Call Us
08000 224 224
The Data Protection Act 1998 was written with openness and access to information in mind, in line with the EC Data Protection Directive 1995. The directive's purpose is to protect the rights and freedoms of people, in particular their privacy. The Data Protection legislation covers manual records - where they are held in a relevant filing system - as well as computer records. It therefore has a huge impact in the workplace as most personnel files are paper based.
This booklet looks at:
what trade unions need to know as 'data controllers' holding information on both their members and employees
what protection and rights are offered to employees and union members as data subjects
what to do if data subject's rights have been breached
It is intended only as an introduction to what is a complex piece of legislation.
The Data Protection Act applies to almost anyone who stores personal data. Personal data is any data including photographs where living individuals can be identified from that data or information. For the Act to apply the data needs to form part of a 'relevant filing system'.
The Act refers to a person or body such as a trade union which holds personal data as the 'data controller'. This means that trade union members have the same rights and obligations as employees and employers when it comes to data storage.
To make sure that all information is handled properly, employers and trade unions are required to comply with the eight data protection principles and ensure that before any personal data is processed, they are included in the register of notifications maintained by the Information Commissioner.
The eight principles embodying the fundamental purpose of the Act require that information is:
1 Fairly and lawfully processed.
2 Processed for limited purposes.
3 Adequate, relevant and not excessive.
4 Accurate.
5 Not kept for longer than is necessary.
6 Processed in line with employees' and members' rights.
7 Secure.
8 Not transferred to countries without adequate protection (this effectively means that 'free and informed consent' is required from the data subject before data can go onto the internet).
Contravention of the principles may result in the commissioner issuing an enforcement notice.
Processing is defined as obtaining, recording, holding or carrying out any operation on the data. Most things will be covered, including disclosing data to a third party.
To process personal data at least one of the schedule 2 conditions below need to be met. With sensitive personal data one of the schedule 3 conditions need to be met too.
Schedule 2 The condition most data controllers will meet is consent of the data subject (the person the data is concerning).
Consent is not defined in the Act, but is defined in the directive, as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed".
"Signifies" implies that the data subject has to take a positive step, rather than something amounting to consent. Therefore, not responding to a leaflet, for example, would be unlikely to qualify. The consent does not need to be in writing.
There is a "special purposes" exemption at 5.32 of the Act which allows journalists to process data without consent in some situations.
Other conditions set out in schedule 2 include:
the processing is necessary for the performance of a contract or entering into a contract
the processing is necessary for compliance with any non-contractual legal obligation
the processing is to protect the vital interest of the data subject
the processing is for the purpose of legitimate interests
The Act specifies certain information as sensitive personal data and this affects trade unions specifically. This data is defined as racial or ethnic origin, political opinions, union membership, religious belief, health, sexual orientation, the commital or alleged commital of an offence and any proceedings for any offence.
The processing of this data must comply with the eight principles and conditions set out in schedule 2, and with the strict criteria set out in schedule 3.
Schedule 3 Any processing of union members' data amounts to the processing of sensitive personal data and as such the data controller also needs to comply with one of the following conditions:
the explicit consent of members is required before disclosing information to third parties and any other type of processing
unions need the explicit consent of members to reply if asked whether a person is a union member
explicit consent is not defined but it may be that to give explicit consent a data subject would need to tick a box to rather than not tick a box to comply
Without explicit consent, data subjects can still comply if they satisfy one of the other conditions in the schedule which include:
that the processing is necessary for the purposes of exercising rights or obligations imposed by law, such as industrial action ballots where unions are required to hand over the names of members to an employer or other such body such as ACAS
the processing is necessary to protect the vital interests of the data subject where they cannot reasonably give consent
the processing is carried out in the course of a trade union's legitimate business, but if data is closed to a third party this condition will not apply
This has important implications for trade unions. Trade unions which disclose membership lists to third parties in order that their members receive mail shots advertising benefits should amend their application forms so that new members give their explicit consent to such processing and disclosure.
Employers should include paragraphs in the contract of employment to this effect.
In addition, trade unions should send out data protection notices to all existing members if they intend to process their data in this way. If membership lists are disclosed for any other purposes, such as during elections, this should be specified on the application form and the data protection notice.
The information commissioner's office suggest that each data controller carries out an audit to assess exactly how personal data and sensitive personal data is used within that organisation.
By outsourcing certain functions such as payroll, data controllers are able to use data processors other than their own employees to process data. A contract should be drawn up between the data controller and the data processor. Responsibility for selecting a reliable data processor rests with the data controller.