Human Resources and Data Protection

Transcription

1 Human Resources and Data Protection Contents 1. Policy Statement Scope What is personal data? Processing data The eight principles of the Data Protection Act Council obligations Employees obligations Individual s rights under the Act Making a request for information What information do we need from the applicant? What is the timescale for gaining access to the information? What if the applicant is not happy with our response? What if the data is incorrect? Policy Monitoring Policy Statement 1.1. The Data Protection Act 1998 ( the Act ) regulates the way in which certain personal data about an employee is held and used The general aim of the Act is to ensure that where personal data is held, the data is adequate, relevant and not excessive. The Act also ensures that employees are able to access and review the contents of any files held on them

2 1.3. Throughout employment and for as long a period as is necessary following the termination of employment, the Council will need to keep information for purposes connected with an employee s employment. The Council will also hold information to ensure that required services are provided in an efficient, effective manner The Council endorses and adheres to the Data Protection principles and requires all employees to comply with the Act in relation to all personal data held by the Council including the personal data about staff Employees should at all times value the right to privacy of the people about whom information is held and manage personal information professionally. It is each employee's responsibility to ensure that personal data remains confidential and secure. The aim of this document is to provide employees with information relating to the Council s obligations in relation to Data Protection and guidance on how employees are expected to handle personal data or make a Subject Access Request under the Act. The Council also has a Corporate Legal Policy on the Data Protection Act to which employees should also refer Failure to comply with this Guidance and the principles set out in the Data Protection Act will be regarded as serious misconduct and will be dealt with in accordance with the Council s disciplinary policy. Misuse and unauthorised disclosure of personal data can lead to personal prosecution. 2. Scope 2.1. This document applies to all employees other than those in educational establishments with delegated powers The principles in this document also apply to: Former employees Job applicants (successful and unsuccessful) Former job applicants (successful and unsuccessful) Agency workers (current and former) Casual workers (current and former) Contract workers (current and former) Volunteers (current and former) Trainees / work placement students (current and former) 3. What is personal data? 3.1. As outlined in section 1, the Act applies to any personal data. The term personal data is information about a living individual who is identified or who is identifiable. Personal data may be: photographs CCTV footage information held on computer disk - 2 -

3 3.2. These records may include: information gathered about an employee and any references obtained during recruitment details of terms of employment payroll, tax and National Insurance information performance information details of grade and job duties health records absence records, including holiday records and self-certification forms details of any disciplinary investigations and proceedings training records contact names and addresses Correspondence with the Council and other information provided to the Council Some personal data is also classed as sensitive and attracts a higher level of protection under the Act. Sensitive personal data is information relating to: Race or ethnic origin Political opinions Religion or belief Trade union membership Disability Sexual orientation Gender identity The commission or alleged commission of an offence or any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings 3.4. Such information, if disclosed by the employee to the Council is classed as sensitive under the Act and will not ordinarily be disclosed to a third party. 4. Processing data 4.1. The definition of processing is very wide and encompasses almost everything from the collection and storage of data to its eventual destruction If the Council intends to process data it must be processed fairly and lawfully and must comply with the conditions for processing set out in first data protection principle in the Act. The Council must ensure: consent is obtained where relevant, and the Information Commissioner (who is responsible for policing compliance with the Act) must be notified and given the reasons for the processing. The Council is required to maintain its registration with the Information Commissioners Office (ICO) and its registration can be found on the ICO web site

4 4.3. If the Council disclose personal data, consent is required unless the Council is required to provide the information by law. 5. The eight principles of the Data Protection Act 5.1. The Act contains statutory guidelines called 'data protection principles' to govern the manner in which personal data is processed. The principles mean that personal data shall: be processed fairly and lawfully and in particular shall not be processed unless specific conditions are met be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes. be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. be accurate and when necessary kept up to date. not be kept for longer than is necessary for that purpose or those purposes be processed in accordance with the rights of the Data subject under the Act Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. not be transferred to a country of territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data. 6. Council obligations 6.1. As part of the Council s commitment to maintaining public confidence and the successful operation of this policy, the Council will:- Ensure there is a designated Data Protection Officer with specific responsibility for data protection. Ensure that employees handling personal data understand that they are contractually responsible for compliance with the data protection policy and are appropriately trained and supervised for these purposes. Formulate a data subject access request procedure for corporate use. Conduct a regular review, assessment, evaluation and audit of the way personal data is managed within the Council. Ensure that persons making enquiries about personal data are dealt with promptly and are appropriately advised of their rights and the Council's policy in making requests for personal data under the Data Protection Act, Employees obligations 7.1. Employees must work within the requirements of the Act at all times and: - 4 -

