Chapter 1 Introduction and guidance for employers

Transcription

1 A Thorogood Special Briefing Chapter 1 Introduction and guidance for employers Introduction Subject access request Compliance Changing law The Employment Practices Code Personal data Making access requests Managing Data Protection Conclusion Further information Technical Guidance notes Detailed Specialist Guidance

2 DATA PROTECTION LAW FOR EMPLOYERS 2008 Chapter 1 Introduction and guidance for employers Introduction The Data Protection Act applies to most employers in the UK. Whether they have registered or notified the Information Commissioner that they hold personal data which is caught by the Act or not, they must still comply with eight data protection principles and ensure they give individuals access to copies of the personal data of those individuals, which is held about them by the employer known in this context as the data controller. This report looks at how the Act affects employers rather than describes the Act in all its provisions. Lots of useful guidance on the Act is contained in the Introduction to the Act published by the IC on the IC s website. The eight data protection principles are that personal data must be: 1. processed fairly and lawfully 2. processed for limited purposes and not in any manner incompatible with those purposes 3. adequate, relevant and not excessive 4. accurate 5. not kept for longer than is necessary 6. processed in line with data subjects rights 7. secure 8. not transferred to countries that do not protect personal data adequately. 6 A THOROGOOD SPECIAL BRIEFING

3 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Subject access requests Employees, just like anyone else, whose personal data is held by someone have a right of subject access under section 7 of the Act to see the data held about them. Many employers find it useful to have a form for this purpose. If inaccurate data is held about someone they have a right to have it corrected and even to obtain a court order to force it to be corrected. There are also rights to sue for damages if loss has been suffered by a data subject arising from a breach of the Act. Compliance It is an obligation of the data controller to comply with the Act. This will be a limited company or could be a sole trader or partnership. However, companies act through their employees and directors, and it will be employees who either ensure the company complies or whose conduct results in a breach of the act. It may be wise to appoint an employee as the data protection compliance officer. For Government bodies the Data Controller is the Secretary of State. For other public organisations, it is usually the organisation itself that is liable. The IC has an Audit Manual on their website which helps companies to check if they comply. The IC has powers to take enforcement action if a breach of the Act occurs. Companies can be forced to change their policies or correct or delete records. Breach of the Act is a criminal offence. Offences include failing to register (notify), not keeping a notification up-to-date, unlawfully obtaining personal data and unlawfully selling the data. There are also rights to sue for damages to obtain compensation if the Act has been breached. Changing law This report looks at the Data Protection Act This brought an EU data protection directive into force in the UK. That directive was agreed in 1996 and in 2003 was being re-examined by the European Commission. It is possible it will be altered. In May 2003, the European Commission adopted the first report on the implementation of the Data Protection Directive. The report notes that the directive has broadly achieved its aim of ensuring strong protection for privacy but A THOROGOOD SPECIAL BRIEFING 7

4 DATA PROTECTION LAW FOR EMPLOYERS 2008 that late implementation by some member states, along with differences in national approaches, has prevented the EU from obtaining the full benefit of the Directive. Information on EU data protection law and documents reporting on progress under the directive is at: The Employment Practices Code This report principally concentrates on the application of the Act in the employment area as the IC construes this through its Employment Practices Code. What is this Code of Practice for? The Code is intended to assist employers in complying with the Act and to establish good practice for handling personal data in the workplace. The Code covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Who does data protection cover in the workplace? The Code is concerned with data that employers might collect and keep on any individual who might wish to work, work, or have worked for them. In the Code the term workers is used to cover all these individuals. As such it includes: Applicants (successful and unsuccessful). Former applicants (successful and unsuccessful). Employees (current and former). Agency workers (current and former). Casual workers (current and former). Contract workers (current and former). Some benchmarks will also apply to others in the workplace such as volunteers and those on work experience placements. What data are covered by the Code? It is likely that most information about workers that is processed by an organisation will fall within the scope of the Data Protection Act and therefore within the scope of this Code. 8 A THOROGOOD SPECIAL BRIEFING

