Introduction

Walker Thompson Ltd is a registered person under the Data Protection Act 1998 and is subject to scrutiny by the Data Protection Office. The basis of the act is to formalise the procedures which should be followed when business process or store personal data. Data may essentially be held in an electronic or manual form but under the Act a business must provide access to data on request and ensure that any data is processed in a fair and reasonable way.

Under the Act, individuals (data subjects) have the right to add information to their records, have inaccurate data deleted and to stop information being used for marketing purposes. Individuals have a legal right to know what data is held and what if anything that data is used for.

Individuals also have a right to know from where information was obtained and if it has been used for any automated decision making processes eg: electronic profiling in order to shortlist job applications.

A business must respond to request for information within 40 days.

There are both criminal and civil penalties for non-compliance with the Act. Challenges may also be made against offenders under the Human Rights Act.

What exactly is Sensitive Data?

All businesses have a duty to maintain the highest possible levels of security whilst handling data under Schedule 3 of the Data Protection Act.

This category covers areas relating to health, sexuality, religion, ethnicity and trade union membership.

For matters concerning sick pay within a payroll, specific consent is required from the employee to the handling of data. Eg: the reasons for sickness quoted by a doctor on a sick note is sensitive data.

Outsourcing of any data processing to third parties does not relieve obligations of a business under the Act and written agreements should be in place documenting exactly what responsibilities each party accepts.

Any personal data should not be transmitted outside the European Economic Area as global protection may not be provided.

Impact upon our Company 

Any issues arising which may give rise to DPA impact must be referred to a Director of the firm.

  • Any information gathered by the staff must be for specific purposes and not be more intrusive than is reasonable in order for us to fulfil the immediate obligations upon us.
  • Wherever possible, data held must be and remain as up to date and accurate as possible.
  • Data should not be retained any longer than necessary.
  • Processing of data must be in accordance with the rights of the individual(s) concerned.
  • Processing of data must be done using appropriate technological measures to ensure access can be restricted if required.
  • Any data held must be subject to consent.
  • Publishing of statement on DPA within any marketing literature, mailing lists etc used.
  • Ensure that whenever a data collection event happens we will have adequate methods of recording.
  • Knowledge of the Act sufficient to ensure that a breach of confidentiality does not arise – breaches can be transmitted verbally, in written form, e-mail, via a website etc.
  • A need to monitor internally that processes are in place and evidence of such monitoring taking place.
  • Ensuring that we do not breach the regulations on interventionary protection. (This is dealt with through out Internet Usage Policy).

IN PRACTICE

How do we collect information?

  • For clients we collect information at the first meeting which we hold on a database – This information will be added to throughout the period of time during which we act and in most cases it may extend beyond then.
  • For suppliers we collect information when we trade with them and this may arise very early in the process eg: at tender or quote stage.
  • For introducers to the Company we gain information through business cards, introduction letters, incoming mail shots etc.
  • For staff recruitment purposes we gain information from applications, CV’s and telephone conversations and correspondence which for appointed staff will be added to throughout their working period with the Company.
  • It should be noted that data collection is often by word of mouth.

Obtaining Consent 

  • Under no circumstances whatsoever should personal data be given to any third party without consent from the individual.

An indicative but not exhaustive list of examples is given as Appendix B but staff must use their best judgement in this area.

  • Consent is best obtained in writing from a subject but may be by telephone if we know for certain that the person responding is the subject, (in which case a telephone record must be made), or in person at a meeting (when an authority should be signed at the time).
  • Consent by e-mail is not acceptable as we cannot guarantee security of the senders equipment.
  • Consents sent to us by third parties apparently signed by an individual should not be accepted at face value without double checking with a subject.
  • We will seek to obtain all necessary consents within 3 working days of a request for data. This is considered reasonable except where a subject may for any reason be unavailable. In such cases data must not be transmitted.
  • Individuals applying for jobs with the Company will be informed of the use of personal details.

Security

  • Security and confidentiality are an inherent part of our work and staff should understand the necessity of such.
  • Data relating to staff at the Company will be maintained on individual staff record files and available only to Directors.
  • Payroll details held on computer will be password protected and payroll details held manually will be retained in files within a secure environment.
  • Security of client data will be as detailed in the office manual including methods of processing data within a secure environment.
  • Data held on the computer network will be backed up within the server onto the installed mirror hard drive instantaneously and daily back ups will be made after the end of each working day.

