Data Protection for Employers: Monitoring Employee Activity & Recent Developments
Lori Duckworth of Legal Edge explains the important issues surrounding Data Protection and the eight principles that businesses must follow to remain compliant using the example of Google.
Data Protection: not necessarily the most exciting topic you'll deal with as an employer, but in a world of ever-increasing global data sharing, giving proper attention to data protection compliance is crucial. In the UK, the Data Protection Act 1998 requires pretty much all businesses to register with the Information Commissioner, the regulatory officer tasked with enforcing the Act. This is because most businesses process information about individuals (such as employees' names, ages, home contact details, health history and remuneration, as well as information about business contacts and clients).
All businesses, even those that are exempt from registration, are required to follow the 8 principles of data protection, which are:
- To process personal data fairly and lawfully.
- To obtain personal data for one or more specified and lawful purposes.
- The data must be adequate, relevant and not excessive.
- It must be accurate and, where necessary, kept up to date.
- Personal data must not be kept for longer than is necessary.
- It must be processed in accordance with the rights of individuals who are the data subjects.
- Appropriate measures must be taken to prevent unauthorised processing, accidental loss or damage to personal data.
- Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights of data subjects.
This last principle can be quite challenging when using web-based applications, including the Google cloud. For example, many small and medium-sized businesses use Google applications for delivering mail, sharing calendars, wikis, etc., which often tie in with third-party applications. In many cases the servers are located outside the EEA, which means that data is automatically transferred outside the EEA. Depending on the type of data being transferred, this could contravene principle 8 unless each and every individual has consented to such a transfer.
Compliance with the Act is important for employers for many reasons, including the Information Commissioner's power to issue fines of up to 500,000 for failure to comply with the Act.
Another issue to highlight, one that is often overlooked, is that any monitoring of employees' activities must comply with the 8 principles and should have been accepted in advance by the employee in writing. Monitoring of employee activities must be for a specific purpose, be fair and not involve the retention of more data than is appropriate. The employer must not retain the data for a period in excess of that necessary to serve the purpose and must do its best to ensure that the data is accurate. Failure to ensure that your internet policy adheres to this not only violates the Act, but may infringe the employee's right to privacy under the Human Rights Act and/or otherwise expose you to claims of discrimination, etc. On the flip side, an appropriate level of monitoring of employees' activities is advisable because where illegal activities occur, it is often the employers who are held liable for the acts and omissions of their employees, even if the employees are violating the employer's code of practice.
Perhaps data protection just got a little more exciting?
This article should not be construed as legal advice or opinion on any specific facts or circumstances and is intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.
RM2 recommends the specialist advice of Legal Edge, who provide legal advice, support and management on a flexible basis. If you would like to contact them then you can visit their website http://www.legaledgeltd.com/ or call 020 3427 5115.