Data Protection

1. INTRODUCTION
The Data Protection Act 1998 ("the 1998 Act") implemented the EU Data Protection Directive (No. 95/46) and replaced the 1984 Act. The majority of the Act came into force in the course of 1999 with the issue of Regulations.

There was a transition period of three years from the 24th October 1998 until 23 October 2001 for data controllers to bring "processing already underway" into line with the new requirements. A further transitional period exists until 2007 for certain other categories of data, which will be explained in more detail in paragraph 9 below.

Despite some changes in terminology, at least 80% of the Act mirrors the old 1984 Act. Key elements which remain include:

  • The data protection principles of good practice;
  • 'Notification' (previously referred to as "registration");
  • An independent supervisory body to oversee the system (the Office of the Information Commissioner);
  • And the rights given to data subjects to have access to personal data, to correct inaccurate data and to claim compensation for damage suffered in certain circumstances.


2. CODES OF PRACTICE
Since the beginning of 2002 the Information Commissioner has been in the process of drafting an Employment Practices Data Protection Code. Once completed it will consist of 4 parts:

  • Recruitment and Selection - which concerns processing records, checking the accuracy of applications and pre-employment vetting
  • Employment Records - about the collection, storage, disclosure and deletion of personnel records
  • Monitoring At Work - covers the monitoring of workers' use of telephone, email systems and vehicles
  • Medical Information - about occupational health, medical testing, drug and genetic screening

The Code is intended to assist employers and to establish good practice for handling personal data in the workplace. Employers have a duty to comply with the Act and any enforcement action would result from a failure to comply with the Act rather than the recommendations contained in the Code.

Parts 1, 2 and 3 of the Code have been published and are available on the Information Commissioner's website (www.dataprotection.gov.uk). Part 4 of the Code is available for consultation from 3rd December 2003.

3. WHO IS PROTECTED?
The 1998 Act provides for the regulation of the processing of information relating to individuals who are the subjects of personal data (i.e. the "data subject"). "Personal data" includes all data which relates to a living individual who can be identified from the data, and includes any expression of opinion about the individual and any indication of the intention of the data controller or any other person in respect of the individual.

The Act therefore covers your own staff, applicants for temporary and permanent vacancies, clients who are individuals or partnerships (but not limited companies) and details of potential client individuals or candidates who are held on a marketing database.

4. WHAT INFORMATION IS COVERED BY THE 1998 ACT?
One of the major changes is that the definition of data in the 1998 Act extends to manually recorded data (i.e. paper-based records) as well as computerised data. However, manual data is partially exempt until 2007. Further details are set out below in paragraph 9.
The new definition of "data" includes information:

  • That is being processed by means of equipment operating automatically in response to instructions given for that purpose;
  • That is recorded with the intention that it be processed by such equipment;
  • That is recorded as part or is intended to form part of a relevant filing system or part of an "accessible record" i.e. one which is either a health record, an educational record or a record kept by a housing or social services authority.
  • Manual data will be covered if it is included in a "relevant filing system". This is defined as any set of information, which is structured, either by reference to individuals or criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible. It is not yet clear what type of manual record will fall within this definition but clearly paper-based personnel files will come within its scope. It could also include piles of loose paper if they are structured in any way and the information can be easily found.

5. PROCESSING DATA - WHAT YOU CAN OR CAN'T DO
"Processing" of personal data means obtaining, recording or holding information or data or carrying out any operation including organisation, retrieval, use, disclosure, erasure or destruction of data.

Processing is unlawful unless the details of the "data controller" have been "notified" to the Data Protection Commissioner and an entry has been made in the register kept by him. Details of the procedure for notification are available from the Office of the Information Commissioner (see below). Failure to notify where required may lead to a criminal prosecution punishable by a fine.
The "data controller" is a person who (either alone or jointly or in common with others) determines the purposes for which and the manner in which personal data are or will be processed. This relates to limited companies as well as firms and individuals who collect and process information about individuals.

A "data processor" is someone other than an employee of the data controller who processes data on his behalf. This may include payroll companies, PR and marketing agencies etc.
Processing data must be carried out in accordance with the Data Protection Principles.

6. THE DATA PROTECTION PRINCIPLES
These are essentially principles of good business practice in relation to the collection, use and storage of data. They are as follows:

First Principle
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless one or more conditions are met. The conditions for processing to be lawful include the following:

  • The data subject has given his consent;
  • Processing is necessary for the performance of a contract to which the subject is a party or for entering into a contract at the request of the subject;
  • Processing is necessary to comply with a non-contractual legal obligation;
  • Processing is necessary to protect the vital interests of the data subject or otherwise for the administration of justice.

