Employers Questions -
Employment Records
Q1: I have recently
employed a HR Manager who is going through the Company’s employment
records and has noticed records going back 10 years. These include
records relating to former employees. The HR Manager wants to destroy
these, can she do so?
Q2: I keep
records of the ethnic origin of my employees so that I can monitor
them for equal opportunities purposes. Is this permitted by the
Data Protection Act 1998?
Q3: I have
a number of informal records relating to my employees which are
not kept in a filing system. Does the Data Protection Act 1998 cover
these?
Q4: I
am setting up a new recruitment procedure. Am I restricted by the
Data Protection Act 1998 as to the sort of personal information
that I can obtain from employees?
Q5: An employee
has asked for a copy of the information held on his personnel file.
Am I obliged to provide this information?
Q6: The HR
Manager has said that a lot of the information on the personnel
files is incorrect and out of date. Could the Company be liable
for any actions as a result of this? How can I prevent a repeat
of this?
Q7: I set
up a system to decide who is entitled to a promotion. An employee
did not get one. The employee is now asking for documentation to
show why. Am I obliged to provide this information?
Q8: I have
information relating to a disciplinary incident which occurred three
years ago and our HR manager said that I should destroy this immediately.
Am I in breach of the Data Protection Act 1998 by retaining this
information?
Q9:
I have an employee who has been diagnosed as suffering from a disability.
I have details of the medical condition on the file. Am I allowed
to keep such information?
Did we answer your question? These questions will
be updated periodically. If you would like to see an Employers Question
featured here, email it to us at info@rawlisonbutler.com.
Please note, we cannot answer your specific legal queries by email.
If you require legal advice on this or any
other employment law issue, please contact Tony
Hyams-Parish or your usual contact in the employment team at
Rawlison Butler LLP.
This document is provided for information purposes
only and does not constitute legal advice. Professional legal advice
should be obtained before taking or refraining from taking any action
as a result of the contents of this document.
Answers
A1: The Data Protection Act 1998
('DPA') provides that employment records should not be kept for
longer than is necessary for the purposes for which they were obtained.
Unhelpfully, the DPA and the accompanying Code of Practice, called
the ‘Employment Practices Data Protection Code’, do not
specify any retention periods, so it falls primarily to the employer
to set retention periods. However, any period that is set must be
based on a real business need. Retention periods may therefore vary
from one employer to another depending on the use the employer makes
of a particular type of information. Records should not be retained
simply on the basis that they might come in useful one day without
any clear view of when or why - so if the records no longer serve
any purpose and are out of date it is correct to destroy them.
You should undertake a risk analysis that
considers what the consequences would be for your business, for
workers and former workers and for others, should information that
is accessed only very occasionally be no longer available. As part
of this you should take into account, as you feel appropriate, the
time limits for claims employees might bring such as three months
for most employment claims and six months for a redundancy payment
claim, three years for a personal injury claim and six years for
a breach of contract claim in the courts.
A2: The DPA and accompanying Code of Practice
make it clear that employers are permitted to carry out ethnic monitoring
for equal opportunities purposes without the consent of the employee.
It is important, however, to only use information that identifies
individual workers where this is necessary to carry out meaningful
equal opportunities monitoring. It is stated in the Code that where
possible and practicable information should be collected in an anonymous
form.
It is prudent to have an equal opportunities policy
to ensure that employees are aware of what ethnic monitoring information
will be collected and retained and for what purpose, and it is good
practice to ask employees to sign a consent form giving their agreement
for this information to be held and used in relation to them. You
should consider carefully what you are trying to monitor and should
not collect unnecessarily detailed information about workers.
A3: In order for information to come within
the DPA it must be, amongst other things, part of a ‘relevant
filing system’. A relevant filing system is defined as any
set of information relating to individuals to the extent that it
is structured either by reference to individuals or by reference
to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible.
Therefore if the records are not filed in a structured
manner, do not identify individuals and are not easily accessible
they may not be covered by the DPA. However, please bear in mind
that the DPA covers the intention that the records will be put in
a filing system. Therefore you would be well advised to err on the
side of caution and carry out an audit to locate all paper information,
identifying the purpose for which it is being used.
A4: You should only seek personal data
that is relevant to the recruitment decision to be made. For example,
there is no obvious reason why you should ask applicants for information
about their membership of a Trade Union.