5 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Personal data The Code is concerned with personal data. That is, information which: relates to a living person, and identifies an individual either on its own or together with other information that is in the organisation s possession or that is likely to come into its possession. All automated and computerised personal data is covered by the Act. It also covers personal data put on paper or microfiche and held in any relevant filing system. In addition, information recorded with the intention that it will be put in a relevant filing system or held on computer is covered. A relevant filing system essentially means any set of information about workers in which it is easy to find a piece of information about a particular worker. A case called Durant v FSA looked at what this meant. It proposed a temporary secretary test if the temp can be sent to find the manual (ie non computer file) on an individual and can find it then it is likely to be sufficiently part of a structured set to fall within the ambit of the Act. Processing The Act applies to personal data that is subject to processing. For the purposes of the Act, the term processing applies to a comprehensive range of activities. It includes the initial obtaining of personal data, how it is kept and used, any access and disclosure of it and even its final destruction. Sensitive personal data Some particularly important data, such as about people s sexual inclinations or health, is classed as sensitive personal data. It must only be processed if explicit consent has been obtained for the processing. Sensitive data is data about: racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), physical or mental health or condition, A THOROGOOD SPECIAL BRIEFING 9

6 DATA PROTECTION LAW FOR EMPLOYERS 2008 sexual life, commission or alleged commission of any offence, or proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive data found in a workers record might typically be about their: physical or mental health as a part of sickness records disabilities to facilitate adaptations in the workplace, racial origin to ensure equality of opportunity, and trade union membership to enable deduction of subscriptions from payroll. The IC says: In the context of recruitment and selection typical circumstances in which sensitive personal data might be held include: relevant criminal convictions to assess suitability for certain types of employment. disabilities to ensure special needs are catered for at interview or selection testing. racial origin to ensure recruitment processes do not discriminate against particular racial groups. The Act sets out a series of conditions, at least one of which has to be met before an employer can collect, store, use, disclose or process sensitive personal data. The conditions include: The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. Note: This condition can have quite wide application in the context of recruitment and selection. Employers rights and obligations may be conferred or imposed by statute or common law, which in this context means decisions in relevant legal cases. For example, they will include obligations to: 1. Ensure the health, safety and welfare of a worker at work. 2. Select safe and competent workers. 3. Ensure a safe working environment. 4. Not discriminate on the grounds of race, sex or disability. 10 A THOROGOOD SPECIAL BRIEFING

7 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS 5. Ensure the reliability of workers with access to personal data. 6. Protect customers property or funds in the employer s possession. 7. Check immigration status before employment. The IC says: Thus an employer may be able to collect information as to an applicant s criminal record or health in the recruitment process if this can be shown to be necessary to enable the employer to meet its obligations in relation to the safety of its workers or others to whom it owes a duty of care. The collection of sensitive personal data must however be necessary for exercising or performing a right or obligation which is conferred or imposed by law. This condition would not, for example, be satisfied if the employer obtains information on the criminal convictions of all applicants in order to protect its staff or customers if the protection could equally be provided by obtaining this information only on the successful applicant prior to confirmation of appointment. The processing: 1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), 2. is necessary for the purpose of obtaining legal advice, or 3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights. Note: The application of this condition in the context of recruitment and selection is quite limited but it might, for example, be relied on to enable a prospective employer to process sensitive personal data to defend him or herself were an applicant to make a claim of unlawful discrimination. The processing: 1. is of information in categories relating to racial or ethnic origin, religious or other beliefs or physical or mental health, 2. is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment, 3. there are safeguards for the data subject. Note: This condition will be relevant to equal opportunities monitoring related to racial origin, religion and disability. Processing must be necessary emphasising that wherever practicable, monitoring should be based on anonymous or aggregated information. A THOROGOOD SPECIAL BRIEFING 11