5 ensure that personal data is only disclosed to those who are entitled to receive it ensure that they understand any departmental guidelines on data disclosure e.g. adopted practice in establishing identity of telephone callers take care to ensure that data stored both manually and on computer is accurate and up to date ensure that they are aware of their Section / Service security procedures in place for protecting data and follow those procedures 7.2. Employees MUST NOT: Disclose confidential information unless permission is granted Use any personal data held by the Council for personal uses Hold any personal data for any purpose unless certain that the Council is registered to hold information for that use 7.3. Employees MAY: Handle and use personal data where it is necessary to carry out their work Transfer personal data within the Council between departments provided that one or more of the following apply: permission from supervisor is obtained any Information Sharing Protocol in place is followed transferred data is used only for the purposes for which it was obtained consent of the data subject is obtained 7.4. If an employee is in any doubt about whether to disclose information, legal advice should be sought from the Head of Legal Services. 8. Individual s rights under the Act 8.1. Section 2 sets out a list of individuals to whom this policy applies, the key principle being both current employees and individuals not employed by the Council are entitled to request certain information under the Act. These individuals have the right:- To ask the Council if it holds personal information about them To ask what it is used for To be given a copy of the information (subject to certain fees and exemptions) To be given details about the purposes for which the Council uses the information and of other organisations or persons to whom it is disclosed. To ask for incorrect data to be corrected. to be given a copy of the information with any unintelligible terms explained; to be given an explanation as to how any automated decisions taken about them have been made. To ask the Council not to use personal information:- for direct marketing; - 5 -

6 which is likely to cause unwarranted substantial damage or distress; to make decisions which significantly affect the individual, based solely on the automatic processing of the data There are some limited circumstances in which personal data relating to the applicant may be withheld. Examples of this include repeat access requests, confidential references, and third party information. 9. Making a request for information 9.1. A request for a copy of information held about an individual is known as a "Subject Access Request" All requests must be made in writing A fee of 10 will be payable to the Council to provide this information Different fee structures apply to some 'accessible records' such as health, education or social services files and a maximum fee of 50 for copies of these records can be charged Copies of Education records are free but photocopying charges may be made. Viewing of records is free of charge. 10. What information do we need from the applicant? When a subject access request is received, the Council may ask for information they reasonably need to verify the identity of the person making the request and to locate the data This means the Council must ask for proof of identity and information such as whether they are/were a customer or employee of the Council. 11. What is the timescale for gaining access to the information? The Act requires data controllers i.e. the Council to comply with subject access requests promptly and, in any event, within forty days from receipt of the request or, if later, forty days from the day on which the data controller has both the required fee and the necessary information to confirm the identity of the applicant and to locate their data A deliberate delay on the part of the Council is not acceptable and the Commissioner may impose penalties for doing so, which could lead to bad publicity for the Council There are different periods for requests for copies of school pupil records, which is fifteen school days. However, requests for these records should be made to the Governing Body of the school in question

7 12. What if the applicant is not happy with our response? If an applicant who considers his/her request has not been complied with they should write to the Corporate Complaints Officer setting out why they think that the information should have been provided to them If, following the response from the Corporate Complaints Officer the individual remains dissatisfied with the response, the following options are available:- They may apply to the court alleging a failure to comply with the subject access provisions of the Act. The court may make an order requiring compliance with those provisions and may also award compensation for any damage they have suffered as a result and any associated distress. They may write to the Information Commissioner. The Commissioner may do one of the following:- make an assessment as to whether it is likely or unlikely that we have complied with the Act issue enforcement proceedings if they are satisfied that we have contravened one of the Data Protection Principles recommend that the applicant apply to court alleging a failure to comply with the subject access provisions of the Act All complaints must first be directed to the Corporate Complaints Officer. Neither a Court nor the Office of the Information Commissioner will deal with complaints regarding the handling of a subject access request unless the applicant has first exhausted the Council s internal complaints procedure. 13. What if the data is incorrect? If data is incorrect, the individual should write to the Council stating what data is incorrect and ask for the data to be corrected The Council must tell the individual what has been done within 21 days of receiving the request If the Council does not agree that the information is incorrect the individual can ask that the disagreement is noted within the personal records held on them. The individual can also appeal to the Information Commissioner or the courts if the information is not corrected. 14. Policy Monitoring The Council will monitor the application of this policy and has discretion to review it at any time Responsibility for the implementation, monitoring and development of this policy lies with the Head of Human Resources. Day to day operation of the policy is the responsibility of nominated officers who will ensure that this policy is adhered to

8 Version Details of Change Date Number 1.0 Introduction of Single Status 1 st April