If it is "sensitive personal data" i.e. that which relates to racial or ethnic origin, political and religious beliefs, TU membership, health, sex life or criminal record, then at least one of the above conditions must be satisfied together with one of a further set of more stringent conditions set out in Schedule 3 to the 1998 Act. For example, there must be requirements for express consent to the processing in question by the individual. This means that before obtaining such data, for example on registration, an employment business should ask the individual to sign a form of written consent to the processing of such data in connection with the search for suitable employment or any other agreed operation. Schedule 3 however permits ethnic monitoring to promote or maintain equality of opportunity.

Second Principle
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes. So if the information is to be used for any purpose other than the search for suitable employment e.g. marketing other services, the individual should be informed of this.

Third Principle
Personal data shall be adequate, relevant, and not excessive in relation to the purposes for which it is processed. Individuals should only be required to give such information about themselves that is relevant to the employment they are seeking. For example, on registration you should only ask questions about a candidate's health that may affect the type of work they will be doing.

Fourth Principle
Personal data shall be accurate and where necessary kept up to date.

Fifth Principle
Personal data shall be kept for no longer than is necessary for the purposes for which it was processed.
Different statutes require information to be held for different lengths of time. Some records should be kept until potential legal claims by the data subject would be time-barred. Claims for a debt or damages for breach of contract can be brought up to six years after the breach, so this is probably the maximum period for certain records to be kept after the end of any placement or termination of someone's employment.

Sixth Principle
Personal data shall be processed in accordance with the rights of data subjects under the 1998 Act.

Seventh Principle
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing and accidental loss, destruction or damage to personal data.

Eighth Principle
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country/territory ensures an adequate level of data protection. Consideration should be given to the nature of the data, the law or codes of conduct of that country and security measures in place in that country.

7. RIGHTS OF DATA SUBJECTS

7.1. ACCESS TO PERSONAL DATA

7.1.1. Individuals are entitled to:

  • Be informed whether personal data are being processed by or on behalf of the data controller;
  • If so, be given a description of the data, the purposes for which they are being processed and the recipients to whom they are or may be disclosed;
  • Have communicated in intelligible form
    • the information constituting the personal data of which s/he is the subject and
    • any information available as to the source of the data;
  • Where processing by automatic means of data evaluating matters such as performance at work, reliability, conduct or creditworthiness is to be the sole basis of any decision-making process by the data controller for any decision significantly affecting him, be informed of the logic involved in the decision-making process.
  • Requests must be made in writing and accompanied by such fee as is required by Regulations subject to a maximum, which is yet to be prescribed. The data controller is not obliged to comply with a request unless he is satisfied as to the identity of the person making the request and has sufficient information to enable him to locate the details requested. Compliance with a request must be prompt and in any event within 40 days or other period prescribed by impending Regulations.
  • The data controller's obligation is to provide the information in a permanent, intelligible form with an explanation where necessary. As "personal data" includes expressions of opinion, records marked with coded comments about an individual will have to be produced with an explanation as to what these mean.

7.1.2. Exemptions to the Right of Access

  • Personal data consisting of a reference given in confidence by the data controller in connection with the employment, education or training of the data subject; appointment to any office; or the provision of a service by the data subject. This means that only references given by the person to whom the request is made are exempt. The most common request by individuals of employment agencies or businesses is for access to references given by some other person, usually previous employers. The data controller is not obliged to comply with such a request if in giving the information he will be disclosing information relating to another identifiable individual who has not given his consent, unless it is reasonable to comply without such consent having been given.
  • Personal data, which would prejudice the combat effectiveness of the Armed Forces.
  • Management, forecasting and corporate finance services.
  • Records of the intentions of the data controller in relation to and which would prejudice any negotiations with the data subject.
  • Examination marks and scripts.
  • Information covered by legal professional privilege, i.e. communications with your own legal advisers.
  • Self-incriminating evidence of the commission of an offence which if disclosed would expose the data controller to proceedings.

7.2. CORRECTION OF INACCURATE DATA
An individual can apply to a county court for an order requiring the Data Controller to rectify, block, erase, or destroy any data containing an expression of opinion which appears to be based on inaccurate data.

7.3. PREVENTION OF PROCESSING LIKELY TO CAUSE SUBSTANTIAL DAMAGE OR DISTRESS which would be unwarranted, by serving notice in writing followed by an application to a court in the event of non-compliance.

7.4. PREVENTION OF PROCESSING FOR DIRECT MARKETING PURPOSES
This includes unwanted "junk" mail shots.

7.5. TO REQUIRE THAT A DATA CONTROLLER SHALL NOT TAKE A DECISION about the subject evaluating performance at work, reliability, conduct or creditworthiness solely on the basis of automatically processed data, by serving notice in writing followed by an application to a court in the event of non-compliance. It is rare that decisions are made solely by computer equipment. Psychometric testing, for example, is only partly automated and therefore will be exempt from this right.