8 DATA PROTECTION LAW FOR EMPLOYERS 2008 The processing is necessary: 1. for the exercise of any functions conferred on any person by or under an enactment, or 2. for the exercise of any functions of the Crown, a Minister of the Crown or a government department. Note: This condition is most likely to be relevant to public sector bodies that may have specific legal duties placed on them in relation to the qualifications, attributes, background or probity of their workers. It will also be relevant when a public sector body concludes that in order to discharge its wider statutory functions it is necessary for it to process sensitive personal data, such as criminal convictions relating to applicants or, in exceptional cases, their family or close associates. It is likely, for example, to be relevant to the recruitment of police or prison officers. The data subject has given explicit consent to the processing: Note: Employers seeking to rely on this condition must bear in mind that: the consent must be explicit. This means the applicant must have been told clearly what personal data are involved and the use that will be made of them. The applicant must have given a positive indication of agreement (e.g. a signature), the consent must be freely given. This means the applicant must have a real choice whether or not to consent and there must be no significant detriment that arises from not consenting. Importantly the commissioner says: The extent to which consent can be relied upon in the context of employment is limited because of the need for any consent to be freely given. However, in relation to the recruitment and selection of workers this is less of a constraint. Individuals in the open job market will usually have a free choice whether or not to apply for a particular job. If consent to some processing of sensitive data is a condition of an application being considered this does not prevent the consent being freely given. It must of course be clear to the applicant exactly what he or she is consenting to. As recruitment proceeds it becomes less likely that valid consent can be obtained. If, for example, the direct consequence of not consenting is the withdrawal of a job offer the consent is unlikely to be freely given. 12 A THOROGOOD SPECIAL BRIEFING

9 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Making access requests The Act allows for any individual to make a subject access request to any organisation that he or she believes is processing his or her personal data. This request must be in writing, so by letter or . Once an organisation receives such a request it must respond promptly, or at the most within 40 calendar days. There is similar legislation in the Freedom of Information Act This allows anyone, companies as well as individual data subjects, to request information held by public bodies (it does not apply to bodies other than those in the public sector). This requires that such requests be made within 20 days. Many public sector bodies have harmonised their procedures to comply with the DPA and the FOIA and thus provide for a 20 (not a 40) day period. However, companies in the private sector, should stick with 40 days under the DPA. The data controller, in response to a request, must produce copies of the information it holds in an intelligible form. A charge of up to 10 can be made. The 40 day period starts once the organisation has received the fee together with any information it needs to verify the identity of the individual making the request, and to locate the information that the individual seeks. Practical guidance subject access requests Many companies have a form they ask data subjects to complete when making a request so that the company receives all the identification information it needs. It is wise to have such a form ready. Always check the individual is who they say they are before providing information. Never provide information for a spouse about their spouse for example. Consider requesting the applicant to narrow down what they are interested in discovering although all information must be supplied if requested it is often in practice wise to ask what are they particularly after to make the task for finding it easier. There are some exemptions that allow organisations to withhold information. These exemptions can apply in areas such as criminal investigation, management planning such as promotion and transfer plans, and negotiations. The exemptions, though, are limited in their application even within these areas. THIRD PARTY DATA Be careful not to disclose third party data in responding to requests. The IC has guidance on the IC website on subject access and third party data to which reference should be made. A THOROGOOD SPECIAL BRIEFING 13

10 DATA PROTECTION LAW FOR EMPLOYERS 2008 Managing Data Protection Most businesses will need to nominate someone to take charge of data protection in their company. The Information Commissioner suggests standards for managing data protection which are common to all four areas of the employment Code of Practice as follows: Data protection compliance should be seen as an integral part of employment practice. It is important to develop a culture in which respect for private life, data protection, security and confidentiality of personal data are seen as the norm. The benchmarks 1. Establish a person within the organisation responsible for ensuring employment practices and procedures comply with the Act and for ensuring that they continue to do so. Put in place a mechanism for checking that procedures are followed in practice. 2. Ensure that business areas and individual line managers that process information about workers understand their own responsibility for data protection compliance and, if necessary, amend their working practices in light of this. 3. Assess what personal data about workers is in existence and who is responsible for them. 4. Eliminate the collection of personal data that is irrelevant or excessive to the employment relationship. If sensitive data is collected ensure that a sensitive data condition is satisfied. 5. Ensure that workers are aware of the extent to which they can be criminally liable if they knowingly or recklessly disclose personal data outside their employer s policies and procedures. Make serious breaches of data protection rules a disciplinary offence. 6. Allocate responsibility for checking that your organisation has a valid notification in the register of data controllers that relates to the processing of personal data about workers, unless it is exempt from notification. 7. If applicable, consult trade unions or other workers representatives, or workers themselves over the development and implementation of employment practices and procedures that involve the processing of workers data. 14 A THOROGOOD SPECIAL BRIEFING

