How many of us were in HR when the Data Protection Act was introduced in 1998? It certainly made us wonder what was in a Personnel file and probably opened our eyes when we got around to checking them.
Of course it had been around since 1984 but was updated in 1998 to create a standard for data protection across Europe. Formally it is defined by ‘The Data Protection Act 1998 (DPA) which is an Act of Parliament of the United Kingdom of Great Britain and Northern Ireland which defines UK law on the processing of data on identifiable living people’. It is regulated by the Independent Commissioners Office which is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
That’s all very well, and plenty of information to digest, especially when you chuck in the Freedom of Information Act 2000.
Back in 1998, as I remember, we provisioned for the worst case scenario which was a co-ordinated mass request instigated by some malicious 3rd party to clog up the system and frustrate management. In my experience, and network, this never happened.
We appointed a ‘Data Protection Controller’. Where I worked we were all trained in the basics of understanding of how to deal with a ‘subject access request’. We did the audit of the personnel files and knew we could make staff who submitted a subject access request wait up to 40 days and charge them a minimum of £10. But how is it practically applied?
I think a lot depends on the culture of the company and the HR department. Our advice would always be as a starting point to accept the request in the interest of openness, honesty and trust. Arrange a date and either go through the file with them in a private room, or check it yourself first and leave them to it. It’s worth just putting that safety net in place in case any rogue paperwork or sensitive 3rd party information has found its way into the file.
Of course many companies now have replaced a Personnel file with an eFile and scan everything, but the same principle will apply.
If you are at all concerned about any requests that you may receive then please feel free to contact one of our HR experts to discuss.