All data has to be processed in accordance with the data protection principles set out in the Data Protection Act. It must be fairly and lawfully processed, processed for limited purposes and not processed in a manner that is incompatible with those purposes.
It must be adequate, relevant and not excessive. It must also be accurate and up to date, kept for no longer than is necessary, processed in accordance with the rights of workers, and kept secure. And it is essential that it isn't transferred to countries that do not have adequate data protection regimes.
The term 'processing' effectively covers all uses to which data is put, and 'data' is used to mean any information held on computer or in a paper-based filing system.
In order for personal data to be processed, a worker will have to give his or her consent - this can be implied rather than expressed - or the employer can seek to rely on one of the grounds set out in schedule two of the act.
However, if sensitive personal data (Third Sector, 31 October) is to be processed, the worker will have to give explicit consent unless the employer can rely on one of the grounds set out in schedule three of the act.
A worker is entitled to have communicated to him or her in intelligible form all the information that forms any personal data held by the employer. This information must be supplied in permanent form by way of a copy, except when the supply of a copy in permanent form is not possible or would involve disproportionate effort, or the individual in question agrees otherwise.
Before a copy is supplied, the employee must make a valid request in writing. This can be an emailed request, and a £10 fee has to be paid.
Care needs to be taken when the identity of third parties could be disclosed in the copy documentation, and an attempt should be made to make those references anonymous before the document is disclosed. Ideally, if this is not possible, the third party's consent should be obtained.
It might be reasonable to disclose information without obtaining consent, but factors such as any duty of confidentiality owed to the third party, whether the third party is capable of giving consent, or any express refusal of consent by the third party should be taken into account before such a decision is reached.
- Emma Burrows, a partner and head of the employment group at Trowers & Hamlins solicitors