11 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Notes and examples 1. In a small business, the responsibility might simply be with the owner of the business. Where there is a management structure, responsibility should be allocated to a senior manager in the personnel or human resources function, or someone in a comparable position. Those with overall responsibility must be in a position to feed their knowledge into other areas of the business where information about workers is processed, and to ensure that the organisation has a co-ordinated approach to data protection compliance. Ideally data protection should be seen as an integral part of employment procedures rather than as a stand alone requirement. For example, in the company s written procedure for dealing with selection, there should be a section on how to follow up on references, which should incorporate the relevant benchmarks in this Code. Procedures are only of value if they are current and adhered to. Review and update procedures as necessary and put a mechanism in place to ensure that they are being followed on the ground. This might involve some form of audit or self-certification by managers. 2. It is important to remember that data protection compliance is a multidisciplinary matter. For example, a company s IT staff may be primarily responsible for keeping computerised personal data secure, whilst a human resources department may be responsible for ensuring that the information requested on a job application form is not excessive, irrelevant or inadequate. All workers, including line managers, have a part to play in securing compliance (for example, by ensuring that waste paper bearing personal data is properly disposed of). An employer is liable to pay compensation for damage suffered by an individual as a result of the actions of a line manager in regards to data protection unless it is clear that the line manager has been acting outside his or her authority. Employers can help protect themselves against claims by training line managers and having clear procedures in place. 3. It may be helpful to assess personal data held on workers using the same categories as are used in the various parts of this Code, i.e. personal data processed in connection with recruitment and selection, employment records, monitoring at work and medical information. Consider who in your organisation will be collecting, using, storing and destroying such information. Only when you have ascertained this will you be able to check that your organisation is complying with the Act. A THOROGOOD SPECIAL BRIEFING 15

12 DATA PROTECTION LAW FOR EMPLOYERS When making your assessment of personal data consider if all the information collected on workers is necessary for the employment relationship. For example, information concerning workers lives outside work is unlikely to be necessary. However, it might be legitimate to request information about workers other jobs where there is a justifiable need, for example, in connection with Working Time Regulations, or to request information about their children in connection with an application for parental leave. The collection and use of sensitive data must satisfy a sensitive data condition. 5. Workers should be broadly aware of the legal duties that the Act places on employers and their own role as workers in meeting them. In particular, workers should be aware of how data protection compliance impinges in practical terms on the way they perform their work. It is also crucial to make workers aware of the possible consequences of their actions in this area, e.g. disciplinary action or personal criminal liability. It is useful to incorporate such information in the general induction process for new workers and to regularly remind existing workers of their obligations. 6. Failing to notify when required to do so or failing to keep a notification up-to-date is a criminal offence. The person responsible for data protection should ensure that entries concerning workers data on the Register of Data Controllers are complete, accurate and up-to-date. This may be a duty that he or she personally undertakes or it may be delegated. 7. Consultation is not in itself a legal requirement. Nevertheless consultation should help ensure processing of personal data is fair to the workers to whom the data relates. Conclusion The data protection legislation has wide application in the field of employment and employers need to consider its application from the recruitment stage, addressed in the next chapter, right through to termination of the employment contract and beyond. 16 A THOROGOOD SPECIAL BRIEFING

13 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Further information The Information Commissioner s website has the following guidance which is also regularly added to and expanded from time-to-time at (this list is current as of January 2008). Codes of practice Framework code of practice for sharing personal information Quick Guide to the Employment Practices Codes The Employment Practices Code The Employment Practices Code: Supplementary Guidance Code of Practice on Telecommunications Directory Information and Fair Processing. CCTV Technical Guidance notes These notes provide advice and information on the technical issues that affect both data protection and freedom of information. Determining what is personal data This technical guidance note explains and illustrates the Information Commissioner s view of what is personal data for the purposes of the Data Protection Act It is designed to help data protection practitioners decide whether data falls within the definition of personal data in circumstances where this is not obvious. Frequently asked questions and answers about relevant filing systems This technical guidance will help data controllers to decide whether the personal information they have is held in a relevant filing system as defined by the Data Protection Act. A THOROGOOD SPECIAL BRIEFING 17

