Data Protection and Privacy in the Workplace - PowerPoint PPT Presentation
About This Presentation
Title:

Data Protection and Privacy in the Workplace

Description:

To regulate the way in which organisations process personal data about ... Legal duty tachograph. Privacy button. Policy to state what private use allowed. Sat Navs' ...

Slides: 63
Provided by: angel79
Learn more at: http://www.barlowrobbins.com
Transcript and Presenter's Notes
1
Data Protection and Privacy in the
Workplace David Ludlow 24th 25th February 2009
2
Individual Rights
  • DPA Objectives
  • To regulate the way in which organisations
    process personal data about individuals
    (TRANSPARENCY)
  • To protect the rights of individuals in relation
    to such processing
  • ("To process" = to gather, store, use,
    disclose, amend, delete, etc.)

3
Securing the DPA Objectives
  • THE 8 DATA PROTECTION PRINCIPLES
  • Personal data must be …………………….

4
The Data Protection Principles
  • Processed fairly and lawfully
  • Processed for limited purposes only
  • Adequate, relevant and not excessive
  • Accurate
  • Not retained longer than necessary
  • Processed in line with individual rights
  • Measures to control unauthorised processing
  • Not be transferred to countries outside of the
    EEA where there is no adequate data protection
    regime in place

5
What is Data Protection ?
  • THE DATA PROTECTION REGIME

6
Notification
  • Information Commissioner
  • Fee: £35
  • On-line application
  • Failure to notify/keep registered information up
    to date: criminal offence, UNLIMITED FINE

7
Notification
  • Non Compliance
  • Criminal offence
  • Civil liability
  • THERE IS NO SMALL EMPLOYER EXEMPTION

8
The Information Commissioner
  • Provides information/guidance
  • Codes of Practice
  • Monitors compliance
  • Enforcement
  • www.ico.gov.uk

9
Individual Rights
  • INDIVIDUAL RIGHTS CONFERRED BY DPA

10
Subject Access Request
  • Workers have a right to gain access to
    information kept about them
  • In writing (e-mail/letter)
  • Indication of type of data sought/where recorded
  • £10 fee (automated data)
  • 40-day response period
  • Copy of data to be provided
  • UNLESS exemption applies…………………….

11
Disclosure Exemptions
  • Management planning/forecasting
  • Criminal investigation
  • Corporate finance situations
  • Negotiations with a worker
  • Legal professional privilege
  • Data which discloses identity of non-consenting
    3rd parties
  • If cost of providing copies is disproportionate

12
Court Powers
  • FAILURE TO COMPLY WITH SUBJECT ACCESS REQUEST
    COUNTY COURT/HIGH COURT APPLICATION BY INDIVIDUAL
    FOR AN ORDER FOR COMPLIANCE
  • COMPENSATION FOR ANY DAMAGE SUFFERED AS A
    RESULT OF NON-COMPLIANCE

13
Other Individual Rights
  • County Court/High Court application for
    correction/deletion of data or to stop processing
    of data likely to cause damage or distress
  • Compensation if damage and distress suffered
  • Application to Information Commissioner
  • Criminal Justice and Immigration Act 2008
  • Information notice
  • Enforcement notice
  • Powers of entry and inspection
  • Non compliance criminal offence
  • Monetary Penalty Notice

14
Employment Practices Data Protection Code
  • Good Practice Recommendations: Managing Data
    Protection
  • Part 1 Recruitment and Selection
  • Part 2 Employment Records
  • Part 3 Monitoring at Work
  • Part 4 Medical Information
  • Not legally binding but good practice

15
Data Controller
  • The organisation making the decisions about
    processing the personal data

16
Data Subject
  • The individual whose personal data is processed
    by the data controller, e.g.:
  • Applicants
  • Former applicants
  • Employees
  • Agency staff
  • Casual staff
  • Contract staff
  • Volunteers

17
Data Processor
  • A third party who processes personal data on
    behalf of the data controller
  • e.g. outsourcing of payroll (See Good
    Practice Note Nov 2008)

18
Records
  • What information is covered by the law?
  • Automated/computerised data records inc. e-mails
  • Manual records held in a relevant filing system?
  • Only a highly structured manual system
  • More than a bundle of documents filed in order
  • Some sort of system

19
Personal Data
  • Information relating to a living person who can
    be directly or indirectly identified by the
    information
  • Affects privacy (whether personal, family or
    business life)
  • Focuses on the individual
  • Identifies by itself (or with other information)
  • Biographical
  • BEWARE: this includes an expression of opinion
    about the individual, or the intentions of the data
    controller towards the individual, e.g. internal
    memos
  • The data controller must satisfy prescribed
    conditions before it can process personal data

20
Sensitive Personal Data
  • Information about the individuals
  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs or beliefs of a similar nature
  • Trade union membership
  • Physical/mental health
  • Sexual life
  • Commission/alleged commission of an offence
  • Involvement in any legal proceedings
  • Higher degree of protection than personal data
    more stringent conditions for processing

21
Safe Processing Consent
  • Freely given written consent (consent form
    separate from the contract)
  • Explain:
  • data being processed
  • reason/use
  • source
  • who data is disclosed to

22
The Employment Practices Data Protection Code -
Managing Data Protection
  • Processing Data
  • Obtaining, retention, use, access, disclosure and
    final disposal
  • Examples of information likely to be covered
  • Salary and bank account details held on a
    computer system
  • Email about an incident
  • Supervisor's notebook?
  • An indexed personnel file in date order
  • A sub divided personnel file with headings such
    as application details, leave record and
    performance reviews
  • Alphabetically organised leave cards
  • Alphabetically organised application forms

23
The Employment Practices Data Protection Code -
Managing Data Protection
  • Processing Data
  • Examples of information unlikely to be covered
  • Entire workforce's salary given by grade
  • Report on success of different recruitment
    campaigns with no details regarding individuals
  • Report on results of exit interviews with
    anonymised responses
  • A personnel file organised only in date order
  • Manually selected vs automatically recorded
    (Johnson v MDU, 2007)

24
The Employment Practices Data Protection Code -
Managing Data Protection
  • Good Practice Recommendations
  • Identify person responsible for ensuring
    compliance
  • Put in place mechanism for checking
  • Brief line managers
  • Audit personal information and eliminate
    irrelevant material
  • Educate and inform staff; disciplinary rules
  • Consult employee representatives
  • Register www.dpr.gov.uk

25
The Employment Practices Data Protection Code
  • PART 1 RECRUITMENT AND SELECTION

26
Advertising
  • Employer/agent must make themselves known to the
    applicant as soon as possible
  • Agency need not identify employer or applicant
    (until information passed on)
  • Explain how information obtained about the
    applicant will be used
  • Provide the above information in the
    advertisement or in the pre-recorded message (if
    application by telephone) or on the internet (if
    on-line applications)

27
Applications (including uninvited CVs etc)
  • Relevant questions only
  • Criminal convictions only if necessary
  • Section for consent to processing sensitive data
  • Explain verification process/pre-employment
    vetting
  • Secure necessary consent for release of 3rd party
    information
  • Ensure secure method of application and storage
    of applications

28
Short Listing
  • Be consistent to avoid discrimination claims
  • If automated selection system used, inform
    applicants and give them the opportunity to make
    representations about the process before making
    the final decision, e.g. psychometric/telephone
    testing
  • Appropriately trained assessors

29
Interviews
  • Remember interview notes are disclosable as
    part of subject access request
  • Prepare and train interviewers
  • Destroy notes after a reasonable time

30
Pre-Employment Vetting
  • Only use in specific risk cases e.g. children,
    vulnerable adults where no other, less intrusive,
    alternative
  • Customer requirements?
  • Only apply to a successful applicant (applicant
    should already have been informed of
    pre-employment vetting process)
  • Use for specific relevant information only not
    general fact gathering exercise
  • If data is going to be held on 3rd parties e.g.
    family members, they should be informed (e.g.
    Police, prison officers)

31
Criminal Records Bureau
  • Basic disclosure: unspent convictions
  • Standard disclosure: spent and unspent
    convictions, cautions, reprimands and warnings
    held on the Police National Computer
  • Enhanced disclosure: any further information
    held in local police records

32
Criminal Records Bureau Code of Practice
  • Only apply for level of disclosure required
  • Do not share disclosure information with any
    other employer
  • Do not retain disclosure information once the
    employment decision is made; record only the fact
    that a check was made and its result
  • In any event, do not retain the disclosure
    information beyond 6 months
  • Criminal Records Bureau should be the only
    pre-vetting system used

33
Retention of Recruitment Records
  • Decide what information from the recruitment
    process will be retained, e.g. an applicant's former
    salary details may not be relevant
  • Who retains and stores recruitment (and vetting)
    records?
  • Formulate a clear policy for period of retention
    based on clear risk analysis e.g. time limit for
    any claims against the employer arising from the
    recruitment process
  • Advise of intention to keep names for future
    vacancy
  • Ensure vetting records destroyed after 6 months
  • In any case, destroy irrelevant convictions data
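The two retention rules on slides 32 and 33 (strip the disclosure content once the employment decision is made, and in any event after six months, keeping only the fact that a check was done and its result) can be enforced mechanically rather than left to memory. The following is an added example written for this page, not code from the presenter or the CRB; the record layout, the "clear" result label and the sample applicants are constructed assumptions, and the six-month limit is taken as six calendar months.

```python
"""Retention sweep for pre-employment vetting (CRB disclosure) records.

Rules implemented (from the slides):
  1. once the employment decision is made, drop the disclosure content
     and keep only the fact a check was made, its level and its result;
  2. in any event, never hold the disclosure content beyond six months.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DISCLOSURE_RETENTION_MONTHS = 6           # "not beyond 6 months"
EXAMPLE_TODAY = date(2009, 2, 25)         # date of the presentation, used for the demo


@dataclass
class VettingRecord:
    applicant_id: str                     # hypothetical internal reference
    check_date: date                      # date the disclosure was received
    level: str                            # "basic", "standard" or "enhanced"
    result: str                           # summary only, e.g. "clear" (assumed label)
    decision_made: bool                   # has the employment decision been taken?
    disclosure_detail: Optional[str]      # certificate content; None once purged


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def must_purge(rec: VettingRecord, today: date) -> bool:
    """True when either retention rule requires the disclosure content to go."""
    if rec.disclosure_detail is None:
        return False                      # already minimised
    expiry = add_months(rec.check_date, DISCLOSURE_RETENTION_MONTHS)
    return rec.decision_made or today >= expiry


def apply_retention(records: List[VettingRecord], today: date) -> List[str]:
    """Purge disclosure content where required; return audit-trail lines.

    The record itself is kept (fact of check, level, result) so the employer
    can still show that vetting took place without holding the certificate.
    """
    audit: List[str] = []
    for rec in records:
        if must_purge(rec, today):
            reason = "decision made" if rec.decision_made else "6-month limit"
            rec.disclosure_detail = None
            audit.append(
                f"{today.isoformat()} purged disclosure for {rec.applicant_id} "
                f"({reason}); retained level={rec.level} result={rec.result}"
            )
    return audit


def sample_records() -> List[VettingRecord]:
    """Constructed sample data covering both rules and the boundary case."""
    return [
        # decision already taken: purge regardless of age
        VettingRecord("A001", date(2009, 1, 10), "enhanced", "clear", True, "certificate text"),
        # no decision yet, but received more than 6 months ago: purge
        VettingRecord("A002", date(2008, 7, 1), "standard", "clear", False, "certificate text"),
        # recent and undecided: keep for now
        VettingRecord("A003", date(2009, 2, 1), "basic", "clear", False, "certificate text"),
        # month-end clamp: 31 Aug + 6 months = 28 Feb, still in the future on 25 Feb
        VettingRecord("A004", date(2008, 8, 31), "standard", "clear", False, "certificate text"),
    ]


def demo():
    """Run the sweep over the sample data as of the presentation date."""
    records = sample_records()
    audit = apply_retention(records, EXAMPLE_TODAY)
    return records, audit


if __name__ == "__main__":
    _, lines = demo()
    for line in lines:
        print(line)
```

Running the sweep a second time on the same records produces no further audit lines, so it is safe to schedule it daily; the audit trail is the "record of the fact that a check was made and its result" the Code asks you to keep in place of the disclosure itself.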

34
Data Protection and Privacy in the Workplace
  • The Employment Practices Data Protection Code
    Part 2 Employment Records
  • Collecting records
  • Maintaining records
  • Using records

35
The Employment Practices Data Protection Code
Part 2 Employment Records
  • Collecting and Keeping Employment Records
  • Consent not needed unless sensitive
  • But is Worker aware and informed?
  • Nature and source of records
  • How records used
  • Who disclosed to
  • Rights of access
  • Fact sheet
  • Personnel management systems

36
Employment Records - Security
  • Apply some security standards
  • Physical and electronic devices
  • e.g. passwords and access controls
  • Electronic audit trails
  • Trained and authorised staff
  • Fax and email policies
  • NB dangers of internal transmission

37
Employment Records - Equal Opportunities
monitoring
  • Monitoring allowed
  • Consent not needed?
  • Try to anonymise
  • Accurate not excessive

38
Employment Records - Marketing and Publications
  • Workers right to privacy
  • Inform
  • Opt - out from receiving marketing?
  • Opt - in to disclosure?
  • Publication and other disclosures
  • Trade unions recruitment
  • Collective bargaining anonymity

39
Employment Records - Workers Access to
Information About Themselves
  • Subject Access Right (SAR)
  • Sickness, disciplinary, training, appraisal,
    performance review notes, e-mails, word processed
    documents, personnel files and interview notes
  • SAR system
  • Copy not coded/inspection
  • Third parties' expectation of privacy?
  • Inform third parties?

40
References and other Disclosure Requests
  • Corporate reference: specific exemption
  • Policy
  • Internal reference not exempt
  • Reference received third party?
  • Disclosure requests policy
  • Non-regular disclosure
  • copy to worker?
  • keep record
  • Transfers abroad?

41
Employment Records - Mergers and Acquisitions
  • Anonymise
  • Confidentiality agreement
  • Data room?
  • Inform workers?
  • Sensitive personal data
  • New employer duties
  • TUPE guidance note (May 2008)

42
Employment Records - Discipline, Grievance and
Dismissal
  • Necessarily processing
  • Clear right to access
  • Accurate and substantiated?
  • Secure?
  • Not incompatible use
  • Destroy unsubstantiated allegations
  • Spent warnings

43
Retention of Employment Records
  • No prescribed period
  • Some statutory exceptions
  • Not longer than is necessary
  • How often accessed in practice?
  • Do a risk analysis
  • Implement the system

44
The Employment Practices Data Protection Code
Part 3 Monitoring at Work
  • Monitoring at work
  • Not prevented by Data Protection Act
  • Consent required?
  • Monitoring: manual recording or watching over, or
    by automated means
  • CCTV
  • Opening up e-mail
  • Checking voicemails
  • Automatically checking e-mail
  • Checking logs of website visited (for example to
    check that individual employees are not
    downloading pornography)
  • Covert videoing

45
Monitoring at Work General Considerations
  • Who can authorise?
  • Who can carry out?
  • Record an impact assessment?
  • Inform about monitoring
  • Consult with workers representatives
  • Set out rules and standards
  • Access request capability?
  • Customer stipulations?

46
Monitoring Electronic Communications at Work
Specific Considerations
  • Telephone monitoring
  • Is it necessary? Manual records?
  • Impact on workers and recipients
  • Mobiles/home calls
  • E-mail and Internet
  • Is it necessary?
  • Allow secure lines
  • Avoid opening personal emails
  • Allow personal lines or communications
  • Block access to inappropriate sites
  • Record time spent on line as an alternative?

47
Monitoring Electronic Communications at Work
Specific Considerations
  • Video and audio
  • Particularly intrusive and difficult to justify
  • Blanket surveillance necessary?
  • Clear notification unless…….
  • Covert monitoring
  • Rare prevention of crime or equivalent
    malpractice
  • Investigators enter into proper contracts
  • Should still warn in contract of employment
  • Senior management authority
  • Targeted
  • Set time frame

48
In - Vehicle Monitoring at Work
  • Legal duty: tachograph
  • Privacy button
  • Policy to state what private use allowed
  • Sat Navs

49
Monitoring at Work
  • Protection of privacy generally
  • Justification?
  • Is justification needed in practice?
  • e.g. McGowan v Scottish Water (2005)
  • Privacy cuts both ways?
  • e.g. Governors of Amwell View School (EAT 2006)
  • Inform workers, e.g. that cyber-movements may be
    observed
  • Appropriate staff
  • Specific retention period for records: 6 months

50
Monitoring Electronic Communications at Work
  • Electronic communications interception
  • Generally unlawful: Article 8 ECHR, Halford and
    RIPA 2000
  • Defences?
  • Consent?
  • Under the LBP (Lawful Business Practice)
    Regulations?
  • To secure the operation of the system?
  • For the purpose of running business
  • To show standards that workers ought to achieve
  • To detect unauthorised use of the system
  • To check compliance with regulatory procedures

51
The Employment Practices Data Protection Code
Part 4 Information About Workers Health
  • Collection and subsequent use of information
    about workers' health (IAWH)
  • Mental and physical health
  • Most relevant
  • To larger organisations
  • To organisations with specific health safety
    obligations
  • Examples
  • Health questionnaire
  • Information about a workers disabilities
  • Results of an eye test
  • Results of an alcohol or drug test
  • Unregulated information?
  • Information stored in a line manager's head
  • Information in a general notebook

52
The Employment Practices Data Protection Code
Part 4 Information About Workers Health
  • The keys to handling IAWH lawfully
  • Workers Consent
  • Another statutory ground
  • Necessary to meet legal obligation
  • Necessary for medical purposes
  • Necessary for legal proceedings
  • Strict legal duty? e.g. monitoring of exposure
    to hazardous materials

53
The Employment Practices Data Protection Code
Part 4 Information About Workers Health
  • Do an Impact Assessment
  • To assess the purposes of processing health
    information
  • To assess the adverse impact
  • To assess the alternative to and methods of
    processing health information
  • Health questionnaires rather than testing?
  • Changes in the workplace and method to avoid
    testing at all?
  • Target testing
  • Limit and refine the actual testing
  • Limit staff handling it: medically qualified
    staff or those working under confidentiality
    agreements

54
The Employment Practices Data Protection Code
Part 4 Information About Workers Health
  • To assess the obligations that arise from
    processing health information
  • To assess whether processing of health
    information is justified
  • Making a conscious (recorded) decision
  • Placing particular emphasis on fairness to worker
  • Ensuring intrusion is necessary
  • Consultation with unions and other
    representatives

55
The Employment Practices Code Health Records
  • Sickness and Injury Records
  • Sickness record
  • Injury record
  • Absence records mere reason for absence?
  • Restrict record keeping to absence records
  • If you need sickness and injury records
  • Keep them separate
  • Check sensitive data condition exists
  • Do not disclose sickness or injury records to
    third parties
  • Restrict information to responsible managers
  • No league tables

56
The Employment Practices Code Health Records
  • Pension Schemes and Insurance Schemes
  • Do not access information held by Pension or
    Insurance Scheme providers
  • Limit exchange of information with provider
  • Inform internal trustees and administrators of
    their duties
  • Tell workers about exchange of information

57
The Employment Practices Code Part 4
Information about Workers Health
  • Medical examination and testing
  • Recommendation of a policy dealing with
  • Circumstances in which testing will take place
  • The nature of the testing
  • How the information will be used
  • Successful job applicants only
  • Is testing necessary
  • Is testing justified
  • To determine whether applicant fit for
    employment or
  • In connection with membership of a pension or
    insurance scheme

58
The Employment Practices Code Part 4
Information about Workers Health
  • Current Workers
  • Is testing necessary
  • Is testing justified
  • To prevent a significant risk to health and
    safety of the worker
  • To determine the workers fitness to continue in
    that employment
  • To prevent discrimination on the ground of
    disability or
  • In connection with membership of a pension scheme
    etc
  • Always apply general principles
  • E.g. is there a less intrusive way of obtaining
    the information?
  • E.g. unrelated information to be destroyed
  • E.g. explicit and freely given consent

59
The Employment Practices Code Part 4
Information about Workers Health
  • Common problem: worker on long-term absence or
    with poor attendance refuses to give
    information/access
  • Breach of contract vs breach of Data Protection
    principles
  • Who is authorised to institute testing?
  • Are they trained on the Code and DPA
  • Who will interpret medical details?

60
The Employment Practices Code Part 4
Information about Workers Health
  • Drug and alcohol testing
  • Very difficult to justify: health and safety
    reason?
  • Impact assessment
  • Targeted at specific jobs
  • Post incident testing
  • Alternatives to drug and alcohol testing:
    assisted performance tests
  • Drug and alcohol policy
  • When testing will take place
  • What testing for
  • What acceptable levels of use are for particular
    substances
  • Possible consequence of being tested

61
The Employment Practices Code Part 4
Information about Workers Health
  • Genetic Testing
  • Too intrusive and unreliable
  • Do not use to predict illnesses
  • Do not insist on disclosure
  • You can ask as last resort
  • Inform the Human Genetics Commission

62
Any Questions?