Unlike Right Said Fred, data has never been able to say that it’s too sexy for anything. But if you’re not thinking about your data and how to protect it, you could be at risk of losing one of your organisation’s most vital things – its reputation – not to mention a fine of up to £500K (see our recent update on BYOD).
There have been a multitude of recent developments in this area that should be on the radar of every employer.
Firstly, the Court of Appeal held in February 2014 that an employee’s work email address including their name was personal data. This meant that an employer was entitled to withhold the names of junior employees who had been involved in an investigation. This reminds employers that, when dealing with a subject access request, they should only disclose the names of other individuals appearing in documents which relate to the data subject where they have the consent of those other individuals (or it is reasonable to disclose their identity without their consent).
In May 2014, the European Court of Justice decided that an individual has the “right to be forgotten”. In the UK, this serves as a reminder to employers not to retain personal data about their staff which is irrelevant, excessive, inaccurate or kept for longer than necessary. Retention periods should be based on business need and any legal obligations that might be owed to individuals.
In September 2014, a former paralegal was convicted of disclosing personal data without the consent of his former employer. James Pickles had created worklists, file notes and template documents in his old job and had emailed these documents so he could use them in his new job. The only (and rather large) problem was that these documents contained sensitive personal data relating to over 100 people, including clients still involved in legal proceedings. He was fined £300, ordered to pay a £30 victim surcharge and £438.63 prosecution costs. The Information Commissioner commented that “Stealing personal information is a crime”. Mr Pickles’ employment fate with his new employer is unknown.
In October 2014, the Information Commissioner published a new Code of Practice “for surveillance cameras and personal information” which replaces their old CCTV guidance. The Code deals with issues such as whether surveillance should be used at all, whether sound or video or both are necessary, documenting how surveillance information will be used and how potential video stars will be notified of the surveillance.
Finally, some employers are legitimately entitled to require employees to provide details of spent convictions as part of a DBS check. However, it will become unlawful from 1 December 2014 for employers to force individuals to make a subject access request to obtain details of their criminal record and then provide this to the employer. Employers who participate in this “enforced subject access” will in future be liable to an unlimited fine on conviction.
Please contact us if you require advice on data protection issues, including how to deal with subject access requests or if you’d like us to draft a data protection policy for you.