14 DATA PROTECTION LAW FOR EMPLOYERS 2008 Filing defaults with credit reference agencies The aim of this guidance is to provide advice to credit grantors on the conditions under which information about defaults is filed with the credit reference agencies. Only if credit grantors file defaults information in broadly comparable circumstances to each other will credit reference agency records provide meaningful information about the financial standing of individuals, and be processed in a way that is fair to those individuals. The guidance sets common standards for filing defaults while recognising that some differences exist with the wide range of credit products available. Access to pupil s information held by schools in England/Wales/Scotland/Northern Ireland These guidance notes will help state primary and secondary schools and Boards of Governors in England, Wales, Scotland and Northern Ireland understand their responsibilities under the Data Protection Act regarding requests for pupil s information. The guidance for Scotland is also intended for independent schools. Local education and library boards may also find them useful. These notes also cover the separate right of access that parents have to the official educational record of their child. The use of personal information held for collecting and administering council tax This note explains the Commissioner s approach to the use of personal information obtained for the administration of council tax. Disclosures to MPs carrying out constituency casework Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order S.I.2002 No Radio frequency identification This technical note summarises RFID technology, its usage, and how the Data Protection Act 1998 applies. It is aimed at those using or thinking of using RFID technology. 18 A THOROGOOD SPECIAL BRIEFING

15 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Privacy enhancing technologies (PETs) This technical note is intended to raise awareness of the concept of privacy enhancing technologies and is aimed at system designers and those commissioning them. It will give a brief description of privacy enhancing technologies but draws on the extensive information published elsewhere. It is not intended to be an exhaustive account, rather a point of entry for readers who wish to further their own research. Subject access requests and legal proceedings The aim of this guidance is to provide an explanation to legal practitioners and data protection specialists of the Information Commissioner s view on the exercise of these access rights where legal proceedings are contemplated or ongoing. Subject access requests involving other people s information This technical note replaces previous guidance on this subject and deals with the potential conflict between an individual s right of access and a third party individual s rights to privacy of confidentiality. Freedom of information: access to information about public authority employees This guidance gives public authorities practical advice about dealing with requests made under the Freedom of Information Act for access to information about their employees. It should be read in conjunction with our freedom of information awareness guidance 1 about personal information which is available on the exemptions guidance section of the website. Health data: use and disclosure Health records: subject access Local authorities: data sharing Model contracts for transfer to other organisations Model contracts for data processors processing personal information on their behalf Notification of barristers chambers Notification of pension scheme trustees Promotion of a political party A THOROGOOD SPECIAL BRIEFING 19

16 DATA PROTECTION LAW FOR EMPLOYERS 2008 Registration officers: right to inspect local authority records Vehicle keepers information: implications on use and disclosures Detailed Specialist Guidance International transfers of data. See: list_guides/international_transfers_legal_guidance_v2.0_ pdf Audit Guide. See: list_guides/data_protection_complete_audit_guide.pdf Good practice notes Security of personal information This good practice note aims to alert small and medium sized organisations to the security measures they should have in place to protect the personal information they hold. Training checklist for small and medium sized organisations High-profile security breaches have increased public concern about the handling of personal information. We recognise that some organisations have limited resources to devote to staff training. This note outlines some of the practical implications of the Act and is intended as a basic training framework for general office staff in small and medium sized organisations. The exemption from notification for not-for-profit organisations This note aims to answer a number of questions regularly raised by charities and voluntary organisations about the exemption from the requirement to notify under DPA 1998 for not-for-profit organisations. Publication of Examination Results by Schools This good practice note aims to explain to boards of governors, head teachers and school data protection officers how the Data Protection Act (the Act) affects the publishing of examination results. 20 A THOROGOOD SPECIAL BRIEFING