7.6. COMPENSATION FOR DAMAGE suffered i.e. financial loss as a result of the contravention by a data controller of any of the requirements of the 1998 Act.

8. ENFORCEMENT
Failure to comply with the Act where required may lead to a criminal prosecution punishable by a fine. A data controller may not process personal data unless an entry is made in the register kept by the Information Commissioner or, s/he is otherwise exempt from notification. A data controller must give his name and address; a description of the data being or to be processed; the purposes for which it is being processed and any recipients to whom data is disclosed; and details of any countries outside the EEA to which data may be transferred. There is also a new requirement to give a general description of the measures taken to ensure adequate security against unauthorised processing, loss or destruction of data.
The Commissioner has extensive powers of enforcement including powers of entry and inspection.
The data protection principles apply to all data controllers even those exempt from notification.

9. EXEMPTIONS FROM COMPLIANCE WITH THE ACT
Part IV of the Act sets out those circumstances to which certain parts of the Act do not apply. The provisions are too extensive to set out in detail and reference should therefore be made to the 1998 Act itself. Broadly speaking the exemptions apply for the purposes of:

  • Safeguarding national security
  • The prevention or detection of crime
  • Apprehension or prosecution of offenders
  • The assessment or collection of any tax or duty
  • Discharging regulatory functions such as protecting the public from financial loss, dishonesty, malpractice or other seriously improper conduct and securing health and safety of persons at work
  • Publication of any journalistic, literary or artistic material if it would be in the public interest
  • Complying with any enactment, rule of law or order of the court
  • Personal, family or household affairs (including recreational purposes) e.g. Christmas card lists

10. TRANSITIONAL PERIOD FOR COMPLIANCE WITH THE ACT: FROM 24 OCTOBER 2001 UNTIL 23 OCTOBER 2007
Eligible manual data i.e. personal data which was already being processed immediately before 24 October 1998 and other personal data is exempt from:-

  • the first data protection principle except to the extent that it requires the data controller to supply the subject with certain information;
  • the second, third, fourth and fifth data protection principles; and
  • provisions concerning rectification and erasure of inaccurate personal data.

11. ACTION REQUIRED TO COMPLY WITH THE 1998 ACT
All REC members are likely to be subject to the 1998 Act because of the nature of the business of storing details of individuals seeking work either on computer or on paper. If members are not already registered they will need to notify the Office of the Information Commissioner (see details below) who will provide them with forms to submit details of the information they hold and the types of processing carried on by them.
In the light of the provisions of the 1998 Act relating to manual and computerised data, all member organisations should review the information held about individuals, i.e. their employees, temporary workers or clients, and should consider the implications of the data subject's right of access to such information. In particular, personnel files should be reviewed and any inaccurate or out-of-date information discarded or updated. Any expressions of opinion which appear to be controversial should be removed.

Consideration should be given to whether it is necessary to obtain specific consent to the processing of "sensitive personal data" at any stage and if so, a suitable form should be drawn up.
Staff should be informed of the provisions of the Act and one or more persons should be appointed to deal with any requests for access to information or revisions of inaccurate data.
In dealing with requests for copies of references given by previous employers the duty to give information should be balanced with the need to protect the identity of the referee. If necessary ask the referee specifically whether they consent to a copy being given to the subject of the reference if a request is made.

12. FURTHER ADVICE CAN BE OBTAINED FROM:
The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire,
SK9 5AF

Tel: 01625 545 700 / 745
Fax: 01625 524510
Email: data@dataprotection.gov.uk
www.dataprotection.gov.uk

13. FREQUENTLY ASKED QUESTIONS

13.1 Do I need to register with the Information Commissioner and if so how?
Yes, if you hold personal information about individuals for purposes other than staff administration, advertising or marketing your own business or accounts and records. These exemptions are intended for small businesses who hold data only about their own employees whereas most recruitment agencies will be holding data about large numbers of individuals who may or may not be actively looking for work or working through them at any one time.
In order to register with the Information Commissioner (IC) you must "notify" her of the name and address of the "data controller" i.e. your name if you are a sole trader or that of your company together with a general description of the type of processing that you carry out. There are two ways in which to notify the IC:
By Internet: www.dpr.gov.uk
By Telephone: 01625 545740 to request a Notification Form

13.2 Can I keep candidates' CVs on my database even though I do not have anything suitable for them?
The Data Protection Act 1998 (DPA) requires you to comply with the 8 data protection principles including processing only such information as is adequate and relevant and keeping data for no longer than is necessary.
Under the Conduct of Employment Agencies and Employment Businesses Regulations 1976 made pursuant to the Employment Agencies Act 1973 ("the Conduct Regulations") you are under no obligation to keep the details of candidates to whom you cannot provide a service and need only keep certain information for one year.

