Personnel Records and the Data Protection Act 1998

The Data Protection Act 1998 makes a number of important changes to the handling of personnel records. Rebecca Barnett provides some guidance.

The Data Protection Act 1998 (the “Act”) (which will become law on 1st March 2000), will have a major impact on what employers do with the information they hold on employees.

The Act covers “personal data”. In brief, this is any data from which a living individual is identifiable whether contained on computer or in a filing system. One consequence of this is that, where employers keep records in an organised form, employees will be entitled to see their personnel files.

However, there is transitional relief for employers who had a system in place for keeping employee records on 24th October 1998. As long as they continue to use this system, they will not be required to give employees access to those records, or any records added to that system since then, until 23rd October 2001. Whether or not records in your organisation are covered by transitional relief, it is advisable to reconsider the type of information kept on personnel files now.

Described below are the types of information which employees will have the right to see (along with any exemptions available) and other provisions which impact on the handling of personnel records.

Statements of opinion or intention
Expressions of opinion about an individual or an indication of the employer’s or any third party’s intention towards the individual are disclosable to that individual under the Act. Examples include appraisals, or notes on career planning.

However, some statements of opinion or intention are exempt from disclosure. For example, employees do not have the right of access to information which has been created for the purposes of management forecasting or planning where disclosure would prejudice the conduct of the business or other activity. Examples could include restructuring and redundancy plans. Also, records of an employer’s intentions in relation to any negotiations with an employee do not have to be disclosed where it would prejudice the negotiations, for example negotiations on termination of employment.

Legal and other advice
Advice relating to an employee’s possible claims or a note of advice given in a meeting or by telephone from anyone, unless legally qualified, will be disclosable to an employee. However communications with a legally qualified person, including an in-house lawyer, which is for the purposes of seeking or giving advice or collecting evidence for use in litigation which is in reasonable prospect may be exempt from an employee’s access rights on the ground that it is covered by legal professional privilege. As ever, care must be taken over who such advice is copied to as it will lose its privilege if copied for purposes other than disseminating legal advice.

Medical reports and records
Reports and records consisting of information about an individual’s physical or mental health or condition which were made by or on behalf of a health professional in connection with the care of an employee falls into the category of personal data, called “accessible records”. There is no transitional relief from the disclosure of accessible records, whether manual or automated. However, there may be grounds for refusing to disclose a medical report if a person other than the employee concerned can be identified from it, such as the doctor providing the report. This is unless that doctor has either given consent to the disclosure, or it is reasonable in all the circumstances to disclose it notwithstanding the lack of consent, or information can be given without disclosing the person’s identity.

The Act gives the Secretary of State the power to prevent a person from obtaining information about his own physical or mental health or condition under further regulations. This power has not been exercised to date. However, the Home Office has indicated that the Secretary of State is likely to make regulations which prevent a person obtaining information where supplying it is likely either to cause serious harm to his or her physical or mental health, or lead to the identification of another person.

Sensitive data
Sensitive data is subject to conditions which must be fulfilled before an employer can process it. This includes information about:-

• racial or ethnic origin
• political opinions
• religious beliefs or beliefs of a similar nature
• trade union membership
• physical or mental health or condition
• sexual life
• commission or alleged commission of a criminal offence

However, it may be possible to satisfy one of these conditions if the employer has the employee’s express consent, where it wants to collect or use the data for the purposes of ethnic monitoring or where it is necessary for the purposes of obtaining legal advice or defending legal proceedings.

References
References which have been received by an employer from a prospective employee’s previous employers must be disclosed to that employee upon request. However, employees are not entitled to see references which the current employer has supplied on their behalf. They may, under the right explained above, request that the recipient of the reference disclose it to them.

Exporting data
Transferring data outside the European Economic Area (the 15 Member States of the European Union and Norway, Iceland and Liechtenstein) is restricted unless the country receiving the data has an adequate level of data protection. The Data Protection Registrar (or Data Protection Commissioner when the Act comes into force) can advise in each case. This may have the effect of restricting an employer’s ability to transfer data for the purposes of keeping centralised records, taking advice from lawyers in that country, or reviewing or compiling details on the work force. Currently, the USA is not regarded as having an adequate level of protection. However, this restriction does not apply if the employee has consented to the transfer or where the transfer is necessary for the conclusion of a contract between the employee and employer.

General rules
The guiding principles state that data held on individuals must be adequate, relevant and not excessive in relation to the purpose for which it is held . It must also be accurate, kept up to date and not be kept for longer than is necessary. Personnel files should therefore be regularly reviewed to ensure that unnecessary information is removed. Employees should be given the opportunity to review their files and confirm that the information held about them is correct