Data Protection Business Requirements UK

Businesses must safeguard important information when recruiting staff members and keeping staff records. Find out how data protection regulations affect small businesses in the United Kingdom.

DATA PROTECTION RULES: The requirements are strict for any business that stores or uses personal information.

The regulations apply to the information that businesses keep on their staff, their customers, and any account holders.

In most cases, businesses will gather personal information while:

  • Managing staff records
  • Marketing products or services
  • Recruiting staff members
  • Using video surveillance or CCTV

The kinds of personal data that businesses gather vary. But it will often include the recording of staff working hours and keeping files on the addresses of customers. It may also involve giving out delivery information when using a courier or delivery company.

Note: The UK laws on marketing and advertising provide further information on direct marketing regulation in the United Kingdom.


UK Rules on Data Protection

Data protection rules will apply to your business if it is storing or using personal information. As such, you would need to keep all the information accurate, up to date, and secure.

There are several steps to take when you collect someone else’s personal data. You would need to inform them who is collecting their data (e.g. who you are). You would need to tell them how you will use it, including whether you will share their information with any other organisations.

Data protection requirements for businesses also mean telling the person that they have the legal right to:

  • View the information that you are holding about them and then correct anything that is wrong.
  • Make a request for the business to delete their data or not to use it for certain purposes.

Note: The Information Commissioner’s Office (ICO) sets out the 7 data protection principles as part of the main data protection rules.

Businesses Must:

Note: someone’s personal data can result in a substantial fine or you may need to pay compensation.


Data Protection and Employment Records

Businesses that collect data on their staff members must keep it secure. That may mean setting strong passwords for computer records or locking paper records in filing cabinets.

You should only be storing information for as long as there is a clear business need for it. You should then dispose of it afterwards in a secure manner (e.g. by shredding it).


Staff Recruitment

In most cases, staff recruitment will take place through job adverts. If so, you would need to provide the name of the business and its contact details on the actual advert (or the details of an agency).

You should be collecting any necessary personal information only on application forms. During the job interview, you must not ask for any irrelevant information (e.g. banking details).

An Example:

As a rule, it would only be necessary for an interviewer to ask about any motoring offences if driving is a requirement for the actual job.

Note: You should only keep the information gathered for the purpose of recruitment. So for example, you should not use the same information as part of a company marketing mailing list.


Staff Records

Only the most appropriate and trained staff should have access to employee records. Certain files, such as those with sensitive information (e.g. criminal or health records), may need keeping in a separate storage facility.

An Example:

It would be inappropriate for a manager to have access to a worker’s full sickness record if they only need to inspect a basic record of absences.

Note: Make sure the worker or the ex-staff member approves of you giving a reference if you’re asked to provide one.


Employee Access to Records

There are strict rules on the personal data an employer can keep about an employee. Staff have the legal right to ask for a copy of information that their employers hold about them.

The regulation also applies to information held about staff grievance and disciplinary issues. In all cases, the employer must respond to the request within thirty (30) days.

Note: In some cases, employers can withhold certain information in a response to a request. It may apply if the details concern another person (e.g. to protect someone who accused them of harassment).


Monitoring Employees at Work

If workers are being monitored at work by their employers, it must be legal and fair. As an employer, you must be able to justify monitoring your staff in the workplace. Common examples include:

  • Keeping records of telephone calls
  • Logging emails or Internet use
  • Physical searches or searching workstations
  • Using closed-circuit television (CCTV)

Employees should be aware of workers’ rights at work. In fact, failing to treat employees fairly means they could:

  • Take the employer to an employment tribunal.
  • Make a complaint to the Information Commissioner.

Employers must make their workforce aware that they are monitoring them and the reason for doing it. As a rule, sending them an email with the notification would suffice.

Note: The block email could also explain company policies on using phones or work computers for personal use.


Monitoring Staff without their Knowledge

There are certain circumstances that allow employers to monitor staff without their knowledge. For example, if:

  • There are suspicions that an employee is breaking the law.
  • Informing them would make it difficult to detect a crime being committed.

Note: You should only be monitoring staff without their knowledge as part of a specific investigation. Monitoring should stop once the investigation ends.


Using Closed-Circuit Television at Work

It is not uncommon for businesses to use CCTV in the United Kingdom. But any that do must inform people that they may be recorded. As a rule, CCTV notification takes place by displaying signs. People must be able to see the signs ‘clearly’ and be able to read them.

The business must also notify the Information Commissioner’s Office (ICO) about the reason why it is using video surveillance.

You should be controlling who can see the CCTV recordings. It is also your role to ensure that the system is only used for its intended purpose.

Note: A system set up to detect crime should not be used to monitor the amount of work done by staff members.


Letting People See CCTV Recorded Images

Anyone has the right to ask to see images that a business recorded of them. If you get asked, you can charge up to £10 but you must provide access to the recordings within forty (40) days. You can get more information about CCTV filming carried out by others on the ICO website.

Note: Business data protection rules do not apply to a camera installed on a domestic property to protect it from burglary.

