In the final part of this series on the Data Protection Act 1998, we turn our attention to what happens if an employer is not complying with the act's principles.
Under Section 40 of the act, the Information Commissioner can serve an enforcement notice on an employer, requiring it to comply with the data protection principles it has breached and to take certain steps or refrain from processing any personal data. The enforcement notice must contain a right of appeal to the Data Protection Tribunal.
Staff who believe their personal data is not being processed in compliance with the act may make a request to the commissioner for an assessment. If the commissioner receives a request for an assessment, he can serve the employer with an information notice requiring the employer to provide certain information within a specified time.
If the employer fails to comply with an enforcement or information notice, it will be guilty of a criminal offence. The offence is punishable on summary conviction, with a maximum fine of £5,000.
If workers suffer damage because their employer fails to comply with its data-protection obligations, they can issue proceedings in the High Court or a County Court pursuant to section 13 of the act.
Should the High Court determine that a worker has suffered damage because the employer failed to comply with its obligations under the act, unlimited damages could be awarded. Where data is inaccurate, the High Court also has powers to order its rectification, blocking, erasure or destruction.
It is worth noting that, although any enforcement action would be based on a failure to meet the requirements of the act itself, relevant parts of the Employment Practices Data Protection Code are likely to be cited by the Information Commissioner in connection with any enforcement action that arises in relation to the processing of personal information in the employment context.
It is therefore important that employers are familiar with the provisions of the code and do their best to implement the good practice recommendations contained in it.
Employers are advised to develop a data-protection policy if they do not already have one, and to put in place proper practices and procedures to govern the storing and processing of personal and sensitive personal data.
- Emma Burrows is a partner and head of the employment group at Trowers & Hamlins solicitors