The Data Protection Act 1998 (DPA) requires anyone (for example, an employer) who handles personal information to comply with a number of important principles. It also gives individuals rights over their personal information. The type of information that is covered by the DPA includes automated and computerised personal information kept about workers by employers, for example personnel files and CCTV recordings.
There are eight data protection principles which state that personal data must be:
- processed fairly and lawfully
- obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes
- adequate, relevant and not excessive in relation to the purposes for which it is processed
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary for the purposes for which it is processed
- processed in accordance with the rights of data subjects under the Act
- subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage
- not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection.
The Information Commissioner has produced an Employment Practices Code to provide information and guidance for employers.
- Information Commissioner - Employment Practices Code
- Quick guide to the employment practices code