The Data Protection Act 1998 came into force on 1 March 2000. The new act implements the European Data Protection Directive (European Directive 95/456/EC) in the UK. It introduces a range of new measures and requirements into the data protection arena, not least of which is the inclusion of manually held data.

This paper introduces The Service’s policy on the processing of personnel data in light of the new Act. It explains:

• Your rights under the new Act
• Your rights of access to data and the timetable for introducing full access to manual records at the end of the transitional period prescribed under the new Act;
• The exceptions to the rights of access;
• The principles of the Act;
• How The Service will manage compliance with the new Act with regard to it’s processing of manual data.

The purpose of this statement is to show how The Service complies with the law when it collects and uses personal information on staff in The Service (including contract and casual staff). This statement does not replace the law. You are encouraged to read this policy and should you have any further queries or need further advice contact the appropriate contact within Human Resources (refer to Human Resources intranet home page).

The Service needs to collect and use certain types of personal data about it’s own staff, whether past, present or prospective, in order to carry out its Human Resources functions and to achieve its objectives.

The Service’s aim is to ensure that all personal information processed by The Service is done so lawfully and fairly. The Service recognises the importance of respecting the privacy of all of its employees and the need to have safeguards in place to protect this information, in relation to the collection, use and storage of information. We therefore recognise the lawful and fair treatment of personal information by all staff as very important to successful operations, and to maintain trust between staff and with outsiders. We, as an Agency, are responsible for our own compliance.

The Service fully endorses, and will adhere to, the principles of the data protection as set out in the Data Protection Act 1998.

The key elements of the 1988 Act are:

• Adherence to the eight data protection principles for all personal data;
• Manual personal data as well as automated personal data is now included;
• More extensive rights for data subjects;
• New notification arrangements (which can include notification of manually held data if the data controller so wishes);
• Restriction on the disclosure of personal data to others;
• Additional safeguards concerning the processing of "sensitive" data.

The Data Protection Act gives a number of rights to individuals’ (referred to as data subjects) in respect of data held about them (data subject rights). These rights are broadly as follows:

• The right of data subject access;
• The right to be told by the Data Controller (The Service) of the purposes or purpose for which the processing of the personal data is being undertaken;
• The right to prevent processing likely to cause any damage or distress (this is subject to certain exemptions);
• The right to prevent processing for the purposes of direct marketing;
• The right not to be subject to a decision, which is based solely on automated decision-making;
• The right to compensation if the data subject (the individual) suffers damage by any contravention of the Act by the data controller;
• The right to rectify, block, erase or destroy inaccurate data;
• The right to make a request to the Commissioner for an assessment to be made to determine whether any provision of the Act has been contravened.

What could be regarded as one of the most significant of the rights for an individual is the right to gain access to manual (i.e. paper) records where information is part of a structured filing system or an organised system, which is readily accessible, as well as computerised records. The vase bulk of The Service’s manual data holdings will fall into the category of "processing already under way" which will have to comply with subject access provisions of the 1998 Act from 24 October 2001. This includes the majority of files held on you, including your centrally held personnel files.

We have drawn up a retention policy for personnel records, which will ensure we are holding all the correct information on our files when data subject access comes into force on 24 October 2001. Access to your computerised records is available, and staff can order a printout of the information held on them through their Human Resources Adviser.

The regulations suggest a fee may be charged to gain access (up to £10 is the maximum prescribed). We have decided against charging a fee for the time being, but this may be reviewed in the future, if the cost of providing the service becomes too great.

The Act provides a number of situations whereby subject access rights do not apply. In practice, most Civil Service personnel records will become open to subject access with the exception of those dealing with:

• The processing of personal data for the purpose of safeguarding national security;
• The processing of personal data for the purposes of

• The prevention or detection of crime,
• The apprehension or prosecution of offenders, or
• The assessment or collection of any tax or duty or of any imposition of a similar nature;

• Background data underpinning research, history, and statistics where the results do not identify the data subjects;
• Confidential references given by the Service (but not those received, i.e. as soon as a reference is received and retained it becomes open to the data subject access in the receiving Department);
• Legal advice;
• Succession planning;
• Honours;
• Negotiations (this includes papers being held as part of the settling of current personnel issues, e.g. on postings, investigations and, so on).

In broad terms, the data protection principles state that when dealing with people’s personal information, we must:

The term processing includes "obtaining, recording, or holding information". We must only undertake processing with your consent, except in certain specified circumstances (i.e. the processing is necessary for the performance of a contract to which you are a party). We have to tell you why the information is needed, how we may use it and any further information needed to ensure fair processing.

The law imposes extra conditions in relation to sensitive information. Information which is considered sensitive is that which relates to racial or ethnic origin, political opinions, religion, trade union membership, physical or mental health, sexual life, and offences or alleged offences or convictions, and court proceedings.

If we obtain information from you we will only use it for the purposes agreed in advance with you and which are consistent with the Act.

We will only process information, which is necessary to ensure The Service runs effectively.

We will do all that we reasonably can to ensure that we only hold accurate information. Where we see something is out of date we will either update it or delete it. We will take all reasonable steps to ensure the accuracy of the information we obtain. You are expected to assist in this process by letting The Service know of any changes to your personal circumstances (e.g. changes to your home address or marital status).

We will regularly audit/review the information we hold against The Service’s retention policy for personnel papers (which is based on Cabinet Office guidelines) to see whether we still need it to do our work. Information we no longer need will be deleted. The retention policy is available on the HR intranet page under Data Protection.

We will ensure that we will:

• not contravene your rights of access
• correct inaccurate data brought to our attention
• comply with your right to prevent processing likely to cause damage or distress
• comply with your rights relating to automatic decision-making
• comply with the provisions relating to the transitional rights, which apply to the processing of certain manual data

We will do everything possible to protect any information about you that we hold.

In particular, we will:

• Assure the integrity of staff who have access to personnel files/systems;
• Only let authorised people see your personal information;
• In relation to automated data processing, ensure the necessary security measures are applied;
• In relation to manual personnel records, we will keep all records securely and safely, and they will only be viewed by authorised personnel
• Monitor changes in technology, e.g. by upgrading existing systems, etc.

Transfers of personnel records outside of the UK, let alone the EEA are very rare. However, if a request is received, we will ensure there are adequate safeguards in place before making any arrangements.

Guidance for line managers has been made available, and can be obtained under the Human Resources page on the intranet.

If you require any further advice on the Data Protection Act you should contact Diane Blackmore in Human Resources Policy on 020 7637 6455, or alternatively e-mail.

Human Resources Policy
October 2001