17 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS The use and disclosure of information about business people The aim of this good practice note is to explain to local authorities how the Data Protection Act (the Act) applies to the sharing and use of information about business people. This could be information, for example, about a business person s payment of business rates or the results of an environmental health inspection of his or her premises. Collecting personal information using websites This guidance is a set of frequently asked questions for anyone collecting personal information using websites. Calling existing customers listed on the Telephone Preference Service This guidance explains the position regarding calling existing customers for marketing purposes when they are currently registered on the Telephone Preference Service (TPS) or those who subsequently register. Advice to local authorities on disclosing personal information to elected members. This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members. Advice for the elected and prospective members of local authorities This good practice note aims to provide local authorities with advice on what they need to consider when deciding to disclose personal information to elected members. Checklist for handling requests for personal information (subject access requests) This guidance aims to assist small and medium sized organisations that receive requests for information covered by the Data Protection Act The use of violent warning markers This good practice note explains to those working with the public how best to manage the use of violent warning markers. Corporate Telephone Preference Service This good practice note explains how companies can register their telephone numbers with the Corporate Telephone Preference Service A THOROGOOD SPECIAL BRIEFING 21

18 DATA PROTECTION LAW FOR EMPLOYERS 2008 (CTPS), and the rules that apply to calling companies that have registered their numbers. Releasing information to prevent or detect crime This good practice note explains what you need to consider when you are asked to release personal information because it is needed to prevent or detect a crime, or catch and prosecute a suspect. It is intended as a guide for organisations that do not normally receive requests of this kind. Monitoring under section 75 of the Northern Ireland Act 1998 This good practice note aims to make clear that the Data Protection Act 1998 allows monitoring under section 75 of the Northern Ireland Act It also aims to provide advice for public authorities that are required to carry out such monitoring. Automatic renewal of policies or membership by credit or debit card This good practice note explains how insurance companies and other organisations can comply with the Data Protection Act 1998 when automatically renewing a policy, membership or other arrangement where a fee has to be paid. This note covers payment of fees by credit or debit card but not by direct debit. Tied agents and independent financial advisors This good practice note is aimed at firms of tied agents and independent financial advisors. It gives advice on common issues raised with the Information Commissioner about how to comply with the Data Protection Act. The term firm includes sole traders and partnerships. Outsourcing a guide for small and medium sized businesses This good practice note sets out what you need to do to comply with the Data Protection Act when you outsource the processing of personal information. Typical examples would include outsourcing your payroll function or customer mailings. It sets out which parts of the Act are important when outsourcing and provides some good practice recommendations. 22 A THOROGOOD SPECIAL BRIEFING

19 1 INTRODUCTION AND GUIDANCE FOR EMPLOYERS Buying and selling customer databases This good practice note explains what organisations need to do to make sure they comply with the Data Protection Act when buying and selling databases which contain customers personal information. It is not intended to cover the purchase and sale of confidential personal information. This advice is for use when a business is insolvent or closing down or when as asset is being sold, either by the owner or an insolvency practitioner. How does the Data Protection Act apply to professional opinions? This good practice note aims to inform organisations and practitioners about some of the data protection issues that arise in relation to the information about individuals that they record in their professional opinions. The information in this note may also be of interest to individuals. Pension trustees and their use of administrators This good practice note explains to pension trustees how to comply with their obligations under the Data Protection Act 1998 when they use pension administrators to help them run a pension scheme. Subject access and employment references This good practice note clarifies how the Data Protection Act applies to employment references. The recommendations also apply to other types of reference, such as those provided for educational purposes. Disclosing information about tenants This good practice note answers some frequently asked questions from landlords about how the Data Protection Act applies to them, the information they hold about their tenants and information held on their behalf by a letting agent. Charities and marketing This good practice note explains what charities and voluntary organisations need to do to comply with data protection law when they carry out marketing activities. Electronic mail marketing This good practice note is aimed at helping businesses understand the dos and don ts of electronic mail marketing and gives an overview of the rules in the Privacy and Electronic Communications Regulations. A THOROGOOD SPECIAL BRIEFING 23

20 DATA PROTECTION LAW FOR EMPLOYERS 2008 Individuals rights of access to examination records This good practice note explains the right to access examination records under the Data Protection Act. The Freedom of Information Act also gives individuals the right to access other (non-personal) information held by public authorities. Providing personal account information to a third party This good practice note is aimed at helping people to decide whether or not to give information to third parties calling on behalf on an account holder. Taking photos in schools This good practice note is aimed at Local Education Authorities and those working within Schools, Colleges and Universities. Telephone marketing by a political party This good practice note is aimed at the public and political parties. Getting it right: a brief guide to data protection for small businesses Getting it right: small business checklist Schools: exam results disclosure to the media 24 A THOROGOOD SPECIAL BRIEFING