In addition, the scope of the information gathered
must be proportionate to what the employer is seeking to achieve.
For example, the extent and nature of the information sought from
an applicant for the post of head of security at a bank would be
very different from that sought from an applicant to work in the
bank's staff canteen.
If you intend to retain information from job applicants
you should inform them of this intention, the reason for it and
the length of time you expect to hold the information.
A5: Yes. Workers have a right to gain access
to information that is held about them. This right is known as a
subject access request. The right applies, amongst other things,
to information held in personnel files.
The request from the employee must be in writing
and you must satisfy yourself as to the identity of the individual
before you disclose any information. You can charge up to £10
for disclosing the information and must respond within a reasonable
period, and in any event within 40 days of when the information was requested.
There are certain exemptions when you will not
be required to disclose requested information, such as where:
• the information identifies another party and revealing this
information may be prejudicial to their rights.
• they are records in relation to the prevention or detection
of crime, the disclosure of which may prejudice that matter.
• access to the information may prejudice the running of a
business, for example management planning.
A6: Yes. An employee can seek the correction
of any inaccurate data that his/her employer holds. There are three
ways in which the employee can do this:
- the employee can ask the employer to amend the data.
- the employee can ask the Information Commissioner (who is responsible
for Data Protection) for an assessment.
- the employee can apply to the court for an order requiring the
employer to correct the inaccuracies in the data.
If the employee gave you incorrect details and
this is what you have put on your file then generally you will not
be liable. In order to avoid any liability for inaccurate data you
should ensure you have systems in place to regularly update your
records.
A7: The employee is exercising his
right to Subject Access as we discussed above. Details regarding
the promotion are potentially covered by the DPA as personal data
because it covers any information as to the intentions of the employer
regarding the employee. This would include documentation about dismissal,
promotion or discipline. However, the Code of Practice provides
certain exceptions whereby an employer is not required to allow
the employee access to certain information requested. This is where
the provision of such information is likely to prejudice the conduct
of the business. This could be, for example, information held for
management forecasting or management planning about plans to promote,
transfer or make an employee redundant.
If the decision not to supply the information
requested is based solely on an automated method of processing the
data, the employee will have a right under the Act to issue a notice
to ask for the decision to be reconsidered. If the employer can
show that some human judgement was used in the decision whether
or not to promote the employee, they will not contravene the DPA.
A8: If the incident was investigated and
found to be without substance, then the records should not be retained.
There are some limited exceptions to this, for example, where the
employee works with children and the allegation was of child abuse.
If the incident was investigated and found to
be a disciplinary matter of substance, the Data Protection Act 1998
(DPA) provides that you should not keep records for longer than
is necessary for the purpose for which they were retained in the
first place. Employers normally retain disciplinary warnings on
an individual employee's personnel file for a fixed period of 6
months to 1 year, depending on the severity of the disciplinary
penalty. The record should then be removed from the file. There
are no set time periods under the DPA for the retention of information;
instead you must consider whether you have a real business need
for retaining the records beyond the periods set out in your disciplinary
procedure; if there is no real business need you may be in breach
of the DPA by retaining the information.
A9: Information on the physical or mental
health of employees is ‘sensitive personal data’. Extra
restrictions apply to the processing of sensitive personal data
as opposed to personal data because the unauthorised use or disclosure
of such information could cause damage to the individual.
To process sensitive personal data you must seek
the employee's explicit consent before you retain or use the information.
The employee’s consent must be ‘freely given’.
This means that the employee must be informed exactly what information
you intend to process, how this information will be used and the
employee must then expressly consent, for example by signing a consent
form giving his/her permission for you to retain and process the
information.
We assume that the reason you need to keep this
information is to ensure that you are complying with the Disability
Discrimination Act 1995 (DDA) in relation to his/her disability
and to ensure compliance with the obligation to make reasonable
adjustments.
There are certain exceptions where it is not necessary
to obtain the employee's prior explicit consent to the processing
of this information, such as where it is required for legal proceedings
or to comply with a legal obligation, but these have limited application
and are used very rarely. Although keeping the information for the
purposes of the DDA may fall within one of the exceptions, guidance
has indicated that these should only be used in exceptional circumstances
and therefore as a general rule you should always ask the employee
to sign a consent form which clearly states how the data about him/her
will be used.