. The European Data Protection Directive (95/46/EC) defines consent as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

This means that:

  • You must signify your agreement through some active communication which can be in writing or some other action.
  • Agreement cannot be assumed because a person does not respond to a communication.
  • The nature of the processing must be clearly explained.
  • There must be no duress or misinformation to get consent.
  • Consent can be withdrawn.

Explicit Consent

Explicit consent means that the individual's agreement must be absolutely clear. To give explicit consent you must be told, and agree to:

  • the specific processing details;
  • the type of information (or even the specific information);
  • the purposes of the processing;
  • any special aspects that may affect you, such as any disclosures that may be made.

For more on Consent see page 116 of the ICO Guide to Data Protection 

 

When is processing ‘necessary’?

Many of the conditions for processing depend on the processing being "necessary" for the particular purpose to which the condition relates. This imposes a strict requirement: the condition will not be met if the organisation can achieve the purpose by some other reasonable means, or if the processing is necessary only because the organisation has decided to operate its business in a particular way.

For more on processing see page 114 of the ICO Guide to Data Protection