Usage

  • Confidentiality of client data including any data relating to clients employees or agents is restricted to staff of the Company.
  • Data relating to employees of the Company is restricted in access to the Directors.
  • Consent will be obtained as stated above prior to release of data to third parties.
  • Data will only be used for the purpose of answering specific requests and should relate only to information necessarily required.
  • Professional judgement and ethics must be observed and utilised in dealing with any sensitive data.

Destruction

  • Data relating to clients will be maintained for such periods as are laid down by the professional bodies responsible for the conduct of the Company.
  • Data relating to Company staff will be maintained for a period of time based upon a reasonable business need to retain them which for purposes of future references shall not extend beyond 5 years.

General Awareness

  • Any matter relating to data protection may be referred to a Director in the first instance but checks on good practice can be accessed via the Data Protection website www.Dataprotection.gov.uk
  • A copy of the draft codes of practice are available from the website and a copy is available within the Company from the Directors.
  • For criminal convictions it must be clear that spent convictions do not have to be declared unless covered by certain exceptions relating to a specific post.
  • We will act for clients on payroll bureau only where consent to hold records has been received by us.
  • Where clients request payroll details be despatched by fax we must ensure that the methodology is secure.
  • Any confidential information handed to the Directors for onward transmission to the Group Health Scheme or Stakeholder Pension Company should be in a sealed envelope and as such will not be accessed by anyone prior to despatch.
  • We may from time to time request that applications for posts at the Company contain details of Ethnicity, sexuality, disability or other characteristics, but this will be only for the promotion of our Equal Opportunities Policy.
  • Staff are involved in bi-annual reviews of progress and are already shared as between individuals and Directors on an open basis.

 

Last updated 13 April 2011

Appendix A

THIRD PARTY REQUESTS FOR DATA RELATING TO EMPLOYEES

Release of Third Party Information in Response to a Subject Access Request.

Seek the consent of the third party to release of the information unless it is impractical to do so (eg: the third party’s whereabouts are unknown) or consent cannot be given (eg: the third party does not have sufficient mental capacity).

If consent has not been given, decide whether in all the circumstances it is nevertheless reasonable to give access. This involves balancing the employee’s right of access with the third party’s right to respect for his/her private life.

In doing so take into account :

whether you owe a duty of confidence to the third party;
any express refusal of consent;
the impact the information has had or is likely to have on actions or decisions affecting the employee;
the nature of the third party information, in particular whether its release will be damaging to the third party or whether it is sensitive;
the extent to which the employee is already likely to be aware of the information;
whether the information includes facts which might be disputed by the employee where he/she aware of them;
whether the third party information relates to the third party acting in a business or personal capacity;

Bear in mind that the release of confidential information or information where there has been an express refusal of consent is unlikely to be justified unless the information has had or is likely to have a significant adverse impact on the employee.

Appendix B

Third parties who may request data from us and where consent is required for release include the following :

Inland Revenue
Dept for Work & Pensions (formerly DSS)
H M Customs & Excise
Other Government Regulatory Bodies
Police/National Criminal Intelligence Service
Banks & Building Societies
Other Lending & Financial Institutions
Credit Agencies
Training Agencies
Colleges & Universities
Previous or Prospective Employers
Professional Organisations
Accountancy Firms
Lawyers/Solicitors
Estate Agencies/Surveyors
Staff Representing Clients
Employment or similar Agencies

The list is indicative and not exhaustive – staff must use the highest levels of discretion and confidentiality in dealing with any requests for data from third parties.

Appendix C

RETENTION PERIODS FOR EMPLOYEE RECORDS

Application Form - Duration of Employment

References Received - Duration of Employment

Payroll & Taxation Information - 9 years

Sickness Records - 3 years

Annual Leave Records - 2 years

Unpaid/Special Leave Records - 3 years

Annual Appraisal Records - 5 years

Notes regarding Promotion, Training & Disciplinary matters - 1 year after end of employment

References given & relevant Information used - 5 years after end of employment

Records relating to Accidents or Injury at work - 12 years after event

The above criteria are for guidance only but if longer periods are considered appropriate then justification must be given.

 

Last Updated 13 April 2011