What should employers consider when storing data on their employees?
Friday 11 November, 2011
Here’s a teaser: Apart from occupying seats on the front bench of the Coalition Government, what else do Vince Cable and Oliver Letwin have in common? Answer: They have both recently been somewhat carefree with other people’s personal information. In Vince Cable’s case, constituents’ personal information was found in his recycling bin, while Oliver Letwin was spied putting papers containing personal details of constituents and fellow MPs into a park bin.
As data controllers, employers have a duty to ensure they take appropriate technical and organisational steps to guard against unauthorised use or accidental loss of personal data. In an employment context, data protection security issues are paramount, since employee data is very often confidential or sensitive. Failure to dispose of personal data securely is a breach of one of the core data protection principles, which could lead to a complaint or a claim for damages from the individuals concerned and an investigation from the data protection watchdog, the Information Commissioner’s Office (ICO). Heavy fines can be imposed for serious or persistent breaches.
When personal information is stored on the employer’s premises, careful consideration should be given to the security of the systems in place. Paper-based HR files should be kept under lock and key, and password protection applied to computerised files containing sensitive or confidential information. Training should be given to those who are responsible for handling personal data, so that they understand and minimise the risks attached to inappropriate disclosure and security failings.
When it comes to disposal, employers should ensure that all confidential papers and any information containing personal data are disposed of securely. This will normally mean that paper-based records should be bagged up and shredded by a reputable contractor. Archived files should likewise be handled by a reputable contractor, and questions should be asked about the storage facilities to ensure that they offer adequate security.
An appropriate policy should be put in place to deal with such matters, including the steps that should be taken by employees who take work home with them.
Regular entries on the ICO website's "named and shamed" list involve the loss of memory sticks and laptops containing huge amounts of personal data, often unencrypted. Employers should avoid the embarrassment and potential liability to clients, customers and staff by reviewing their policies and procedures, auditing their normal practices and closing any gaps in security.
This article first appeared in the Thames Valley Business Magazine.
Piers Leigh-Pollitt is co-author of the Data Protection Act Explained