Therefore if you know that you will not be able to assist someone you should decline to register them or if you have not been able to find work for the individual for a year then you should destroy their details in a secure manner. You should ensure that you have a procedure in place for regularly monitoring the information you hold for compliance with the DPA.

13.3 Can I ask for details of a candidate's lifestyle e.g. hobbies?
One of the 8 data protection principles is to process only such data as is relevant and not excessive for the purpose for which it is obtained. The question you have to ask is: is it relevant to the recruitment process and if so how much information do you need? If it is not relevant you should not request it.

13.4 Do I need to get the candidate's written consent to send their details to a) potential employers or b) a company that will offer them financial advice?
Again the 8 basic data protection principles include the rules that processing must be fair and lawful and for limited purposes. This means that it must be in accordance with the purposes for which the individual has given his/her consent for the information to be used.

A) As a recruitment company it is obvious that an individual who registers with you for temporary or permanent work will be happy for you to send their details to prospective employers. This may only be limited to one single employer if they have responded to an advertisement for a specific position with a named company so if you intend to send their details to other potential employers you should make this clear and ask if they object.

B) It is unlikely that a candidate looking for work could be said to have agreed to their details being sent to another company who may wish to sell them an unrelated product or advice. So, if you intend to pass their details on to anyone for a purpose other than those related to looking for work you should ask for their consent by use of a data collection notice:
E.g. "[Name of agency] will collect the personal details which you provide to us on this page for the purposes of providing you with work-finding services [or supplying workers/introducing candidates or insert the services you provide]. In providing this service to you we will need to transfer your personal details to our client companies [suitable candidates etc]. We may also from time to time, transfer your details to [associated companies/ other service providers] that may send you information about their services."

13.5 What information can I pass on to the potential employer about an individual who has registered with me?
As has been indicated above provided you have the individual's consent you may pass on most of their data to a potential employer. The only details for which you must get the individual's specific written consent to their being processed are those considered to be "sensitive personal data" and these include information about:

  • Racial or ethnic origin;
  • Political opinions
  • Religious or similar beliefs;
  • TU membership;
  • Physical or mental health or condition;
  • Sex life;
  • Convictions or allegations of the commission of an offence or court proceedings in relation to this or the sentence of any court.

So if you collect information about racial origin, medical condition, and criminal convictions you must not pass this information on unless you have the specific written consent of the individual.

13.6 What information can I pass on to the potential employer about an individual who I have interviewed in response to an advert where the client's identity was not disclosed in the advert?
If a candidate responded to an advert for a position where the employer's identity was not disclosed you should consider removing the identity of the candidate from any information you send to the client until the client expresses an interest in the candidate and is happy to let its own identity be revealed. In this way the candidate remains anonymous until he/she has the opportunity to know the identity of the recipient of his/her personal details. Refer to Q.5 above in relation to the type of information that may be sent.

13.7 What do I do if I receive a request from an individual to obtain copies of the information I hold about them?
Individuals are entitled to make a "subject access request" to any organisation that he or she believes is processing his or her personal data. This request must be in writing e.g. by post or email. Once you receive such a request you must respond promptly and in any event within 40 days. You must produce copies of the information you hold in an intelligible form i.e. readable and understandable (in the case of cryptic interview notes these must be explained). You may charge a maximum of £10 for doing this. Once you receive the fee you must confirm the identity of the individual and locate the information. There are some exemptions but these are limited.

13.8 What information are they allowed access to?
The individual is entitled to receive copies of any data that is held about them. This will include name, address, registration form details, copies of CVs, your interview notes, personnel file etc. This also includes references received from previous employers (although copies of references you have written are an exemption to this right) but care should be taken not to reveal the identity of the individual giving the reference unless they have consented to their name and address being passed on to a third party or their interests are outweighed by the interests of the subject of the reference.

13.9 What do I do if an unsuccessful candidate asks to see a copy of the references obtained from their previous employer?
An individual is entitled to receive a copy of a reference given by a previous employer but strangely may not request a copy of a reference given by you. If you are asked to produce a copy of a reference given by a previous employer care should be taken not to reveal the identity of the individual giving the reference, unless they have consented to their name and address being passed on to the subject or a third party or their interests are outweighed by the interests of the subject of the reference.
The words "private and confidential" do not prevent access but would imply that the referee did not intend it to be given to anyone other than the person to whom it was addressed. If possible you should first try to get the consent of the referee, or try to anonymise the reference so that their identity is not revealed. If neither of these is possible you should exercise your judgment as to whose interests are more important: the right of the referee to remain anonymous or the right of the subject to know what has been written about them.

13.10 If I take up a verbal reference am I required to tell the individual what was said about them?
The DPA only applies to data stored or held in writing or on computer so if no written note is made you will not be required to divulge the information given to you in answer to a subject access request.

 
